On October 25, 2021, the Dubai Financial Services Authority (“DFSA”) updated its Rulebook for “crypto” based investments by launching a regulatory framework for “Investment Tokens”. This framework follows, on the whole, the approach proposed in the DFSA’s “Consultation Paper No. 138 – Regulation of Security Tokens”, published in March 2021 (the “Consultation Paper”).

Peter Smith, Managing Director, Head of Strategy, Policy and Risk at the DFSA has noted that: “Creating an ecosystem for innovative firms to thrive in the UAE is a key priority for both the UAE and Dubai Governments, and the DFSA. Our consultation on Investment Tokens enabled us to understand what firms were looking for in a regulatory framework and introduce a regime that is relevant to the market. We look forward to receiving applications from interested firms and contributing to the ongoing growth of future-focused financial services in the DIFC.”[1]

What is an “Investment Token”?

An “Investment Token” is defined as either a “Security Token” or a “Derivative Token”[2]. Broadly speaking, these are:

a security (which includes, for example, a share, debenture or warrant) or derivative (an option or future) in the form of a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using Distributed Ledger Technology (“DLT”) or other similar technology; or
a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using DLT or other similar technology and: (i) confers rights and obligations that are substantially similar in nature to those conferred by a security or derivative; or (ii) has a substantially similar purpose or effect to a security or derivative.

However, importantly, the definition of “Investment Token” will not capture virtual assets which do not either confer rights and obligations substantially similar in nature to those conferred by a security or derivative, or have a substantially similar purpose or effect to a security or derivative. This means that key cryptocurrencies such as Bitcoin and Ethereum, as well as stablecoins such as Tether, will remain unregulated under the Investment Tokens regime.

Scope of framework

This regulatory framework applies to persons interested in marketing, issuing, trading or holding Investment Tokens in or from the Dubai International Financial Centre (“DIFC”). It also applies with respect to DFSA authorised firms wishing to undertake “financial services” relating to Investment Tokens. Such financial services would include (amongst other things) dealing in, advising on, or arranging transactions relating to, Investment Tokens, or managing discretionary portfolios or collective investment funds investing in Investment Tokens.

Approach taken by the DFSA

The approach taken by the DFSA has been to, rather than establish an entirely separate regime for Investment Tokens, bring these instruments within scope of the existing regime for “Investments”, subject to certain changes. The Consultation Paper noted that “in line with the approach adopted in the benchmarked jurisdictions, [the] aim is to ensure that the DFSA regime for regulating financial products and services will apply in an appropriate and robust manner to those tokens that [the DFSA considers] to be the same as, or sufficiently similar to, existing Investments to warrant regulation”.

The Consultation Paper proposed to do this through four means: (i) by making use of the existing regime for “Investments” as far as possible, whilst addressing specific risks associated with the tokens, especially technology risks; (ii) by not being too restrictive, so that the DFSA can accommodate the evolving nature of the underlying technologies that might drive tokenization of traditional financial products and services; (iii) by addressing risks to investor/customer communication and market integrity, and systemic risks, should they arise, where new technologies are used in the provision of financial products or services in or from the DIFC; and (iv) remaining true to the underlying key characteristics and attributes of regulated financial products and services, as far as practicable.

As noted at (i) above, the changes brought about on October 25, 2021 necessarily involved the addition of new requirements to address specific issues related to Investment Tokens. For instance, added requirements are imposed on firms providing financial services relating to Investment Tokens in Chapter 14 of the Conduct of Business Module of the DFSA Rulebook.

This sets out (amongst other things):

technology and governance requirements for firms operating facilities (trading venues) for Investment Tokens – for instance, they must: (i) ensure that any DLT application used by the facility operates on the basis of permissioned access, so that the operator is able to maintain adequate control of persons granted access; and (ii) have regard to industry best practices in developing their technology design and technology governance relating to DLT that is used by the facility;
rules relating to operators of facilities for Investment Tokens which permit direct access – for example, the operator must ensure that its operating rules clearly articulate: (i) the duties owed by the operator to the direct access member; (ii) the duties owed by the direct access member to the operator; and (iii) appropriate investor redress mechanisms available. The operator must also make certain risk disclosures and have in place adequate systems and controls to address market integrity, anti-money laundering and other investor protection risks;
requirements for firms providing custody of Investment Tokens (termed “digital wallet service providers”) – for example: (i) any DLT application used in providing custody of the Investment Tokens must be resilient, reliable and compatible with any relevant facility on which the Investment Tokens are traded or cleared; and (ii) the technology used and its associated procedures must have adequate security measures (including cyber security) to enable the safe storage and transmission of data relating to the Investment Tokens; and
a requirement that firms carrying on one or more financial services with respect to Investment Tokens (such as dealing in investments as principal/agent, arranging deals in investments, advising on financial products and managing assets), provide the client with a “key features document” in good time before the service is provided. This must contain, amongst other things: (i) the risks associated with, and the essential characteristics of, the Investment Token; (ii) whether the Investment Token is, or will be, admitted to trading (and, if so, the details of its admission); (iii) how the client may exercise any rights conferred by the Investment Tokens (such as voting); and (iv) any other information relevant to the particular Investment Token that would reasonably assist the client to understand the product and technology better and to make informed decisions in respect of it.

Comment

In taking the approach to Investment Tokens outlined in this alert, the DFSA has aligned with the approach taken by certain key jurisdictions. It is similar to that taken by the U.K. Financial Conduct Authority, for example, which has issued guidance to the effect that tokens with specific characteristics that mean they provide rights and obligations akin to specified investments, like a share or a debt instrument (the U.K. version of Investment Tokens) be treated as specified investments and, therefore, be considered within the existing regulatory framework[3].

The DFSA’s regime has baked-in flexibility, particularly as a consequence of the fairly high level, principles-based approach. This will likely prove helpful, given the evolving nature of the virtual assets world. However, the exclusion of key cryptocurrencies from the scope of this regime may limit the attractiveness of the regime, particularly to cryptocurrency exchanges seeking to offer spot trading. However, this may be offset to some extent by the DFSA regime’s willingness to allow operators of facilities for Investment Tokens to provide direct access to retail clients, subject to those clients meeting certain requirements (such as having sufficient competence and experience). This is in contrast to the approach proposed by the Hong Kong Financial Services and the Treasury Bureau, which has proposed restricting access to cryptocurrency trading to professional investors only.[4]

Next steps

As noted above, the Investment Tokens regime does not cover many key virtual assets. However, we understand that the DFSA is drafting proposals for tokens not covered by the Investment Tokens regulatory framework. These proposals are expected to cover exchange tokens, utility tokens and certain asset-backed tokens (stablecoins). The DFSA intends to issue a second consultation paper later in Q4 of this year.[5]

____________________________

[1] https://www.dfsa.ae/news/dfsa-introduces-regulatory-framework-investment-tokens

[2] DFSA Rulebook: General Module, A.2.1.1

[3] FCA Policy Statement (PS 19/22), Guidance on Cryptoassets (July 2019)

[4] See our previous alert on the proposed Hong Kong regime: https://www.gibsondunn.com/licensing-regime-for-virtual-asset-services-providers-in-hong-kong/

[5] https://www.dfsa.ae/news/dfsa-introduces-regulatory-framework-investment-tokens

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Crypto Taskforce (cryptotaskforce@gibsondunn.com) on the Global Financial Regulatory team, or the following authors:

Hardeep Plahe – Dubai (+971 (0) 4 318 4611, hplahe@gibsondunn.com)
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, mkirschner@gibsondunn.com)
William R. Hallatt – Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
Chris Hickey – London (+44 (0) 20 7071 4265, chickey@gibsondunn.com)
Martin Coombes – London (+44 (0) 20 7071 4258, mcoombes@gibsondunn.com)
Emily Rumble – Hong Kong (+852 2214 3839, erumble@gibsondunn.com)
Arnold Pun – Hong Kong (+852 2214 3838, apun@gibsondunn.com)
Becky Chung – Hong Kong (+852 2214 3837, bchung@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On November 1, 2021, the President’s Working Group on Financial Markets,[1] joined by the Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC), issued its expected report (Report) on stablecoins, a type of digital asset that has recently grown significantly in market capitalization and importance to the broader digital asset markets.[2]

Noting gaps in the regulation of stablecoins, the Report makes the following principal recommendations:

Congress should promptly enact legislation to provide a “consistent and comprehensive” federal prudential framework for stablecoins –
- Stablecoin issuers should be required to be insured depository institutions
- Custodial wallet providers that hold stablecoins on behalf of customers should be subject to federal oversight and risk-management standards
- Stablecoin issuers and wallet providers should be subject to restrictions on affiliations with commercial entities.
In the absence of Congressional action, the Financial Stability Oversight Council (FSOC) should consider steps to limit stablecoin risk, including designation of certain stablecoin activities as systemically important payment, clearing, and settlement activities.

The Report thus calls for the imposition of bank-like regulation on the world of stablecoins, and it does so with a sense of urgency. Below we summarize the Report’s key conclusions and recommendations, and then preview the path forward if the FSOC is to take up the Report’s call to action.

Stablecoins

A stablecoin is a digital asset that is created in exchange for fiat currency that a stablecoin issuer receives from a third-party; most stablecoins offer a promise or expectation that the stablecoin can be redeemed at par on request. Although certain stablecoins are advertised as being backed by “reserve assets,” there are currently no regulatory standards governing such assets, which can range on the risk spectrum from insured bank deposits and Treasury bills to commercial paper, corporate and municipal bonds, and other digital assets. Indeed, in October, the CFTC took enforcement action against the issuers of US Dollar Tether (USD Tether) for allegedly making untrue or misleading statements about USD Tether’s reserves.[3]

The market capitalization of stablecoins has grown extremely rapidly in the last year; according to the Report, the largest stablecoin issuers had, as of October, a market capitalization exceeding $127 billion.[4] The Report states that stablecoins are predominantly used in the United States to facilitate the trading, lending, and borrowing of other digital assets – they replace fiat currency for participants in the trading markets for Bitcoin and other digital assets and allow users to store and transfer value associated with digital asset trading, lending, and borrowing within distributed ledger environments.[5] The Report further notes that certain stablecoin issuers believe that stablecoins should be used in the payment system, both for domestic goods and services, and for international remittances.[6] Stablecoins, the Report asserts, are also used as a source of collateral against which participants in the digital assets markets can borrow to fund additional activity, “sometimes using extremely high leverage,” as well as to “earn yield,” by using stablecoins as collateral for extending loans and engaging in margined transactions.[7]

Perceived Risks of Stablecoins

The Report views the stablecoin market as currently having substantial risks not subject to regulation.

First, the Report asserts that stablecoins have “unique risks” associated with secondary market activity and market participants beyond the stablecoin issuers themselves, because most market participants rely on digital asset trading platforms to exchange stablecoins with national currencies and other stablecoins.[8] In addition, the Report states that the active trading of stablecoins is part of an essential stabilization mechanism to keep the price of the stablecoin close to or at its pegged value.[9] It further asserts that digital asset trading platforms typically hold stablecoins for customers in non-segregated omnibus custodial wallets and reflect trades on internal records only, and that such platforms and their affiliates may also engage in active trading of stablecoins and as market makers.[10]

Second, the Report argues that stablecoins play a central role in Decentralized Finance (DeFi). It gives two examples – first, stablecoins often are one asset in a pair of digital assets used in “automated market maker” arrangements, and second, they are frequently “locked” in DeFi arrangements to garner yield from interest payments made by persons borrowing stablecoins for leveraged transactions.[11]

As a result, the Report describes a range of risks arising from stablecoins, including risks of fraud, misappropriation, and conflicts of interest and market manipulation; the risk that failure of disruption of a digital asset trading platform could threaten stablecoins; the risk that failure or disruption of a stablecoin could threaten digital asset trading platforms; money laundering and terrorist financing risks; risks of excessive leverage on unregulated trading platforms; risks of non-compliance with applicable regulations; risks of co-mingling trading platform funds with funds of customers; risks flowing from information asymmetries and market abuse; risks from unsupervised trading; risks from distributed-ledger based arrangements, including governance, cybersecurity, and other operational risks; and risks from novel custody and settlement processes.[12]

The Report also notes the risk of stablecoin “runs” that could occur upon loss of confidence in a stablecoin and the reserves backing it, as well as risks to the payment system generally if stablecoins became an important part of the payment system. The Report notes that “unlike traditional payment systems where risk is managed centrally by the payment system operator,” some stablecoin arrangements feature “complex operations where no single organization is responsible or accountable for risk management and resilient operation of the entire arrangement.”[13]

Finally, the Report asserts that the rapid scaling of stablecoins raises three other sets of policy concerns. First is the potential systemic risk of the failure of a significant stablecoin issuer or key participant in a stablecoin arrangement, such as a custodial wallet provider.[14] Second, the Report points to the business combination of a stablecoin issuer or wallet provider with a commercial firm as raising economic concentration concerns traditionally associated with the mixing of banking and commerce.[15] Third, the Report states that if a stablecoin became widely accepted as a means of payment, it could raise antitrust concerns.[16]

Recommendations

The Report’s key takeaway is that the President’s Working Group, the OCC and the FDIC believe that there are currently too many regulatory gaps relating to stablecoins and DeFi. The Report does note that, in addition to existing anti-money laundering and anti-terrorist financing regulations, stablecoin activities may implicate the jurisdiction of the SEC and CFTC, because certain stablecoins may be securities or commodities. Indeed, the CFTC just recently asserted that Bitcoin, Ether, Litecoin and USD Tether are commodities.[17] Nonetheless, the Report states that as stablecoin markets continue to grow, “it is essential to address the significant investor and market risks that could threaten end users and other participants in stablecoin arrangements and secondary market activity.”[18]

The Report therefore calls for legislation to close what it sees as the critical gaps. First, it argues that stablecoin issuance, and the related activities of redemption and maintenance of reserve assets, should be limited to entities that are insured depository institutions: state and federally chartered banks and savings associations that are FDIC insured and have access to Federal Reserve services, including emergency liquidity.[19] Legislation should also ensure that supervisors have authority to implement standards to promote interoperability among stablecoins.[20] Given the global nature of stablecoins, the Report contends that legislation should apply to stablecoin issuers, custodial wallet providers, and other key entities “that are domiciled in the United States, offer products that are accessible to U.S. persons, or that otherwise have a significant U.S. nexus.”[21]

Second, given the Report’s perceived risks of custodial wallet providers, the Report argues that Congress should require those providers to be subject to “appropriate federal oversight,” including restricting them from lending customer stablecoins and requiring them to comply with appropriate risk-management, liquidity, and capital requirements.[22]

Third, because other entities may perform activities that are critical to the stablecoin arrangement, the Report argues that legislation should provide the supervisor of a stablecoin issuer with the authority to require any entity that performs activities “critical to the functioning of the stablecoin arrangement” to meet appropriate risk-management standards, and give the appropriate regulatory agencies examination and enforcement authority with respect to such activities.[23]

Finally, the Report advocates that both stablecoin issuers and wallet providers should, like banks, be limited in their ability to affiliate with commercial firms.[24]

Interim Measures

The Report characterizes the need for legislation as “urgent.” While legislation is being considered, the Report recommends that the Financial Stability Oversight Council (FSOC) consider taking actions within its jurisdiction, such as designating certain activities conducted within stablecoin arrangements as systemically significant payment, clearing, and settlement activities.[25] The Report states that such designation would permit the appropriate federal regulatory agency to establish risk-management requirements for financial institutions[26] that engage in the designated activities.

Such designations would occur pursuant to Title VIII of the Dodd-Frank Act, and it would be the first time that the FSOC would make them.[27] The procedure that the FSOC must follow is set forth in Title VIII, and, absent an emergency, it appears that it would not be a quick one. First, the FSOC must consult with the relevant federal supervisory agencies and the Federal Reserve.[28] Next, it must provide notice to the financial institutions whose activities are to be designated, and offer those institutions the opportunity for a hearing.[29] The institutions may then choose to appear, personally or through counsel, to submit written materials, or, at the sole discretion of FSOC, to present oral testimony or argument.[30] The FSOC must approve the activity designation by a vote of at least two-thirds of its members, including an affirmative vote by the Chair.[31] The FSOC must consider the designation in light of the following factors: (i) the aggregate monetary value of transactions carried out through the activity, (ii) the aggregate exposure of the institutions engaged in the activity to their counterparties, (iii) the relationship, interdependencies, or other interactions of the activity with other payment, clearing, or settlement activities, (iv) the effect that the failure of or a disruption to the activity would have on critical markets, financial institutions, or the broader financial system, and (v) any other factors that the FSOC deems appropriate.[32]

Conclusion

With the Report, Treasury and the relevant federal agencies – the Federal Reserve, the SEC, CFTC, OCC, and FDIC – have made it clear that they believe that the risks of stablecoin activities are not fully mitigated by existing regulation. Their recommendations for legislation look principally to bringing stablecoins within the banking system and to bank regulation as a means of addressing those risks. It is an open question, however, whether Congress will act, much less with the urgency that the Report desires. Action by the FSOC, moreover, will almost certainly take some time, given the statutory designation procedures. In the near term, therefore, it is likely to fall to the existing agencies with some jurisdiction over stablecoins – the CFTC and SEC – to address the gaps with the tools at their disposal.[33]

__________________________

[1] The Working Group comprises representatives of the Treasury Department (Treasury), Board of Governors of the Federal Reserve System (Federal Reserve), the Securities and Exchange Commission (SEC), and Commodity Futures Trading Commission (CFTC).

[2] See https://home.treasury.gov/system/files/136/StableCoinReport_Nov1_508.pdf.

[3] See https://www.gibsondunn.com/digital-asset-developments-us-commodity-futures-trading-commission-asserts-that-tether-is-a-commodity/.

[4] Report, at 7. In addition to USD Tether, the most circulated stablecoins are USD Coin, Binance USD, Dai Stablecoin, and TrueUSD. All are pegged to the U.S. dollar.

[5] Id. at 8.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

[11] Id. at 9.

[12] Id. at 10-11.

[13] Id. at 12-13.

[14] Id. at 14.

[15] Id.

[16] Id.

[17] See https://www.gibsondunn.com/digital-asset-developments-us-commodity-futures-trading-commission-asserts-that-tether-is-a-commodity/.

[18] Report, at 11.

[19] Id. at 16. Unless the insured depository institution in question is an industrial bank, requiring the stablecoin issuer to be an insured depository institution would also be a requirement for the issuer’s parent company, if any, to be a bank or thrift holding company supervised and regulated by the Federal Reserve.

[20] Id.

[21] Id. n. 29.

[22] Id. at 17.

[23] Id.

[24] Id.

[25] Id. at 18.

[26] Title VIII defines “financial institution” broadly to reach “any company engaged in activities that are financial in nature or incidental to a financial activity, as described in section 4 of the Bank Holding Company Act,” in addition to banks, credit unions, broker-dealers, insurance companies, investment advisers, investment companies, futures commission merchants, commodity pool operators and commodity trading advisers.

[27] The FSOC has previously undertaken designations of systemically significant nonbank financial companies under Title I of the Dodd-Frank Act and systemically significant financial market utilities under Title VIII of the Dodd-Frank Act.

[28] 12 U.S.C. § 5463(c)(1).

[29] Id. § 5463(c)(2).

[30] Id. § 5463(b)(1).

[31] Id. § 5463(c)(3).

[32] Id. § 5463(a)(2).

[33] In a press release issued just after the Report, the Director of the Consumer Financial Protection Bureau, Rohit Chopra, stated that “stablecoins may . . . be used for and in connection with consumer deposits, stored value instruments, retail and other consumer payments mechanisms, and in consumer credit arrangements. These use cases and others trigger obligations under federal consumer financial protection laws, including the prohibition on unfair, deceptive, or abusive acts or practices.” See https://www.consumerfinance.gov/about-us/newsroom/statement-cfpb-director-chopra-stablecoin-report/.

The following Gibson Dunn lawyers assisted in preparing this client update: Arthur Long and Jeffrey Steiner.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the author, or any of the following members of the firm’s Financial Institutions practice group:

Matthew L. Biben – New York (+1 212-351-6300, mbiben@gibsondunn.com)
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202-955-8220, kday@gibsondunn.com)
Mylan L. Denerstein – New York (+1 212-351- 3850, mdenerstein@gibsondunn.com)
William R. Hallatt – Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, mkirschner@gibsondunn.com)
Arthur S. Long – New York (+1 212-351-2426, along@gibsondunn.com)
Matthew Nunan – London (+44 (0) 20 7071 4201, mnunan@gibsondunn.com)
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, jsteiner@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On Friday October 15, 2021, the Commodity Futures Trading Commission (CFTC) issued an enforcement order (Tether Order) against the issuers of the U.S. dollar Tether token (USDT), a leading stablecoin, and fined those issuers $41 million for making untrue or misleading statements about maintaining sufficient fiat currency reserves to back each USDT “one-to-one.”[1] In so doing, the CFTC asserted that USDT is a “commodity” under the Commodity Exchange Act (CEA).

The Tether Order is significant for few reasons. First, it marks the first U.S. enforcement action against a major stablecoin. Second, the CFTC has now asserted that it has some enforcement authority over stablecoins, just at the time that the Biden Administration is gearing up its regulatory approach to digital currencies in general and stablecoins in particular. Securities and Exchange Commission (SEC) Chair Gary Gensler stated earlier this year that he believed that certain stablecoins, such as those backed by securities, are securities,[2] and the President’s Working Group on Financial Markets will soon be issuing a report on stablecoins.[3] Third, the CFTC’s assertion that USDT is a commodity signals that stablecoins that are backed one-to-one with fiat currency are not securities and therefore are not directly subject to the SEC’s jurisdiction.

CFTC Legal Authority

Although the CFTC is principally a regulator of the markets for commodity futures and derivatives such as swaps, it does have certain enforcement authority over commodities in the cash markets (i.e., spot commodities). Section 6(c)(1) of the Commodity Exchange Act, provides that it is “unlawful for any person, directly or indirectly, to use or employ, or attempt to use or employ, in connection with any swap, or a contract of sale of any commodity in interstate commerce, . . . any manipulative or deceptive device or contrivance, in contravention of such rules and regulations as the Commission shall promulgate.”[4] The CFTC has promulgated regulations pursuant to Section 6(c)(1), which render unlawful intentional or reckless statements or omissions “in connection with . . . any contract of sale of any commodity in interstate commerce.”[5] When those regulations were promulgated, the CFTC stated that “[it] expect[ed] to exercise its authority under 6(c)(1) to cover transactions related to the futures or swaps markets, or prices of commodities in interstate commerce, or where the fraud or manipulation has the potential to affect cash commodity, futures, or swaps markets or participants in these markets.”[6]

Tether Order

Prior to the Tether Order, the CFTC had asserted that some digital assets are commodities.[7] The Tether Order definitively states that USDT is a commodity (and, in dicta, asserts that bitcoin, ether, and litecoin are commodities as well). It then alleges that the issuers of USDT made material misstatements under Section 6(c)(1) of the CEA and its implementing regulations regarding whether USDT was backed on a one-to-one basis with fiat currency reserves and whether this reserving would undergo regular professional audits, and the issuers made material omissions regarding the timing of one of the reserve reviews that USDT issuers did take.[8] Without admitting or denying the CFTC’s findings and conclusions, the USDT issuers consented to the entry of a cease-and-desist order and civil money penalty of $41 million.[9]

Conclusion

The recent past has seen the explosive growth of the digital asset markets, with regulators globally seeking to catch up. In the United States, the challenge has been, in the absence of new legislation, to make digital asset transactions fit within existing regulatory schemes. Much initial regulation has been at the state level; most federal financial regulators have initially been attempting to regulate through enforcement. Now, however, there is the prospect of overlapping federal regulation, particularly with respect to stablecoins. The Tether Order comes at a time when media outlets have reported that the U.S. Department of Treasury will be working with U.S. financial regulators to issue a broad report on stablecoins, including how stablecoins should be regulated. And although the CFTC has taken its position on USDT, it is currently still unclear how other U.S. regulators will view stablecoins and other digital assets.

_____________________________

[1] In the Matter of Tether Holdings Limited, Tether Operations Limited, Tether Limited, and Tether International Limited, CFTC Docket No. 22-04 (Oct. 15, 2021), available at https://www.cftc.gov/media/6646/enftetherholdingsorder101521/download.

[2] Gary Gensler, SEC Chair, “Remarks Before the Aspen Security Forum” (August 3, 2021).

[3] See, e.g., Michelle Price, “Explainer: How the U.S. Regulators Are Cracking Down on Cryptocurrencies,” Reuters, September 24, 2021.

[4] 7 U.S.C. § 9(1).

[5] 17 C.F.R. § 180.1(a)(2).

[6] CFTC, Final Rules: Prohibition on the Employment, or Attempted Employment, of Manipulative and Deceptive Devices and Prohibition on Price Manipulation, 76 Fed. Reg. 41,398, 41,401 (July 14, 2011).

[7] See, e.g., In re Coinflip, Inc., CFTC No. 15-29, 2015 WL 5535736, at * 2 (Sept. 17, 2015) (stating that bitcoin is properly defined as a commodity within the meaning of the CEA).

[8] Tether Order at 8-9.

[9] Also on October 15, the CFTC entered into a consent order with Bitfinex, a leading digital currency exchange that has many management and operational interlocks with the USD Tether issuers, for allegedly permitting U.S. customers that were not eligible contract participants to engage in leveraged, margined or financed commodity transactions that were not carried out on a designated contract market (i.e., a CFTC registered futures exchange) in violation of the CEA’s requirements, and acting as a futures commission merchant (FCM) without being registered with the CFTC as such. The CFTC further asserted that Bitfinex had violated a 2016 CFTC order that had commanded it to cease-and-desist from such activity. Without admitting or denying the CFTC’s findings and conclusions, Bitfinex consented to the entry of the new cease-and-desist order and a $1 million fine. See In the Matter of iFinex Inc., BFXNA Inc., and BFXWW Inc., CFTC Docket No. 22-05 (Oct. 15, 2021), available at https://www.cftc.gov/media/6651/enfbfxnaincorder101521/download.

The following Gibson Dunn lawyers assisted in preparing this client update: Arthur Long and Jeffrey Steiner.

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On September 23, 2021, President Joseph Biden announced his intention to nominate Professor Saule Omarova of Cornell Law School to be the next Comptroller of the Currency. The Comptroller heads the Office of the Comptroller of the Currency (OCC), the Treasury bureau that supervises national banks and federal thrifts; the Comptroller is also an ex officio member of the Board of Directors of the Federal Deposit Insurance Corporation (FDIC).

If confirmed by the Senate, Professor Omarova will have significant influence over regulatory policy, not only for banking institutions, but also for fintech companies that seek to enter the banking system via either a national bank or FDIC-insured industrial bank charter or that have bank partners.

Professor Omarova worked in the Bush Treasury Department and has published numerous articles on financial regulation. This Alert touches on the key themes of her academic writings and addresses how these themes could translate into regulatory priorities at the OCC and FDIC, and in view of the fact that President Biden will likely soon nominate a new Vice Chair for Supervision at the Board of Governors of the Federal Reserve System (Federal Reserve).

A. Key Themes

Professor Omarova has written on numerous topics in her academic career. Early on, she analyzed 1990s OCC interpretations that expanded national bank derivatives activities to include derivatives on commodities and equities; the Federal Reserve’s granting of Section 23A exemptions immediately before and during the 2008 Financial Crisis; and the historical exemptions from the definition of a “bank” under the Bank Holding Company Act.[1] More recently, she has written on bank governance, innovation in the financial industry, “culture” at financial institutions, restructuring the Federal Reserve to take customer demand deposits, and the “Too Big to Fail” problem, among other topics.[2]

Several key themes emerge from these writings:

Concerns that post-Financial Crisis reforms have only magnified the size and interconnectedness of the largest banking organizations
Concerns that banking and related financial activities frequently serve only private interests
Concerns that activities outside of narrow banking – derivatives, commodities, trading, and even certain capital markets activities – are inherently risky
Concerns that a focus on “innovation” may result in a weakening of supervisory standards

Perhaps most interesting, however, is Professor Omarova’s recurring theme that traditional bank supervision is too narrowly focused on what she calls “micro” issues and solutions, and that a new regulatory paradigm centered on overall “macro” economic and public interest goals, and including substantially increased government intervention in the financial sector, may be needed.

1. Concern with Size and Interconnectedness

Professor Omarova, like other observers, has noted one of the ironies of post-Financial Crisis regulation – that although the size and interconnectedness of the global banking sector contributed significantly to the Crisis, the financial system was saved only by increasing the size of the nation’s largest banks:

The post-crisis increase in the level of concentration of the U.S. financial industry is difficult to deny. For example, as of the year-end 2017, top five U.S. bank holding companies (BHCs) held forty-eight percent of the country’s BHC assets. By early 2018, there were four U.S. BHCs with more than $1.9 trillion in assets on their individual balance sheets. Despite the post-crisis passage of the Dodd-Frank Act, the most wide-ranging regulatory reform in the U.S. financial sector since the 1930s, [too big to fail] remains a “live” issue on the public policy agenda.[3]

This in turn, she believes, imposes considerable challenges for supervisors: “today’s financial system is growing increasingly complex and difficult to manage. This overarching trend manifests itself not only in the dazzling organizational complexity of large financial conglomerates, but also in the exponential growth of complex financial instruments – derivatives, asset-backed securities, and other structured products – and correspondingly complex markets in which they trade.”[4] The result is that it is “extremely difficult to measure and analyze not only the overall pattern of risk distribution in the financial system but also the true level of individual financial firms’ risk exposure.”[5]

2. Private Versus Public Interest

It is fair to say that Professor Omarova is not a strong believer in the “Invisible Hand.” Her articles frequently posit a dichotomy between the driving forces of finance and the “public interest.” Her article on bank culture, for example, makes this assertion:

[New York Federal Reserve Bank President] Gerald Corrigan argued that, in exchange for the publicly-conferred benefits uniquely available to them, banks have an obligation to align their implicit codes – and their actual conduct – with the public good. In practice, however, there has been little evidence of such an alignment . . . . One of the most troubling revelations [about bank conduct before the Financial Crisis] was that, in the vast majority of these cases, banks’ and their employees’ socially harmful and ethically questionable business conduct was perfectly permissible under the existing legal rules. In each of those instances, bankers voluntarily, and often knowingly, chose to pursue a particular privately lucrative but socially suboptimal business strategy. And, as long as mortgage markets kept going up and speculative trading in mortgage assets remained profitable, bankers showed no interest in fulfilling their public duties or prioritizing moral values over pecuniary self-interest.[6]

In an article on bank governance, she returns to this theme, stating that “[a]ll too often, however, the incentives of bank managers and shareholders to pursue short-term private gains are perfectly aligned but work directly against the public interest in preserving long-term financial stability. The recent financial crisis . . . made abundantly clear that the modern system of corporate governance . . . is not a sufficiently reliable or consistent mechanism for managing this insidious and apparently pervasive conflict in a publicly beneficial way.”[7]

Although it is clear how Professor Omarova views what then-Chief Judge Cardozo called “the forms of conduct permissible in a workaday world for those acting at arm’s length,”[8] it is less clear how she defines the “public interest.” Her writings do, however, suggest that it includes a focus on maintaining financial stability and appropriately allocating capital and credit to productive use, which she argues is not likely to occur absent government intervention:

[T]o date, there has been no meaningful debate on improving the system-wide allocation of financial resources to productive enterprise. In most, if not all, post-crisis discussions on financial regulation, the underlying presumption remains that private market actors are inherently better at assessing financial risks and spotting potentially beneficial investment opportunities ‘on the ground.’ Accordingly, the existing dysfunctions in the process of system-wide credit allocation are framed predominantly in terms of specific private incentive misalignments or more general political-economy frictions.[9]

3. Preference for Narrow Banking

From her earliest writings, Professor Omarova has expressed a distrust of activities that are not at the core of traditional commercial banking. In an early article, she took issue with the OCC’s increasingly flexible approach to interpreting the phrase “business of banking” in the National Bank Act to include derivative activities related to commodities and equities, including hedging such activities through physically settled transactions, and related activities such as national bank participation in power marketing and clearing organizations.[10] She similarly criticized Federal Reserve interpretations of the Gramm-Leach-Bliley Act under which commodity activities were deemed “complementary” to financial activities, and investments in commodity-related assets could be permissible merchant banking investments.[11] (It is worthwhile remembering that under Governor Daniel Tarullo, the Federal Reserve commenced an advanced notice of proposed rulemaking to consider established commodity activities by financial holding companies.[12]) And Professor Omarova strongly supported the statutory Volcker Rule but feared that the law’s mandated administrative rulemakings had great potential to weaken it.[13]

These concerns about risks from non-traditional activities extend to capital markets activities generally, including those that were broadly permissible for bank holding companies even before the Gramm-Leach-Bliley Act was enacted. (By 1997, the Federal Reserve had interpreted the Glass-Steagall Act in a manner that posed few limits on corporate debt and equity underwriting and dealing, in addition to underwriting and dealing in bank-permissible assets.[14]) Professor Omarova states that “[i]n today’s world, secondary markets in financial assets are far bigger, more complex, and more systemically important than primary markets. . . . It is not surprising, therefore, that today’s secondary markets in financial instruments are the principal sites of both relentless transactional ‘innovation’ and chronic over-generation of systemic risk.”[15] In criticizing the Federal Reserve’s Section 23A exemptions granted during the Financial Crisis, she argued that “it is hard to deny that these extraordinary liquidity backup programs also functioned to prop up the banks’ broker-dealer affiliates, which . . . were in the business of creating, trading, and dealing in securities that needed . . . financing and, as a result, had direct exposure to . . . highly unstable markets.”[16]

4. Innovation as a Source of Risk

In contrast to former Acting Comptroller Brian Brooks, who encouraged financial innovation, most notably with respect to national charters for virtual currency companies, Professor Omarova has had a skeptical eye on the question. One of her early articles, as noted above, criticized the OCC for its interpretive approach with respect to equity and commodity derivatives:

[T]he OCC’s highly expansive interpretation of the “business of banking” . . . served to undermine the integrity and efficacy of the U.S. system of bank regulation. Through the seemingly routine and often nontransparent administrative actions, the OCC effectively enabled large U.S. commercial banks to transform themselves from the traditionally conservative deposit-taking and lending institutions, whose safety and soundness were guarded through statutory and regulatory restrictions on potentially risky activities, into a new breed of financial “super-intermediaries,” or wholesale dealers in pure financial risk.[17]

This view carries over in later discussions of pre-Financial Crisis loan securitizations and credit default swaps, as well as fintech generally. Of the latter, Professor Omarova has written:

By making transacting in financial markets infinitely faster, cheaper, and easier to accomplish, fintech critically augments the ability of private actors to synthesize tradable financial claims – or private liabilities – and thus generate new financial risks on an unprecedented scale. Moreover, as the discussion of Bitcoin and ICOs shows, new crypto-technology enables private firms to synthesize tradable financial assets effectively out of thin air. . . . The sheer scale and complexity of the financial market effectively “liberated” from exogenously imposed constraints on its growth will make it inherently more volatile and unstable . . . . The same factors, however, will also make it increasingly difficult, if not impossible, for the public to control, or even track, new technology-driven proliferation of risk in the financial system.[18]

5. The Futility of Bank Supervision

Perhaps most interestingly for someone who would be the lead supervisor of most of the nation’s largest banks, Professor Omarova’s writings show a decidedly pessimistic view of the effectiveness of financial regulation. She frequently points out the failures of what she terms “micro” entity-specific solutions to such risks, in order to argue in favor of a revised “macro,” i.e., far more fundamental and structural, approach. One example comes from her article on Too Big To Fail: “At the heart of the TBTF problem, there is a fundamental paradox: TBTF is an entity-centric, micro-level metaphor for a cluster of interrelated systemic, macro-level problems. This inherent conceptual tension between the micro and the macro, the entity and the system, frames much of the public policy debate on TBTF.”[19]

Professor Omarova’s “macro” approach includes suggestions of potential governmental interventions in the financial system on a scale unprecedented even in times of crisis – government “golden shares” in large financial companies that would allow the government to override management decisions to forestall a crisis,[20] Federal Reserve counter-cyclical intervention in a broader range of financial markets,[21] “public interest” guardians who would supplement regulatory bodies to correct the self-interest of the financial sector,[22] and a significant National Investment Authority to counteract the biases of the private investment community.[23] As Professor Omarova acknowledges, such measures would require new legislation, for which there does not currently appear to substantial appetite.

B. Consequences For Regulatory Priorities

What then do these themes likely foretell should Professor Omarova receive Senate confirmation? It is of course always a challenge to predict the future, and academic writing is frequently at its best when it seeks to challenge traditional paradigms and manners of thought. This said, it does seem that the following outcomes are certainly within the realm of possibility.

1. Size and Interconnectedness

The OCC currently supervises eight of the country’s ten largest banks: JPMorgan Chase, Bank of America, Wells Fargo, Citibank, US Bank, PNC Bank, TD Bank, and Capital One, ranging from just under $400 billion in assets to over $3 trillion in assets. Some, but not all, of them also engage broadly in investment banking activities. The OCC also regulates many banks in the next asset tier below.

The OCC does not have any general authority to break up well-managed banks or to order them to cease activities, but it is not unusual for the OCC to adjust its supervisory approach based on the risk profile of an institution. What Professor Omarova might add to this traditional approach given her views of increasing systemic risk and the importance of the “macro” is a more holistic approach, in which not only will a particular institution’s own risk profile determine its supervision, but also the perceived risks created by those institutions to which it is most connected. In addition, large banks that fail to meet supervisory expectations can face activities limitations; an early article by Professor Omarova analyzed the idea of requiring regulatory approval of complex financial products.[24]

Moreover, although mergers of bank holding companies must be approved only by the Federal Reserve, in many cases once the holding company merger has been approved, the parties seek to merge the subsidiary banks for efficiency reasons. If the resulting bank will be a national bank, the OCC must approve the transaction under the Bank Merger Act. The statutory factors that the OCC must consider are similar to those the Federal Reserve considers, but the OCC makes an independent decision. Many of the required factors relate to size – competitive effect, ability of management (including on integrating institutions), and financial stability.[25]

2. Private Interest Versus Public Interest

In terms of constraining what Professor Omarova views as the self-interest of the financial sector, it is noteworthy that the responsible agencies, including the OCC, have never completely finalized the executive compensation rulemaking required by Dodd-Frank, something to which SEC Chair Gary Gensler has recently called attention.[26] One of the more controversial aspects of the original rulemaking was the extent of permissible clawbacks of compensation, if actions by individual bankers ended up imposing losses on the financial institution involved. On this question, Professor Omarova’s characterization of the “morals of the marketplace” could be significant.

Another means by which the bank regulators have sought to address privatizing gains and socializing losses since the Crisis is bank governance. The OCC’s principal contribution in this regard is its Guidelines Establishing Heightened Standards for large national banks and federal thrifts, which impose a prescriptive approach to certain aspects of bank corporate governance.[27] These Guidelines were adopted as safety and soundness standards pursuant to Section 39 of the Federal Deposit Insurance Act, which gives the OCC the authority to issue orders for noncompliance, orders that may be enforced by the issuance of civil money penalties or in federal district court actions. The OCC could further strengthen these standards or take a more aggressive approach to enforcing them.

3. Narrow Banking

Historically, as Professor Omarova herself has noted, the OCC has been one of the most flexible agencies in its interpretations of its governing statute, the National Bank Act. Although certain of the activities that she has criticized for increasing systemic risk are conducted by bank affiliates, not all of them are: national banks conduct significant derivative activities, certain capital markets activities are bank permissible, and numerous bank activities implicate the broad definition of proprietary trading contained in the Volcker Rule. Even in the absence of revisiting, for example, the National Bank Act interpretations relating to permissible derivatives activities, the OCC has the authority to examine all national bank activities. Those banking institutions with substantial businesses in areas that Professor Omarova has characterized as non-core and risk-creating should therefore expect a much stricter supervisory approach. The Volcker Rule regulations, which as revised still invite significant supervisory discretion in practice due to the difficulty of distinguishing between prohibited trading and permissible activities like risk-mitigating hedging, could well see ramped up examination interest, and expectations of compliance programs could increase.

4. Innovation and Fintechs

There are currently several pressing fintech-related issues at the OCC. First is the question of whether the OCC will grant a national bank charter to a company that proposes to make loans but not take FDIC-insured deposits, and that is not a statutorily authorized national trust bank. The OCC has claimed the authority under the National Bank Act to issue such a charter, but it has not acted on one such application, and it has been sued in federal court by state banking supervisors who believe that granting such a charter goes beyond the business of banking in the National Bank Act. Professor Omarova’s statements on the potential perils of innovation for supervisors and her general “public interest” concerns may well be relevant on this question.

Second, shortly before and just after President Biden was inaugurated, the OCC granted three trust company charters to digital currency companies, and issued a broad interpretation of permissible digital currency activities under the National Bank Act. The OCC is currently re-examining the bases for such charters, with Acting Comptroller Hsu expressing safety and soundness concerns over certain virtual currency activities. For Professor Omarova, virtual currencies and other digital assets are one of the areas where innovation is most likely to cause systemic risk.[28]

Third, Professor Omarova will be a voting member of the FDIC Board, which determines whether a state industrial bank may receive deposit insurance, and which also must approve any change of control transaction involving an FDIC-insured industrial bank. Under Chair Jelena McWilliams – but with a Republican-appointed Comptroller and Republican-appointed Director of the Consumer Financial Protection Bureau – the FDIC Board approved two such applications, one for Square and one for Nelnet. In one of her earliest articles, Professor Omarova analyzed the historical exemption for industrial banks in the Bank Holding Company Act,[29] and since that writing, Congress has refused to repeal the exemption, and the FDIC has finalized a framework for supervising the parents of industrial banks. It is certainly possible that given her preference was “narrow” banking, Professor Omarova would wish to see a linkage to traditional banking activities, with ancillary activities being preferable when conducted in an agency capacity, when considering such applications.

Finally, many fintechs operate via bank partnerships. Under the Trump Administration, the OCC issued fintech-friendly interpretations regarding the “true lender” and “valid when made” doctrines, which engendered opposition from consumer groups and certain state regulators and attorneys general. Congress used the Congressional Review Act this summer to void the “true lender” rule, but the “valid when made” interpretation remains. Professor Omarova’s criticism of the elasticity of the OCC’s interpretations of the National Bank Act on derivatives matters during the 1990s could extend beyond the derivatives area to bank-fintech partnership issues. Demonstrating a lack of increased risk to banks and the system from such partnerships, therefore, could become significant.

5. The Quarles/Brainard Divide – Likely Positioning

It is also important to note that Professor Omarova’s appointment is not taking place in a vacuum. In several weeks, Vice Chair Randal Quarles’s term as the Federal Reserve Governor in charge of bank supervision will come to an end, although a mere Governor Quarles could remain at the Federal Reserve for another decade. During the last four years, Vice Chair Quarles has shepherded through a number of “reforms to the reform” wrought by the Dodd-Frank Act. Many of the more important actions drew dissents from Governor Lael Brainard, who is one of the contenders to be Governor Quarles’ successor. Of these actions, quite a few implicated rules promulgated by the OCC as well as the Federal Reserve:

Loosening the regulatory restrictions of the Volcker Rule
Tailoring capital and liquidity requirements for an institution’s asset size and other factors, with institutions between $100 billion and $250 billion in assets particularly benefiting
Reducing margin requirements for inter-affiliate uncleared swap transactions
Proposing to reduce the enhanced supplementary leverage ratio for the largest banks and their holding companies

From her articles, Professor Omarova would appear to be decidedly in Governor Brainard’s camp on these four issues.

Conclusion: The Limits of Bank Supervision and Regulation

In her writings, Professor Omarova is a strong proponent for government intervention in the financial system, and a skeptic of a light-touch supervisory approach. In this way, she is reminiscent of the first de facto Federal Reserve Governor for bank supervision, another banking law professor turned regulator, Daniel Tarullo. Governor Tarullo, of course, oversaw the implementation of a highly prescriptive top-down approach to bank supervision at the Federal Reserve, which even he noted in his “farewell address” may have gone too far in some areas, particularly for non-systemic banks.[30] Professor Omarova also has quite a bit in common with former FDIC Chair Sheila Bair, who herself was a professor of regulatory policy, was critical of bank derivative activities, and pushed the Collins Amendment to the Dodd-Frank Act because of her suspicions regarding internal bank financial models.

But it is also fair to say that neither Governor Tarullo nor Chair Bair appeared to have quite as skeptical views on the limitations of bank supervision and regulation as Professor Omarova. What will a proponent of a new paradigm approach to the American banking industry do in the absence of any legislative appetite for departing from the reigning paradigm since the New Deal?

This is perhaps the most difficult question of all to answer. A logical response, however, is that in those areas that are perceived to pose the greatest risk, such a proponent would double down on the supervisory tools that are currently available in order to counter perceived risks at inception. Large federal banking institutions that depart from core deposit and lending activities should therefore expect searching supervisory reviews of their non-traditional activities.

_________________________

[1] Saule T. Omarova, “The Quiet Metamorphosis: How Derivatives Changed the ‘Business of Banking,’” 63 U. Miami L. Rev. 1041 (2009); Saule Omarova, “From Gramm-Leach-Bliley to Dodd-Frank: The Unfulfilled Promise of Section 23A of the Federal Reserve Act,” 89 N.C. L. Rev. 1683 (2011); Saule T. Omarova and Margaret E. Tahyar, “That Which We Call a Bank: Revisiting the History of Bank Holding Company Regulation in the United States,” 31 Rev. Banking & Fin. L. 113 (2012).

[2] Saule T. Omarova, “Bank Governance and Systemic Stability: The ‘Golden Share’ Approach,” 68 Ala. L. Rev. 1029 (2017); Saule T. Omarova, “New Tech v. New Deal: Fintech as a Systemic Phenomenon,” 36 Yale J. on Reg. 735 (2019); Saule T. Omarova, “Ethical Finance as a Systemic Challenge: Risk, Culture, and Structure,” 27 Cornell J.L. & Pub. Pol’y 797 (2018); Saule T. Omarova, “The ‘Too Big to Fail’ Problem,” 103 Minn. L. Rev. 2495 (2019).

[3] “The ‘Too Big to Fail’ Problem,” supra note 2.

[4] Id.

[5] Id.

[6] “Ethical Finance as a Systemic Challenge: Risk, Culture, and Structure,” supra note 2.

[7] “Bank Governance and Systemic Stability: The ‘Golden Share’ Approach,” supra note 2.

[8] Meinhard v. Salmon, 164 N.E. 528 (N.Y. 1928).

[9] Saule T. Omarova, “What Kind of Finance Should There Be?”, 83 Law & Contemp. Probs. 195 (2020).

[10] “The Quiet Metamorphosis: How Derivatives Changed the ‘Business of Banking,’” supra note 1.

[11] Saule T. Omarova, “The Merchants of Wall Street: Banking, Commerce, and Commodities,” 98 Minn. L. Rev. 265 (2013).

[12] See https://www.federalreserve.gov/newsevents/pressreleases/bcreg20140114a.htm.

[13] Saule T. Omarova, “The Dodd-Frank Act: A New Deal for A New Age?”, 15 N.C. Banking Inst. 83 (2011)

[14] See https://www.federalreserve.gov/boarddocs/press/boardacts/1996/19961220/ (increasing limit on bank ineligible revenues for Section 20 companies to 25 percent of total revenues).

[15] “What Kind of Finance Should There Be?”, supra note 9.

[16] “From Gramm-Leach-Bliley to Dodd-Frank: The Unfulfilled Promise of Section 23A of the Federal Reserve Act,” supra note 1.

[17] “The Quiet Metamorphosis: How Derivatives Changed the ‘Business of Banking,’” supra note 1.

[18] “New Tech v. New Deal: Fintech as a Systemic Phenomenon,” supra note 2.

[19] “The ‘Too Big to Fail’ Problem,” supra note 2.

[20] “Bank Governance and Systemic Stability: The ‘Golden Share’ Approach,” supra note 2.

[21] “The ‘Too Big to Fail’ Problem,” supra note 2.

[22] Saule T. Omarova, “Bankers, Bureaucrats, and Guardians: Toward Tripartism in Financial Services Regulation,” 37 J. Corp. L. 621 (2012).

[23] Robert C. Hockett & Saule T. Omarova, “Private Wealth and Public Goods: A Case for a National Investment Authority,” 43 J. Corp. L. 437 (2018).

[24] Saule T. Omarova, “License to Deal: Mandatory Approval of Complex Financial Products,” 90 Wash. U. L. Rev. 63 (2012).

[25] 12 U.S.C. § 1828(c).

[26] Akayla Gardner & Ben Bain, “Wall Street Pay Clawback Rule to Get New Push at SEC,” Bloomberg News (September 22, 2021).

[27] 12 C.F.R. Part 30 (Appendix D).

[28] “New Tech v. New Deal: Fintech as a Systemic Phenomenon,” supra note 2.

[29] “That Which We Call a Bank: Revisiting the History of Bank Holding Company Regulation in the United States,” supra note 1.

[30] See https://www.federalreserve.gov/newsevents/speech/tarullo20170404a.htm.

The following Gibson Dunn lawyers assisted in preparing this client update: Arthur Long.

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

The torrid pace of new securities class action filings over the last several years slowed a bit in the first half of 2021, a period in which there have been many notable developments in securities law. This mid-year update briefs you on major developments in federal and state securities law through June 2021:

In Goldman Sachs, the Supreme Court found that lower courts should hear evidence regarding the impact of alleged misstatements on the price of securities to rebut any presumption of classwide reliance at the class-certification stage, and that defendants bear the burden of persuasion on this issue.
Just before its summer recess, the Supreme Court granted certiorari in Pivotal Software, teeing up a decision on whether the PSLRA’s discovery-stay provision applies to state court actions, which may impact forum selection in private securities actions.
We explore various developments in Delaware courts, including the relative decline of appraisal litigation, and the Court of Chancery’s (1) decision to enjoin a poison pill, (2) rejection of a claim that the COVID-19 pandemic constituted a material adverse effect, (3) approach in a potential bellwether SPAC case, and (4) analysis of post-close employment opportunities with respect to Revlon fiduciary duties.
We continue to survey securities-related lawsuits arising in connection with the coronavirus pandemic, including securities class actions, stockholder derivative actions, and SEC enforcement actions.
We examine developments under Lorenzo regarding disseminator liability and under Omnicare regarding liability for opinion statements.
Finally, we explain important developments in the federal courts, including (1) the widening circuit split regarding the jurisdictional reach of the Exchange Act based on recent decisions in the First and Second Circuits, (2) the Eighth Circuit’s holding that class action allegations, including those under Section 10(b), can be struck from pleadings, (3) Congress’s codification of the SEC’s disgorgement authority in the National Defense Authorization Act, (4) a federal district court’s holding that a forum selection clause superseded anti-waiver provisions in the Exchange Act, and (5) the Ninth Circuit’s broad interpretation of the PSLRA’s safe harbor for forward-looking statements.

I. Filing and Settlement Trends

According to Cornerstone Research, both the number of new filings and the average approved settlement amount in securities class actions decreased relative to the same period last year and historically. However, the number of approved settlements is the highest it has been since the second half of 2017, indicating that 2021 may be on track to set a record in terms of the number of approved securities class action settlements even if the total dollar amount falls short of last year.

The decline in total filings is driven by a sharp decline in new mergers and acquisitions filings, which are at the lowest level since the second half of 2014. Despite the decline in filings, 2021 has nonetheless already set a record for new SPAC-related filings by doubling both the 2020 and 2019 full-year totals in this category.

A. Filing Trends

Figure 1 below reflects filing rates for the first half of 2021 (all charts courtesy of Cornerstone Research). The first half of the year saw 112 new class action securities filings, a nearly 40% decrease from the same period last year and a 25% decrease from the second half of 2020. The decrease is largely driven by a drop in new M&A filings, from 64 and 35 in the two halves of 2020, respectively, to 12 in the first half of 2021. This represents a 66% decline in M&A filings from the second half of 2020, and 83% decline against the biannual average for M&A filings dating back through 2016.

Figure 1:

Semiannual Number of Class Action Filings (CAF Index^®)
January 2012 – June 2021

B. Industry and Other Trends in Cases Filed

Keeping with recent trends, new filings against consumer non-cyclical firms continued to make up the majority of new federal, non-M&A filings in the first half of 2021, as shown in Figure 2 below. New filings against communications and technology sector firms remained fairly steady, and an increase in filings against firms in the consumer cyclical and energy sectors partially offset the decline in filings against firms in the basic materials, industrial and financial sectors.

Figure 2:

Core Federal Filings by Industry
January 1997 – June 2021

As noted at the start and illustrated in Figure 3 below, the number of SPAC-related filings in the first half of 2021 exceeds those filed in both 2019 and 2020 combined. The increase is driven by filings in the consumer cyclical industry, and specifically, firms in the Auto manufacturers and Auto Parts & Equipment industries. In addition to notable activity in the SPAC space, cybersecurity-, cryptocurrency- and cannabis-related filings are all on pace to meet or exceed the 2020 totals, and 2021’s increased activity in ransomware attacks has already resulted in an uptick in cybersecurity filings in the second half of 2021. On the other hand, the majority of the new filings related to COVID-19 occurred earlier in the year, indicating that, as mentioned below, it is still too early to tell what the full year brings in terms of filings related to COVID-19.

Figure 3:

Summary of Trend Case Filings
January 2017 – June 2021

C. Settlement Trends

As shown in Figure 4, the total settlement dollars, adjusted for inflation, is down 72.7% against the same period last year despite a 35% increase in the number of settlements approved. Two settlements in the first half of 2021 exceeded $100 million, as compared to six such settlements last year and four in 2019, and the median value of approved settlements through the first half of the year is $7.9 million, reflecting an 18% decline against the same period last year. The difference between the magnitude of the decline in settlement amounts is likely driven by an outlier settlement in first half of last year.

Figure 4:

Total Settlement Dollars (in billions)
January 2016 – June 2021

II. What to Watch for in the Supreme Court

A. Supreme Court Issues Narrow Decision in Price-Impact Case

As we previewed in our 2020 Year-End Securities Litigation Update, in Goldman Sachs Group Inc. v. Arkansas Teacher Retirement System, 141 S. Ct. 1951 (2021), the Supreme Court this Term considered questions regarding price-impact analysis at the class-certification stage in securities class actions. Recall that in Halliburton Co. v. Erica P. John Fund, Inc., 573 U.S. 258 (2014) (“Halliburton II”), the Supreme Court preserved the “fraud-on-the-market” theory that enables courts to presume classwide reliance in Rule 10b-5 cases, but also permitted defendants to rebut that presumption with evidence that the alleged misrepresentation did not affect the issuer’s stock price.

Goldman Sachs presented the Court with the opportunity to decide how courts can address cases in which plaintiffs plead fraud through the “inflation maintenance” price impact theory, which claims that misstatements caused a preexisting inflated price to be maintained instead of causing the artificial inflation in the first instance. In granting certiorari, the Supreme Court accepted two questions for review: (1) “[w]hether a defendant in a securities class action may rebut the presumption of classwide reliance recognized in Basic Inc. v. Levinson, 485 U.S. 224 (1988), by pointing to the generic nature of the alleged misstatements in showing that the statements had no impact on the price of the security, even though that evidence is also relevant to the substantive element of materiality,” and (2) “[w]hether a defendant seeking to rebut the Basic presumption has only a burden of production or also the ultimate burden of persuasion.” Petition for a Writ of Certiorari at I, Goldman Sachs, 141 S. Ct. 1951 (No. 20-222).

In its June 21, 2021 decision, the Court declined to take a position on the “validity or . . . contours” of the inflation-maintenance theory in general, which it has never directly approved. Goldman Sachs, 141 S. Ct. at 1959 n.1. On the first question, the Court unanimously agreed with the parties that lower courts should hear evidence—including expert evidence—and rely on common sense to make determinations at the class-certification stage as to whether the alleged misrepresentations were so generic that they did not distort the price of securities. Id. at 1960. This analysis is permitted at the class-certification stage even though such evidence may also be relevant to the question of materiality, which is reserved for the merits stage. Id. at 1955 (citing Amgen Inc. v. Connecticut Ret. Plans and Tr. Funds, 568 U.S. 455, 462 (2013)). Importantly, the Court noted that in the context of an inflation-maintenance theory, the mismatch between generic misrepresentations and later, specific corrective disclosures will be a key consideration in the price-impact analysis. Goldman Sachs, 141 S. Ct. at 1961. “Under those circumstances, it is less likely that the specific disclosure actually corrected the generic misrepresentation, which means that there is less reason to infer front-end price inflation—that is, price impact—from the back-end price drop.” Id. The Court, with only Justice Sotomayor dissenting, then remanded the case for further consideration of the generic nature of the statements at issue here, explicitly directing the Second Circuit to “take into account all record evidence relevant to price impact, regardless whether that evidence overlaps with materiality or any other merits issue.” Id. (emphasis in original).

As to the second question, the Court held by a 6–3 majority that defendants at the class-certification stage bear the burden of persuasion on the issue of price impact in order to rebut the presumption of reliance—that is, to convince the court, by a preponderance of the evidence, that the challenged statements did not affect the price of securities. The Court determined that this rule had already been established by its previous decisions in Basic and Halliburton II: Basic recognized that defendants could rebut the presumption of classwide reliance by making “[a]ny showing that severs the link between the alleged misrepresentation and . . . the price,” and in Halliburton II, the Court again referenced defendants’ ability to rebut the Basic presumption with a “showing.” Id. at 1962 (internal citations omitted). The majority rejected an argument by the defendants, taken up by Justice Gorsuch (joined by Justices Thomas and Alito), that these references to a “showing” by the defense imposed only a burden of production. Id. at 1962; see also id. at 1965–70 (Gorsuch, J., concurring in part and dissenting in part). That reading would have allowed defendants to rebut the presumption of reliance “by introducing any competent evidence of a lack of price impact”—and would have imposed on plaintiffs the requirement to “directly prov[e] price impact in almost every case,” a requirement that had been rejected in Halliburton II. Id. at 1962–63 (emphasis in original). However, the Court noted that imposing the burden of persuasion on defendants would be unlikely to alter the outcome in most cases, as the “burden of persuasion will have bite only when the court finds the evidence is in equipoise—a situation that should rarely arise.” Id. at 1963.

B. Supreme Court to Decide whether the PSLRA’s Discovery Stay Applies in State Court

On July 2, 2021, just before its summer recess, the Court granted certiorari in Pivotal Software, Inc. v. Tran, No. 20-1541, which raises the question of whether the Private Securities Litigation Reform Act’s (“PSLRA”) discovery-stay provision applies to state court actions in which a private party raises a Securities Act claim. The PSLRA provides that the stay applies “[i]n any private action arising under” the Securities Act before a court has addressed a motion to dismiss, 15 U.S.C. § 77z-1-(b)(1), but state courts are sharply divided over whether the stay applies to suits in state court, rather than only to those in federal court. In opposition, respondent plaintiffs argued that not only is the issue moot (because they have agreed to adhere to the stay provision and the state court will have issued a decision on the motion to dismiss before the Supreme Court can issue an opinion), but also that no court of appeals has ever decided the issue. Brief in Opposition at 7–16, Pivotal Software, Inc. v. Tran, No. 20-1541. Petitioners countered that the issue will only ever arise in state courts and that state trial courts are divided, with at least a dozen decisions refusing to apply the stay and seven applying it, with many more decisions unreported. Moreover, the issue evades appellate review because it is time-sensitive and unlikely to affect a final judgment, rendering any error harmless. Reply Brief for Petitioners at 1–12, Pivotal Software, Inc. v. Tran, No. 20-1541.

Given the costs of discovery in securities actions, Pivotal could have a lasting impact on both the choice of forum in which securities actions are brought and on how discovery progresses in the early stages of a case.

C. The Court Addresses Constitutional Challenges to Administrative Adjudicators

Recall that in Lucia v. SEC, 138 S. Ct. 2044 (2018), the Court held that the SEC’s administrative law judges (“ALJs”) were “Officers of the United States” who must be appointed by the President, a court of law, or the SEC itself. Building on Lucia, the Supreme Court issued two decisions this Term that raised further questions on the constitutionality of administrative officers’ appointments.

Following Lucia, the petitioners in Carr v. Saul and Davis v. Saul sought judicial review of administrative decisions of the Social Security Administration (“SSA”), challenging in the district courts for the first time the constitutionality of SSA ALJ appointments. Carr v. Saul, 141 S. Ct. 1352, 1356–57 (2021). The district courts split on the question of whether petitioners had been required to raise their constitutional challenges during their administrative hearings in the first instance, but both the Eighth and Tenth Circuits agreed that the challenges had been forfeited. Id. at 1357. In its April 22, 2021 decision in these consolidated cases, the Supreme Court unanimously reversed, holding that the petitioners were not required to raise the appointments issue in SSA administrative proceedings, though the Justices were split in their reasoning. Id. at 1356.

The majority opinion held that the benefits claimants were not required to administratively exhaust the appointment issue, in the absence of any statutory or regulatory requirement, for three primary reasons. First, the Court had previously held that the SSA’s Appeals Council conducts proceedings that are more “inquisitorial” than “adversarial,” and that in the absence of “adversarial development of issues by the parties” before the agency tribunal, there was no basis for requiring a petitioner to raise all claims before the agency in order to preserve the issues for judicial review. Id. at 1358–59 (citing Sims v. Apfel, 530 U.S. 103, 112 (2000)). The Court applied the Sims rationale to SSA ALJs who, like the Appeals Council, conduct “informal, nonadversarial proceedings,” even though SSA ALJ proceedings may be considered “relatively more adversarial.” Id. at 1359–60. Second, as the Court has “often observed,” agency decision-makers “are generally ill suited to address structural constitutional challenges, which usually fall outside the adjudicators’ areas of technical expertise.” Id. at 1360. And third, the Court recognized that requiring issue exhaustion here would be futile as the agency adjudicators “are powerless to grant the relief requested.” Id. at 1361. The Court’s consolidated decision in Carr and Davis was dependent on features specific to the SSA’s review, so the question of whether issue exhaustion is required may be answered differently if it arises in future cases, either in the context of an agency with more adversarial administrative review procedures or if the constitutional challenge at issue is “[outside] the context of [the] Appointments Clause.” Id. at 1360 n.5.

In United States v. Arthrex, Inc., 141 S. Ct. 1970 (2021), the Court took up the question of whether administrative patent judges (“APJs”) in the Patent and Trademark Office (“PTO”) are “principal” or “inferior” officers under the Appointments Clause. (Readers should note that Gibson Dunn represented the private parties arguing alongside the government that APJs are inferior officers permissibly appointed by the Secretary of Commerce.) By a 5–4 vote, the majority held that the “unreviewable authority” of APJs to resolve inter partes review proceedings was incompatible with their appointment to an inferior office because “[o]nly an officer properly appointed to a principal office may issue a final decision binding the Executive Branch.” Id. at 1985.

In fashioning a remedy supported by seven Justices, the Court opted for a “tailored approach,” rather than striking down the entire inter partes review regime as unconstitutional. Id. at 1987. Specifically, the Court severed a provision of the statutory scheme that prevented the PTO Director from reviewing APJ decisions. Id. According to the Chief Justice, this remedy would align the Patent Trial and Appeal Board adjudication scheme with others in the Executive Branch and within the PTO itself. Id. In finding that the Constitutional violation is the restraint on the Director’s review authority rather than the APJs’ appointment by the Secretary, the Court found that the proper remedy was remand to the Director rather than to a new panel of APJs for rehearing. Id. at 1987–88.

The majority opinion drew opinions concurring and dissenting in part by Justice Gorsuch (objecting to the Court’s severability analysis) and Justice Breyer (joined by Justices Sotomayor and Kagan, agreeing with Justice Thomas’s analysis on the merits, but supporting the Court’s remedy), as well as a full dissent by Justice Thomas, who criticized the Court’s failure to take a clear position on whether APJs are inferior officers and whether their appointment complies with the Constitution. Id. at 1988–2011. He also disagreed with the Court’s modification of the statutory scheme because, in his view, APJs “are both formally and functionally inferior to the Director and to the Secretary,” and those officers already had sufficient control over APJs. Id. at 2011 (Thomas, J., dissenting).

III. Delaware Developments

**A. Court of Chancery Invalidates Poison Pill under Second Unocal Prong**

In February, the Court of Chancery in Williams Companies Stockholder Litigation, 2021 WL 754593 (Del. Ch. Feb. 26, 2021), enjoined a stockholder rights plan, also known as a “poison pill.” In March 2020, The Williams Companies, Inc. (“Williams”), a natural gas infrastructure company, adopted a stockholder rights plan after the company’s stock price declined substantially due to fallout from the COVID‑19 pandemic, which decreased demand and lowered prices in the global natural gas markets. Id. at *1. Williams adopted the plan in response to multiple perceived threats, including stockholder activism generally, concerns that activist investors may pursue disruptive, short-term agendas, and the potential for rapid and undetected accumulation of Williams stock (a “lightning strike”) by an opportunistic outside investor. Id. at *2.

The court employed the two-part Unocal standard of review to analyze whether (1) the Williams Board had a reasonable basis to implement a poison pill to respond to a legitimate threat, and (2) the reasonableness of the actual terms of the poison pill in relation to the threat posed. Id. at *22 (citing Unocal Corp. v. Mesa Petroleum Co., 493 A.2d 946 (Del. 1985)). Assuming for the sake of analysis that the “lightning strike” concern constituted a legitimate corporate objective, the court held that the plan’s terms were unreasonable. Id. at *33–34. The plan included a triggering ownership threshold of just 5%, compared to a typical market range of 10% to 15%. Id. at *35–36. It also contained an expansive definition of “beneficial ownership” that covered even synthetic interests, an expansive definition of “acting in concert” that covered any parallel conduct by multiple parties, and a relatively narrow definition of the term “passive investor,” which limited the number of investors exempt from the plan’s provisions. Id. at *35. The court concluded that the combined impact of these terms went well beyond that of comparable rights plans and could impermissibly stifle legitimate stockholder activity. Id. at *35–40. Notably, the court looked beyond the stated rationales listed in board resolutions, board minutes, and company disclosures, and instead sought to determine the actual intent of the directors based on testimony and other evidence. Id. The ruling offers an important reminder that rights plans have limits and that the Court of Chancery will not hesitate to assess a board’s subjective basis for implementing a rights plan and its specific terms.

B. Court of Chancery Rejects Claim that Pandemic Constituted a Materially Adverse Effect

In April, the Court of Chancery in Snow Phipps Group, LLC v. KCake Acquisition, Inc., 2021 WL 1714202 (Del Ch. Apr. 30, 2021), rejected a claim that the COVID‑19 pandemic constituted a material adverse effect (“MAE”) under the agreement at issue. There, a private equity firm buyer signed a $550 million agreement with Snow Phillips to purchase DecoPac, a company that supplies cake decorations and equipment to grocery stores. Id. at *1, *9–10. The deal coincided with the early months of the COVID-19 pandemic, which caused a significant decline in DecoPac’s sales. Id. at *1–2. The buyer subsequently attempted to terminate the agreement when it was unable to secure financing based on the target’s revised sales projections. Id. at *24–25.

In the ensuing litigation, the buyer alleged that DecoPac breached a representation that no change or development had, or “would reasonably be expected to have,” an MAE on DecoPac’s finances. Id. at *10. The court rejected this argument, observing—consistent with Delaware precedent—that the existence of an MAE must be judged in terms of DecoPac’s long-term financial prospects (measured in “years rather than months”). Id. at *30. Further, the court noted that the reduction in sales fell within a carve-out from the MAE representation, namely, effects arising from changes in laws or governmental orders. Id. at *35. The decision is notable not just for reaffirming the difficulty of invoking MAE clauses, but also for its broad discussion of how MAE clause carve-outs might negate the occurrence of an existing MAE.

C. Bellwether SPAC Litigation Remains in Initial Stages

In June, the defendants in In re MultiPlan Corp. Stockholders Litigation, Cons. C.A. No. 2021-0300-LWW, filed their motion to dismiss a closely watched consolidated class action filed by the stockholders of MultiPlan, a provider of cost management technology services to insurance agencies. MultiPlan was partially acquired in October 2020 via a reverse merger with a Special Purpose Acquisition Company (“SPAC”), Churchill Capital Corp. III. Most notably, the complaint contends that SPAC structures create inherent conflicts, alleging that MultiPlan’s business prospects have weakened and its stock price has decreased approximately 30% since the acquisition, but the personal investments of individuals managing the SPAC entity have increased materially. The plaintiff stockholders accuse the SPAC, its sponsor, and other directors of issuing misleading and deficient disclosures and of grossly mispricing the transaction.

Although some commentators have characterized the case as a bellwether and the claims asserted as novel, the defendants’ motion to dismiss tracks familiar arguments for attacking complaints concerning merger transactions at the pleading stage. For example, the defendants characterize the claims as derivative and urge dismissal for failure to make a demand. The defendants alternatively assert that, if the claims are direct, they are subject to the business judgment rule and warrant dismissal. More notably, the defendants contend that claims regarding plaintiffs’ redemption rights cannot proceed as fiduciary duty claims because they arise solely from contract. A decision on the pending MultiPlan motion to dismiss may have significant implications for the very active SPAC market, as the Court of Chancery weighs in on the efficacy of these entities and any implications their structure may have for deal disclosures.

D. Court of Chancery Determines CEO Breached Fiduciary Duty and Financial Advisor Aided and Abetted That Breach in Course of Executing a Merger

In Firefighters’ Pension System of the City of Kansas City, Missouri Trust v. Presidio, Inc., 2021 WL 298141 (Del. Ch. Jan. 29, 2021), the Court of Chancery denied motions to dismiss by Presidio’s CEO for allegedly breaching his fiduciary duty and Presidio’s financial advisor for allegedly aiding and abetting that breach, but dismissed claims against the controlling stockholder and other board members. The class action suit challenged a merger of Presidio, a controlled company, with an unaffiliated third party. The court held that a number of actions the CEO allegedly took, if credited, would yield an unreasonable sales process under Revlon. Id. at 267–68. For example, the court credited allegations that the CEO inappropriately steered the bidding process in favor of a private equity buyer that was more eager to retain existing management and simultaneously downplayed to the board of directors the interests of a strategic bidder. Although the strategic bidder allegedly had the capability to pay a higher price as a result of the synergies, it was more likely to replace the CEO. Id. at 267. The court also credited allegations that Presidio’s financial advisor had tipped the potential private equity buyer to confidential information that enabled it to structure its proposed terms into the ultimately bid-winning offer. Id. Presidio has the potential to serve as informative precedent for transactions entailing potential post-close employment opportunities for executives who guide the company’s sale process.

E. Appraisal Litigation Continues Its Steady Decline

The frequency of appraisal litigation continues to decline, with just four appraisal actions filed in the Delaware Court of Chancery in the first half of 2021, compared to the 13 actions filed in the first half of 2020. Going forward, we expect to see appraisal actions concentrated to a subset of deals involving alleged conflicts, process issues, or a limited market check.

Recent appraisal actions that have proceeded continue to reinforce the rulings in DFC Global Corp. v. Muirfield Value Partners, L.P., 172 A.3d 346 (Del. 2017) and Dell, Inc. v. Magnetar Global Event Driven Master Fund Ltd., 177 A.3d 1 (Del. 2017): objective market evidence—including deal price (potentially less synergies) and unaffected market price—generally provides the best indication of a company’s fair value. In In re Appraisal of Regal Entertainment Group, 2021 WL 1916364 (Del. Ch. May 13, 2021), for example, the Court of Chancery awarded a relatively modest 2.6% increase over the original merger price. The court held that the best evidence of the target’s fair value was the deal price, adjusted for post-signing value increases. Id. at *58. The court rejected arguments that Regal’s stock price was the best indicator of fair value, finding that “the sale process that led to the Merger Agreement was sufficiently reliable to make it probable that the deal price establishes a ceiling for the determination of fair value.” Id. at *34.

In the absence of reliable market-based indicators, the Court of Chancery has demonstrated a willingness to fall back on potentially more subjective valuation techniques, including discounted cash flow and comparable company analyses. In January 2021, the Delaware Supreme Court affirmed a Court of Chancery decision awarding a 12% premium on the merger price based solely on a discounted cash flow (“DCF”) valuation. SourceHOV Holdings, Inc. v. Manichaean Capital, LLC, 246 A.3d 139 (Del. 2021). The Court of Chancery’s exclusive use of the petitioner’s DCF valuation was premised on the Respondent’s failure to prove a fair value for the transaction, with the court noting it was “struck by the fact that [Respondent] disagreed with its own valuation expert, relied on witnesses whose credibility was impeached and employed a novel approach to calculate SourceHOV’s equity beta that is not supported by the record evidence. In a word, Respondent’s proffer of fair value is incredible.” Manichaean Capital, LLC v. SourceHOV Holdings, Inc., 2020 WL 496606, at *2 (Del. Ch. Jan. 30, 2020).

IV. Further Development of Disseminator Liability Theory Upheld in Lorenzo

As we initially discussed in our 2019 Mid-Year Securities Litigation Update, in March 2019, the Supreme Court held in Lorenzo v. SEC, 139 S. Ct. 1094 (2019), that those who disseminate false or misleading information to the investing public with the intent to defraud can be liable under Section 17(a)(1) of the Securities Act and Exchange Act, Rules 10b-5(a) and 10b-5(c), even if the disseminator did not “make” the statement within the meaning of Rule 10b-5(b). In practice, Lorenzo creates the possibility that secondary actors—such as financial advisors and lawyers—could face liability under Rules 10b-5(a) and 10b-5(c) (known as the “scheme liability provisions”) simply for disseminating the alleged misstatement of another, if a plaintiff can show that the secondary actor knew the alleged misstatement contained false or misleading information.

In 2021, courts have continued to grapple with Lorenzo’s application, particularly “whether Lorenzo’s language can be read to stretch scheme liability to cases in which plaintiffs are specifically alleging that the defendant did ‘make’ misleading statements (or omissions) as prohibited in Rule 10b5-(b),” or if “Lorenzo merely extends scheme liability to those who ‘disseminate false or misleading statements’ but that it does not hold that ‘misstatements [or omissions] alone are sufficient to trigger scheme liability’” absent additional conduct. Puddu v. 6D Global Techs., Inc., 2021 WL 1198566, at *10 (S.D.N.Y. Mar. 30, 2021) (quoting SEC v. Rio Tinto PLC, 2021 WL 818745, at *2 (S.D.N.Y. Mar. 3, 2021)) (summarizing the divergent views of various district courts).

In June, the Ninth Circuit, in In re Alphabet, Inc. Securities Litigation, 1 F.4th 687 (9th Cir. 2021) (“Alphabet”), signaled its support for the view that disseminator liability does not require “conduct other than misstatements.” Alphabet involved allegations that executives at Google and its holding company, Alphabet, were aware of security vulnerabilities on the Google+ social network. Id. at 693–97. Plaintiffs brought a claim against Alphabet under Rule 10b-5(b), in addition to scheme liability claims under Rule 10b-5(a) and (c), alleging a scheme to defraud shareholders by withholding material and damaging information about the security vulnerabilities from Alphabet’s quarterly filings. See id. at 698. The district court granted Alphabet’s motion to dismiss in full, finding that plaintiffs had failed to adequately allege a misrepresentation or omission of a material fact and failed to adequately allege scienter for the purposes of their Rule 10b-5 claims. Id.

On appeal, the Ninth Circuit reversed in part, holding that that the trial court erred by dismissing the claims under Rule 10b-5(a) and (c) because defendants had not specifically moved to dismiss those claims but instead moved to dismiss only on the basis of Rule 10b-5(b) and Rule 10b-5 generally. Id. at 709. Notably, the panel also disagreed with Alphabet’s “argument that Rule 10b-5(a) and (c) claims cannot overlap with Rule 10b-5(b) statement liability claims” because such an argument “is foreclosed by Lorenzo, which rejected the petitioner’s argument that Rule 10b-5(a) and (c) ‘concern “scheme liability claims” and are violated only when conduct other than misstatements is involved.’” Id. (quoting Lorenzo, 139 S. Ct. at 1101–02).

At the same time, district courts within the Second Circuit are considering the breadth of Lorenzo. See In re Teva Sec. Litig., 2021 WL 1197805, at *5 (D. Conn. Mar. 30, 2021) (summarizing the divergent views). As the Teva court explained, “[s]ome district courts in this circuit apparently agree with the” view that Lorenzo “abrogated the rule that ‘scheme liability depends on conduct that is distinct from an alleged misstatement,’” “[b]ut other district courts cabin Lorenzo and read it more restrictively” to only hold that “‘those who disseminate false or misleading statements to potential investors with the intent to defraud can be liable under [Rule 10b-5(a) and (c)], not that misstatements alone are sufficient to trigger scheme liability.’” Id. (quoting Rio Tinto PLC, 2021 WL 818745, at *2–3).

The Second Circuit itself has not yet squarely addressed the scope of Lorenzo. However, earlier this year, the district court in SEC v. Rio Tinto PLC, 2021 WL 1893165 (S.D.N.Y. May 11, 2021), certified an interlocutory appeal to the Second Circuit, following its dismissal of scheme liability claims where the SEC failed to “allege that Defendants disseminated [the] false information, only that they failed to prevent misleading statements from being disseminated by others.” At the time of this update, the Second Circuit had not ruled on whether it will hear the appeal. Gibson Dunn represents Rio Tinto in this and other litigation.

As these developments suggest, the application of the Lorenzo disseminator liability theory continues to evolve among and within the circuits. We will continue to monitor closely the changing applications of Lorenzo and provide a further update in our 2021 Year-End Securities Litigation Update.

Although the stock market has largely stabilized since COVID-19 first impacted the United States in 2020, courts are still feeling the effects of the economic disruption and attendant securities litigation arising out of the pandemic. While the first series of COVID-19 securities lawsuits focused on select industries, such as travel and healthcare, plaintiffs eventually set their sights on other industries. We surveyed a select number of these cases in our 2020 Year-End Securities Litigation Update.

Since then, there have been several dismissals of COVID-19-related securities cases, including dismissals of some of the earliest cases brought in March 2020 concerning the travel industry. Nevertheless, lawsuits for misstatements regarding safety and risk disclosures are still being brought, and now that the “Delta” variant has spread throughout the United States, such lawsuits may continue for the foreseeable future.

Although it is too soon to tell whether the midpoint of COVID-19 securities litigation has passed, we will continue to monitor developments in this area. Additional resources regarding the legal impact of COVID-19 can be found in the Gibson Dunn Coronavirus (COVID-19) Resource Center.

A. Securities Class Actions

1. False Claims Concerning Commitment to Safety

Douglas v. Norwegian Cruise Lines, No. 20-cv-21107, 2021 WL 1378296 (S.D. Fla. Apr. 12, 2021): As we discussed in our 2020 Mid-Year Securities Litigation Update, the COVID-19 pandemic birthed an entire category of class action lawsuits concerning service companies’ commitments to safety, including a proposed class action lawsuit against Norwegian Cruise Lines. In April 2021, Judge Robert Scola, Jr. dismissed the lawsuit, which had originally alleged that Norwegian violated securities laws by minimizing the impact of the COVID-19 outbreak on its operations and failing to disclose allegedly deceptive sales practices that downplayed COVID-19. Id. at *2–3. Judge Scola, Jr. concluded that “[a]ll the challenged statements constitute corporate puffery” such that no reasonable investor would have relied on them. Id. at *4.

In re Carnival Corp. Securities Litigation, No. 20-cv-22202, 2021 WL 2583113 (S.D. Fla. May 28, 2021): Similarly, in May 2021, a year after plaintiffs filed the complaint, Judge K. Michael Moore dismissed a putative class action against Carnival that alleged that Carnival misrepresented the effectiveness of its health and safety protocols during the COVID-19 outbreak. Id. at *1–3. The court held that the plaintiffs-investors had failed to show that Carnival’s “statements affirming compliance with then-existing regulatory requirements [were] materially false or misleading” because the plaintiffs’ argument relied on the inference that “passengers would ultimately fall ill aboard Carnival’s ships—just as people did in other venues across the globe.” Id. at *15. Accordingly, the court found the inference was “too tenuous to meet the heightened pleading standard applicable in the securities fraud context.” Id.

2. Failure to Disclose Specific Risks

Plymouth Cnty. Retirement Assoc. v. Array Techs., Inc., No. 21-cv-04390 (S.D.N.Y. May 14, 2021): Plaintiffs allege that Array, a solar panel manufacturer, along with several of its directors and underwriters, failed to disclose that “unprecedented” increases in steel and shipping costs negatively impacted the company’s quarterly results until the company’s CFO revealed the results in a conference call. Dkt. No. 1 at ¶¶ 10–42, 113–15. Upon the release of this news, Array’s stock price fell by $11.49 to close at $13.46. Id. at ¶ 118. Array had previously issued warnings on the “global shipping constraints due to COVID-19” but allegedly failed to disclose the impact of dramatically increasing supply prices and increasing freight costs. Id. at ¶¶ 103, 112. This case was later consolidated with Keippel v. Array Technologies, Inc., 21-cv-5658 (S.D.N.Y. June 30, 2021). Dkt. No. 61 at 1. The case remains pending.

Denny v. Canaan Inc., No. 21-cv-03299 (S.D.N.Y. Apr. 15, 2021): A shareholder of Canaan, a company that manufactures and sells Bitcoin mining machines, alleged that the company misleadingly issued positive statements about strong demand for bitcoin mining machines without disclosing how “ongoing supply chain disruptions” and the introduction of its latest machines had “cannibalized sales of [its] older product offerings,” which caused sales to decline. Dkt No. 1 at ¶ 4. Purportedly, Canaan did not reveal these issues until a conference call to discuss fourth quarter earnings, after which Canaan’s American Depository Receipts, which are a type of securities, declined by nearly 30%. Id. at ¶¶ 27–28.

3. Alleged Insider Trading and “Pump and Dump” Schemes

Tang v. Eastman Kodak Co., No. 20-cv-10462 (D.N.J. Aug. 13, 2020): In our 2020 Year-End Securities Litigation Update, we previously discussed this putative class action, in which stockholders contended Eastman Kodak violated securities law by failing to disclose that its officers were granted stock options prior to the company’s public announcement that it had received a loan to produce drugs for the treatment of COVID-19. Dkt. No. 1 at 2. On May 28, the New Jersey federal judge transferred the case to the Western District of New York, where the alleged misconduct occurred. Dkt. No. 62 at 1. In parallel, New York Attorney General Leticia James commenced an action under Section 34 of General Business Law to seek evidence of insider trading from Kodak. NYSCEF No. 451652/2021, Dkt. No. 1 at 1. On June 15, the court ordered Kodak’s executives to publicly testify. Dkt. No. 9 at 2.

B. Stockholder Derivative Actions

1. Disclosure Liability

Berndt v. Kelly, No. 21-cv-50422 (W.D. Wash. June 4, 2021): In this derivative suit, plaintiff alleges that CytoDyn Inc., which is developing a drug with potential benefits for HIV patients, misleadingly touted the drug as a potential COVID-19 treatment, resulting in a significant increase in the company’s stock price. Dkt. No. 1 at ¶¶ 2–4. “[W]hile the [c]ompany’s stock price was sufficiently inflated with the COVID-19 cure hype,” the complaint alleges, a close circle of long-term shareholders “dumped millions of shares.” Id. at ¶ 6. Following the alleged cash-out of company shares, the price of CytoDyn “dropped precipitously” after it was revealed that the COVID-19 treatment was not commercially viable. Id. at ¶ 8. The suit includes claims for breach of fiduciary duty, waste of corporate assets, unjust enrichment, and violations of the Exchange Act. Id. at ¶¶ 78–98.

Golubinski v. Douglas, No. 2021-0172 (Del. Ch. Apr. 20, 2021): An investor of Novavax Inc. derivatively sued the company’s directors and certain officers, claiming that they granted themselves a series of lucrative equity awards in 2020 with the knowledge that Novavax’s stock was going to increase nearly 700% based on promising COVID-19 vaccine news. Dkt. 1 at ¶¶ 5–13. The investor alleges that “management exploited its relationships with regulators and influential players in the vaccine community to both secure funding and position itself to receive even more funding for COVID-19 research prior to granting spring-loaded awards to [c]ompany insiders.” Id. at ¶ 15. The stock granted to executives in April and June 2020 allegedly rose in value within a few months, after the news became public that the company would be getting billions in funding through Operation Warp Speed, the U.S. government’s COVID-19 vaccine initiative. Id. at ¶¶ 9–13. The derivative suit seeks, among other things, to have the stock awards rescinded. Id. at ¶ 16.

2. Oversight Liability

Bhandari v. Carty, No. 2021-0090 (Del. Ch. Feb. 5, 2021): Two stockholders of YRC Worldwide, Inc. sued the company’s directors, claiming that they oversaw a fraudulent scheme to overcharge customers for freight cargo, and then sought a $700 million government bailout purportedly justified by fraudulent concerns relating to COVID-19. Dkt. 1 at ¶¶ 3–15. The bailout, which plaintiffs allege “made the company one of the largest recipients of taxpayer money meant to support businesses and workers struggling amid the coronavirus,” has now “come under scrutiny from” Congress, which is investigating whether it “was really worthy of a rescue,” according to the complaint. Id. at ¶ 15. Plaintiffs allege that the board “could and should have quickly and responsibly taken action to correct management’s wrongdoing,” but failed to do so. Id. at ¶ 5.

3. Insider Trading

Lincolnshire Police Pension Fund v. Kramer, No. 21-cv-01595 (D. Md. June 29, 2021): Plaintiff sued directors of Emergent BioSolutions Inc. derivatively for claims that the board members allegedly sold a combined $20 million of personally held Emergent shares “on the basis of the nonpublic information about the problems at the Bayview Facility,” where the company was working on a COVID-19 vaccine for Johnson and Johnson. Dkt. 1 at ¶¶ 9, 15–26, 89, 101. The fund claims that the directors allegedly “used their knowledge of Emergent’s material, nonpublic information to sell their personal holdings while the Company’s stock was artificially inflated.” Id. at ¶ 89. Specifically, the allegations are that the directors were supposedly aware of Bayview’s history of internal control failures and inability to handle the “massive and critical work required to manufacture [the COVID-19] vaccines.” Id. at ¶ 3.

In Delaware, another Emergent stockholder brought a Section 220 action against Emergent to enforce his statutory right to inspect the company’s books and records. See Elton v. Emergent BioSolutions, Inc., No. 2021-0426 (Del. Ch. May 21, 2021). There, too, the stockholder alleged that there was a “credible basis to infer the Company’s fiduciaries sold Company stock while in possession of material, non-public information” relating to Emergent’s alleged “regulatory, compliance, and manufacturing failures.” Dkt. 1 at ¶ 3.

C. SEC Cases

SEC v. Arrayit Corp., No. 21-cv-01053 (N.D. Cal. Feb. 11, 2021): As we discussed in our 2020 Year-End Securities Litigation Update, the SEC charged Mark Schena, the President of Arrayit Corporation, a healthcare technology company, for “making false and misleading statements about the status of Arrayit’s delinquent financial reports.” SEC v. Schena, No. 20-cv-06717 (N.D. Cal. Sept. 25, 2020), Dkt. No. 1 at ¶ 1. That case was stayed, pending the resolution of a criminal case against Mr. Schena. Dkt. 23. Since then, the SEC has brought a separate case against Arrayit itself, as well as Mark Schena’s wife, who served as Arrayit’s CEO, CFO, and chairman for over a decade. No. 5:21-cv-01053, Dkt. No. 1 at ¶¶ 1, 11. The new claims brought under Sections 10(b) and 13(a) mirror those in the prior action against Mr. Schena, namely that the defendants allegedly misrepresented the company’s capability to develop COVID-19 tests. Id. at ¶ 1. The parties settled on a neither-admit-nor-deny basis, with Ms. Schena also agreeing to a $50,000 penalty. Dkt. No. 11 at 1–3; Dkt No. 12 at 2.

SEC v. Parallax Health Sciences, Inc., No. 21-cv-05812 (S.D.N.Y. July 7, 2021): This enforcement action, brought under Section 17(a)(1)(3) of the Securities Act and Section 10(b) of the Exchange Act, resulted from a series of seven press releases issued by Parallax, a healthcare company, about its ability to capitalize on the COVID-19 pandemic. Dkt. No. 1 at ¶¶ 1, 4. The SEC’s complaint alleges that Parallax falsely claimed that its COVID-19 screening test would be “available soon” despite the company’s insolvency and the company’s own internal projections showing that, even if it had the funds, other factors prevented the company from acquiring the needed equipment. Id. at ¶¶ 1–2. Parallax, its CEO, and CTO settled with the SEC on a neither-admit-nor-deny basis, and agreed to penalties of $100,000, $45,000, and $40,000, respectively. Dkt. No. 4 at 1, 4.

SEC v. Wellness Matrix Grp., Inc., No. 21-cv-1031 (C.D. Cal. June 11, 2021): The SEC charged Wellness Matrix, a wellness company, and its controlling shareholder for allegedly misleading investors about the availability and approval status of its at-home COVID-19 testing kits and disinfectants in violation of Section 10(b) and Rule 10b-5. Dkt. No. 1 at ¶¶ 6–7, 9. The SEC alleges that the company’s claims were false and, to the contrary, defendants knew its distributor was unable to fulfill the order and the products were neither FDA- nor EPA-approved. Id. at ¶¶ 44–48. The SEC had suspended trading in Wellness Matrix’s securities approximately two months before bringing the action. Id. at ¶ 68.

VI. Falsity of Opinions – Omnicare Update

As we discussed in our prior securities litigation updates, lower courts continue to examine the standard for imposing liability based on a false opinion as set forth by the Supreme Court in Omnicare, Inc. v. Laborers District Council Construction Industry Pension Fund, 575 U.S. 175 (2015). In Omnicare, the Supreme Court held that “a sincere statement of pure opinion is not an ‘untrue statement of material fact,’ regardless whether an investor can ultimately prove the belief wrong,” but that an opinion statement can form the basis for liability in three different situations: (1) the speaker did not actually hold the belief professed; (2) the opinion contained embedded statements of untrue facts; or (3) the speaker omitted information whose omission made the statement misleading to a reasonable investor. Id. at 184–89.

In 2021, federal courts have continued to grapple with whether Omnicare—which was decided in the context of a Section 11 claim—applies to claims brought under the Exchange Act. In April, the Ninth Circuit extended the Omnicare standard to claims brought under Exchange Act Section 14(a) and Rule 14a-9. Golub v. Gigamon Inc., 994 F.3d 1102, 1107 (9th Cir. 2021). The court reasoned that such claims contain a “virtually identical limitation on liability” to claims under Section 11 and Rule 10b-5, to which the Ninth Circuit held Omnicare applies. Id.; see also City of Dearborn Heights Act 345 Police & Fire Ret. Sys. v. Align Tech., Inc., 856 F.3d 605 (9th Cir. 2017).

Two additional cases addressing Omnicare’s application to the Exchange Act came down in the District of New Jersey, with one of them ultimately deciding to apply the Omnicare standard for falsity to claims brought under Section 10(b) and Rule 10b-5. Ortiz v. Canopy Growth Corp., No. 2:19-cv-20543, 2021 WL 1967714 (D.N.J. May 17, 2021). Recognizing the majority view outside the Third Circuit that Omnicare applies to such claims, the court in Ortiz “s[aw] no reason to apply a different rule.” Id. at *33. However, after finding that the alleged statements were actionable under Omnicare, the court still dismissed the complaint for failure to plead scienter. Id. at *44. While plaintiffs adequately pled that defendants did not believe certain statements when they were made and misleadingly omitted certain material facts, plaintiffs could not overcome the PLSRA’s high bar for scienter. Id. at *38–39. The court found that plaintiffs failed to plead facts to support a “strong inference” of scienter because, based on several factors, another more “innocent explanation” was plausible. Id. at *42–43. In another case, a District of New Jersey court found evaluation of Omnicare unnecessary for the same reason: Plaintiffs did not plead facts to “support a ‘strong inference’ of scienter.” In re Amarin Corp. PLC Sec. Litig., No. 3:19-cv-06601, 2021 WL 1171669 at *19 (D.N.J. Mar. 29, 2021). These cases suggest Omnicare may rarely be outcome-determinative for Section 10(b) and Rule 10b-5 claims because opinions that may be actionable under Omnicare may often lack an “intent to deceive, manipulate, or defraud,” as required to demonstrate scienter. See Ortiz, 2021 WL 1967714, at *10.

Omnicare has remained a significant pleading barrier in the first half of 2021. In Salim v. Mobile Telesystems PJSC, No. 19-cv-1589, 2021 WL 796088 (E.D.N.Y. Mar. 1, 2021), the Eastern District of New York held that a statement about potential liability resulting from investigations into alleged FCPA violations “would have necessarily been a statement of opinion until the company could give a reasonable estimate of its potential losses.” Because plaintiff failed to allege sufficient facts to show that defendant did not actually believe what it stated, the court granted defendants’ motion to dismiss. Id. at *8–9. Similarly, in City of Miami Fire Fighters’ and Police Officers’ Retirement Trust v. CVS Health Corp., the District of Rhode Island held that reported results of goodwill assessments conducted under Generally Accepted Accounting Principles are opinion statements that must be assessed under Omnicare because “[e]stimates of goodwill depend on management’s determination of the fair value of the assets acquired and liabilities assumed, which are not matters of objective fact.” No. 19-437-MSM-PAS, 2021 WL 515121, at *9 (D.R.I. Feb. 11, 2021). In granting defendants’ motion to dismiss, the court found allegations “amount[ing] to a retrospective disagreement with [defendant’s] judgment” inadequate “without sufficient facts to undermine the assumptions [defendant] used when it made its goodwill assessments.” Id. at *10.

Other recent district court decisions illustrate the narrow situations in which plaintiffs have overcome Omnicare’s high bar. For instance, in Howard v. Arconic Inc., defendants argued that aluminum manufacturer Arconic’s statement that it “believes it has adopted appropriate risk management and compliance programs to address and reduce” certain risks was a non-actionable opinion under Omnicare. No. 2:17-cv-1057, 2021 WL 2561895, at *7 (W.D. Pa. June 23, 2021). The court disagreed, holding that the statement “conveyed to investors that there was a reasonable basis for [defendants’] belief about the adequacy of the compliance/risk management programs,” but facts regarding Arconic’s practice of selling hazardous products “call[ed] into question the reasonableness of that belief.” Id.

Finally, in SEC v. Bluepoint Investment Counsel, LLC, the SEC claimed that the investment-advisor defendants had defrauded investors by reporting misleading and unreasonable valuations of fund assets in order to charge excessive management and other fees. No. 19-cv-809, 2021 WL 719647, at *1 (W.D. Wis. Feb. 24, 2021). The court held that the statements were actionable, consistent with Omnicare, because “the SEC has alleged specific facts which, taken as true, involve valuations containing embedded statements of fact that were untrue.” Id. at *17. Specifically, defendants had stated that the valuations would be “based on underlying market driven events,” but the SEC alleged that the appraisal process was far less thorough. Id. This method, the court reasoned, “reflects the kind of ‘baseless, off-the-cuff judgment[]’ that an investor reasonably would not expect in the context of a third-party appraisal that is then relied upon in an investor fund’s financial statements.” Id.

As shareholder litigation arising from the economic impact of COVID-19 continues, including a handful of cases targeting vaccine development and efficacy, Omnicare will likely play a significant role. See Complaint for Violations of the Federal Securities Law, In re AstraZeneca PLC Sec. Litig., No. 1:21-cv-00722 (S.D.N.Y. Jan. 26, 2021) (containing various allegations based on statements or omissions relating to clinical trials for the COVID-19 vaccine). Disclosures and accounting estimates impacted by the rapidly evolving circumstances presented by the pandemic, and other statements and estimates involving interpretation of complex scientific data, are at the heart of Omnicare analysis. We will continue to monitor developments in these and similar cases.

VII. Halliburton II Market Efficiency and “Price Impact” Cases

As previewed in our last two updates, and discussed above in our Supreme Court roundup, the Supreme Court issued its decision in Goldman Sachs Group, Inc. v. Arkansas Teacher Retirement System on June 21. 141 S. Ct. 1951 (2021) (“Goldman Sachs”). Practitioners now have confirmation from the Supreme Court that courts must consider the generic nature of allegedly fraudulent statements at the class certification stage when necessary to determine whether the statements impacted the issuer’s stock price, even though that analysis will often overlap with the merits issue of materiality. See id. at 1960–61. The Court also resolved the question of which party bears what burden when defendants offer evidence of a lack of price impact to rebut the presumption of reliance, placing the burdens of both production and persuasion on defendants. See id. at 1962–63.

Recall that in Halliburton Co. v. Erica P. John Fund, Inc., 573 U.S. 258 (2014) (“Halliburton II”), the Supreme Court preserved the “fraud-on-the-market” presumption of class-wide reliance in Rule 10b-5 cases, but also permitted defendants to rebut this presumption at the class certification stage with evidence that the alleged misrepresentation did not impact the issuer’s stock price. Since that decision, as we have detailed in these updates, lower courts have struggled with several recurring questions, including: (1) how to reconcile Halliburton II with Erica P. John Fund, Inc. v. Halliburton Co., 563 U.S. 804 (2011) (“Halliburton I”) and Amgen Inc. v. Connecticut Retirement Plans and Trust Funds, 568 U.S. 455 (2013), in which the Court held that loss causation and materiality, respectively, were not class certification issues, but instead should be addressed at the merits stage; (2) who bears what burden when defendants present evidence of a lack of price impact; and (3) what evidence is sufficient to rebut the presumption. The Court has now resolved the first two questions in Goldman Sachs.

In its most recent decision, the Second Circuit held that the generic nature of Goldman Sachs’s allegedly fraudulent statements was irrelevant at the class-certification stage and instead should be litigated at trial, and that defendants bore both the burden of production and persuasion in rebutting the presumption of reliance. Ark. Tchr. Ret. Sys. v. Goldman Sachs Grp., Inc., 955 F.3d 254, 265–74 (2d Cir. 2020). As detailed above, the Supreme Court disagreed with the first holding but agreed with the second. Because it was unclear whether the Second Circuit properly considered Goldman Sachs’s price impact evidence, the Court remanded for further consideration. Goldman Sachs, 141 S. Ct. at 1961. The Court also confirmed that the Second Circuit allocated the parties’ burdens correctly, because the defendant “bear[s] the burden of persuasion to prove a lack of price impact by a preponderance of the evidence,” including at the class-certification stage. Id. at 1958. The Court clarified that its opinions had already placed that burden on defendants—although “the allocation of burden is unlikely to make much difference on the ground,” and will “have bite only when the court finds the evidence in equipoise.” Id. at 1963.

Most importantly, an eight-justice majority made clear that even when the question of price impact overlaps with merits questions, all relevant evidence on price impact must be considered at the class certification stage. Goldman Sachs, 141 S. Ct. at 1960–61 (citing Halliburton II, Comcast Corp. v. Behrend, 569 U.S. 27 (2013), and Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338 (2011)). This is the case even though “materiality and price impact are overlapping concepts” and “evidence relevant to one will almost always be relevant to the other.” Id. at 1961 n.2. In other words, the Supreme Court has now confirmed that Halliburton I, Amgen, and Halliburton II are consistent because plaintiffs do not need to prove materiality and loss causation to invoke the presumption of reliance, but defendants can use price impact evidence—including evidence of immateriality or a lack of loss causation—to defeat the presumption of reliance at the class certification stage.

Despite its relevance to the case, the Court declined to offer a view on the validity of the inflation-maintenance theory, under which plaintiffs frequently argue that price movements associated with negative news can be attributed to earlier, challenged statements. See id. at 1959 n.1. However, the Court underscored that the connection between a statement and a corrective disclosure is particularly important in inflation-maintenance cases. Id. at 1961. As the Court noted, the inference that a subsequent price drop proves there was previous inflation “starts to break down when there is a mismatch between the contents of the misrepresentation and the corrective disclosure,” which can occur “when the earlier misrepresentation is generic . . . and the later corrective disclosure is specific.” Id.

The Second Circuit has now remanded to the district court to examine all relevant evidence of price impact in the first instance. Arkansas Tchr. Ret. Sys. v. Goldman Sachs Grp., Inc., No. 18-3667, 2021 WL 3776297, at *1 (2d Cir. Aug. 26, 2021). We will continue to monitor this and related cases.

VIII. Other Notable Developments

A. Morrison Domestic Transaction Test

The circuit split concerning the application of the domestic transaction test from Morrison v. National Australia Bank Ltd., 561 U.S. 247 (2010), has widened in the first half of this year. In Morrison, the Supreme Court held that the Exchange Act only applied to “transactions in securities listed on domestic exchanges, and domestic transactions in other securities.” Id. at 267. This holding was premised on “the focus of the Exchange Act,” which is “not upon the place where the deception originated, but upon purchases and sales of securities in the United States.” Id. at 266. Thereafter, courts have held that a security that is not traded on a domestic exchange satisfies the second prong of Morrison, “if irrevocable liability is incurred or title passes within the United States.” Absolute Activist Value Master Fund Ltd. v. Ficeto, 677 F.3d 60, 67 (2d Cir. 2012).

This January, in Cavello Bay Reinsurance Ltd. v. Shubin Stein, 986 F.3d 161 (2d Cir. 2021), the Second Circuit reaffirmed its prior holding in Parkcentral Global Hub Ltd. v. Porsche Automobile Holdings SE, 763 F.3d 198 (2d Cir. 2014), that the traditional “irrevocable liability” test is necessary, but not sufficient to bring a claim under the Exchange Act. Instead, a plaintiff must additionally show that the transaction was not “‘so predominantly foreign’ as to be impermissibly extraterritorial.” Cavello Bay, 986 F.3d at 165 (citing Parkcentral, 763 F.3d at 216). The Second Circuit considered that this test “uses Morrison’s focus on the transaction rather than surrounding circumstances, and flexibly considers whether a claim—in view of the security and the transaction as structured—is still predominantly foreign.” Id. at 166–67. Under this framework, the court affirmed the dismissal of an action based on “a private offering between a Bermudan investor . . . and a Bermudan issuer” because it was predominantly foreign, even though the fact that the contract was countersigned in the United States may have been sufficient to incur irrevocable liability in the United States. Id. at 167–68.

On the other hand, in its first application of Morrison, the First Circuit, “[l]ike the Ninth Circuit . . . reject[ed] Parkcentral as inconsistent with Morrison.” Sec. & Exch. Comm’n v. Morrone, 997 F.3d 52, 60 (1st Cir. 2021). Because “Morrison says that § 10(b)’s focus is on transactions,” the court found that “[t]he existence of a domestic transaction suffices to apply the federal securities laws under Morrison” and “[n]o further inquiry is required.” Id.

B. Eighth Circuit Strikes Class Allegations under Rule 12(f)

In Donelson v. Ameriprise Financial Services, Inc., 999 F.3d 1080 (8th Cir. 2021), the Eighth Circuit struck class allegations pursuant to Rule 12(f) of the Federal Rules of Civil Procedure, which permits a court to strike from a pleading “any insufficient defense or any redundant, immaterial, impertinent, or scandalous matter.” Id. at 1091 (quoting Fed. R. Civ. P. 12(f)). The court “agree[d] with the Sixth Circuit that a district court may grant a motion to strike class-action allegations prior to the filing of a motion for class-action certification” when certification is a “clear impossibility,” noting that other federal courts have reached the conclusion that this was not permissible. Id. at 1092.

Donelson concerned an investor’s claims, including under Section 10(b) of the Securities Exchange Act, against a broker and investment advisor for mishandling and making misrepresentations about his investment account. Id. at 1086. The plaintiff sought to bring claims on behalf of a class of individuals who had allegedly suffered similar harms. While the agreement governing the plaintiff’s account contained a mandatory arbitration clause, there was an exception for “putative or certified class actions.” Id. The court found that the class allegations should be stricken because they were not “cohesive” and would require “a significant number of individualized factual and legal determinations to be made,” including specifically whether the defendants made misrepresentations to each investor, whether those misrepresentations were material, whether the investor relied upon them, and whether the investor suffered economic harm. Id. at 1092–93. Furthermore, the court found that the circumstances warranted striking the class allegations because delaying the inevitable decision would “needlessly force the parties to remain in court when they previously agreed to arbitrate.” Id. at 1092.

C. Congress Codifies SEC Disgorgement Remedy

On January 1, 2021, Congress codified the SEC’s right to disgorgement remedies as part of the National Defense Authorization Act (“NDAA”). While the SEC has often sought—and courts have often granted—disgorgement remedies, the new law codifies this right and also adds guidance as to the parameters. Section 6501 of the NDAA amends the Exchange Act to allow any United States District Court to “require disgorgement…of any unjust enrichment by the person who received such unjust enrichment as a result of [violations under the securities laws].” Previously, disgorgement was awarded pursuant to the court’s equitable power, rather than statutorily mandated in cases of unjust enrichment.

Significantly, the amendment also provides for a 10-year statute of limitations that applies to “[any actions for disgorgement arising out] of the securities laws for which scienter must be established.” 15 U.S.C. § 78u(d)(8)(A)(ii). The law further provides for a 10-year statute of limitations for “any equitable remedy, including for an injunction or for a bar, suspension, or cease and desist order” irrespective of whether the underlying securities law violation carries a scienter requirement. 15 U.S.C. § 78u(d)(8)(B). The law expands disgorgement to “any equitable remedy” and ensures that a court awards disgorgement in these cases. Moreover, for the purposes of calculating any limitations period under this paragraph, “any time in which the person . . . is outside of the United States shall not count towards the accrual of that period.” 15 U.S.C. § 78u(d)(8)(C).

D. Delaware Exclusive Forum Bylaws Applicable to Section 14

A recent federal decision in the Northern District of California precluded plaintiffs from bringing Section 14(a) claims in the face of an exclusive forum selection clause in a company’s bylaws. Lee v. Fisher, 2021 WL 1659842 (N.D. Cal. Apr. 27, 2021). In Lee, plaintiffs brought derivative claims on behalf of The Gap, Inc. for violation of Section 14(a) of the Securities Exchange Act as a result of allegedly misleading statements about the Gap’s commitment to diversity. Id. at *1. The defendants moved to dismiss the claims on forum non conveniens grounds based on the forum selection clause in Gap’s bylaws, which provided that any action had to be brought in Delaware Chancery Court. Id. at *2. In granting the motion and dismissing the claims, the court noted a strong policy in favor of enforcing forum selection clauses where practicable. Id. at *3. In response to the plaintiff’s objection that Section 14(a) claims must be asserted in federal court because of its exclusive jurisdiction and that the anti-waiver provisions in the Securities Act preclude waiving the jurisdictional requirement, the court noted Ninth Circuit precedent has held that the policy of enforcing forum selection clauses supersedes anti-waiver provisions like those in the Exchange Act. Id. In addition, enforcement of the exclusive forum selection clause would not leave the plaintiff without a remedy because the plaintiff could file separate state law derivative claims in Delaware, even if such action could not include a federal securities law claim. The plaintiffs have filed a notice of appeal in the Ninth Circuit.

E. Ninth Circuit Upholds Broad Protection for Forward-Looking Statements

In Wochos v. Tesla, Inc., 985 F.3d 1180 (9th Cir. 2021), the Ninth Circuit upheld a broad interpretation of the safe harbor protections afforded by the PSLRA. The PSLRA’s safe harbor for forward-looking statements protects against liability that is premised upon statements made about a company’s plans, objectives, and projections of future performance, along with the assumptions underlying such statements. In Wochos, the Ninth Circuit held that this protection applies even when the statements touch on the current state of affairs.

The plaintiffs in Wochos alleged that statements by Tesla officers that the company was “on track” to meet certain production goals was misleading because the company was facing manufacturing problems that made these production goals difficult to attain. Id. at 1185–86. Plaintiffs claimed that the statements were not protected under the PSLRA’s safe harbor provisions because these “predictive statements contain[ed] embedded assertions concerning present facts that are actionable.” Id. at 1191 (emphasis in original). The court disagreed, finding that the definition of forward-looking statements “expressly includes ‘statement[s] of the plans and objectives of management for future operations,’” and “‘statement[s] of the assumptions underlying or relating to’ those plans and objectives.” Id. (emphases in original). Even though Tesla’s statements touched on the current state of the business, the court found that they were forward-looking because “any announced ‘objective’ for ‘future operations’ necessarily reflects an implicit assertion that the goal is achievable based on current circumstances.” Id. at 1192 (emphasis in original). The court reasoned that the safe harbor would be rendered moot if it “could be defeated simply by showing that a statement has the sort of features that are inherent in any forward-looking statement.” Id. (emphasis in original).

The following Gibson Dunn attorneys assisted in preparing this client update: Jeff Bell, Shireen Barday, Monica Loseman, Brian Lutz, Mark Perry, Avi Weitzman, Lissa Percopo, Michael Celio, Alisha Siqueira, Rachel Jackson, Andrew Bernstein, Megan Murphy, Jonathan D. Fortney, Sam Berman, Fernando Berdion-Del Valle, Andrew V. Kuntz, Colleen Devine, Aaron Chou, Luke Dougherty, Lindsey Young, Katy Baker, Jonathan Haderlein, Marc Aaron Takagaki, and Jeffrey Myers.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the Securities Litigation practice group:

Monica K. Loseman – Co-Chair, Denver (+1 303-298-5784, mloseman@gibsondunn.com)
Brian M. Lutz – Co-Chair, San Francisco/New York (+1 415-393-8379/+1 212-351-3881, blutz@gibsondunn.com)
Craig Varnen – Co-Chair, Los Angeles (+1 213-229-7922, cvarnen@gibsondunn.com)
Shireen A. Barday – New York (+1 212-351-2621, sbarday@gibsondunn.com)
Jefferson Bell – New York (+1 212-351-2395, jbell@gibsondunn.com)
Matthew L. Biben – New York (+1 212-351-6300, mbiben@gibsondunn.com)
Michael D. Celio – Palo Alto (+1 650-849-5326, mcelio@gibsondunn.com)
Paul J. Collins – Palo Alto (+1 650-849-5309, pcollins@gibsondunn.com)
Jennifer L. Conn – New York (+1 212-351-4086, jconn@gibsondunn.com)
Thad A. Davis – San Francisco (+1 415-393-8251, tadavis@gibsondunn.com)
Ethan Dettmer – San Francisco (+1 415-393-8292, edettmer@gibsondunn.com)
Mark A. Kirsch – New York (+1 212-351-2662, mkirsch@gibsondunn.com)
Jason J. Mendro – Washington, D.C. (+1 202-887-3726, jmendro@gibsondunn.com)
Alex Mircheff – Los Angeles (+1 213-229-7307, amircheff@gibsondunn.com)
Robert F. Serio – New York (+1 212-351-3917, rserio@gibsondunn.com)
Robert C. Walters – Dallas (+1 214-698-3114, rwalters@gibsondunn.com)
Avi Weitzman – New York (+1 212-351-2465, aweitzman@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

I. Introduction: Themes and Notable Developments

This mid-year update marks the first six months of the Commission under the Biden administration. Change came swiftly, yet is only just beginning. In this update, we look at the significant developments from the first six months of 2021, and consider what to expect from new leadership at the Commission and the Enforcement Division. In sum, it is safe to say that the next four years will see a return to increasing regulatory oversight and escalated enforcement of market participants.

As predicted in our 2020 Year-End Securities Enforcement Update, promptly after President Biden was inaugurated, the White House substituted then Acting Chairman Elad Roisman with the senior Democratic Commissioner, Allison Herren Lee.[1] Under Acting Chair Lee’s leadership, the Commission began a number of initiatives that immediately signaled more aggressive and proactive regulatory oversight, including in areas of climate and environmental, social and governance (ESG) disclosure and investment management, and special purpose acquisition companies (SPACs), both of which are discussed further below. At the same time, Republican Commissioners often issued statements raising concerns about the approach being taken by the Commission in areas such as ESG disclosure and cryptocurrency.[2]

Shortly after her appointment to the Acting Chair position, Acting Chair Lee announced changes to the enforcement process that facilitated the opening of formal investigations and also added uncertainty to the settlement process for companies and SEC registered firms. In February, Acting Chair Lee restored the delegated authority of senior Enforcement Division staff to issue formal orders of investigation, which authorize the staff to issue subpoenas for documents and testimony.[3] The re-delegation of authority reversed the 2017 decision under the Trump administration which restricted authority to issue formal orders to the Director of the Enforcement or the Commissioners. Acting Chair Lee cited the need to allow investigative staff “to act more swiftly to detect and stop ongoing frauds, preserve assets, and protect vulnerable investors.”[4] Immediately following that pronouncement, the Commission announced an end to the practice of permitting settling parties to make contingent settlement offers—offers to resolve an investigation contingent on receiving from the Commission a waiver of collateral consequences, such as disqualifications from regulatory safe harbors, which would otherwise arise from the violations. In her statement, Acting Chair Lee noted that “waivers should not be used as ‘a bargaining chip’ in settlement negotiations, nor should they be considered a ‘default position’ under the SEC.”[5] Following the announcement, Commissioners Hester Peirce and Elad Roisman, both Republicans, issued a joint statement criticizing the impact of the policy reversal on parties seeking to resolve an investigation through a settlement “because it undercuts the certainty and finality that settlement might otherwise provide.”[6]

In April, Gary Gensler was sworn in as Chairman of the SEC.[7] Before joining the SEC, Chairman Gensler was Chairman of the Commodity Futures Trading Commission in the Obama administration and presided over a period of heightened financial regulation and aggressive enforcement against major financial institutions.

In June, Chairman Gensler appointed Gurbir Grewal, the Attorney General for the State of New Jersey, as the new Director of the Division of Enforcement.[8] Mr. Grewal will begin his role as Division Director on July 26. With the appointment of Mr. Grewal, Chairman Gensler continues a trend, begun in the wake of the 2008 financial crisis, of appointing former prosecutors to the that position. Before becoming New Jersey Attorney General, Mr. Grewal had been the Bergen County Prosecutor, and Assistant U.S. Attorney in the District of New Jersey (where he was Chief of the Economic Crimes Unit) and in the Eastern District of New York (where he was assigned to the Business and Securities Fraud Unit). Mr. Grewal also worked in private practice from 1999 to 2004 and 2008 to 2010.

Now that the new Commission leadership is taking shape, we expect the coming months to reflect increasingly the influence of the new administration. Undoubtedly, this will translate into heightened scrutiny on legal and compliance departments and financial reporting functions of financial institutions, investment advisers, broker-dealers, and public companies.

A. Climate and ESG Task Force

In March, Acting Chair Lee announced the creation of a Climate and ESG Task Force.[9] The task force is composed of 22 members drawn from various Commission offices and specialized units. The Climate and ESG task force is charged with developing initiatives to identify ESG-related misconduct and analyzing data to identify potential violations. Additionally, the task force aims to identify misstatements in issuers’ disclosure of climate risks and to analyze disclosure and compliance issues related to ESG stakeholders and investors. The SEC has also established a website and intake submission form for tips, referrals, and whistleblower complaints for ESG-related issues. The task force will work closely with other SEC Divisions and Offices, including the Division of Corporation Finance, Investment Management, and Examinations.

In April, the Division of Examinations issued a Risk Alert detailing its observations of deficiencies and internal control weaknesses from examinations of investment advisers and funds regarding investing that incorporates ESG factors.[10] The Division’s Risk Alert provides a useful roadmap to assist investment advisers in developing, testing and enhancing their compliance policies, procedures and practices. Please see our prior client alert on this subject for an analysis of the lessons learned from the Division’s Risk Alert.

B. Focus on SPACs

Over the course of the first half of this year, the SEC has been intensifying its focus on SPACs. Also referred to as blank check companies, SPACs are shell companies which offer private companies an alternative path to the public securities markets instead of an IPO. A SPAC transaction proceeds in two phases: (i) an initial phase in which the shell company raises investor funds to finance all or a portion of a future acquisition of a private company and (ii) a de-SPAC phase in which the SPAC merges with a private target company. During the de-SPAC phase, investors in the initial SPAC either sell their shares on the secondary market or have their shares redeemed. After the de-SPAC, the entity continues to operate as a public company. Typically, SPACs have two years to complete a merger with a private company.

Earlier this year, senior SEC officials in the Division of Corporation Finance and Office of the Chief Accountant issued a string of pronouncements concerning the risks posed by the explosion of SPAC initial public offerings in 2020 and early 2021, including a potential misalignment of interests and incentives between SPAC sponsors and shareholders.[11] Last week the Commission announced an enforcement action against a SPAC, the SPAC sponsor, and the CEO of the SPAC, as well as the proposed merger target and the former CEO of the target for misstatements in a registration statement and amendments concerning the target’s technology and business risks.[12]

In a separate alert, we analyzed the important implications this enforcement action has for SPACs, their sponsors and executives for their diligence on proposed acquisition targets. To emphasize the point, SEC Chairman Gary Gensler took the unusual step of providing comments that echoed the concerns of senior officials and sent a clear message that even when the SPAC is “lied to” by the target, the SPAC and its executives are at risk for liability under the securities laws if their diligence fails to uncover misrepresentations or omissions by the target. Chairman Gensler stated, “This case illustrates risks inherent to SPAC transactions, as those who stand to earn significant profits from a SPAC merger may conduct inadequate due diligence and mislead investors. . . . The fact that [the target] lied to [the SPAC] does not absolve [the SPAC] of its failure to undertake adequate due diligence to protect shareholders.”

C. Focus on Cybersecurity Risks

For a number of years, the Commission has been increasing its focus on controls and disclosures related to the risks of cyberattacks. In June, the Division of Enforcement publicly disclosed that it was conducting an investigation regarding a cyberattack involving the compromise of software made by the SolarWinds Corp.[13] As part of that investigation, the Division staff issued letters to a number of entities requesting information concerning the SolarWinds compromise. The inquiry is notable both for its public nature as well as the scope of the requests and signals a heightened scrutiny of how companies manage cyber-related risks.

D. Shifting Approach to Penalties against Public Companies

In addition to the overarching expectations for increasingly aggressive enforcement under this administration, the first half of this year also revealed indications that the Commission’s approach to corporate penalties may be undergoing a transition.

For many years the Commission has debated whether, and to what extent, public companies should be subject to monetary penalties in settlement of enforcement actions based on allegations of improper accounting or financial reporting or misleading disclosures. On one hand, advocates for the imposition of substantial penalties argue that they are a statutorily authorized remedy that serves regulatory goals of specific and general deterrence and, since the creation of fair funds, the potential goal of financial remediation. On the other hand, imposing penalties on a public company is simply taking value away from current shareholders of the company, some of whom may also have been the victims of the alleged financial reporting misconduct, and, in the absence of a fair fund, simply transferring that value to the U.S. Treasury. In the wake of the corporate accounting scandals of the 2000s, the SEC’s penalties against public companies rose to the hundreds of millions of dollars, leading to calls for a framework for the determination of appropriate penalties.

In an effort to bring some consistency to the Commission’s and the Enforcement Division’s approach to negotiating corporate penalties, in 2006 the Commission unanimously issued guidance on whether, and to what extent, the Commission should seek to impose penalties against public companies.[14] Rooting the guidance in the legislative history of the 1990 Congressional authorization of SEC penalty authority, the Commission’s 2006 guidance identified two principal factors to determine whether a penalty against a public company would be appropriate: (1) whether the company received a direct financial benefit as a result of the alleged violation, and (2) the extent to which a penalty would recompense or harm injured shareholders. Although the 2006 guidance identified other relevant factors—such as the need for deterrence, egregiousness of the harm from the violation, level of intent, corporate cooperation—the first two factors were of paramount importance. As a general matter, in the years following the 2006 Guidance, the size of corporate penalties in financial reporting cases moderated.

In March of this year, Commissioner Caroline Crenshaw, a Democrat, delivered a speech[15] in which she criticized the 2006 guidance. Calling the guidance “myopic” and “fundamentally flawed,” Commissioner Crenshaw argued that the Commission should not treat the presence or absence of a corporate benefit as a threshold issue to imposing a penalty. Instead, the Commission should focus on factors such as: (1) the egregiousness of the misconduct, (2) the extent of the company’s self-reporting, cooperation and remediation, (3) the extent of harm to victims, (4) the level of complicity of senior management within the company in the alleged misconduct, and (5) the difficulty of detecting the alleged misconduct. Anecdotal experience suggests that a majority of the Commissioners, and consequently, the staff of the Enforcement Division, are following the principles outlined in Commissioner Crenshaw’s speech.

The significance of this for public companies is that the Commission’s approach to corporate penalties diverges from its statutory underpinnings. The securities laws provide for prescribed penalty amounts per violation.[16] In general, in litigated cases, district courts and administrative law judges have generally imposed reasonable limits on the penalties sought by the Commission.[17] If the Commission is no longer following the 2006 guidance, then untethered from a consideration of corporate benefit or shareholder cost-benefit, the Commission’s posture on corporate penalties is vulnerable to subjective assessments of egregiousness and corporate cooperation. Moreover, unlike calculations under the US Sentencing Guidelines, there is no public disclosure of exactly how the SEC reaches a particular penalty, leaving companies and counsel unable to understand the basis for any negotiated penalty amount.

E. Litigation Developments

In the SEC’s ongoing litigation against Ripple Labs, there were notable developments in the defendants’ ability to obtain discovery of the SEC Staff’s prior policy positions concerning whether digital currencies constitute securities. In the pending litigation against Ripple, filed at the end of 2020, the SEC alleges that Ripple’s sales of digital token XRP constituted unregistered securities offerings. In April, a Magistrate Judge hearing discovery disputes granted the defendants’ motion seeking discovery of internal SEC Staff documents bearing on whether XRP tokens are similar to other cryptocurrencies that the SEC Staff has deemed not to be securities. More recently, in July, the Magistrate Judge ordered that the defendants could take the deposition of William Hinman, the former Director of the SEC’s Division of Corporation Finance, regarding a speech he delivered as Division Director concerning whether, in the Staff’s view, certain digital tokens constitute securities. These discovery decisions provide notable precedent for obtaining discovery of evidence relevant to the positions of Commission Staff on policy issues that may be relevant to the issues pending in particular enforcement litigation.

F. Other Senior Staffing Updates

In addition to the confirmation of Chairman Gensler and appointment of Enforcement Director Grewal, there were a number of other changes in the senior staffing of the Commission:

In April, Jane Norberg, Chief of the SEC’s Office of the Whistleblower, left the agency. Ms. Norberg had been with the Office of the Whistleblower since near its inception in 2012. The Office’s Deputy Chief, Emily Pasquinelli, has been serving as Acting Chief pending appointment of a new Chief.
In May, Joel R. Levin, the Director of the Chicago Regional Office, left the SEC.[18] He had served as Director of the Chicago office since 2018. Associate Directors Kathryn A. Pyszka and Daniel Gregus have been serving as Regional Co-Directors pending appointment of a new Regional Director.
In June, Chairman Gensler announced additions to his executive staff, including Amanda Fischer as Senior Counselor; Lisa Helvin as Legal Counsel; Tejal D. Shah as Enforcement Counsel; Angelica Annino as Director of Scheduling and Administration; Liz Bloom as Speechwriter to the Chair; Basmah Nada as Digital Director; and Jahvonta Mason as Special Assistant to the Chief of Staff.
Also in June, Renee Jones joined the SEC as Director of the Division of Corporation Finance, while the Acting Director of the Division, John Coates, was named SEC General Counsel.[19] Jones previously served as Professor of Law and Associate Dean for Academic Affairs at Boston College Law School, is a member of the American Law Institute and has served as the Co-Chair of the Securities Law Committee of the Boston Bar Association. Mr. Coates had previously served as the SEC’s Acting Director of the Division of Corporate Finance since February 2021. Before joining the SEC, he was Professor of Law and Economics at Harvard University.

G. Whistleblower Awards

Coming off another record year of whistleblower awards in 2020, the Commission has continued to issue awards at a record pace in the first half of 2021. There is no reason to believe that these awards will slow down given the importance of the program to the Commission. Through June of this year, the SEC’s whistleblower program has awarded nearly $200 million to 45 separate whistleblowers. That is almost $100 million more than the first half of 2020, which was $115 million to 15 individuals. Overall, the SEC’s whistleblower program has paid out approximately $937 million to 178 individuals since the start of the program.

In April, the SEC announced an award of over $50 million to joint whistleblowers for information that alerted the SEC to violations involving highly complex transactions that would have “been difficult to detect without their information.”[20] This award is the second largest in the history of the program and reflects the Commission’s dedication to recovering funds for harmed investors.

Other significant whistleblower awards granted during the first half of this year include:

Four awards in January, including an award of almost $500,000 to three whistleblowers in connection with two related enforcement actions; nearly $600,000 to a whistleblower whose information caused the opening of an investigation, and for the whistleblower’s ongoing assistance in the SEC’s investigation; an award of more than $100,000 to a whistleblower whose independent analysis led to a successful enforcement action;[21] and an award of $600,000 to a whistleblower whose tip led to the success of an enforcement action.[22]
Five awards in February, including a $9.2 million award to a whistleblower who provided information that led to successful related actions by the Department of Justice.[23] Additional awards in February included two awards totaling almost $3 million to two separate whistleblowers whose high quality information led to an enforcement action that resulted in millions of dollars to harmed clients;[24] and two awards totaling more than $1.7 million to two whistleblowers in separate proceedings relating to the new Form TCR filing requirement set forth in Securities Exchange Act Rule 21F-9(e).[25]
Four awards in March, including over $500,000 to two whistleblowers for tips that revealed ongoing fraud;[26] an award of over $5 million to joint whistleblowers whose tip resulted in the opening of an investigation;[27] approximately $1.5 million to a whistleblower whose information and assistance led to a successful SEC enforcement action;[28] and an award of more than $500,000 to a whistleblower for information and assistance that led to the shutting down of an ongoing fraudulent scheme.[29]
Three awards in April, including an award of approximately $2.5 million to a whistleblower whose information and assistance to the SEC contributed to the success of an SEC enforcement action;[30] a $3.2 million award to a whistleblower who alerted the SEC to violations and provided subject matter expertise to the staff that conserved SEC resources; and a $100,000 award to a whistleblower for significant information and ongoing assistance.[31]
Six awards in May, including two awards totaling $31 million to four whistleblowers, two of which received $27 million for providing the SEC with new information and assistance during an existing investigation; and two others who received $3.76 million and $750,000 respectively for independently providing the SEC with information that assisted an ongoing investigation.[32] Additional awards in May include an award of approximately $22 million to two whistleblowers for information and assistance that was “crucial” to a successful enforcement action brought against a financial services firm;[33] a $3.6 million award to a whistleblower whose information and assistance led to a successful enforcement action;[34] an award of more than $28 million to a whistleblower for information that caused both the SEC and another agency to open investigations that resulted in significant enforcement actions;[35] and an award of more than $4 million to a whistleblower who alerted the SEC to certain violations that led to the opening of an investigation.[36]
Five awards in June, including an award of more than $23 million to two whistleblowers whose information and assistance led to successful SEC and related actions;[37] an award of $3 million to two whistleblowers who separately and independently provided the SEC with valuable information and ongoing assistance;[38] two awards totaling nearly $5.3 million to four whistleblowers who provided information that prompted the opening of two separate investigations;[39] and an award of more than $1 million to a whistleblower whose information and assistance led to multiple successful SEC enforcement actions.[40]

II. Public Company Accounting, Financial Reporting and Disclosure Cases

A. Financial Reporting Cases

Cases Against Public Companies and Executives

In February, the SEC announced settled charges against the former CEO and CFO of a company that provides Flexible Spending Account services for allegedly making false and misleading statements and omissions that resulted in the company’s improper recognition of revenue related to a contract with a large public-sector client.[41] The SEC’s order alleged that one of the company’s large public sector clients stated on multiple occasions that it did not intend to pay for certain development and transition work associated with an existing contract. The CEO and CFO allegedly directed the company to recognize $3.6 million in revenue related to this work without disclosing to internal accounting staff or to the company’s external auditor that the client’s employees denied that it owed these amounts to the company. Without admitting or denying the SEC’s findings, the CEO and CFO agreed respectively to cease and desist from further violations of the charged provisions, pay penalties of $75,000 and $100,000, and reimburse the company for incentive-based compensation received on the basis of the alleged violations.

In May, the SEC instituted a settled action against a sports apparel manufacturer for allegedly misleading investors as to the bases of its revenue growth and failing to disclose known uncertainties concerning its future revenue prospects.[42] The SEC’s order alleged that the company accelerated, or “pulled forward,” a total of $408 million in existing orders that customers had requested be shipped in future quarters and that the company attributed its revenue growth during the relevant period to a variety of other factors without disclosing to investors material information about the impact of its pull forward practices. The company agreed to cease and desist from further violations and to pay a $9 million penalty without admitting or denying the findings in the SEC order.

Cases Against Auditors and Accountants

In February, the SEC suspended two former auditors from practicing before the SEC in connection with settled charges alleging improper professional conduct during an audit of a now defunct, not-for-profit educational institution.[43] The auditors allegedly issued an audit report without following Generally Accepted Auditing Standards by, among other things, failing to obtain sufficient appropriate audit evidence or to properly prepare audit documentation. The resultant financial statements allegedly fraudulently overstated the college’s net assets by $33.8 million. Without admitting or denying the findings, the auditors agreed to the suspension with the right to apply for reinstatement after three years and one year, respectively.

In April, the SEC instituted administrative proceedings against a Texas-based CPA for allegedly failing to register his firm with the Public Company Accounting Oversight Board (PCAOB) and alleged failures in auditing and reviewing the financial statements of a public company client.[44] The CPA allegedly failed to complete his application to register with the PCAOB and performed an audit while the application was incomplete. The audit allegedly failed to comply with multiple PCAOB Auditing Standards as well. The proceedings will be scheduled for a public hearing before the Commission.

B. Disclosure Cases

In February, the SEC announced settled charges against a gas exploration and production company and its former CEO for failing to properly disclose as compensation certain perks provided to the CEO and certain related personal transactions.[45] The alleged failures to disclose included approximately $650,000 in the form of perquisites, including costs associated with the CEO’s use of the company’s chartered aircraft and corporate credit card. The SEC took into account the company’s significant cooperation efforts when accepting the settlement offer. The Company and CEO agreed, without admitting or denying to the SEC’s findings, to cease-and-desist from further violations. Additionally, the CEO agreed to pay a civil penalty in the amount of $88,248.

In April, the SEC instituted a settled action against eight companies for allegedly failing to disclose in SEC Form 12b-25 “Notification of Late Filing” forms (known as Form NT) that their requests for seeking a delayed quarterly or annual reporting filing was caused by an anticipated restatement or correction of prior financial reporting.[46] The orders found that each company announced restatements or corrections to financial reporting within four to fourteen days of their Form NT filings despite failing to disclose that anticipated restatements or corrections were among the principal reasons for their late filings. The companies, without admitting or denying the findings, agreed to cease-and-desist-orders and paid penalties of either $25,000 or $50,000.

In May, the SEC announced settled charges against a firm that produces, maintains, licenses, and markets stock market indices.[47] The SEC’s order alleged failures relating to a previously undisclosed quality control feature of one of the firm’s volatility-related indices, which allegedly led it to publish and disseminate stale index values during a period of unprecedented volatility. The allegedly undisclosed feature was an “Auto Hold”, which is triggered if an index value breaches certain thresholds, at which point the immediately prior index value continues to be reported. Without admitting or denying the SEC’s findings, the firm agreed to a cease-and-desist order and to pay a $9 million penalty.

C. Disclosure and Internal Controls Case against Ratings Agency

In February, the SEC filed a civil action against a former credit ratings agency. The SEC’s complaint alleged that the agency violated disclosure and internal control provisions in rating commercial mortgage-backed securities (CMBS).[48] According to the complaint, the credit ratings agency allowed analysts to make undisclosed adjustments to ratings models and did not establish and enforce effective internal controls over these adjustments for 31 transactions.

III. Investment Advisers and Broker-Dealers

A. Investment Advisers

In late May, the SEC filed a civil action against two investment advisers and their portfolio managers for allegedly misleading investors about risk management practices related to their short volatility trading strategy.[49] According to the SEC’s complaint, the investment advisers made misleading statements about their risk management practices. During a period of historically low volatility in late 2017, the investment adviser firms increased the level of risk in the portfolios while assuring investors that the portfolios’ risk profiles remained stable. The SEC’s complaint alleged that a sudden spike in volatility in early 2018 led to trading losses exceeding $1 billion over two trading days. The SEC separately settled related charges with the Firm’s Chief Risk Oficer.

In mid-June, the SEC announced that it had obtained an asset freeze and filed charges against a Miami-based investment professional and two investment firms for engaging in a “cherry-picking” scheme in which they allegedly channeled trading profits to preferred accounts.[50] The SEC alleged that beginning in September 2015, the firms diverted profitable trades to accounts held by relatives and allocated losing trades to other clients by using a single account to place trades without specifying the intended recipients of the securities at the time of the trade. According to the SEC’s complaint, the preferred clients received approximately $4.6 million in profitable trades while the other clients experienced over $5 million in first-day losses.

B. Broker-Dealer Reporting and Recordkeeping

In May, the SEC announced settled charges against a Colorado-based broker-dealer for failing to file Suspicious Activity Reports (SARs).[51] The purpose of SARs is to identify and investigate potentially suspicious activity. The SEC’s order alleged that for a three-year period, the broker-dealer failed to file SARs—or filed incomplete SARs—while it was aware that there were attempts to use improperly obtained personal identifying information to gain access to the retirement accounts of individual plan participants at the broker-dealer. The SEC’s order noted significant cooperation by the broker-dealer and remedial efforts including anti-money laundering systems, replacing key personnel, clarifying delegation of responsibility, and implement new SAR-related policies and training.

IV. Cryptocurrency and Digital Assets

A. Registration Case

In May, the SEC filed a civil action against five individuals for allegedly promoting unregistered digital asset securities.[52] The defendants worked as promoters for an open-source cryptocurrency, raising over $2 billion dollars from retail investors. The SEC’s complaint alleged that from January 2017 to January 2018, the promoters advertised the cryptocurrency’s “lending program” by creating “testimonial” style videos that appeared on YouTube. According to the complaint, the defendants did not register as broker-dealers and also did not register the securities offering. The complaint seeks injunctive relief, disgorgement, and civil penalties from all five defendants.

B. Fraud Case

In February, the SEC filed a civil action against three defendants, a founder of two digital currency companies and promoters for the companies, for allegedly defrauding hundreds of retail investors out of over $11 million through digital asset securities offerings.[53] The SEC’s complaint alleged that from December 2017 to January 2018, the individuals induced investors to purchase securities in the companies by claiming their trading platform was the “largest” and “most secure” Bitcoin exchange. The defendants then promoted the unregistered initial coin offering of their cryptocurrency, referred to as B2G tokens by telling investors that their cryptocurrency would be built on the Ethereum blockchain and would launch in April 2018. Instead, the SEC claims, the defendants misappropriated the investor funds for their personal benefit. The complaint seeks injunctive relief, disgorgement, and penalties, along with an officer and director bar for the founder and one promoter. The U.S. Attorney’s Office for the Eastern District of New York and the Department of Justice Fraud Section announced parallel criminal charges against the promoter.

V. Meme Stocks

In the first half of this year, the SEC responded to the growing presence of ‘meme stocks,’ which undergo spikes of rapid growth in short periods of time largely in response to social media activity. In January, following a period of increased market activity in GameStop stock fueled by posts on the social media aggregator site Reddit, the SEC released an alert that warned investors against “jump[ing] on the bandwagon” and emphasized avoiding making investment decisions based on social media posts.[54]

A. Trading Suspensions

In February, the SEC suspended trading in an inactive company due to potentially manipulative social media activity attempting to artificially inflate the company’s stock price.[55] The SEC’s trading suspension order stated that in January 2021, several social media accounts coordinated to increase the share price of stocks for a Minnesota-based medical device company, although the company had not filed reports with the SEC since 2017 and its website and contact information were non-functional. During this time, the share price and trading volume of the company’s securities increased. A few weeks later, the SEC suspended trading in the securities for 15 companies again in response to social media activity relating to the issuers, none of which had filed information with the SEC for over a year.[56] In total, the SEC suspended trading for 24 companies in February because of suspicious social media posts.

B. Fraud Case

In March, the SEC announced a filed civil action and an asset freeze against a California-based trader for allegedly using social media to post false information about a company, while selling his own holdings in the company’s stock.[57] The SEC’s complaint alleged that the defendant purchased 41 million shares of stock from a defunct company with publicly traded securities. In the same day, the trader allegedly made over 120 tweets containing false information about the company, including that the company recently revived its operations and expanded its business. As an example, one of the posts alleged that the company had “huge” investors and the CEO had “big plans” for the company’s future. In the following days, the company’s share price increased by over 4,000 percent, at which point the defendant sold his shares for a profit of over $929,000 dollars and continued to post on Twitter about the company’s success. The complaint seeks a permanent injunction, disgorgement, and a civil penalty. The SEC also temporarily suspended trading in the company’s securities.[58]

VI. Insider Trading

In March, the SEC filed settled charges against a California individual for perpetuating a scheme to sell “insider tips” on the dark web.[59] This is the SEC’s first enforcement action involving alleged securities violations on the dark web, a platform allowing users to access the internet anonymously. The complaint alleged that the individual falsely claimed to possess material, nonpublic information, which he sold on the dark web. Several investors purchased the individual’s purported tips and traded on the information he provided. The individual agreed to a bifurcated settlement (which reserves the determination of disgorgement and penalties for a later date); the U.S. Attorney’s Office for the Middle District of Florida announced parallel criminal charges.

In June 2021, the SEC announced settled charges against a New York-based couple for insider trading relating to the stock of a pharmaceutical company where one of them worked as a clinical trial project manager.[60] According to the SEC’s complaint, the project manager learned of negative results from the drug trial she oversaw, and tipped another individual who sold all of his stock in the pharmaceutical company ahead of the public news announcement. The individual also tipped his uncle, who also sold all of his stock. After the negative news was announced, the company stock fell approximately 50%, which would have led to losses of over $100,000 for the individuals had the individuals not sold their stock. The individuals have agreed to pay around $325,000 to settle the charges.

VII. Regulation FD

In the twenty years since the adoption of Regulation FD, which prohibits selective disclosure by public companies of material, non-public material information, the Commission has filed only two litigated enforcement actions alleging violation of the Rule. The first case, filed against Seibel Systems in 2005, ended swiftly when the district court granted the defendants’ motion to dismiss the Commission’s complaint for failure to state a claim.[61] More than fifteen years later, in March of this year, the SEC filed a litigated action against AT&T and three investor relations employees.[62] The complaint alleges that the three IR employees selectively released material financial data in March and April of 2016. Specifically, the SEC alleges that the IR employees disclosed material nonpublic information to a group of analysts at twenty research firms in an effort to avoid the Company’s quarterly revenue falling short of the analyst community’s estimates. AT&T issued a statement in response explaining that any information discussed in communications with analysts was public and immaterial.[63] Among other things, AT&T noted that the information discussed with analysts “concerned the widely reported, industry-wide phase-out of subsidy programs for new smartphone purchases and the impact of this trend on smartphone upgrade rates and equipment revenue…. Not only did AT&T publicly disclose this trend on multiple occasions before the analyst calls in question, but AT&T also made clear that the declining phone sales had no material impact on its earnings.” Notably, AT&T highlighted the fact that the Commission’s complaint “does not cite a single witness involved in any of these analyst calls who believes that material nonpublic information was conveyed to them.”

VIII. Offering Frauds

The SEC continued to bring a large number of offering fraud cases in the first half of 2021.

A. Investment Frauds

In January, the SEC filed two civil actions; the first was against a real estate broker and his company for raising $58 million from investors in two real estate funds by using a fabricated investment record.[64] The SEC’s complaint also alleged that the broker, who had no investment management experience, misappropriated over $7 million in investor assets to conceal losses that ultimately forced the funds to wind down. In the second action, the SEC filed a complaint against an entertainment company and its founder for using a “boiler room” sales scheme to raise money from investors.[65] According to the complaint, the company employed salespeople who utilized high-pressure tactics and made misrepresentations about the company’s growth in order to raise $14 million from individual investors. Both complaints seek disgorgement, injunctive relief, and civil penalties.

In early March, the SEC filed charges against seven individuals and a technology company for an alleged scheme to raise the price of the company’s stock, after which they sold their shares for proceeds of over $22 million.[66] The complaint also alleged that during this campaign, approximately $22.8 million was raised from investors who were allegedly misled about the true nature of the company and that a large portion of the money raised from investors was used for personal expenses. The complaint seeks disgorgement, civil penalties, and injunctive relief.

In mid-March, the SEC announced three cases relating to investor frauds. The SEC filed a civil complaint against a New Jersey resident for defrauding potential investors, most of whom were members of the Orthodox Jewish community, including friends and family of the defendant.[67] According to the complaint, the defendant raised millions of dollars using misleading and false representations regarding his real estate investment company, which purchased and owned apartment complexes. The individual defendant agreed to settle the charges against him subject to court approval; the U.S. Attorney’s Office for the District of New Jersey filed parallel criminal charges. The SEC also filed a civil complaint against an individual who raised money from investors in his company by making representations that was an environmentally friendly drink bottling and manufacturing company.[68] The complaint alleged that in reality, the company had no operations, and the money was used by the defendant for personal expenses. The SEC obtained emergency relief in this matter and the seeks complaint injunctive relief and civil penalties. Finally, the SEC filed charges against the two co-founders of a San Francisco-based biotech company for raising funds from investors by misrepresenting their company as a fast-growing medical company that could improve people’s lives via new inventions in the “microbiome industry.”[69] The complaint alleged that the co-founders’ claims regarding their clinical testing were based on false medical tests and other improper practices. The U.S. Attorney’s Office for the Northern District of California filed parallel criminal charges against the co-founders.

In April, the SEC filed a pair of civil actions against firms and their executives for conduct which resulted in significant investor losses. In the first action, the SEC alleged that an Israeli-based company and two of its former executives created a binary option securities trading platform in which investor losses were probable, and failed to inform investors that their partners were counterparties on the options.[70] In the second action, the SEC alleged that an individual and investment adviser misled investors regarding the strategy for his fund, and induced them to invest in highly illiquid companies and real estate rather than liquid assets as promised.[71] The complaint further alleged that the individual misappropriated fund assets for personal uses and failed to disclose all conflicts of interest. The U.S. Attorney’s Office for the Southern District of New York filed parallel criminal charges against the individual.

In May, the SEC filed charges against a New Jersey-based healthcare company and its founder for fraudulently raising money from investors by selling them membership interests in a company that purportedly offered employers a supplemental medical reimbursement plan.[72] The complaint alleged that the individual defendant raised money from investors through various misrepresentations, including failing to disclose his prior felony convictions and history of regulatory violations. The complaint seeks disgorgement, injunctive relief, and civil penalties.

B. Ponzi-Like Schemes

In February, the SEC filed a civil action against three individuals and their affiliated entities alleging that they conducted a Ponzi-like scheme that raised more than $1.7 billion.[73] The complaint alleged that the defendants promised investors an 8% annualized distribution payment, and represented that it was generated by portfolio companies when it was in fact sourced from other investor money. The complaint seeks disgorgement and civil penalties.

In March, the SEC filed a settled complaint against an individual for operating a decade-long fraud in which he transferred poorly performing assets from a fund controlled by him to two private hedge funds.[74] The defendant told investors that these funds were generating positive returns when a substantial number of the investments were actually used to make Ponzi-like payments to prior investors. The defendant agreed to settle to these charges, and also pled guilty to related criminal charges in the District of New Jersey.

In April, the SEC filed two civil actions alleging Ponzi-like schemes. In the first action, the SEC alleged that an actor raised $690 million by promising investors high returns by telling them that they were buying film rights which he would resell to HBO and Netflix.[75] The defendant allegedly paid investors the returns using new investments, and also misappropriated investor funds for his personal use. In the second action, the SEC’s complaint alleged that the defendant raised more than $17.1 million from over 100 investors by promising investors annual returns between 10% and 60% on resale of “customer lead generation campaigns.”[76] According to the complaint, the defendant instead use the investments to make payments to other investors and entities, as well as for personal expenses.

____________________________

[1] SEC Press Release, Allison Herren Lee Named Acting Chair of the SEC (January 21, 2021), available at https://www.sec.gov/news/press-release/2021-13.

[2] https://www.sec.gov/news/public-statement/peirce-roisman-coinschedule; https://www.sec.gov/news/public-statement/rethinking-global-esg-metrics.

[3] SEC Press Release, U.S. Sec. & Exch. Comm’n, Statement of Acting Chair Allison Herren Lee on Empowering Enforcement to Better Protect Investors (Feb, 9, 2021), https://www.sec.gov/news/public-statement/lee-statement-empowering-enforcement-better-protect-investors.

[4] Id.

[5] See Allison Herren Lee, Acting Chair, Statement of Acting Chair Allison Herren Lee on Contingent Settlement Offers (Feb. 11, 2021), https://www.sec.gov/news/public-statement/lee-statement-contingent-settlement-offers-021121.

[6] See Hester M. Peirce & Elad L. Roisman, Commissioners, Statement of Commissioners Hester M. Peirce and Elad L. Roisman on Contingent Settlement Offers (Feb. 12, 2021), https://www.sec.gov/news/public-statement/peirce-roisman-statement-contingent-settlement-offers-021221.

[7] SEC Press Release, Gary Gensler Sworn in as Member of the SEC (April 17, 2021), available at https://www.sec.gov/news/press-release/2021-65.

[8] SEC Appoints New Jersey Attorney General Gurbir S. Grewal as Director of Enforcement, Rel. No. 2021-114, June 29, 2021, available at https://www.sec.gov/news/press-release/2021-114.

[9] SEC Press Release, SEC Announces Enforcement Task Force Focused on Climate and ESG Issues (March 4, 2021), https://www.sec.gov/news/press-release/2021-42.

[10] The Division of Examinations’ Review of ESG Investing, April 9, 2021, available at https://www.sec.gov/files/esg-risk-alert.pdf.

[11] March 31, 2021 Staff Statement on Select Issues Pertaining to Special Purpose Acquisition Companies, available at https://www.sec.gov/news/public-statement/division-cf-spac-2021-03-31; March 31, 2021 Public Statement: Financial Reporting and Auditing Considerations of Companies Merging with SPACs, available at https://www.sec.gov/news/public-statement/munter-spac-20200331; Apr. 8, 2021 Public Statement: SPACs, IPOs and Liability Risk under the Securities Laws, available at https://www.sec.gov/news/public-statement/spacs-ipos-liability-risk-under-securities-laws; Apr. 12, 2021 Public Statement: Staff Statement on Accounting and Reporting Considerations for Warrants Issued by Special Purpose Acquisition Companies (“SPACs”), available at https://www.sec.gov/news/public-statement/accounting-reporting-warrants-issued-spacs; SEC Official Warns on Growth of Blank-Check Firms, Wall St. Journal (Apr. 7, 2021), available at https://www.wsj.com/articles/sec-official-warns-on-growth-of-blank-check-firms-11617804892.

[12] Press Release, Securities and Exchange Commission, SEC Charges SPAC, Sponsor Merger Target, and CEOs for Misleading Disclosures Ahead of Proposed Business Combination (July 13, 2021), available at https://www.sec.gov/news/press-release/2021-124.

[13] In the Matter of Certain Cybersecurity-Related Events (HO-14225) FAQs, available at https://www.sec.gov/enforce/certain-cybersecurity-related-events-faqs.

[14] Statement of the Securities and Exchange Commission Concerning Financial Penalties, Rel. 2006-4, Jan. 4, 2006, available at https://www.sec.gov/news/press/2006-4.htm.

[15] Moving Forward Together – Enforcement for Everyone, Commissioner Caroline A. Crenshaw, March 9, 2021, available at https://www.sec.gov/news/speech/crenshaw-moving-forward-together.

[16] See, e.g., Securities Exchange Act of 1934, Section 21(d)(3) (15 U.S.C. § 78u).

[17] See, e.g., In re Total Wealth Management, Inc., Initial Dec. No. 860 (Aug. 17, 2005) (finding Enforcement Division staff’s argument that each investor constitutes a separate violation “arbitrary” and “overly simplistic” and may “lead to wildly disproportionate penalty amounts.”).

[18] SEC Press Release, Joel R. Levin, Director of Chicago Regional Office, to Leave SEC, (April 16, 2021), available at https://www.sec.gov/news/press-release/2021-63.

[19] SEC Press Release, Renee Jones to Join SEC as Director of Corporation Finance; John Coates Named SEC General Counsel, (June 14, 2021), available at https://www.sec.gov/news/press-release/2021-101.

[20] SEC Press Release, SEC Awards Over $50 Million to Joint Whistleblowers (April 15, 2021), available at https://www.sec.gov/news/press-release/2021-62.

[21] SEC Press Release, SEC Issues Over $1.1 Million to Multiple Whistleblowers (January 7, 2021), available at https://www.sec.gov/news/press-release/2021-2.

[22] SEC Press Release, SEC Awards Nearly $600,000 to Whistleblower (January 14, 2021), available at https://www.sec.gov/news/press-release/2021-7.

[23] SEC Press Release, SEC Awards Almost $3 Million Total in Separate Whistleblower Awards (February 19, 2021), available at https://www.sec.gov/news/press-release/2021-31.

[24] SEC Press Release, SEC Awards More Than $9.2 Million to Whistleblower for Successful Related Actions, Including Agreement with DOJ (February 23, 2021), available at https://www.sec.gov/news/press-release/2021-30.

[25] SEC Press Release, SEC Issues Whistleblower Awards Totaling Over $1.7 Million (February 25, 2021), available at https://www.sec.gov/news/press-release/2021-34.

[26] SEC Press Release, SEC Awards Over $500,000 to Two Whistleblowers (March 1, 2021), available at https://www.sec.gov/news/press-release/2021-37.

[27] SEC Press Release, SEC Issues Over $5 Million to Joint Whistleblowers Located Abroad (March 4, 2021), available at https://www.sec.gov/news/press-release/2021-41.

[28] SEC Press Release, SEC Awards Approximately $1.5 Million to Whistleblower (March 9, 2021), available at https://www.sec.gov/news/press-release/2021-44.

[29] SEC Press Release, SEC Awards Over $500,000 to Whistleblower Under “Safe Harbor” for Internal Reporting and Surpasses Record for Individual Awards (March 29, 2021), available at https://www.sec.gov/news/press-release/2021-54.

[30] SEC Press Release, SEC Awards Approximately $2.5 Million to Whistleblower (April 9, 2021), available at https://www.sec.gov/news/press-release/2021-60.

[31] SEC Press Release, SEC Awards More Than $3 Million to Whistleblowers in Two Enforcement Actions (April 23, 2021), available at https://www.sec.gov/news/press-release/2021-70.

[32] SEC Press Release, SEC Awards More Than $31 Million to Whistleblowers in Two Enforcement Actions (May 17, 2021), available at https://www.sec.gov/news/press-release/2021-85.

[33] SEC Press Release, SEC Awards $22 Million to Two Whistleblowers (May 10, 2021), available at https://www.sec.gov/news/press-release/2021-81.

[34] SEC Press Release, SEC Awards Approximately $3.6 Million to Whistleblower (May 12, 2021), available at https://www.sec.gov/news/press-release/2021-83.

[35] SEC Press Release, SEC Awards More Than $28 Million to Whistleblower Who Aided SEC and Other Agency Actions (May 19, 2021), available at https://www.sec.gov/news/press-release/2021-86.

[36] SEC Press Release, SEC Awards More Than $4 Million to Whistleblower (May 27, 2021), available at https://www.sec.gov/news/press-release/2021-88.

[37] SEC Press Release, SEC Awards More Than $23 Million to Whistleblowers (June 2, 2021), available at https://www.sec.gov/news/press-release/2021-91.

[38] SEC Press Release, SEC Awards Approximately $3 Million to Two Whistleblowers (June 14, 2021), available at https://www.sec.gov/news/press-release/2021-100.

[39] SEC Press Release, SEC Issues Whistleblower Awards Totaling Nearly $5.3 Million (June 21, 2021), available at https://www.sec.gov/news/press-release/2021-106.

[40] SEC Press Release, SEC Awards More Than $1 Million to Whistleblower (June 24, 2021), available at https://www.sec.gov/news/press-release/2021-110.

[41] SEC Press Release, SEC Charges Former Executives of San Francisco Bay Area Company With Accounting Violations (Feb. 2, 2021), available at https://www.sec.gov/news/press-release/2021-23.

[42] SEC Press Release, SEC Charges Under Armour Inc. With Disclosure Failures (May 3, 2021), available at https://www.sec.gov/news/press-release/2021-78.

[43] SEC Press Release, SEC Charges Two Former KPMG Auditors for Improper Professional Conduct During Audit of Not-for-Profit College (Feb. 23, 2021), available at https://www.sec.gov/news/press-release/2021-32.

[44] SEC Press Release, Auditor Charged for Failure to Register with PCAOB and Multiple Audit Failures (Apr. 5, 2021), available at https://www.sec.gov/news/press-release/2021-56.

[45] SEC Press Release, SEC Charges Gas Exploration and Production Company and Former CEO with Failing to Disclose Executive Perks (Feb. 24, 2021), available at https://www.sec.gov/news/press-release/2021-33.

[46] SEC Press Release, SEC Charges Eight Companies for Failure to Disclose Complete Information on Form NT (Apr. 29 2021), available at https://www.sec.gov/news/press-release/2021-76.

[47] SEC Press Release, SEC Charges S&P Dow Jones Indices for Failures Relating to Volatility-Related Index (May 17, 2021), available at https://www.sec.gov/news/press-release/2021-84.

[48] SEC Press Release, SEC Charges Ratings Agency With Disclosure And Internal Controls Failures Relating To Undisclosed Model Adjustments (February 16, 2021), available at https://www.sec.gov/news/press-release/2021-29.

[49] SEC Press Release, SEC Charges Mutual Fund Executives with Misleading Investors Regarding Investment Risks in Funds that Suffered $1 Billion Trading Loss (May 27, 2021), available at https://www.sec.gov/news/press-release/2021-89.

[50] SEC Press Release, SEC Charges Investment Advisers With Cherry-Picking, Obtains Asset Freeze (June 17, 2021), available at https://www.sec.gov/news/press-release/2021-105.

[51] SEC Press Release, SEC Charges Broker-Dealer for Failures Related to Filing Suspicious Activity Reports (May 12, 2021), available at https://www.sec.gov/news/press-release/2021-82.

[52] SEC Press Release, SEC Charges U.S. Promoters of $2 Billion Global Crypto Lending Securities Offering (May 28, 2021), available at https://www.sec.gov/news/press-release/2021-90.

[53] SEC Press Release, SEC Charges Three Individuals in Digital Asset Frauds (Feb. 1, 2021), available at https://www.sec.gov/news/press-release/2021-22.

[54] SEC Investor Alert, Thinking About Investing in the Latest Hot Stock? (Jan. 30, 2021), available at https://www.sec.gov/oiea/investor-alerts-and-bulletins/risks-short-term-trading-based-social-media-investor-alert.

[55] SEC Press Release, SEC Suspends Trading in Inactive Issuer Touted on Social Media (Feb. 11, 2021), available at https://www.sec.gov/news/press-release/2021-28.

[56] SEC Order of Suspension of Trading, In the Matter of Bebiba Beverage Co., et. al. (Feb. 25, 2021), available at https://www.sec.gov/litigation/suspensions/2021/34-91213-o.pdf.

[57] SEC Press Release, SEC Obtains Emergency Asset Freeze, Charges California Trader with Posting False Stock Tweets (Mar. 15, 2021), available at https://www.sec.gov/news/press-release/2021-46.

[58] SEC Order of Suspension of Trading, In the Matter of Arcis Resources Corporation (Mar. 2, 2021), available at https://www.sec.gov/litigation/suspensions/2021/34-91245-o.pdf.

[59] SEC Press Release, SEC Charges California-Based Fraudster With Selling “Insider Tips” on the Dark Web (March 18, 2021), available at https://www.sec.gov/news/press-release/2021-51.

[60] SEC Press Release, SEC Charges Couple With Insider Trading on Confidential Clinical Trial Data (June 7, 2021), available at https://www.sec.gov/news/press-release/2021-94.

[61] SEC v. Siebel Systems, Inc., 384 F. Supp. 2d 694 (S.D.N.Y. 2005).

[62] SEC Press Release, SEC Charges AT&T and Three Executives with Selectively Providing Information to Wall Street Analysts (Mar. 5, 2021), available at https://www.sec.gov/news/press-release/2021-43.

[63] AT&T Disputes SEC Allegations, Mar. 5, 2021, available at https://www.prnewswire.com/news-releases/att-disputes-sec-allegations-301241737.html.

[64] SEC Press Release, SEC Charges Real Estate Fund Manager With Misappropriating Over $7 Million From Retail Investors (Jan. 12, 2021), available at https://www.sec.gov/news/press-release/2021-4.

[65] SEC Press Release, SEC Charges Vuuzle Media Corp. and Affiliated Individuals in Connection With $14 Million Offering Fraud (Jan. 27, 2021), available at https://www.sec.gov/news/press-release/2021-18.

[66] SEC Press Release, SEC Charges Seven Individuals for $45 Million Fraudulent Scheme (Mar. 2, 2021), available at https://www.sec.gov/news/press-release/2021-38.

[67] SEC Press Release, SEC Charges Owner of Real Estate Investment Company with Defrauding Investors (Mar. 18, 2021), available at https://www.sec.gov/news/press-release/2021-48.

[68] SEC Press Release, SEC Obtains Emergency Asset Freeze, Charges Colorado Resident with Fraud Involving Sham Bottling Company (Mar. 18, 2021), available at https://www.sec.gov/news/press-release/2021-50.

[69] SEC Press Release, SEC Charges Co-Founders of San Francisco Biotech Company With $60 Million Fraud (Mar. 18, 2021), available at https://www.sec.gov/news/press-release/2021-49.

[70] SEC Press Release, SEC Charges Binary Options Trading Platform and Two Top Executives with Fraud (Apr. 19, 2021), available at https://www.sec.gov/news/press-release/2021-66.

[71] SEC Press Release, SEC Charges Fund Manager and Former Race Car Team Owner with Multimillion Dollar Fraud (Apr. 23, 2021), available at https://www.sec.gov/news/press-release/2021-71-0.

[72] SEC Press Release, SEC Charges Healthcare Company and Its Founder with Multimillion Dollar Fraud (May 19, 2021), available at https://www.sec.gov/news/press-release/2021-87.

[73] SEC Press Release, SEC Charges Investment Adviser and Others With Defrauding Over 17,000 Retail Investors (Feb. 4, 2021), available at https://www.sec.gov/news/press-release/2021-24.

[74] SEC Press Release, SEC Charges Unregistered Investment Adviser with Defrauding Investors in Decade-Long Scheme (Mar. 9, 2021), available at https://www.sec.gov/news/press-release/2021-45.

[75] SEC Press Release, SEC Obtains Emergency Asset Freeze, Charges Actor with Operating a $690 Million Ponzi Scheme (Apr. 6, 2021), available at https://www.sec.gov/news/press-release/2021-58.

[76] SEC Press Release, SEC Obtains Emergency Relief, Charges Florida Company and CEO with Misappropriating Investor Money and Operating a Ponzi Scheme (Apr. 26, 2021), available at https://www.sec.gov/news/press-release/2021-74.

The following Gibson Dunn lawyers assisted in the preparation of this client update: Mark Schonfeld and Tina Samanta.

Gibson Dunn is one of the nation’s leading law firms in representing companies and individuals who face enforcement investigations by the Securities and Exchange Commission, the Department of Justice, the Commodities Futures Trading Commission, the New York and other state attorneys general and regulators, the Public Company Accounting Oversight Board (PCAOB), the Financial Industry Regulatory Authority (FINRA), the New York Stock Exchange, and federal and state banking regulators.

Our Securities Enforcement Group offers broad and deep experience. Our partners include the former Director of the SEC’s New York Regional Office, the former head of FINRA’s Department of Enforcement, the former United States Attorneys for the Central and Eastern Districts of California, and former Assistant United States Attorneys from federal prosecutors’ offices in New York, Los Angeles, San Francisco and Washington, D.C., including the Securities and Commodities Fraud Task Force.

Securities enforcement investigations are often one aspect of a problem facing our clients. Our securities enforcement lawyers work closely with lawyers from our Securities Regulation and Corporate Governance Group to provide expertise regarding parallel corporate governance, securities regulation, and securities trading issues, our Securities Litigation Group, and our White Collar Defense Group.

Securities Enforcement Practice Group Leaders:
Richard W. Grime – Washington, D.C. (+1 202-955-8219, rgrime@gibsondunn.com)
Mark K. Schonfeld – New York (+1 212-351-2433, mschonfeld@gibsondunn.com)

Please also feel free to contact any of the following practice group members:

New York
Zainab N. Ahmad (+1 212-351-2609, zahmad@gibsondunn.com)
Matthew L. Biben (+1 212-351-6300, mbiben@gibsondunn.com)
Reed Brodsky (+1 212-351-5334, rbrodsky@gibsondunn.com)
Joel M. Cohen (+1 212-351-2664, jcohen@gibsondunn.com)
Lee G. Dunst (+1 212-351-3824, ldunst@gibsondunn.com)
Barry R. Goldsmith (+1 212-351-2440, bgoldsmith@gibsondunn.com)
Mary Beth Maloney (+1 212-351-2315, mmaloney@gibsondunn.com)
Alexander H. Southwell (+1 212-351-3981, asouthwell@gibsondunn.com)
Avi Weitzman (+1 212-351-2465, aweitzman@gibsondunn.com)
Lawrence J. Zweifach (+1 212-351-2625, lzweifach@gibsondunn.com)
Tina Samanta (+1 212-351-2469, tsamanta@gibsondunn.com)

Washington, D.C.
Stephanie L. Brooker (+1 202-887-3502, sbrooker@gibsondunn.com)
Daniel P. Chung (+1 202-887-3729, dchung@gibsondunn.com)
M. Kendall Day (+1 202-955-8220, kday@gibsondunn.com)
Jeffrey L. Steiner (+1 202-887-3632, jsteiner@gibsondunn.com)
Patrick F. Stokes (+1 202-955-8504, pstokes@gibsondunn.com)
F. Joseph Warin (+1 202-887-3609, fwarin@gibsondunn.com)

San Francisco
Winston Y. Chan (+1 415-393-8362, wchan@gibsondunn.com)
Thad A. Davis (+1 415-393-8251, tadavis@gibsondunn.com)
Charles J. Stevens (+1 415-393-8391, cstevens@gibsondunn.com)
Michael Li-Ming Wong (+1 415-393-8234, mwong@gibsondunn.com)

Palo Alto
Michael D. Celio (+1 650-849-5326, mcelio@gibsondunn.com)
Paul J. Collins (+1 650-849-5309, pcollins@gibsondunn.com)
Benjamin B. Wagner (+1 650-849-5395, bwagner@gibsondunn.com)

Denver
Robert C. Blume (+1 303-298-5758, rblume@gibsondunn.com)
Monica K. Loseman (+1 303-298-5784, mloseman@gibsondunn.com)

Los Angeles
Michael M. Farhang (+1 213-229-7005, mfarhang@gibsondunn.com)
Douglas M. Fuchs (+1 213-229-7605, dfuchs@gibsondunn.com)
Nicola T. Hanna (+1 213-229-7269, nhanna@gibsondunn.com)
Debra Wong Yang (+1 213-229-7472, dwongyang@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On 21 May 2021, the Hong Kong government published the Consultation Conclusions[1] on legislative proposals to enhance anti-money laundering and counter-terrorist financing (“AML/CTF”) regulations in Hong Kong, including a proposal to introduce a licensing regime for virtual asset services providers (“VASPs”). This client alert discusses the proposed scope of the licensing regime, the proposed regulatory requirements for licence holders, implications for cryptocurrency trading platforms, and opportunities for the future development of such trading platforms in Hong Kong.

Note that the discussions in this alert are based on the Consultation Conclusions. While unlikely, there could still be further changes in the drafting of the legislation before the laws are passed. Importantly there will be further public consultation before the detailed regulatory regime for licence holders, including applicable guidelines, are published, as discussed below.

I. Why introduce a licensing regime for VASPs?

In recent years, the world has seen tremendous growth in the trading of virtual assets (“VAs”) including cryptocurrencies like bitcoin. This drew the attention of the Financial Action Task Force (“FATF”), which expressed concern about the perceived money laundering and terrorist financing (“ML/TF”) risks arising from the growing use of VAs. To address these ML/TF risks, the FATF updated the FATF Standards in February 2019[2] to require jurisdictions to subject VASPs to the same range of AML/CTF obligations as financial institutions. To fulfil its obligations as a member of FATF, the Hong Kong government launched a public consultation on 3 November 2020.[3] Amongst other things, the consultation proposed amendments to the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (“AMLO”) to introduce a licensing regime for VASPs. The public consultation period ended on 31 January 2021, and the Consultation Conclusions were published on 21 May 2021.

II. Scope of proposed licensing regime for VASPs

The proposed licensing regime for VASPs would designate the business of operating a VA exchange as a “regulated VA activity”. As such, any person seeking to operate a VA exchange in Hong Kong would be required to apply for a licence[4] from the Hong Kong Securities and Futures Commission (“SFC”) to become a licensed VASP under the AMLO. The granting of the licence would be subject to meeting the SFC’s fit-and-proper test and other regulatory requirements, which we discuss further below.

The proposed definition of a “VA exchange” is any trading platform which:

Is operated for the purpose of allowing an invitation to be made to buy or sell any VA in exchange for any money or any VA; and
Comes into custody, control, power or possession of, or over, any money or any VA at any time during the course of its business.

Accordingly, a peer-to-peer trading platform would not fall within the definition of a VA exchange provided that the actual transactions in VAs are conducted outside the platform and the platform is not involved in the underlying transaction by coming into possession of any money or any VA at any point in time (i.e. platforms that only provide a forum for buyers and sellers to post their bids and offers, where the parties themselves transact outside the platform). As such, on the basis of the current drafting, it is possible that decentralised exchanges (“DEXs”) that operate on the basis of non-custodial storage (as opposed to centralised exchanges where users give up custody of their assets to the exchange) and without a centralised entity in charge of the order book, may not ultimately be caught by the definition of a VA exchange.

The proposed definition of “VA” means a digital representation of value that:

Is expressed as a unit of account or a store of economic value;
Functions (or is intended to function) as a medium of exchange accepted by the public as payment for goods or services or for the discharge of debt, or for investment purposes; and
Can be transferred, stored or traded electronically.

The definition of “VA” is therefore likely to include cryptocurrencies such as bitcoin and VAs backed by another asset for the purpose of stabilising its value (i.e. stablecoins). On the other hand, the definition of VA would not cover:

Digital representations of fiat currencies (such as digital currencies issued by central banks);
Financial products already regulated under the Securities and Futures Ordinance (“SFO”);
Closed-loop, limited purpose items that are non-transferable, non-exchangeable and non-fungible (e.g. air miles, credit card rewards, gift cards, customer loyalty points, gaming coins, etc.); and
Stored value facilities which are regulated under the Payment Systems and Stored Value Facilities Ordinance.

Depending on the final drafting of the legislative amendment to introduce the licensing regime for VASPs, it appears that non-fungible tokens (“NFTs”) may fall outside the definition of “VA”. In that scenario NFT trading platforms would also fall outside the scope of the licensing regime

III. Implications for non-Hong Kong cryptocurrency exchanges

The proposed licensing regime for VASPs would also extend to VA exchanges which operate outside of Hong Kong, but which actively market to the public of Hong Kong. This means that a cryptocurrency exchange that is based outside of Hong Kong will be prohibited from ‘actively marketing’ regulated VA activity (i.e. operating a VA exchange) to the public of Hong Kong unless they are a licensed VASP. This would be similar to existing prohibitions under the SFO[5] on actively marketing regulated activities to the public of Hong Kong (see below). In the context of the SFO, the meaning of actively markets is potentially broad, with some guidance available from the SFC[6] and in case law on its interpretation.

IV. Crypto assets which are securities or futures contracts are already regulated under the SFO

It is important to note that financial products which are already regulated under the SFO would not fall within the definition of “VA”, and therefore trading platforms which enable trading in such products would not fall within the licensing regime for VASPs. An example of such financial products is bitcoin futures which, depending on its terms and features, would likely either fall within the definition of “securities” or “futures contracts” under the SFO (and therefore would not be considered VAs).[7]

However, such trading platforms may already fall within the SFO regulatory regime for providing automated trading services, if it operates in or from Hong Kong, or actively markets to the public in Hong Kong (even if the platforms are based outside of Hong Kong). In this respect, in November 2019, the SFC published a position paper[8] which outlined the regulatory standards for the licensing of trading platforms that enable trading of crypto assets which have “securities” features.

V. Proposed licensing requirements for licensed VASPs

Eligibility: applicants must either be incorporated in Hong Kong, or non-Hong Kong incorporated companies which are registered in Hong Kong under the Companies Ordinance.
Fit-and-proper test: in considering whether or not an applicant is fit-and-proper to be granted a VASP licence, the SFC will take into account, among other matters, whether or not the applicant has been convicted of an ML/TF offence or other offence involving fraud, corruption or dishonesty, their experience and qualifications, their good standing and financial integrity, etc. This fit-and-proper test is likely to be very similar to, if not derived from, the well-established fit-and-proper test which applicants are required to satisfy to be granted a regulated activity licence under the SFO.
Two responsible officers: as with any firm currently licensed by the SFC, applicants will need to appoint at least two responsible officers to assume the responsibility of ensuring compliance with AML/CTF and other regulatory requirements, who may be held personally accountable in case of non-compliance.

VI. Regulatory requirements for licensed VASPs

Licensed VASPs will be subject to the AML/CTF requirements stipulated in Schedule 2 of the AMLO (i.e. the same as financial institutions), including customer due diligence and record-keeping requirements.

In addition to AML/CTF requirements, licensed VASPs will also be subject to regulatory requirements designed to protect market integrity and investor interests. These requirements will be set out in codes and guidelines to be published by the SFC. Licensed VASPs would be required to comply with these requirements under licensing conditions imposed by the SFC. These requirements are likely to be wide-ranging in scope, with prescribed requirements covering, among other things, financial resources, risk management, segregation and management of client assets, financial reporting, prevention of market manipulative and abusive activities, prevention of conflicts of interest, etc.

Notably, licensed VASPs will only be able to provide services to professional investors, i.e. high net worth and institutional investors. This means that after the commencement of the licensing regime for VASPs, licensed VASPs cannot provide services to retail investors.

VII. Supervisory powers of the SFC over licensed VASPs

The SFC will be given broad powers to supervise the AML/CTF and regulatory compliance of licensed VASPs. This will include powers to enter business premises, to request the production of documents and records, to investigate non-compliance and to impose sanctions (including orders for remedial actions, civil penalties and suspension or revocation licence) for non-compliances. The SFC will also have intervention powers to impose restrictions and prohibitions against the operations of licensed VASPs and their associated entities where the circumstances warrant, such as to prohibit further transactions or restrict the disposal of property. These powers enable the SFC to protect client assets in the event of emergency and to prevent the dissipation of client assets in the case of misconduct by a licensed VASP.

VIII. Timing

The Hong Kong government aims to introduce the AMLO amendment bill into the Legislative Council in the 2021-22 legislative session, which is due to commence in October 2021. The SFC will also prepare and publish for consultation the regulatory requirements for licensed VASPs, before commencement of the licensing regime for VASPs. Considering the above, the licensing regime is unlikely to commence before 2022. In any event there will be a 180-day transitional period from the commencement of the licensing regime to facilitate licence applications by interested parties.

IX. Conclusion

While the primary motivation for introducing the licensing regime for VASPs is to ensure that Hong Kong meets the latest FATF Standards, the Hong Kong authorities are also focused on promoting the protection of market integrity and investor interests, and the regulatory requirements for licensed VASPs extend beyond AML/CTF requirements by seeking to regulate matters including customer type (i.e. professional investors only), prevention of market manipulative and abusive activities, and prevention of conflicts of interest.

As Mr. Christopher Hui, Secretary for Financial Services and the Treasury, recently said in his remarks at a fintech forum,[9] the introduction of the licensing regime for VASPs is intended to facilitate the development of such an industry by providing a clear regulatory framework for the industry to operate within. Notably, the original proposal for the licensing regime has now been amended to allow non-Hong Kong companies to apply for a VASP licence[10] which may help to attract overseas crypto asset trading platforms that wish to develop their business within the Hong Kong regulatory framework.

For current VASPs contemplating applying for a VA licence when the licensing regime commences, we would recommend starting by reviewing their existing AML/CTF policies and systems and controls to identify gaps with the requirements under Schedule 2 of the AMLO. This is because these requirements are unlikely to be significantly modified during the legislative process, and it may take time and resources to design and implement. VASPs should also be alert to future consultations by the SFC on the codes and guidelines for licensed VASPs in order to identify the detailed regulatory requirements which licensed VASPs would need to comply with. Implementing these requirements will likely require preparing written policies and procedures, upgrading systems and controls, and potentially restructuring aspects of their business and operations to address potential conflicts of interest.

__________________________

[1] Consultation Conclusions on Public Consultation on Legislative Proposal to Enhance Anti-Money Laundering and Counter-Terrorist Financing Regulation in Hong Kong (May 2021), published by the Financial Services and the Treasury Bureau, available at: https://www.fstb.gov.hk/fsb/en/publication/consult/doc/consult_conclu_amlo_e.pdf

[2] Public Statement – Mitigating Risks from Virtual Assets (22 February 2019), published by FATF, available at: https://www.fatf-gafi.org/publications/fatfrecommendations/documents/regulation-virtual-assets-interpretive-note.html

[3] Government launches consultation on legislative proposal to enhance anti-money laundering and counter-terrorist financing regulation (3 November 2020), Hong Kong government press release, available at: https://www.info.gov.hk/gia/general/202011/03/P2020110300338.htm

[4] There will be an exception for a VA exchange that is already regulated as a licensed corporation in the voluntary opt-in regime supervised by the SFC pursuant to the SFO.

[5] Section 115 of the SFO.

[6] “Actively markets” under section 115 of the SFO (last updated 17 March 2003), published by the SFC, available at: https://www.sfc.hk/en/faqs/intermediaries/licensing/Actively-markets-under-section-115-of-the-SFO#9CAC2C2643CF41458CEDA9882E56E25B

[7] Circular to Licensed Corporations and Registered Institutions on Bitcoin futures contracts and cryptocurrency-related investment products (11 December 2017), published by the SFC, available at: https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=17EC79

[8] Position paper: Regulation of virtual asset trading platforms (6 November 2019), published by the SFC, available at: https://www.sfc.hk/-/media/EN/files/ER/PDF/20191106-Position-Paper-and-Appendix-1-to-Position-Paper-Eng.pdf

[9] Secretary for Financial Services and the Treasury, Mr. Christopher Hui, remarks at StartmeupHK Festival – Virtual FinTech Forum on 27 May 2021, available at: https://www.news.gov.hk/eng/2021/05/20210527/20210527_131949_094.html

[10] The non-Hong Kong incorporated company would need to be registered in Hong Kong under the Companies Ordinance.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you would like to discuss further, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Financial Institutions practice group, or the following authors:

Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Sébastien Evrard – Hong Kong (+852 2214 3798, sevrard@gibsondunn.com)
Arnold Pun – Hong Kong (+852 2214 3838, apun@gibsondunn.com)

Please also feel free to contact any of the following practice leaders and members:

Matthew L. Biben – New York (+1 212-351-6300, mbiben@gibsondunn.com)
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202-955-8220, kday@gibsondunn.com)
Mylan L. Denerstein – New York (+1 212-351- 3850, mdenerstein@gibsondunn.com)
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, mkirschner@gibsondunn.com)
Arthur S. Long – New York (+1 212-351-2426, along@gibsondunn.com)
Matthew Nunan – London (+44 (0) 20 7071 4201, mnunan@gibsondunn.com)
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, jsteiner@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

This week, there were important virtual currency developments at two of the principal federal banking agencies, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC). Both of these developments occurred as the markets for digital currencies showed substantial volatility. First, in testimony before Congress on Wednesday, Acting Comptroller of the Currency Michael Hsu expressed concerns about the OCC’s recent actions for digital currency companies and stated that he had “asked staff to review these actions.”[1] Second, the FDIC published a request for information (RFI) about digital assets and the banking system.[2] Comments on the RFI are due by July 16, 2021.

I. Office of the Comptroller of the Currency

Prior to Acting Comptroller Hsu’s appointment by Treasury Secretary Yellen, the OCC was the federal banking agency that had taken the lead on digital currencies, recently approving three applications by digital currency companies. Of these actions, Acting Comptroller Hsu stated his “broad[] concern . . . that these initiatives were not done in full coordination with all stakeholders. Nor do they appear to have been part of a broader strategy related to the regulatory perimeter.”[3]

The OCC approvals involved two applications for conversion from state trust companies to national trust banks, those of Anchorage Digital Bank, National Association, and Protego Trust Bank, National Association, and one application for a new national trust bank charter, for Paxos National Trust.[4] Each approval therefore involved a type of national bank specifically authorized by Congress, and not a special purpose “fintech” charter.

The activities that the OCC stated were permissible for national banks in the approvals covered many digital currency activities, including:

fiduciary custody of digital assets
custody of client cash deposits
providing on-chain governance services allowing clients to participate in the governance of the underlying protocols on which their digital assets operate
operating validator nodes
providing staking as a service
providing clients the ability to delegate staking to third-party validators
settling transactions facilitated by affiliates, third-party brokers and clients
determining that customers should claim forked assets
custody and management of U.S. dollar stablecoin reserves
payment, exchange, and other agent services
trading services and enabling partners to buy and sell cryptocurrency
“know your customer” as a service, including customer identification, sanctions screening, enhanced due diligence, customer risk rating, and other related services[5]

It is not clear what form the OCC staff review mandated by Acting Comptroller Hsu will take. It does appear from the rest of his testimony, however, that the OCC will no longer “go it alone” when it comes to digital assets. As Mr. Hsu – formerly a career supervisor at the Federal Reserve – stated, “[r]ecognizing the OCC’s unique authority to grant charters, we must find a way to consider how fintechs and payments platforms fit into the banking system, and we must do it in coordination with the FDIC, Federal Reserve, and the states.”[6] Mr. Hsu also warned of the potential of systemic risk from digital activities, stating that he was feeling “some déjà vu,” having seen the financial disintermediation of the late 1990s and 2000s that contributed to the Great Recession.[7]

II. Federal Deposit Insurance Corporation

If the OCC appears to be putting on the brakes, the FDIC – the primary federal supervisor for insured state banks, including industrial banks, that are not members of the Federal Reserve system, the U.S. deposit insurer, and the U.S. bank resolution authority – signaled that it wishes to know more about digital assets and the banking system. On May 17, it issued a request for information, soliciting comments regarding insured depository institutions’ (IDIs) current and potential digital asset activities.[8] The FDIC noted that banks are exploring several roles in the digital asset ecosystem, with digital use cases and related activities potentially falling into the following categories:

Technology solutions, such as those involving closed and open payment systems, other token-based systems for banking activities other than payments (g., lending), and acting as nodes in networks (e.g., distributed ledgers)
Asset-based activities, such as investments, collateral, margin lending and liquidity facilities
Liability-based activities, such as deposit services and where deposits serve as digital asset reserves
Custodial activities, such as providing digital asset safekeeping and related services, such as secondary lending, as well as acting as a qualified custodian on behalf of investment advisors
Other activity including market-making and decentralized financing

Current and Potential Use Cases

The RFI seeks information regarding current and potential use cases of digital assets, including categories of digital assets and related activities, activities or use cases that IDIs are currently engaging in or considering, and the demand for digital asset-related services.

Risk and Compliance Management

The RFI asks for comment regarding risk and compliance management, including IDIs’ existing risk and compliance management frameworks; unique risks that are challenging to measure, monitor, and control for the various digital asset use cases; unique benefits to operations from the various digital asset use cases; the integration of operations related to digital assets with legacy banking systems; potential benefits and unique risks of particular digital asset product offerings or services to IDI customers; and the integration of new technologies into existing cybersecurity functions.

Supervision and Activities

The RFI requests information regarding supervision and activities, including the unique aspects of digital asset activities that the FDIC should take into account from a supervisory perspectives; areas in which the FDIC should clarify or expand existing supervisory guidance to address digital asset activities; the difference between the custody of digital assets and the custody of traditional assets; and the interaction of digital assets with the FDIC’s Part 362 application procedures, which cover applications by insured state nonmember banks to conduct principal activities that have not been approved for national banks.

Deposit Insurance and Resolution

The RFI asks for information regarding deposit insurance and resolution, including steps to ensure customers can distinguish between uninsured digital asset products and insured deposits; distinctions or similarities between fiat-backed stablecoins and stored value products where the underlying funds are held at IDIs and for which pass-through deposit insurance may be available; and complexities that might be encountered in valuing, marketing, operating, or resolving digital asset activity in the resolution process or in a receivership capacity.

Conclusion

This week’s actions demonstrate that, as the Biden Administration takes shape, there is a change in banking agency approach to digital assets and that addressing the issues raised by digital assets remains a considerable regulatory priority. It appears that the OCC, Federal Reserve Board and FDIC will take a more coordinated approach to digital assets, one result of which may be that certain state bank regulatory agencies may take the lead on innovative proposals in the short term. For example, most of the activities that the OCC permitted in its digital currency approvals before Acting Comptroller Hsu was appointed had previously been deemed permissible for state-licensed trust companies.

____________________

[1] Statement of Michael J. Hsu, Acting Comptroller of the Currency, Committee on Financial Services, United States House of Representatives, May 19, 2021 (Hsu Statement).

[2] FDIC, Request for Information and Comment on Digital Assets (May 17, 2021), available at https://www.fdic.gov/news/press-releases/2021/pr21046a.pdf.

[3] Hsu Statement.

[4] Letter from Stephen A. Lybarger, Deputy Comptroller Licensing, OCC, to Nathan McCauley, President & Director, Anchorage Trust Company, Application by Anchorage Trust Company, Sioux Falls, South Dakota to Convert to a National Trust Bank (Jan. 13, 2021); Letter from Stephen A. Lybarger, Deputy Comptroller Licensing, OCC, to Greg Gilman, Founder & Executive Chair, Audaces Fortuna Inc., Application by Protego Trust Company, Seattle, Washington, to Convert to a National Trust Bank (Feb. 4, 2021); Letter from Stephen A. Lybarger, Deputy Comptroller Licensing, OCC, to Daniel Burstein, General Counsel and Chief Compliance Officer, Paxos, Application to Charter Paxos National Trust, New York, New York (Apr. 23, 2021).

[5] See id., available at https://www.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-6a.pdf; https://www.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-19a.pdf; and https://www.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-49a.pdf.

[6] Hsu Statement.

[7] Hsu Statement

[8] FDIC, Request for Information and Comment on Digital Assets (May 17, 2021), available at https://www.fdic.gov/news/press-releases/2021/pr21046a.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery.

The following Gibson Dunn lawyers assisted in preparing this client update: Arthur Long and Samantha Ostrom.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s Financial Institutions practice group:

Matthew L. Biben – New York (+1 212-351-6300, mbiben@gibsondunn.com)
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202-955-8220, kday@gibsondunn.com)
Mylan L. Denerstein – New York (+1 212-351- 3850, mdenerstein@gibsondunn.com)
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, mkirschner@gibsondunn.com)
Arthur S. Long – New York (+1 212-351-2426, along@gibsondunn.com)
Matthew Nunan – London (+44 (0) 20 7071 4201, mnunan@gibsondunn.com)
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, jsteiner@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Each month, Gibson Dunn’s Media, Entertainment and Technology Practice Group highlights notable developments and rulings that may impact future litigation in this area. This month we focus on the increasingly popular digital asset known as non-fungible tokens or “NFTs” and related issues in the entertainment space and beyond.

Issue: Non-Fungible Tokens (NFTs)

Summary: NFTs have gone mainstream in what some have called a new “gold rush.” An NFT sold for almost $70 million at a Christie’s auction last month, NFTs of basketball video highlights have generated hundreds of millions of dollars in sales on the NBA Top Shot platform, and NFTs even were the subject of a skit on a recent episode of Saturday Night Live. Some consider them a fad or a bubble, citing the almost $600,000 sale of an image of an animated flying cat with a pop-tart body that anyone can download from the internet for free. But in one form or another, NFTs are here to stay. Even if the market matures and interest wanes in some unconventional pieces of digital art, NFTs will continue to offer a significant potential revenue stream for artists and entities in the film and television, music, and online gaming industries, among many others. We highlight below some of the emerging legal and policy issues related to NFTs, which include intellectual property law, profit participation issues, securities law, and even climate change.

What do the music group Megadeth, former University of Iowa basketball player Luka Garza, and New York City track and field center The Armory have in common? In the span of 24 hours earlier this month, each of them entered the rapidly expanding NFT market. They joined a number of artists and entertainers who have led the charge in selling NFTs. As film studios and other entities with large content libraries consider following suit, they will need to consider a number of deeply rooted legal issues against a relatively new technological backdrop.

I. Background

There are widely varied understandings of NFTs and related issues concerning tokens and blockchain technology. While many of our readers are familiar with these terms, a brief introduction is helpful to frame the issues that follow.

A. What are NFTs and What is the Blockchain?

An NFT, or “non-fungible token,” is a unique unit of data stored on a public ledger of transactions called a blockchain. The unique data could represent an image, an electronic deed to a piece of property, or a digital ticket for a particular seat at a sporting event. In contrast to these “non-fungible” tokens, cryptocurrencies such as Bitcoin and Ether—just like U.S. dollars, British pounds and other “fiat” government-issued currencies—are fungible; one penny in your pocket has the same intrinsic value as the penny under your couch cushion.

Today, NFTs generally reside on the Ethereum blockchain, which also supports, among other things, the cryptocurrency Ether—the second largest cryptocurrency in terms of market capitalization and volume after Bitcoin. While other blockchains can have their own versions of NFTs, right now Ethereum is the most widely used (though NBA Top Shot uses the Flow blockchain).

But what is a blockchain? As noted above, it is an electronic database or ledger showing a history of transactions. Each transaction is represented by an entry into the electronic ledger and multiple ledger entries are ordered in data batches known as “blocks” to await verification on the network. New blocks are added after the current block reaches its data limit. The blocks are connected using cryptography: each block contains a “hash” (a sort of coded electronic signature linking it to the previous block), which is how the blockchain gets its name.

A key feature of the Ethereum blockchain that distinguishes it from a database one might have at a business or law firm is that the blockchain is decentralized across a community of servers. Data is not stored in any one location or managed by any particular body. Rather, it exists on multiple computers simultaneously, with network participants holding identical copies of the ledger reflecting the encrypted transactions.

That is why blockchains are touted as both verifiable and secure. It is similar to the tracking details showing each step in a package’s journey from the shipper to its final delivery destination. Unlike the tracking details provided by a shipping company, however, on the blockchain no one person can alter that record to change the encrypted data without the network’s users noticing and rejecting the fraudulent version. And if any one computer system fails, there are duplicate images of the tracking details on the blockchain ledger available on other computers around the world.

B. What Do You Get When You Buy An NFT?

While an NFT is unique, it is important to keep in mind what that unique digital item actually is. In most cases the NFT is a digital identifier recording ownership, not—to borrow an example from the above—the actual image of the pop-tart cat. What amounts to your “receipt” is reflected in the blockchain, but the image file itself resides elsewhere.

This has to do with blockchain storage limitations and costs. The digital image itself theoretically can be stored in metadata on the blockchain, but in the vast majority of cases it is hosted on a regular website or the decentralized InterPlanetary File System (IPFS). The identifier is logged on the blockchain, but if the image is taken down from its non-blockchain location—say, because it violates someone’s copyright—the NFT could end up being a unique digital path to a closed door (even if there may be seemingly identical “copies” of the digital asset elsewhere). The immutable purchase record would remain on the blockchain, but the original image might not be viewable.

Almost uniformly, the NFT transfer conveys an interest in a licensed copy while copyright ownership of the underlying image or song is not transferred. The NFT may be in a limited edition and it may have some additional perceived value because it is officially authorized by the copyright holder or originated from the address of the copyright holder. But while the underlying copyright can be transferred when the NFT is sold or licensed, typically it isn’t. The terms and conditions of an NFT platform may reveal the limits of what actually is being transferred and how it might be used.

Under NBA Top Shot’s terms, for example, the purchaser who obtains a license to a “Moment” cannot use it for a commercial purpose, modify it, or use the image alongside anything the NBA considers offensive or hateful. An NFT platform that controls the image file is able to remove that file from its platform.

* * *

Monetization strategies for NFTs are constantly evolving, so one cannot generalize and say that all NFTs fall in one legal bucket or another. An NFT can be fair use of a copyright or it can violate it. An NFT likewise could be a simple collectible or it may be offered in such a way to convert it into a security subject to myriad regulations and disclosure requirements. It depends on the NFT. But as the market evolves, complicated questions will need to be answered by NFT creators, platforms, and, potentially, courts.

II. Intellectual Property

Any NFT platform must be particularly focused on the intellectual property rights underlying the NFTs stored, sold, or licensed on the platform. A single NFT may include various copyrightable elements, including a video clip and any accompanying music. Whereas the platform may be able to invoke a statutory liability protection with respect to some potential claims—like defamation—certain intellectual property claims are not precluded.

Specifically, Section 230 of the Communications Decency Act of 1996 shields certain online service providers from liability for hosting content that someone else created. In particular, Section 230(c)(1) states that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

To the extent Section 230 applies to a particular NFT platform, the law’s broad protection still has carve-outs. Among other things, it does not apply to “any law pertaining to intellectual property.” Courts have different interpretations of the scope of Section 230’s reference to “intellectual property.” In Perfect 10 v. CCBill, 488 F.3d 1102 (9th Cir. 2007), the Ninth Circuit ruled that Section 230 permitted claims under federal intellectual property laws but preempted state intellectual property claims alleging a violation of the plaintiff’s right of publicity. In Atlantic Recording Corp. v. Project Playlist, Inc., 603 F. Supp. 2d 690 (S.D.N.Y. 2009), a Southern District of New York court reached the opposite conclusion, holding that the “intellectual property” carve-out extended beyond intellectual property claims under federal law to include state-law claims.

Whether or not an NFT platform would be subject to potential liability for violating someone’s state-law right in her or his name and likeness, federal intellectual property law still would apply. And offering an NFT that potentially infringes a copyright could result in liability for the platform if, for example, it does not take the necessary steps under the Digital Millennium Copyright Act. That risk is heightened for some platforms given how easy it is to tokenize someone else’s work. Speculators can turn any digital image into an NFT that they can then try to sell, even if the original creator does not agree to that use or even know about it.

Studios and other intellectual property rights holders will need to be especially vigilant in protecting their intellectual property—and NFT platforms likewise will need to promptly remove content if a copyright owner notifies it of an infringement—as the market for small pieces of content expands.

III. Profit Participations

Especially in the current NFT environment, it is not difficult to imagine the potential value of tokenized iconic moments from movies and television. Of course, there would be a number of contractual issues for a rightsholder to navigate, which would vary from deal to deal. Valuable clips might come from movies dating back long before the advent of NFTs, the internet, or even computers. The relevant agreements certainly would not address NFTs, but even analogous provisions might be difficult to identify. Agreements may refer to “clips,” for example, but typically a clip is used to promote the full program or film rather than to be monetized on its own.

Depending on what it depicts, an NFT might not be a “clip” at all. Again using NBA Top Shot as an example, a “Moment” is not just a short video excerpt showing a pass or dunk; it is a package of on-court video, still photographs, digital artwork, and game information. Contracts would need to be analyzed to determine if the NFT should be categorized as a clip, a derivative production, merchandising, promotional material, or something else, with potential consequences on the calculation of gross receipts and any corresponding rights to profit participations or Guild royalties.

Exclusivity provisions in film or television licenses to third parties might bar or limit a studio from “minting” an NFT from a work in its library. Other considerations might also limit a rightsholder’s willingness to enter the NFT space. With vast libraries of well-known and high‑quality content, however, studios are better positioned than most to take advantage of the increased interest and marketability of discrete portions of a film or program.

IV. Securities Law

Particularly in light of the SEC’s increased focus on cryptocurrencies, including its recent lawsuit accusing Ripple Labs Inc. and two of its executives of engaging in an unregistered “digital asset securities offering,” anyone involved in marketing an NFT should give careful consideration to whether the NFT is a security under U.S. law.

This should be of particular concern to the celebrities marketing their own NFTs. Several years ago, in response to celebrity endorsements for cryptocurrency Initial Coin Offerings (ICOs), the SEC warned that “[a]ny celebrity or other individual who promotes a virtual token or coin that is a security must disclose the nature, scope, and amount of compensation received in exchange for the promotion.”[1] A failure to do so would be “a violation of the anti-touting provisions of the federal securities laws.”[2] The same principle would apply to NFTs, with the key question being whether an NFT is a security. This issue has significant bearing on the NFT platform as well. If an NFT is a security, the offeror must follow securities law disclosure requirements and restrictions on who may invest.

The term “security” in U.S. securities laws includes an “investment contract” as well as other instruments like stocks and bonds. Both the SEC and federal courts often use the “investment contract” analysis to determine whether unique instruments, such as digital assets, are securities subject to federal securities laws.

To determine whether a digital asset has the characteristics of an investment contract, courts apply a test derived from the U.S. Supreme Court’s decision in SEC v. W.J. Howey Co., 328 U.S. 293 (1946). Under that Howey test, federal securities laws apply where

there is an investment of money or some other consideration,
in a common enterprise,
with a reasonable expectation of profits,
to be derived from the efforts of others.

Again, it would depend on the NFT, but transactions that resemble a fan buying a collectible likely would not be securities under this test. The notion that an NFT is non-fungible also makes it less likely to be a security.

Nevertheless, the NFT market is a creative one. Many NFTs, for example, are configured through the “smart contracts”—which are essentially computer programs—to automatically pay out royalties to the digital artwork’s original creator with every future sale of the NFT on that platform; the artist could package those royalty rights for sale to potential investors.

NFT issuers also can sell fractional interests in NFTs or groups of NFTs. As prices for some NFTs climb into the stratosphere, this approach becomes more appealing to potential buyers who want a piece of the NFT but are unwilling or unable to pay for the whole thing. According to recent statements by SEC Commissioner Hester Peirce, however, doing so increases the likelihood that the NFT would be deemed a security under the Howey test.[3] That likelihood grows where the NFT issuer or a third party claim to be able to help increase the NFT’s value.

V. Climate Change

A major issue that has arisen related to NFTs— and cryptocurrency generally—is their believed effect on the environment. Articles abound comparing the energy consumption of the Ethereum blockchain to entire countries. An analysis by Cambridge University asserts that what it calls the “Bitcoin network” uses more energy than Argentina.[4] NFTs thus have proven somewhat controversial, with one online marketplace for digital artists dropping its plans to launch an NFT platform after backlash that included an artist labeling NFTs an “ecological nightmare pyramid scheme.”[5]

Some contend that these ecological concerns are exaggerated and misleading, noting that NFTs themselves do not cause carbon emissions. As one platform wrote in a recent blog post, “Ethereum has a fixed energy consumption at a given point of time.”[6] The carbon footprint of the Ethereum blockchain would be the same if people minted more NFTs or stopped minting them altogether. But even the post acknowledges that “[i]t is true that Ethereum is energy intensive.”[7]

The crypto energy consumption issue relates to how blockchain technology currently operates. To validate a transaction—and engender trust in a system that is not backed by any central bank or other government authority—the blockchain network relies on a method called “Proof of Work.” The hashing function described above that allows the blocks to be chained together requires complex mathematical equations that only powerful computers can solve. “Miners” must solve these equations to add a new block to the chain. As incentive to solve the mathematical puzzles, the miner receives a reward of new tokens or transaction fees.

The energy costs to complete the hash functions under the Proof of Work model can be high, with miners using entire data centers to compete to solve the puzzles first and garner the reward. To mitigate any environmental effects, mining sites may increasingly rely on renewable energy and “stranded” energy, which is surplus energy created, for example, by excess power that some hyrdroelectric dams around the world generate during rainy seasons.

Another option, at least for the Ethereum blockchain, is moving to a “Proof of Stake” model. Rather than relying on miners using significant amounts of electricity in a race to solve an equation the fastest, the Proof of Stake model involves validators of transactions who are assigned randomly via an algorithm. These validators also have to commit some of their own cryptocurrency, giving them a “stake” in keeping the blockchain accurate.

Reports indicate that Ethereum may move to the Proof of Stake model as soon as this year.[8] Doing so would decrease energy consumption associated with NFTs, allow more transactions per second than in the Proof of Work model, and seemingly remove (or at least mitigate) an apparent drag on the willingness of some to embrace NFTs.

At the same time, one recent article noted what a crypto-mining finance company executive called the “‘inherent security issue of using the native tokens of a blockchain to decide the future of those tokens or the blockchain.’”[9] If the value of the tokens fall, the value of a validator’s stake falls along with it. The validator then has less to lose if they decide to propose an incorrect transaction or otherwise misbehave.

VI. Conclusion

NFTs present significant opportunities for content creators and owners, but they also present novel legal and policy issues across a wide range of areas as the technology continues to evolve. Beyond those listed here, areas of potential concern include Commodities/Derivatives, Tax, Data Privacy, and Cross-Border Transactions. Understanding the potential complications of moving into the NFT space is a necessity in anticipation of the regulatory scrutiny and litigation that often follow similar explosions of interest and investment.

_______________________

[1] https://www.sec.gov/news/public-statement/statement-potentially-unlawful-promotion-icos (Nov. 1, 2017).

[2] Id.

[3] https://cointelegraph.com/news/sec-s-crypto-mom-warns-selling-fractionalized-nfts-could-break-the-law (Mar. 26, 2021).

[4] https://www.bbc.com/news/technology-56012952 (Feb. 10, 2021).

[5] https://www.theverge.com/2021/3/15/22328203/nft-cryptoart-ethereum-blockchain-climate-change (Mar. 15, 2021).

[6] https://medium.com/superrare/no-cryptoartists-arent-harming-the-planet-43182f72fc61 (Mar. 2, 2021).

[7] Id.

[8] https://www.coindesk.com/ethereum-proof-of-stake-sooner-than-you-think (Mar. 17, 2021).

[9] https://cryptonews.com/exclusives/proof-of-disagreement-bitcoin-s-work-vs-ethereum-s-planned-s-9788.htm (Apr. 3, 2021).

The following Gibson Dunn lawyers assisted in the preparation of this client update: Michael Dore and Jeffrey Steiner.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s Media, Entertainment & Technology Practice Group:

Scott A. Edelman – Co-Chair, Media, Entertainment & Technology Practice, Los Angeles (+1 310-557-8061, sedelman@gibsondunn.com)
Kevin Masuda – Co-Chair, Media, Entertainment & Technology Practice, Los Angeles (+1 213-229-7872, kmasuda@gibsondunn.com)
Orin Snyder – Co-Chair, Media, Entertainment & Technology Practice, New York (+1 212-351-2400, osnyder@gibsondunn.com)
Brian C. Ascher – New York (+1 212-351-3989, bascher@gibsondunn.com)
Michael H. Dore – Los Angeles (+1 213-229-7652, mdore@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Ilissa Samplin – Los Angeles (+1 213-229-7354, isamplin@gibsondunn.com)
Nathaniel L. Bach – Los Angeles (+1 213-229-7241,nbach@gibsondunn.com)

Please also feel free to contact the following members of the firm’s Digital Currencies and Blockchain Technology team:

Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, jsteiner@gibsondunn.com)
Arthur S. Long – New York (+1 212-351-2426, along@gibsondunn.com)
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202-955-8220, kday@gibsondunn.com)
Thomas J. Kim – Washington, D.C. (+1 202-887-3550, tkim@gibsondunn.com)
Judith Alison Lee – Washington, D.C. (+1 202-887-3591, jalee@gibsondunn.com)
Alexander H. Southwell – New York (+1 212-351-3981, asouthwell@gibsondunn.com)
S. Ashlie Beringer – Palo Alto (+1 650-849-5327, aberinger@gibsondunn.com)
Michael H. Dore – Los Angeles (+1 213-229-7652, mdore@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On February 18, 2021, the U.S. Office of Foreign Assets Control (OFAC), an agency of the Treasury Department that administers and enforces U.S. economic and trade sanctions, issued an enforcement release of a settlement agreement with BitPay, Inc. (BitPay) for apparent violations relating to Bitpay’s payment processing solution that allows merchants to accept digital currency as payment for goods and services.[1] OFAC found that BitPay allowed users apparently located in sanctioned countries and areas to transact with merchants in the United States and elsewhere using the BitPay platform, even though BitPay had Internet Protocol (IP) address data for those users. The users in sanctioned countries were not BitPay’s direct customers, but rather its customer’s customers (in this case the merchants’ customers).

The BitPay action follows an OFAC December 30, 2020 enforcement release of a settlement agreement with BitGo, Inc. (BitGo), also for apparent violations related to digital currency transactions.[2] BitGo offers, among other services, non-custodial secure digital wallet management services, and OFAC found that BitGo failed to prevent users located in the Crimea region of Ukraine, Cuba, Iran, Sudan and Syria from using these services. OFAC determined that BitGo had reason to know the location of these users based on IP address data associated with the devices used to log into its platform.

This Alert discusses these developments.

I. OFAC’s Enforcement Against BitGo

BitGo, which was founded in 2013 and is headquartered in Palo Alto, California, is self-described as “the leader in digital asset financial services, providing institutional investors with liquidity, custody, and security solutions.”[3] As OFAC explained in its enforcement release, the company agreed to remit $98,830 to settle potential civil liability related to 183 apparent violations of multiple sanctions programs. OFAC specifically claimed that between 2015 and 2019, deficiencies in BitGo’s sanctions compliance procedures led to BitGo’s failing to prevent individuals located in the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria from using BitGo’s non-custodial secure digital wallet management service despite having reason to know that these individuals were located in sanctioned jurisdictions. Reason to know was based on BitGo’s having IP address data associated with the devices that these individuals used to log in to the BitGo platform. According to OFAC, BitGo processed 183 digital currency transactions on behalf of these individuals, totaling $9,127.79.

According to the OFAC release, prior to April 2018, BitGo had allowed individual users of its digital wallet management services to open an account by providing only a name and email address. In April 2018, BitGo supplemented this practice by requiring new users to verify the country in which they were located, with BitGo generally relying on the user’s attestation regarding his or her location rather than performing additional verification or diligence on the user’s location. In January 2020, however, BitGo discovered the apparent violations of multiple sanctions compliance programs. It thereupon implemented a new OFAC Sanctions Compliance Policy and undertook significant remedial measures. This new policy included appointing a Chief Compliance Officer, blocking IP addresses for sanctioned jurisdictions, and keeping all financial records and documentation related to sanctions compliance efforts.

II. OFAC’s Enforcement Against BitPay

BitPay, which was founded in 2011 and is headquartered in Atlanta, Georgia, provides digital asset management and payment services that enable consumers “to turn digital assets into dollars for spending at tens of thousands of businesses.”[4] As OFAC explained in its enforcement release, BitPay agreed to remit $507,375 to settle potential civil liability related to 2,102 apparent violations of multiple sanctions programs. OFAC specifically claimed that between 2013 and 2018, deficiencies in BitPay’s sanctions compliance procedures led to BitPay’s allowing individuals who appear to have been located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria to transact with merchants in the United States and elsewhere using digital currency on BitPay’s platform despite BitPay having location data, including IP addresses, about those individuals prior to effecting the transactions.

BitPay allegedly “received digital currency payments on behalf of its merchant customers from those merchants’ buyers who were located in sanctioned jurisdictions, converted the digital currency to fiat currency, and then relayed that currency to its merchants.” According to OFAC, BitPay processed 2,102 such transactions totaling $128,582.61. Although BitPay had (i) screened its direct customers (i.e., its merchant customers) against OFAC’s List of Specially Designated Nationals and Blocked Persons and (ii) conducted due diligence on the merchants to ensure they were not located in sanctioned jurisdictions, BitPay failed to screen location data that it obtained about its merchants’ buyers—BitPay had begun receiving buyers’ IP address data in November 2017, and prior to that received information that included buyers’ addresses and phone numbers. BitPay had implemented sanctions compliance controls as early as 2013, including conducting due diligence and sanctions screening on its merchants, and formalized its sanctions compliance program in 2014. However, following its apparent violations, BitPay supplemented its program with the following:

Blocking IP addresses that appear to originate in Cuba, Iran, North Korea, and Syria from connecting to the BitPay website or from viewing any instructions on how to make payment;
Checking physical and email addresses of merchants’ buyers when provided by the merchants to prevent completion of an invoice from the merchant if BitPay identifies a sanctioned jurisdiction address or email top-level domain; and
Launching “BitPay ID,” a new customer identification tool that is mandatory for merchants’ buyers who wish to pay a BitPay invoice equal to or above $3,000. As part of BitPay ID, the merchant’s customer must provide an email address, proof of identification/photo ID, and a selfie photo.

III. Conclusion

The major takeaway from these two enforcement cases is that OFAC expects digital asset companies to use IP address data or other location data—even for their customers’ customers—to screen that location information as part of their OFAC compliance function. OFAC will undoubtedly be considering whether a company has screened such information in assessing whether to impose a penalty. More guidance on OFAC’s perspective on the essential components of a sanctions compliance program is available in A Framework for OFAC Compliance Commitments, which OFAC published in May 2019. In addition, we anticipate ongoing scrutiny by OFAC of digital asset companies, given that key Treasury Department policymakers continue to express concerns about digital assets being used to avoid economic sanctions and anti-money laundering compliance.[5]

_____________________

[1] OFAC Enters Into $507,375 Settlement with BitPay, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions (Feb. 18, 2021), available at https://home.treasury.gov/system/files/126/20210218_bp.pdf.

[2] OFAC Enters Into $98,830 Settlement with BitGo, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions (Dec. 30, 2020), available at https://home.treasury.gov/system/files/126/20201230_bitgo.pdf.

[3] See BitGo Announces $16 Billion in Assets Under Custody (December 21, 2020), available at https://www.bitgo.com/newsroom/press-releases/bitgo-announces-16-billion-in-assets-under-custody.

[4] See For a Limited Time BitPay and Simplex Partner to Offer Zero Fees on Crypto Purchases for All of Europe (EEA) (February 15, 2021), available at https://www.businesswire.com/news/home/20210215005244/en/For-a-Limited-Time-BitPay-and-Simplex-Partner-to-Offer-Zero-Fees-on-Crypto-Purchases-for-All-of-Europe-EEA.

[5] U.S. Treasury Department Holds Financial Sector Innovation Policy Roundtable (February 10, 2021), available at https://home.treasury.gov/news/press-releases/jy0023.

The following Gibson Dunn lawyers assisted in preparing this client update: Arthur Long, Judith Alison Lee, Jeffrey Steiner and Rama Douglas.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s Financial Institutions, Derivatives, or International Trade practice groups:

Financial Institutions and Derivatives Groups:
Matthew L. Biben – New York (+1 212-351-6300, mbiben@gibsondunn.com)
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202-955-8220, kday@gibsondunn.com)
Mylan L. Denerstein – New York (+1 212-351- 3850, mdenerstein@gibsondunn.com)
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, mkirschner@gibsondunn.com)
Arthur S. Long – New York (+1 212-351-2426, along@gibsondunn.com)
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, jsteiner@gibsondunn.com)

International Trade Group:
Judith Alison Lee – Washington, D.C. (+1 202-887-3591, jalee@gibsondunn.com)
Adam M. Smith – Washington, D.C. (+1 202-887-3547, asmith@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Now that the first 100 days of the Biden Administration are in full swing, its financial regulatory priorities are becoming clearer. In this Client Alert, we discuss where we expect the Administration to focus, with respect to the banking, fintech, and derivatives sectors.

We believe these to be the principal takeaways:

The Administration’s whole-of-government emphasis on climate change issues should inform the regulatory agencies’ agendas far more than in the past.
The Administration’s focus on racial justice will likely lead to increased enforcement activities, particularly by the Consumer Financial Protection Bureau (CFPB), as well as to a reexamination of the Office of the Comptroller of the Currency’s (OCC) recently revised Community Reinvestment Act (CRA) regulations.
President Biden’s choices to head the OCC, Securities and Exchange Commission (SEC), and Commodity Futures Trading Commission (CFTC) will have significant input into the regulation of digital assets and fintech, with certain Trump-era regulations likely being subject to reexamination.
The CFPB can be expected to return to Obama Administration priorities and enforcement activity, with large financial institutions the likely targets.
The CFTC is likely to increase its aggressive enforcement in the derivatives and commodities markets, as well as maintain a keen focus on climate-related risks in those markets.
At the federal legislative level, Representative Maxine Waters (D-CA) and Senator Sherrod Brown (D-OH), both committee chairs, will likely focus on pandemic relief, inequity in housing, consumer protection, and climate change; in addition, cannabis banking legislation may finally be advanced.
In the immediate future, Congress is focused on the market volatility brought to light by the GameStop short squeeze, including a House Financial Services Committee hearing currently scheduled for February 18th with high-level executives of Robinhood, Citadel, Reddit, and Melvin Capital testifying. The House Financial Services Committee and Senate Banking Committee are also likely to consider legislation to ensure more market stability and possibly regulate order-flow payments.

A. Overarching Administration Priorities: Combatting Climate Change and Advancing Racial Justice

1. Climate Change

Climate change will be a new priority for the financial regulators. At her confirmation hearing, Treasury Secretary Janet Yellen called climate change an “existential threat” and stated that she plans to create a special unit, led by a senior official, to examine the risks that climate change poses to the financial system.[1] It is therefore reasonable to expect that the Financial Stability Oversight Council (FSOC), which Secretary Yellen chairs, will investigate climate-related risks. In December 2020, Senator Dianne Feinstein (D-CA) introduced the Addressing Climate Financial Risk Act, which among other things would establish a permanent FSOC committee to advise the FSOC in producing a report on how to improve the ability of the financial regulatory system to identify and mitigate climate risk.[2] Although Senator Feinstein’s bill will have to be reintroduced this year in the new Congress, Senator Feinstein has called on Secretary Yellen to implement key provisions of the bill via executive action.[3]

In a September 2020 report, titled “Managing Climate Risk in the U.S. Financial System” (the “Report”), the CFTC’s Climate-Related Market Risk Subcommittee of the Market Risk Advisory Committee recommended that the FSOC incorporate climate-related financial risks into its existing oversight function.[4] The Report makes the following policy recommendations:

Congress should establish a price on carbon through legislation; this would be the single most important step to manage climate risk and drive an appropriate allocation of capital.
Financial regulators should actively promote, and in some cases require, better understanding, quantification, disclosure, and management of climate-related risks by financial institutions and other market participants.
Financial regulators should undertake and assist financial institutions to undertake their own pilot climate-risks stress testing.
International collaboration and harmonization should be sought, and indeed, are critical for success in this area.

The Federal Reserve too has started to focus on climate issues. It created a Supervision Climate Committee, a system-wide group meant to build out the Federal Reserve’s capacity to understand the potential implications of climate change for financial institutions, infrastructure, and the markets.[5] In addition, the Federal Reserve is continuing its engagement with the Basel Committee on Banking Supervision’s Task Force on Climate-Related Financial Risks to develop recommendations for effective supervisory practices to mitigate climate-related financial risks, and has started to incorporate climate analysis into its Financial Stability Report and Supervision and Regulation Report.[6] And in December, the Federal Reserve became a full member of the Network for Greening the Financial System, a group of central banks and supervisors working to define and promote green finance best practices.[7] In addition, just this month, a paper published by the Federal Reserve Bank of San Francisco noted that the Federal Reserve has begun incorporating the impacts of global warming into its regulations, including by using climate stress tests and climate scenario analysis to measure banks’ vulnerability to climate-related losses.[8]

2. Advancing Racial Justice

The financial regulatory agency most likely to take the lead on racial justice issues is the CFPB. Acting CFPB Director Dave Uejio recently wrote that, in addition to pandemic-related relief, racial equity was his top priority, and that fair lending enforcement would be a major part of this focus.[9] On February 4^th, Acting Director Uejio stated that he was asking the CFPB’s Division of Research, Markets, and Regulations to

prepare an analysis on housing insecurity, including mortgage foreclosures, mobile home repossessions, and landlord-tenant evictions;
prepare an analysis of the most pressing consumer finance barriers to racial equity to inform research and rulemaking priorities;
explicitly include in policy proposals the racial equity impact of the policy intervention;
resume data collections paused at the beginning of the pandemic, including HMDA quarterly reporting and the CARD Act data collection, as well as the previously completed 1071 data collection and the ongoing PACE data collection;

focus the mortgage servicing rulemaking on pandemic response to avert, to the extent possible, a foreclosure crisis when the COVID-19 forbearances end in March and April; and
explore options for preserving the status quo with respect to Qualified Mortgage and debt collection rules.[10]

Through such actions, the Biden CFPB would join in the efforts of certain states that have made strides in fair lending regulation, passing legislation to regulate more strictly student loan servicers[11] and to mandate small business truth-in-lending disclosures.[12] One should also expect the CFPB to investigate algorithmic models used in credit underwriting as to whether those models disparately impact minority borrowers.

The CRA will be another focus. In May 2020, under Acting Comptroller Brooks, the OCC finalized a substantial change to its CRA regulations, which community groups severely criticized.[13] The Federal Reserve and Federal Deposit Insurance Corporation declined to join the OCC’s action, and in October 2020, the Federal Reserve published an Advanced Notice of Proposed Rulemaking to solicit input regarding modernizing its CRA regulatory and supervisory framework, taking a different approach from the OCC’s.[14] We expect that a Biden-appointed Comptroller of the Currency is likely to revisit Acting Comptroller Brooks’ revisions.

B. Other Expected Priorities

1. Digital Assets and Cryptocurrencies

How President Biden staffs the heads of three regulatory agencies – the SEC, OCC and CFTC – may have significant effects on the regulation of digital assets and cryptocurrencies.[15] Gary Gensler, nominated to head the SEC and the former Chair of the CFTC, is now a Senior Faculty Advisor to the Digital Currency Initiative at MIT’s Sloan School of Management, where he teaches classes on blockchain technology and digital currencies.[16] Michael Barr, a Treasury official in both the Clinton and Obama Administrations, has been identified as a leading candidate to head the OCC; Mr. Barr has served as an advisor to Ripple, on Lending Club’s board, and on the fintech advisory council for the Bill and Melinda Gates Foundation.[17] And Chris Brummer, a Georgetown Law professor who was twice nominated as a CFTC Commissioner in the Obama Administration, has been mentioned as a potential CFTC Chair; when at Georgetown Law, he founded DC Fintech Week.[18]

Each of these agencies will have important digital asset and cryptocurrency issues on its agenda. Just at the end of the Trump Administration, the SEC brought an enforcement action against Ripple Labs Inc. and two of its executives on the grounds that the sale of Ripple’s digital asset, XRP, was an unregistered securities offering under the federal securities laws.[19] A Gensler-led SEC will need to decide whether to continue this action, whether to provide guidance on which digital tokens are securities, and whether digital asset exchanges have to register as national securities exchanges or alternative trading systems.[20] Although Mr. Gensler has espoused openness to helping digital assets and cryptocurrencies reach their “real potential in the world of finance,” even if doing so requires “tailor[ing] some of th[e] rules and regulations” to their ecosystem, he has also taken the view that “100 to 200” exchanges “are basically operating outside of U.S. law.”[21]

A second issue that the Gensler-led SEC will need to address is custody. During the Trump Administration, the SEC issued a statement and requested comments regarding the application of the Customer Protection Rule (Rule 15c3-3) to cryptocurrencies and other digital assets. Similar to a safe-harbor provision, the statement essentially maps a path for specialized broker-dealers to operate for five years without fear of an enforcement action in this area where they maintain physical possession or control of digital asset securities.[22] With the request for comment, however, the SEC suggests that it is looking to establish permanent rules in this area.

At the end of the Trump Administration, the OCC moved to the forefront of cryptocurrency regulation by approving the charter conversion application of Anchorage Trust Company.[23] A second charter conversion application was approved just last week, for Protego Trust Company.[24] Whether the OCC will continue to stake out this leadership position under a new Comptroller is therefore a significant question. On these issues, the fact that there has been controversy about who the new Comptroller will in fact be – progressives have been pushing President Biden to name Professor Mehrsa Baradaran, in part because of her skepticism about fintech, rather than Michael Barr – makes it more difficult to offer definitive predictions.

The CFTC, moreover, remains an important regulator in the area. It has jurisdiction over futures and other derivatives contracts on cryptocurrencies, which continue to be developed, and it also has jurisdiction over manipulation in the spot markets for cryptocurrencies that are not securities (e.g., bitcoin and ether) if such manipulation affects a CFTC-regulated futures market. Given the recent significant volatility and meteoric rise in prices in Bitcoin and other cryptocurrencies, the CFTC’s aggressiveness in exercising its legal authority in these areas could have substantial effects.

2. Fintech: The OCC and Trump Administration Rulemakings

Before leaving government service, Trump Acting Comptroller of the Currency Brian Brooks oversaw several important actions of particular relevance to fintech companies.

The first relates to the so-called “Special Purpose National Bank Charter” for financial technology companies, which was first announced by Obama Administration Comptroller of the Currency Thomas Curry in late 2016.[25] The New York State Department of Financial Services (NYDFS) reacted to this development by suing the OCC, arguing that the OCC did not have the authority under the National Bank Act to grant such charters. A district judge in the United States District Court for the Southern District of New York agreed with NYDFS,[26] and this case is on appeal to the Second Circuit Court of Appeals.[27] In November 2020, the OCC accepted a charter application by the fintech Figure Technologies, Inc. and was shortly thereafter sued again – this time by the Conference of State Bank Supervisors Inc. (CSBS) in federal district court in Washington, DC.[28] The new Comptroller will have to determine whether to press ahead with – and defend in court – the “Special Purpose National Bank” and other non-traditional charters.

The other significant actions taken by the OCC under Acting Comptroller Brooks were two rules passed in response to the 2015 Second Circuit decision, Madden v. Midland Funding LLC.[29] Madden limited the application of National Bank Act preemption of state usury laws in the case of nonbanks that purchase debt originated by a national bank.[30] For many fintechs and other nonbank lenders that partner with loan-originating banks, the Madden decision increased uncertainty as to whether nonbanks become subject to state interest rate caps upon purchasing a loan that, at the time of origination, was not subject to the same requirements. In 2020, the OCC issued the “valid-when-made” rule, which took the position that “interest permissible before [a loan] transfer continues to be permissible after the transfer,”[31] and the “true lender” rule, which stated that a national bank is the “true lender” for a loan if the national bank is either named as such on the loan documents or funds the loan.[32]

As in the case of the “Special Purpose National Bank” charter, certain states challenged the rules in federal court.[33] The states argued that the OCC exceeded its statutory authority in issuing the rules and also focused on the rules’ effects on the states’ authority to regulate interest rates and enforce consumer protection laws more broadly, claiming that the rules are “contrary to Congressional actions to rein in the OCC’s ability to preempt state consumer protection laws.”[34] Briefing is underway on cross-motions for summary judgment regarding the “valid-when-made” rule, and a hearing is calendared for mid-March.[35] With the proceedings regarding the true lender rule only a few months behind, these two cases may provide early indications about the new Comptroller’s priorities.

3. An Invigorated CFPB

Rohit Chopra, President Biden’s appointee for the CFPB Director, served in the Obama Administration as the CFPB’s expert on the student loan industry; he also served as a Democratic FTC Commissioner during the Trump Presidency. If confirmed, his appointment suggests that the CFPB will become a more active enforcement agency, as was the case in the Obama Administration. Mr. Chopra’s public statements while FTC Commissioner have encompassed the following important themes: (i) a focus of enforcement efforts on larger firms rather than small businesses; (ii) targeting firms that facilitate and profit from the largest frauds; (iii) shifting from one-off enforcement actions to systemic enforcement efforts; (iv) making greater use of rulemaking, including by codifying enforcement policy; and (v) co-operating with state attorneys general in the enforcement process.[36] The CFPB may also be expected – like the OCC as described above – to revisit certain Trump-era rulemakings, such as its rulemakings on payday lending, qualified mortgages, and debt collection.

4. Shifting Priorities and Continuing Enforcement at the CFTC

Like the SEC, the CFTC will become a majority-Democratic Commission. It is possible that a new CFTC may seek to revisit some of the rules that were finalized on party-line votes under the Trump Administration. For example, in July 2020, the CFTC approved, by a 3-2 party line vote, a final rule addressing cross-border application of the swap dealer and major swap participant registration requirements.[37] In dissent, Commissioner Rostin Behnam criticized the final rule as “refusing to appropriately retain jurisdiction . . . over transactions that are arranged, negotiated or executed in the United States by non-U.S. [swap dealers].”[38] Commissioner Dan Berkovitz critiqued the final rule for “par[ing] back . . . extraterritorial application” of the Commodity Exchange Act (CEA) and setting “a weak and vague standard” for substituted compliance under a “comparable” regulatory regime.[39] Although Professor Brummer, a contender to lead the CFTC, has written extensively about the role of supervisory cooperation and coordination among international regulators,[40] he has also emphasized that the U.S. should “lead by example” and first “commit to the highest standards” before partnering with regulators abroad “who are like-minded,” indicating that he too would support a stronger cross-border rule.[41]

A changed CFTC is likely to result in increased enforcement and collaboration between the CFTC and other agencies, like the Department of Justice. For instance, in October 2020, the DOJ and the CFTC brought related actions against BitMEX based on allegations that BitMEX illegally operated a cryptocurrency derivatives trading platform and violated the anti-money laundering provisions of the Bank Secrecy Act.[42] In December 2020, the CFTC announced a settlement with Vitol, Inc., marking the CFTC’s first public action coming out of its initiative to pursue violations of the CEA involving foreign corruption.[43] The CFTC worked with the Department of Justice and the United States Attorney’s Office for the Eastern District of New York, which announced a Deferred Prosecution Agreement with Vitol the same day.

C. Congressional Priorities

With a Democratic majority in both houses of Congress, legislative priorities will be shaped by the two relevant Committee chairs, Maxine Waters (D-CA) and Sherrod Brown (D-OH).

In December 2020, Representative Waters sent President Biden a public letter with recommendations on areas where she thinks immediate action should be taken.[44] These include:

Promoting stable and affordable housing;
Increasing CFPB enforcement of consumer financial protection laws;
Restoring and enhancing regulatory safeguards on the financial system, including reversing rules that eased prudential requirements for large banks and strengthening the capital regulatory framework;
Addressing discriminatory lending issues; and
Focusing on climate risks, particularly in the insurance sector.

The hearings scheduled by the House Financial Services Committee also provide insight into what issues the committee believes are the most pressing, including the need for additional pandemic relief, particularly for small and minority-owned businesses, climate change, and lending discrimination. Given recent events, the Committee has also scheduled hearings on the recent market volatility involving GameStop and domestic terrorist financing.[45]

In the Senate, Sherrod Brown (D-OH), the chairman of the Senate Banking Committee, is likely to take a more aggressive stance toward the financial services industry than his predecessor, Senator Mike Crapo (R-ID). Senator Brown is known as one of Congress’s fiercest critics of Wall Street, and plans to reorient the focus of the Banking Committee on addressing the fallout of the pandemic and climate change, and strengthening regulations.[46] Senator Brown’s focus in the immediate future is extending protections from eviction, and affordable housing and housing access will continue to be a priority for the committee.[47] Senator Brown is also keen on a public-banking option and caps on interests rates for payday loans, and has said he intends to investigate the relationship among stock prices, executive compensation, and workers’ wages.[48]

A final area of potential legislative action is cannabis banking. In Congress, the SAFE Banking Act, a bill that would enable banks to offer financial services to legitimate marijuana- and hemp-related businesses, could be re-introduced. Because cannabis remains classified as a Schedule I controlled substance, most financial institutions refrain from providing services to legal cannabis businesses out of fear of adverse regulatory and supervisory action and federal forfeiture based on racketeering or trafficking charges. The SAFE Banking Act would prohibit such regulatory actions and shield banks from liability premised solely on the provision of financial services to a marijuana- or hemp-related business. The SAFE Banking Act passed the House with bipartisan support in 2019, and was originally included in the Heroes Act, passed by the House in May 2020 in response to the COVID-19 pandemic. However, the bill was dropped from the COVID relief measures ultimately enacted in December 2020, and the bill has not come up for a vote yet in the Senate despite some bipartisan support.

______________________

[1] Zachary Warmbrodt, Yellen vows to set up Treasury team to focus on climate, in victory for advocates, Politico (Jan. 19, 2021), https://www.politico.com/news/2021/01/19/yellen-treasury-department-climate-change-460408.

[2] Senator Dianne Feinstein, Press Releases, Feinstein Introduces Bill to Minimize Climate Change Risk in Financial System (Dec. 17, 2020), https://www.feinstein.senate.gov/public/index.cfm/press-releases?ID=27A04819-E44D-435C-AB06-FBC9D6051EB2.

[3] Senator Dianne Feinstein, Press Releases, Feinstein to Secretary Yellen: Use Financial System to Mitigate Climate Change Risk (Jan. 28, 2021), https://www.feinstein.senate.gov/public/index.cfm/press-releases?id=F494CF21-B927-404B-876A-CF80D3231985.

[4] U.S. Commodity Futures Trading Commission Climate-Related Market Risk Subcommittee, Managing Climate Risk in the U.S. Financial System (2020), available at https://www.cftc.gov/sites/default/files/2020-09/
9-9-20%20Report%20of%20the%20Subcommittee%20on%20Climate-Related%20Market%20
Risk%20-%20Managing%20Climate%20Risk%20in%20
the%20U.S.%20Financial%20System%20for%20posting.pdf.

[5] Fed. Reserve Bank of N.Y., Press Release, Kevin Stiroh to Step Down as Head of New York Fed Supervision to Assume New System Leadership Role at Board of Governors on Climate (Jan. 25, 2021), https://www.newyorkfed.org/newsevents/news/aboutthefed/2021/20210125.

[6] Lael Brainerd, Strengthening the Financial System to Meet the Challenge of Climate Change (Dec. 18, 2020), available at https://www.federalreserve.gov/newsevents/speech/brainard20201218a.htm.

[7] See Central Banks and Supervisors Network for Greening the Financial System, https://www.ngfs.net/en.

[8] Glenn D. Rudebusch, FRBSF Economic Letter, Climate Change Is a Source of Financial Risk, Fed. Reserve Bank of S.F. (Feb. 8, 2021), https://www.frbsf.org/economic-research/publications/economic-letter/2021/february/climate-change-is-source-of-financial-risk/.

[9] Dave Uejio, The Bureau is taking much-needed action to protect consumers, particularly the most economically vulnerable (Jan. 28, 2021), https://www.consumerfinance.gov/about-us/blog/the-bureau-is-taking-much-needed-action-to-protect-consumers-particularly-the-most-economically-vulnerable/.

[10] Dave Uejio, The Bureau is working hard to address housing insecurity, promote racial equity, and protect small businesses’ access to credit (February 4, 2021), https://www.consumerfinance.gov/about-us/blog/the-bureau-is-working-hard-to-address-housing-insecurity-promote-racial-equity-and-protect-small-businesses-access-to-credit/.

[11] See, e.g., Jeremy Sairsingh, State Regulation of Student Loan Servicing Continues to Evolve, Am. Bar Assoc. (July 13, 2020), https://www.americanbar.org/groups/business_law/
publications/committee_newsletters/consumer/2020/202007/state-regulation/.

[12] See, e.g., Dafina Williams, Policies to Require Transparency in Small Business Lending Gain Momentum, Opportunity Fin. Network (Oct. 14, 2020), https://ofn.org/articles/policies-require-transparency-small-business-lending-gain-momentum.

[13] See, e.g., Nat’l Cmty. Reinvestment Coal., et al., Joint Statement on CRA Rule Changes from OCC (May 21, 2020), https://ncrc.org/joint-statement-on-cra-rule-changes-from-occ/.

[14] Community Reinvestment Act, 12 C.F.R. 228 (proposed Oct. 19, 2020).

[15] Ephrat Livni, What’s Next for Crypto Regulation, N.Y. Times (Jan. 30, 2021), https://www.nytimes.com/2021/01/30/business/dealbook/crypto-regulation-blockchain.html.

[16] See Gary Gensler Faculty Advisor Profile, available at https://dci.mit.edu/team.

[17] John Adams, Biden’s OCC expected to chart new course for fintechs, crypto, AML, Am. Banker (Jan. 27, 2021), https://www.americanbanker.com/news/bidens-occ-expected-to-chart-new-course-for-fintechs-crypto-aml.

[18] See About DC Fintech Week, available at https://www.dcfintechweek.org/; Chris Brummer, Faculty Profile, https://www.law.georgetown.edu/faculty/chris-brummer/.

[19] Complaint, SEC v. Ripple Labs, Inc., No. 1:20-cv-10832 (S.D.N.Y. Dec. 22, 2020).

[20] Although the SEC brought its first enforcement action for operating an unregistered exchange in 2018, and has brought at least one other such action, these matters have not been as significant as the Ripple action. See SEC, Press Release, SEC Charges EtherDelta Founder with Operating an Unregistered Exchange (Nov. 8, 2018), https://www.sec.gov/news/press-release/2018-258; SEC, Press Release, SEC Charges Dallas Company and its Founders with Defrauding Investors in Unregistered Offering and Operating Unregistered Digital Asset Exchange (Aug. 29, 2019), https://www.sec.gov/news/press-release/2019-164. For additional discussion of crypto securities registration cases, see our bi-annual Securities Enforcement updates, available here.

[21] Annalieae Milano, Everything Ex-CFTC Chair Gary Gensler Said About Cryptos Being Securities, Coindesk (Apr. 24, 2018), https://www.coindesk.com/ex-cftc-chair-gary-gensler-on-tokens-securities-and-the-sec.

[22] SEC, Press Release, SEC Issues Statement and Requests Comment Regarding the Custody of Digital Asset Securities by Special Purpose Broker-Dealers (Dec. 23, 2020), https://www.sec.gov/news/press-release/2020-340.

[23] OCC, News Release 2021-6, OCC Conditionally Approves Conversion of anchorage Digital Bank (Jan. 13, 2021), https://www.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-6.html.

[24] OCC, News Release 2021-19, OCC Conditionally Approves Conversion of Protego Trust Bank (Feb. 5, 2021), https://www.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-19.html.

[25] OCC, Exploring Special Purpose National Bank Charters for Fintech Companies (Dec. 2016), https://www.occ.gov/publications-and-resources/publications/banker-education/files/pub-special-purpose-nat-bank-charters-fintech.pdf.

[26] Vullo v. Office of Comptroller of Currency, 378 F. Supp. 3d 271, 292 (S.D.N.Y. 2019) (finding that “the term ‘business of banking,’ as used in the [National Bank Act], unambiguously requires receiving deposits as an aspect of the business”); Lacewell v. Office of the Comptroller of the Currency, 2019 WL 6334895, at * 1–2 (S.D.N.Y. Oct. 21, 2019) (prohibiting the OCC from issuing charter to non-depository fintech applicants).

[27] See Lacewell v. Office of the Comptroller of the Currency, No. 19-4271 (2d Cir. Dec. 16, 2020), ECF No. 108.

[28] Complaint at ¶¶ 1, 3, Conference of State Bank Supervisors v. Office of the Comptroller of the Currency, No. 20-cv-3797 (D.D.C. Dec. 22, 2020).

[29] See generally Madden v. Midland Funding, LLC, 786 F.3d 246 (2d Cir. 2015).

[30] Id. at 250–51.

[31] Permissible Interest on Loans That Are Sold, Assigned, or Otherwise Transferred, 85 Fed. Reg. 33,530 (June 2, 2020) (to be codified at 12 CFR Parts 7 and 160).

[32] National Banks and Federal Savings Associations as Lenders, 85 FR 68742 (Oct. 30, 2020) (to be codified at 12 CFR Part 7).

[33] See Sylvan Lane, Seven states sue regulator over ‘true lender’ rule on interest rates, The Hill (Jan. 5, 2021), https://thehill.com/policy/finance/532759-seven-states-sue-regulator-over-true-lender-rule-on-interest-rates?rl=1.

[34] Complaint at ¶¶ 11–12, People of the State of New York v. Office of the Comptroller of the Currency, No. 21-cv-00057 (S.D.N.Y Jan. 5, 2021) (challenging “true lender” rule); accord Complaint at ¶¶ 7–9, People of the State of California v. Office of the Comptroller of the Currency, No. 20-cv-05200 (N.D. Cal., July 29, 2020) (challenging valid-when-made rule).

[35] Order Granting As Modified Joint Stipulation, No. 20-cv-05200 (N.D. Cal. Oct. 5, 2020) (setting briefing schedule).

[36] See https://www.ftc.gov/about-ftc/biographies/rohit-chopra/speeches-articles-testimonies.

[37] CFTC, Press Release, CFTC Approves Final Cross-Border Swaps Rule and an Exempt SEF Amendment Order at July 23 Open Meeting (July 23, 2020), https://www.cftc.gov/PressRoom/PressReleases/8211-20.

[38] Public Statement, Dissenting Statement of Commissioner Rostin Behnam Regarding the Cross-Border Application of the Registration Thresholds and Certain Requirements Applicable to SDs and MSPs – Final Rule (July 23, 2020), https://www.cftc.gov/PressRoom/SpeechesTestimony/behnamstatement072320

[39] Public Statement, Dissenting Statement of Commissioner Dan M. Berkovitz on the Final Rule for Cross-Border Swap Activity of Swap Dealers and Major Swap Participants (July 23, 2020), https://www.cftc.gov/PressRoom/SpeechesTestimony/berkovitzstatement072320 (quoting Kadhim Shubber, US regulator investigates oil fund disclosures, Fin. Times (July 15, 2020), available at https://www.ft.com/content/1e689137-2d1f-4393-a18f-fe0da02141cc.)

[40] See, e.g., Limiting the Extraterritorial Impact of Title VII of the Dodd-Frank Act: Before the House Financial Services Committee, 112th Cong. (2012) (Written Testimony of Chris Brummer, Professor of Law, Georgetown University Law Center), https://financialservices.house.gov/uploadedfiles/hhrg-112-ba-wstate-cbrummer-20120208.pdf.

[41] Nominations of Christopher James Brummer and Brian D. Quintenz to be Commissioners of the Commodity Futures Trading Commission: Hearing before the Committee on Agriculture, Nutrition, and Forestry, 114th Cong. (2016) (testimony by Christopher James Brummer, Nominee), https://www.congress.gov/114/chrg/shrg23593/CHRG-114shrg23593.htm.

[42] CFTC, Press Release, CFTC Charges BitMEX Owners with Illegally Operating a Cryptocurrency Derivatives Trading Platform and Anti-Money Laundering Violations (Oct. 1, 2020), https://www.cftc.gov/PressRoom/PressReleases/8270-20.

[43] Gibson Dunn, What the CFTC’s Settlement with Vitol Inc. Portends about Enforcement Trends (Jan. 20, 2021) https://www.gibsondunn.com/what-the-cftcs-settlement-with-vitol-inc-portends-about-enforcement-trends/; see also CFTC, Press Release, CFTC Orders Vitol Inc. to Pay $95.7 Million for Corruption-Based Fraud and Attempted Manipulation (Dec. 3, 2020), https://www.cftc.gov/PressRoom/PressReleases/8326-20.

[44] Letter from Rep. Maxine Waters, Chairwoman, U.S. House of Representatives Committee on Financial Services, to President-elect Joseph Biden (Dec. 4, 2020), available at https://financialservices.house.gov/uploadedfiles/120420_cmw_ltr_to_biden.pdf.

[45] U.S. House Comm. On Fin. Servs., Press Releases, Waters Announces February Hearing Schedule (Feb. 1, 2021), https://financialservices.house.gov/news/documentsingle.aspx?DocumentID=407103.

[46] See, e.g., Zachary Warmbrodt, Wall Street scourge Sherrod Brown to get ‘gigantic megaphone’ as Senate Banking chair, Politico (Jan. 11, 2021), https://www.politico.com/news/2021/01/11/sherrod-brown-senate-banking-chair-457692.

[47] Sylvan Lane, Brown puts housing, eviction protections at top of Banking panel agenda, The Hill (Jan. 12, 2021), https://thehill.com/policy/finance/533911-brown-puts-housing-eviction-protections-at-top-of-banking-panel-agenda.

[48] Emily Flitter, Next Senate Banking Chairman Sets Lowe-Income and Climate Priorities, N.Y. Times (Jan. 12, 2021), https://www.nytimes.com/2021/01/12/business/banking-environment-housing-democrats-sherrod-brown.html.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Financial Institutions or Derivatives practice groups, or the following authors:

Michael D. Bopp – Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)
Arthur S. Long – New York (+1 212-351-2426, along@gibsondunn.com)
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, jsteiner@gibsondunn.com)
Roscoe Jones, Jr. – Washington, D.C. (+1 202-887-3530, rjones@gibsondunn.com)
Rachel N. Jackson – New York (+1 212-351-6260, rjackson@gibsondunn.com)
Amalia Reiss – Washington, D.C. (+1 202-955-8281, areiss@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

The New York State Department of Financial Services (“DFS”) is the state’s primary regulator of financial institutions and activity, with jurisdiction over approximately 1,500 financial institutions and 1,800 insurance companies. Heading into 2021, DFS stands ready to expand its regulatory footprint, with increased efforts in new areas following the 2020 Presidential Election and a consistent focus on regulating emerging issues of significance such as financial technology and data privacy.

This year was of course marked by the sweeping COVID-19 pandemic, which affected financial institutions, insurers, and consumers around the world. That was nowhere more true than in New York, which sat at an epicenter of the crisis. As expected, DFS was active throughout the year, taking a preeminent role in mitigating the effects of the disaster by imposing new measures in a dizzying array of areas ranging from health and travel insurance to mortgages and student loans. Unfortunately, the crisis is unlikely to abate in the immediate future. Despite the preliminary rollout of a COVID-19 vaccine, the agency’s efforts are likely to continue into 2021. Just this month, Governor Andrew Cuomo proposed “comprehensive reforms to permanently adopt COVID-19-era innovations that expanded access to physical health, mental health and substance use disorder services,” including requiring commercial health insurers to offer a telehealth program, ensuring that telehealth is reimbursed at rates that incentivize use when appropriate, and mandating that insurers offer e-triage platforms, all of which could fall within the regulatory ambit of DFS.

More broadly, the agency has continued its focus on areas that it previously expressed were principal concerns. This Spring, for example, DFS will host a “Techsprint” in order to promote digital reporting for virtual currency companies. The agency also will continue expanding consumer protection through increased focus on prescription drug prices and has continued to increase pressure on companies regarding data protection. Looking forward this year, DFS has been signaling that it expects a change in tone and agenda on environmental matters from the new federal administration, and that it will stay the course on increasing efforts to mitigate the effects of climate change. Indeed, DFS has indicated that it is “developing a strategy for integrating climate-related risks into its supervisory mandate” and that it intends to publish detailed guidance and best practices with input from industry in the future.

This DFS Round-Up summarizes recent key developments regarding the agency. Those developments are organized by subject.

To view the Round-Up, click here.

The following Gibson Dunn lawyers assisted in preparing this client update: Mylan Denerstein, Akiva Shapiro, Seth Rokosky, Bina Nayee and Lavi Ben Dor.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Public Policy practice group, or the following in New York:

Mylan L. Denerstein – Co-Chair, Public Policy Practice (+1 212-351-3850, mdenerstein@gibsondunn.com)
Akiva Shapiro (+1 212-351-3830, ashapiro@gibsondunn.com)
Seth M. Rokosky (+1 212-351-6389, srokosky@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

In honor of Data Privacy Day—a worldwide effort to raise awareness and promote best practices in privacy and data protection—we offer this ninth edition of Gibson Dunn’s United States Cybersecurity and Data Privacy Outlook and Review.

2020 was a year of tremendous upheaval and disruption; the privacy and cybersecurity space was no exception. The COVID-19 pandemic, which continues to devastate communities worldwide, raised new and challenging questions about the balance between data protection and public health. Unprecedented cyberattacks by, among others, foreign state actors, highlighted vulnerabilities in both the private and public sectors. Sweeping new privacy laws were enacted, and came into effect. The full ramifications of these changes and challenges are extraordinary, and stand to impact almost every person and company in the country.

This Review places these and other 2020 developments in broader context, addressing: (1) the regulation of privacy and data security, including key updates related to the COVID-19 pandemic, other legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy in areas including privacy class actions, digital communications, and biometric information privacy laws; and (3) the collection of electronically stored information by government actors, including the extraterritoriality of subpoenas and warrants and the collection of data from electronic devices. While we do not attempt to address every development that occurred in 2020, this Review examines a number of the most significant developments affecting companies as they navigate the evolving cybersecurity and privacy landscape.

This Review focuses on cybersecurity and privacy developments within the United States. For information on developments outside the United States, please see Gibson Dunn’s International Cybersecurity and Data Privacy Outlook and Review, which addresses developments in 2020 outside the United States that are of relevance to domestic and international companies alike. We have adopted the practice of referring to companies by generic descriptors in the body of this Review; for further details, please see the endnotes.

________________________

I. REGULATION OF PRIVACY AND DATA SECURITY

A. Biden Administration and Presidential Transition

1. Data Privacy
2. Consumer Protection

B. COVID-19 and Privacy

1. Federal Regulatory Efforts
2. State Regulatory Efforts

C. Legislative Developments

1. State Legislative Developments
2. Federal Legislative Developments

D. Enforcement and Guidance

1. Federal Trade Commission
2. Department of Health and Human Services and HIPAA
3. Securities and Exchange Commission
4. Other Federal Agencies
5. State Attorneys General and Other State Agencies

II. CIVIL LITIGATION

A. Data Breach Litigation

B. Computer Fraud and Abuse Act (CFAA) Litigation

C. Telephone Consumer Protection Act (TCPA) Litigation

D. California Consumer Privacy Act (CCPA) Litigation

E. Illinois Biometric Information Privacy Act (BIPA) Litigation

F. Other Notable Cases

III. GOVERNMENT DATA COLLECTION

A. Collection of Cell Phone Data

B. Extraterritorial Warrants and Data Transfers

C. Other Notable Developments

IV. CONCLUSION

________________________

I. REGULATION OF PRIVACY AND DATA SECURITY

A. Biden Administration and Presidential Transition

The year 2021 brings with it a new administration under President Biden and a potential shift from the deregulatory priorities often pursued under President Trump. With a closely divided Congress, defined by extremely narrow Democratic majorities in the House and Senate, much of the movement on the legislative and regulatory front may depend on the new administration’s ability to find common ground for bipartisan efforts; however, we do anticipate ramped-up legislation, regulation, and enforcement efforts in the data privacy and consumer protection space under the Biden administration.

1. Data Privacy

Republican and Democratic policymakers alike have recognized the need for federal privacy legislation, but persistent differences in approach have foiled efforts to enact a comprehensive legislative scheme so far. Key points of contention around potential federal legislation have included whether and to what extent that legislation should preempt more stringent state laws and whether the legislation should include a private right of action. But as momentum builds among states to enact increasingly stringent data privacy and breach notification laws, so too does the pressure on policymakers seeking to enact meaningful privacy legislation at the federal level. For example, and as we detail further at Section I.C.1., California voters passed an initiative last November to strengthen existing legislation through the California Privacy Rights and Enforcement Act of 2020, and several other states have similar bills in committee at their state legislatures.[1] And, as state privacy laws become more rigorous, it may be more difficult for federal legislation to preempt those state laws entirely because the federal framework would need to be that much more stringent.

That said, the Democratic Party Platform on which President Biden ran provides some additional insight into potential legislative initiatives of the new administration. For example, the platform indicates that President Biden intends to renew the Consumer Privacy Bill of Rights, originally proposed by President Obama, which would seek to add strong national standards protecting consumers’ privacy rights.[2] The Platform also indicates that President Biden intends to prioritize updating the Electronic Communications Privacy Act (ECPA) to afford protections for digital content equaling those for physical content.[3]

Policymakers on both sides of the aisle also have expressed concern about Section 230 of the Communications Decency Act and, in particular, the scope of immunity that courts have accorded to social media companies under the statute. The Department of Justice (DOJ) has proposed revisions to the law, including significant limitations on immunity.[4] It is unclear, however, whether legislators will be able to agree on the scope of changes to that immunity, with Republicans voicing concerns about perceived anti-conservative bias in the ways that social media companies self-regulate speech and Democrats raising concerns about the spread of misinformation and hate speech.

Outside of ongoing legislative efforts, the Biden administration’s short-term focus likely will center on administrative action, including promoting federal investigations and enforcement, issuing informal guidance, and initiating formal rulemaking relating to privacy. Such activity would be consistent with Vice President Harris’s background as former Attorney General of California and her previous privacy enforcement efforts, including the creation of California’s Privacy Enforcement and Protection Unit.[5]

With respect to such federal regulatory enforcement action, it is worth noting that the Federal Trade Commission (FTC) had, at the end of the Trump administration, a Republican Chairman and a 3-2 Republican majority. Yet after President Biden took office, FTC Chairman Joseph Simons announced he would resign effective January 29, 2021, clearing the way for President Biden to appoint a Democratic commissioner and designate a new chair.[6] Further, insofar as FTC Commissioner Rohit Chopra has been nominated as permanent Director of the Consumer Financial Protection Bureau (CFPB), a further FTC vacancy may soon need to be filled.[7]

In the health care arena, we have seen a recent focus on patient privacy rights under HIPAA. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced more than a dozen settlements related to “right of access” provisions under HIPAA during the past year, which we discuss further herein at Section I.D.2. The Biden administration has indicated a desire to continue to promote patient control and use of data, and likely will continue to focus on “right of access” enforcement actions.

Beyond the federal level, states remained active in bringing enforcement actions regarding data security and data breach response throughout the Trump administration’s term. Given the strong ties that President Biden and Vice President Harris each have to state Attorneys General,[8] cooperation between federal and state enforcement authorities is likely to increase even further under the Biden administration.

2. Consumer Protection

The Consumer Financial Protection Bureau (CFPB), an agency formed during the Obama administration in 2010 following the financial crisis, saw decreased enforcement activity under the Trump administration, in part because President Trump replaced the Bureau’s original director in 2017. Since President Biden took office, however, former CFPB director Kathy Kraninger stepped down at the President’s request, and Dave Uejio, who previously served as CFPB’s strategy program manager, took over as the CFPB’s acting director. President Biden has also nominated current FTC Commissioner Rohit Chopra to serve as the permanent CFPB director, a nomination the Senate is expected to consider soon.[9]

On another note, in early 2020 Congress passed, and President Trump signed into law, the Coronavirus Aid, Relief and Economic Security Act (CARES Act), which, among other things, provided forgivable loans to small businesses and placed payment forbearance obligations on financial institutions for mortgage and student loan borrowers and other prohibitions on negative credit reporting due to the COVID-19 pandemic.[10] The CARES Act small business loans were extended by Congress in December. The Biden administration could seek to enact into law additional COVID-19 stimulus legislation to supplement already-existing laws; indeed, President Biden has already called for a $1.9 trillion stimulus package.[11] In the short term, and particularly as the COVID-19 pandemic continues to have devastating economic impacts on millions of Americans, CFPB enforcement will likely entail closer monitoring of banks and financial institutions for compliance with the CARES Act, especially related to ensuring compliance with the small business loan provisions.

In addition, the Biden administration likely will bring several Obama-era priorities back into focus, including regulation of payday lenders, student loan servicers, affordable credit, credit reporting, and discriminatory lending practices against minority borrowers.[12] Federal-state cooperation is likely here as well, and such cooperation already has begun. In September 2020, for example, the FTC partnered with three other federal agencies and 16 states to conduct “Operation Corrupt Collector” in an effort to challenge debt-collection practices.[13] We anticipate these kinds of enforcement partnerships to continue under the Biden administration.

B. COVID-19 and Privacy

1. Federal Regulatory Efforts

i. Two COVID-19 Privacy Bills Introduced in Congress

In May of 2020, during the last Congress, federal lawmakers introduced two competing privacy bills aimed at protecting privacy interests related to data collection in connection with the COVID-19 response.

The COVID-19 Consumer Data Protection Act (CCDPA), introduced by Senator Jerry Moran (R-KS), requires companies under the jurisdiction of the FTC to obtain affirmative consent for data collection processes related to tracking the spread of COVID-19.[14] The bill would have covered geolocation data, proximity data, and personal health information related to tracking COVID-19 spread; applications measuring compliance with social distancing guidelines; and contact tracing efforts. Additionally, the bill outlined definitions for data deidentification standards and would have established security requirements for companies collecting covered data.

The bill would only have applied for the duration of the COVID-19 health emergency, as declared by the Secretary of Health and Human Services,[15] and it would have established an exclusion for employee health data collected for COVID-19 workplace safety. Importantly, the CCDPA would have expressly preempted existing state laws with respect to COVID-19 data. Proponents of the bill suggested that this would have allowed companies to strike the right balance between individual privacy and innovation, but others argued it would have resulted in less protection for people in states, such as California or Illinois, where current state laws may already provide broader privacy protections.[16] The CCDPA also lacked a private right of action; only the FTC and state Attorneys General would have had enforcement power.

Alternatively, Senator Richard Blumenthal (D-CT) introduced the Public Health Emergency Privacy Act (PHEPA) in an effort to regulate entities that use contact tracing and digital monitoring tools to stop the spread of COVID-19.[17] Like Senator Moran’s bill, PHEPA called for requiring user consent and reasonable data security practices. Unlike the CCDPA, however, Senator Blumenthal’s proposal would not have preempted existing state privacy laws, would have created a private right of action, and would have applied to government entities in addition to private businesses.[18] Additionally, the bill would have required federal agencies to report on the potential impact of data collection on civil rights, and would have expressly barred using the data to restrict any individual’s right to vote.

Ultimately, neither bill moved forward in the last Congress, and so to the extent such proposals remain salient in 2021 (the 117th Congress), they would need to be reintroduced.

ii. HIPAA Guidance and Enforcement Discretion in Response to COVID-19

In response to the challenges presented by the pandemic, the Federal Government, through the Department of Health and Human Services Office for Civil Rights (OCR), has relaxed HIPAA enforcement and issued new guidance to reassure companies assisting in the fight against COVID-19.

In March 2020, OCR announced it would exercise its enforcement discretion and not impose penalties for noncompliance against health care providers “in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”[19] OCR subsequently extended that discretion to violations associated with good faith disclosures to public health authorities and participation in COVID-19 testing sites.[20]

That same month, OCR also issued new guidance to ensure HIPAA compliance in the wake of COVID-19. This guidance addressed how covered entities may disclose protected health information to law enforcement, paramedics, and other first responders so as to comply with HIPAA and still facilitate the sharing of real-time information to keep themselves and the public safe.[21] Additional guidance addressing how health care providers may identify and contact recovered COVID-19 patients about blood and plasma donation without violating HIPAA followed in June.[22]

The Centers for Disease Control (CDC) Vaccination Program Interim Playbook includes a data sharing plan that asks states to provide personal information from residents as part of the CDC’s vaccine distribution program.[23] Personal information requirements include recipient name, address, date of birth, and other datapoints, which has raised concerns around the security of the CDC’s data systems and use of the information for non-vaccination purposes (although most states have signed onto the data sharing agreement).[24]

2. State Regulatory Efforts

As states look to technological solutions to mitigate the spread of COVID-19, protecting consumer data is at the forefront of many legislators’ minds. In 2020 many states considered laws that would have limited how contact tracing apps and individual contact tracers could use, store, and share location data. To date, though, very few states have passed such measures. New York also has introduced a broader privacy bill that covers the security obligations of many different classes of entities that are responding to the COVID-19 pandemic.[25] In addition, as discussed below, state Attorneys General have been reaching out to corporations to address privacy concerns the pandemic may have exacerbated. We detail recent state legislative initiatives below.

i. Enacted State Laws

California. California enacted AB 713 in September 2020. Although not a direct response to COVID-19, the bill’s exemption of certain forms of deidentified health data from the California Consumer Privacy Act (CCPA) may aid in COVID-19 research.[26] AB 713 exempts certain information from the CCPA, provided it is: (1) deidentified under HIPAA; (2) derived from medical information; and (3) not subsequently reidentified. It also “except[s] information that is collected for, used in, or disclosed in research” from the CCPA,[27] which could lower the cost of compliance for health care researchers already complying with HIPPA and increase access to data for further COVID‑19 research.

AB 713 also allows for the reidentification of deidentified data for a “HIPAA covered entity’s treatment, payment, or health care operation”; public health purposes; and research.[28] It also permits reidentification of data to test or validate a data deidentification technique, but only if the contract for that work bans any other uses or disclosures of the information and requires the return or destruction of the information when the contract ends.[29]

In addition, the bill requires that any business that sells or discloses deidentified patient information disclose in its privacy policy that it does so and that it identify which deidentification method it uses.[30] It also requires that contracts for the sale or license of deidentified information include a requirement that the purchaser or licensee may not further disclose the information to any third party not contractually bound by the same or stricter standards, as well as contractual terms prohibiting reidentification.[31]

Kansas. Kansas is one of the few states to have passed a COVID-19 privacy bill, HB 2016. Unlike other contact tracing bills, it specifically rejects the use of cell phone location data for contact tracing. HB 2016 specifies that contact data, or “information collected through contact tracing,” including “medical, epidemiological, individual movement or mobility, names, or other data,” shall only be used “for the purpose of contact tracing and not for any other purpose,” and may not be disclosed for any reason besides contact tracing.[32] The bill further states that the data should be destroyed when no longer needed for tracing efforts, and that participation in contact tracing is voluntary. It also requires that contact tracers not obtain contact tracing information from a third party, unless the affected party consents or the information was obtained pursuant to a valid warrant. HB 2016 is slated to expire May 1, 2021.

New York. New York recently passed S8450C / A10500C, which limits law and immigration officials from accessing contact tracing information, acting as contact tracers, or receiving information from contact tracers. That law also requires individuals to give “written, informed and voluntary” consent to waive confidentiality and limits the disclosure to the purposes listed in the waiver.[33]

ii. State Laws under Consideration

Alabama. Alabama legislators prefiled a COVID-19 privacy bill, SB1, for their 2021 legislative session. SB1 would prohibit the use of contact tracing data for any other purpose. The bill authorizes the Alabama State Health Officer to adopt rules to implement the act, including defining the types of data that may be collected. With respect to retention, the data must be destroyed “when no longer necessary for contact tracing,” but the act does not set out a specific schedule for deletion.[34] SB1 provides a private right to enjoin violations of the statute, and knowing violations of the act would constitute a class C misdemeanor.[35] In its current form, SB1 has a repeal date of May 1, 2022.

New Jersey. New Jersey’s COVID-19 bill, A4170, covers contact tracing efforts using both verbal interviews and Bluetooth or GPS services and provides a framework for how contact tracing information may be used, who may have access to it, how it may be stored, and for how long. It also outlines penalties for violations of the bill’s usage and deletion guidelines.[36] Information gained from contact tracing efforts may only be used for that purpose and must be deleted from both the public health entity’s records and the records of any third party with whom the information is shared within 30 days of its collection.[37] The public health entity also would be required to list the third parties with whom it shares information on the public health entity’s website.

Third parties who use the contact tracing information for purposes other than contact tracing, or who fail to delete information in the time specified, are subject to a civil penalty of up to $10,000.[38] The Commissioner of Health would be required to publish proposed guidance on how data collected from contact tracing may be used by public health officials and third parties and how those entities will be required to ensure the security and confidentiality of the data, including any auditing provisions, within 30 days of the effective date of the act.

New York. In 2020, New York legislators, including State Senator Kevin Thomas (a past sponsor of a comprehensive New York data privacy bill[39] and proposed amendments to New York’s data breach notification law),[40] introduced S8448D / A10583C, an act “relat[ing] to requirements for the collection and use of emergency health data and personal information and the use of technology to aid during COVID-19.”[41] This bill would have applied to a wide set of “covered entities,” including “any person, including a government entity[,] that collects, processes, or discloses emergency health data … electronically or through communication by wire or radio,” as well as any entity that “develops or operates a website, web application, mobile application, mobile operating system feature, or smart device application for the purpose of tracking, screening, monitoring, contact tracing, or mitigation, or otherwise responding to the COVID-19 public health emergency.”[42]

S8448D / A10583C would have required all covered entities to obtain informed, opt-in consent before collecting or using any “emergency health information,” defined as “data linked or reasonably linkable to an individual, household, or device … that concerns the public COVID‑19 health emergency.” This category would have included, for example, genetic, geolocation, demographic, contact tracing, or device information. Further, the act would have imposed strict limits on how and for what purpose covered entities could have processed, shared, or retained such emergency health data.

In terms of information security, the act would have required covered entities to implement reasonable security procedures and practices. It also would have required all covered entities to undergo regular data protection audits—conducted by third-parties—to assess if they had lived up to any promises made to consumers in their privacy notices. Such audits also would have been charged with assessing the relative benefits and costs of the technology a covered entity utilized, along with “the risk that the technology may result in or contribute to inaccurate, unfair, biased, or discriminatory decisions.”[43] Finally, the act would have authorized New York’s Attorney General to undertake enforcement actions and impose “civil penalties up to $25,000 per violation or up to four percent of annual revenue.”[44] In the 2020 legislative session, S8448D / A10583C passed a vote in the New York State Senate. At the start of the 2021 session, the New York State Senate and New York State Assembly each reintroduced versions of the bill.[45]

iii. State Laws Not Enacted

California. California considered two 2020 bills, AB 660 and AB 1782, that aimed to preserve the privacy of data gathered through contact tracing, but neither made it out of the California Senate Appropriations Committee.

AB 660 sought to “prohibit data collected, received, or prepared for purposes of contact tracing from being used, maintained, or disclosed for any purpose other than facilitating contact tracing efforts.”[46] It also sought to prohibit any law enforcement official from engaging in contact tracing and required deletion of all information collected through contact tracing within 60 days, except for when in the possession of a health department.[47] The proposed bill also included a private right of action for injunctive relief and attorneys’ fees.

AB 1782, the Technology-Assisted Contact Tracing Public Accountability and Consent Terms (TACT-PACT) Act, was a broader bill aimed at businesses engaging in technology-assisted contact tracing (TACT). Under the bill, such businesses were to “provide a simple mechanism for a user to revoke consent for the collection, use, maintenance, or disclosure of data and permit revocation of consent at any time.”[48] The bill also would have required any businesses not affiliated with a public health entity to disclose that fact conspicuously. The TACT-PACT Act sought to require businesses or public health entities offering TACT to issue public reports at least every 90 days containing certain information, such as the “number of individuals whose personal information was collected, used, or disclosed pursuant to TACT,” and the categories and recipients of the information.[49] The bill also would have imposed encryption requirements for information collected using TACT and provided that the California Attorney General, district attorneys, city attorneys, and members of the public could bring civil actions against businesses for relief from violations of this act’s provisions.[50]

Minnesota. Introduced in June 2020, Minnesota’s HF 164 would have authorized contact tracing using electronic means and would have prohibited mandatory tracking or mandatory disclosure of health status; further, that law would have forbidden mandatory health tracking by employers. HF 164 would have allowed any person “aggrieved by a violation of this section” to bring a civil action where they could have been awarded “up to three times the actual damages suffered due to the violation,” punitive damages, costs and attorney fees, and injunctive or other equitable relief the court deems appropriate.[51] HF 164 did not become law in the 2020 session, and has not been subsequently reintroduced.

Ohio. Ohio bill HB 61 / SB 31 sought to establish guidelines for all future contact tracing efforts but failed to pass that state’s senate. This failed bill specified that contact tracing is voluntary, that information acquired during contact tracing is not a public record, and that consent is requisite to beginning any contact tracing.[52]

iv. State Attorneys General and COVID-19 Privacy

State Attorneys General Joint Letter. In June of 2020, approximately 40 Attorneys General sent a joint letter to two large technology companies regarding the companies’ effort to develop an application programming interface (API) for public health authorities to use in creating contact tracing applications.[53] The Attorneys General raised concerns that entities other than public health authorities might use this new API in ways that could “pose a risk to consumers’ privacy.” The Attorneys General therefore called on the companies to: (1) verify that any contact tracing application using this API was, in fact, affiliated with a public health authority; (2) remove from their mobile-app marketplaces those apps that could not be so verified; and (3) remove all contact tracing applications from their respective mobile-app marketplaces at the end of the COVID-19 national emergency.[54]

New York Consent Agreement with Videoconferencing Business. Despite requests from industry groups to delay enforcement due to COVID-19, New York began enforcement of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in March of 2020. A videoconferencing software made more popular during the pandemic was the first target of a SHIELD-like enforcement action, one that yielded a significant consent decree.[55] Although not technically brought under the SHIELD Act, the consent decree included many provisions aimed at ensuring compliance with the Act’s mandates, including requirements to maintain a comprehensive data security program involving regular security risk assessments, to report those assessments to the office of the New York Attorney General, and to enhance encryption protocols. The videoconferencing business also agreed to stop sharing user data with social media companies and to give videoconference hosts more control over outside access to videoconferences.[56]

C. Legislative Developments

1. State Legislative Developments

i. California

a. California Consumer Privacy Act (CCPA)

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) aims to give California consumers increased visibility into and control over how companies use and share their personal information. The CCPA applies to all entities that conduct business in California and collect California consumers’ personal information if those entities meet certain thresholds relating to their annual revenue or volume of data processing.[57]

Despite initially passing in 2018 and coming into effect early in 2020, the CCPA has continued to evolve throughout 2020, as reported in detail in Gibson Dunn’s prior CCPA updates.[58] On August 14, 2020, California Attorney General Xavier Becerra announced that the state’s Office of Administrative Law approved the final CCPA regulations.[59] The approved regulations—which took effect immediately on August 14, 2020—largely track the final regulations proposed by the Attorney General on June 1, 2020, and include regulations focused on key definitions, notices to consumers, business practices for handling consumer requests, verification of requests, special rules regarding consumers under 16 years of age, and anti-discrimination rules.[60]

On October 12, 2020 and December 10, 2020, Attorney General Becerra submitted additional modifications to the regulations, clarifying the opt-out requirement for the sale of personal information.[61] Specifically, these modifications reintroduce the requirement that businesses that substantially interact with consumers offline must provide an offline notice of a consumer’s ability to opt out of the sale of personal information. In addition, the modifications reintroduce language requiring that the methods used by businesses for submitting requests to opt out “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out.” The modifications also provide a uniform opt-out button companies may choose to use.[62]

b. California Privacy Rights and Enforcement Act (CPRA)

On November 3, 2020, only four months after the CCPA became enforceable by the California Attorney General, Californians voted in favor of California Proposition 24, and with it, the California Privacy Rights and Enforcement Act (CPRA), which further amends but does not replace the CCPA. Of note, the CPRA will become law as written and cannot be readily amended by the state legislature. Instead, any significant changes to the law would require further voter action. Although the CPRA will not go into effect until January 1, 2023, it provides consumers with rights relating to personal information collected during the prior 12 months, thus extending the CPRA’s reach to personal information collected on or after January 1, 2022. The CCPA will remain in full force and effect, as previously drafted, until the effective date of the further amendments under the CPRA.

As reported in Gibson Dunn’s prior CPRA updates,[63] the CPRA expands upon the CCPA in granting the right to limit the use of consumers’ sensitive personal information, the right to correct personal information, the right to data minimization, and a broader right to opt out of the sale of personal information; in imposing requirements and restrictions on businesses, including new storage limitation requirements, restrictions on automated decision-making, and audit requirements; and in expanding breach liability. The CPRA also amends the definition of covered “businesses” by increasing the threshold number of consumers or households (and eliminating the consideration of “devices” from this number)[64] from 50,000 to 100,000 (exempting certain smaller businesses)[65] and broadening the threshold percentage of annual revenue to also include revenue derived from sharing personal information.[66] Further, it expands the definition of “publicly available information” to include information “that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media,” as well as “information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.”[67] The CPRA also expands the definition of “selling” to expressly include sharing and cross-context behavioral advertising.[68]

Additionally, the CPRA establishes an entirely new enforcement agency—the California Privacy Protection Agency (CPPA)—that will have co-extensive enforcement authority with the California Attorney General. The CPPA will have administrative enforcement authority, while the Attorney General will have civil enforcement authority to impose civil penalties of up to $2,500 per violation or $7,500 per intentional violation or violation involving a minor’s protected personal information.

ii. Other States’ Laws

Aside from the CPRA, several other states considered, passed, or began enforcement on their own data privacy and consumer protection laws in 2020, though to date none have been as far‑reaching as those of California.

a. Maine

Maine’s “Act To Protect the Privacy of Online Customer Information” went into effect July 1, 2020.[69] The Act prohibits Internet providers from using, disclosing, selling or permitting access to customer personal information unless the customer consents, and the provider may not refuse to serve a customer or penalize a customer that does not consent.[70] The Act does provide for some exceptions from obtaining customer consent—specifically, for the purpose of providing the service, advertising the Internet provider’s own services, protecting against fraudulent or unlawful use of the services, providing emergency services, and facilitating payment.[71]

b. Nevada

On October 1, 2019 Nevada’s “Act relating to Internet privacy” went into effect, requiring website operators to permit consumers to opt out of the sale of personal information to third parties.[72] However, as of this writing there has not been news of any enforcement under this law.

A second Nevada privacy law came into effect on January 1, 2021, in the form of amendments to NRS 603A.210 that require government agencies maintaining records that contain personal information about Nevada residents to comply with the current version of the Center for Internet Security Controls or corresponding standards adopted by the National Institute of Standards and Technology of the United States Department of Commerce.[73] Furthermore, the amendment requires Nevada’s Office of Information Security of the Division of Enterprise Information Technology Services of the Department of Administration to create and make available a public list of controls with which the state must comply.[74] Additionally, before disposing of electronic waste, Nevada’s courts must first permanently remove any data stored on such objects.[75]

c. New York

As noted previously, New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) went into effect in March of 2020.[76] The SHIELD Act amends the state’s existing data breach notification law to impose an affirmative duty on covered entities to implement reasonable data security to protect the “private information” of New York residents (with a more flexible standard for small businesses).[77] To provide “reasonable data security,” a person or business that collects or maintains the private information of New York residents must implement a data security program with specified administrative, technical, and physical safeguards, including disposal of data after that data is no longer necessary for business purposes and designating an employee to oversee the data security program.[78] The Act, however, specifies that entities that are compliant with certain federal statutes, such as the Gramm‑Leach‑Bliley Act (GLBA) or Health Insurance Portability and Accountability Act (HIPAA) are also deemed compliant with the SHIELD Act.[79] The SHIELD Act grants the Attorney General enforcement authority and the power to bring suit for a failure to provide reasonable data security, but does not allow for private action.[80]

Separately, Governor Cuomo recently proposed a comprehensive New York data privacy bill, titled the “New York Data Accountability and Transparency Act” (NYDAT), as part of his 2021 budget.[81] Similar to the CPRA, NYDAT would grant New York residents the right to request that a business destroy or correct that resident’s personal information, as well as the right to opt out of the sale of personal information. The Act would also carry data minimization requirements, and would allow consumers to enforce this and other requirements through a private right of action. Furthermore, NYDAT would create a new data privacy agency, the Consumer Data Privacy Advisory Board, which would be empowered with rulemaking authority.[82]

In prior legislative sessions, comprehensive data privacy bills with even stronger protections have been proposed, such as the New York Privacy Act.[83] That proposal would have imposed on covered entities a “data fiduciary duty,” and would have granted New York residents a private right of action for any violation of the bill.[84] Given newly-elected Democratic supermajorities in both houses of New York’s state legislature,[85] any final NYDAT bill may well end up including some of these heightened protections or broader enforcement mechanisms.

d. Oregon

Oregon’s “Act Relating to actions with respect to a breach of security that involves personal information” went into effect January 1, 2020.[86] The Act defines a covered entity as a person that owns, licenses, maintains, stores, manages, collects, processes, acquires, or otherwise possesses personal information in the course of the person’s business, vocation, occupation, or volunteer activities.[87] Under the Act, covered entities must notify customers and the Attorney General of any breach of security regarding personal information.[88] The Act amended, broadened, and renamed the Oregon Consumer Identity Theft Protection Act, defined “covered entities,” and specifically required vendors to report security breaches.[89] The Act also added usernames (and other methods of identifying a consumer for the purpose of permitting access to a user’s account) to the definition of “Personal information.”[90] Notably, “Personal information” under the Act includes data from automatic measurements of a consumer’s physical characteristics, such as fingerprint, retina, and iris data.[91]

Similarly, Oregon’s “Act Relating to security measures required for devices that connect to the Internet” went into effect January 1, 2020.[92] The Act requires manufacturers to equip Internet‑connected devices with “reasonable” security, which may consist of external authentication or compliance with federal law for such devices. This is similar to California’s Security of Connected Devices law, which also took effect January 1, 2020.[93]

e. Washington

Washington’s “Act relating to the use of facial recognition services,” which will go into effect July 1, 2021, regulates the use of facial recognition technology by state and local governments.[94] The Act requires government agencies that intend to develop, procure, or use facial recognition services to specify the purpose of the technology, produce an accountability report, and ensure that decisions made by such a service are subject to human review if they have legal effect. Such agencies are further required to test the service’s operational conditions, conduct periodic training of individuals who operate the service or process acquired personal data, and, where information gathered by such services is to be used in prosecutions, disclose use of the service to criminal defendants in a timely manner prior to trial.[95] Furthermore, under the Act, state and local agencies must require their providers of facial recognition services to make available an application programming interface (API) or other technical capability to ensure independent review regarding the accuracy and fairness of performance across subpopulations divided by race and other protected characteristics.[96]

f. Additional State Laws Under Consideration and Local Laws Passed

A number of other states continued to consider passing comprehensive privacy laws, both in 2020 and at the start of 2021. In Washington State, for instance, Senator Reuven Carlyle has released the draft Washington Privacy Act 2021 for review and public comment,[97] which marks the third introduction of the Washington Privacy Act. The draft Act seeks to provide consumers the right to access, correct, and delete personal data, and to opt out of collection and use of personal data for certain purposes.[98] Furthermore, the Act would seek to protect use of personal and public health data during the global pandemic as technological innovations emerge, especially in relation to contact tracing.[99]

Several other states also considered biometric privacy legislation in 2020, including Massachusetts, Hawaii, and Arizona.[100] On this point, a growing number of municipalities passed laws or ordinances in 2020 that banned or limited the use of facial recognition technology, including Boston, Pittsburgh, Oakland, San Francisco, Portland (Maine), and Portland (Oregon).[101] Pittsburgh, for its part, enacted a law that limits police use of facial recognition to instances in which its city council finds that acquisition, retention, and use of such technology does not perpetuate bias or pose risks to the civil rights and liberties of residents.[102] Portland, Oregon’s ban, meanwhile, is the first to limit private businesses’ use of facial recognition technology in public places—that ordinance went into effect January 1, 2021.[103] Diverging privacy protections granted across states (and cities) will continue to pose serious questions for businesses navigating this complex compliance environments.

2. Federal Legislative Developments

i. Comprehensive Privacy Legislation

As the patchwork of federal, state, and local privacy regulations grows more complex, comprehensive federal privacy legislation remains a popular, but elusive goal, often divided along partisan lines.[104] Democratic legislators, in general, favor federal privacy legislation that includes a private right of action, while Republicans tend to favor legislation that explicitly preempts state privacy laws.[105] With a Democratic administration and (narrow) Democratic majorities in Congress, the chances of passing federal privacy legislation may be greater now than in past years. At the same time, because many states and cities have made noteworthy legislative developments in 2020 (as outlined above), Democratic legislators may feel less incentive to compromise on a federal privacy law if it means accepting federal preemption of such state- and city-level efforts.[106]

In any case, with the 2020 election behind us, 2021 may well see a renewed push for a comprehensive federal privacy law. Several bills introduced during 2020, as discussed below, provide insight into the type of legislation we may see in the months and years ahead. But it remains to be seen which, if any, of these approaches will gain traction in 2021, particularly as any such bills from the last Congress would need to be reintroduced in the current one.

a. Republican-Backed Legislation

The Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act),[107] introduced in the last Congress by Senator Roger Wicker (R-MS)—the leading Republican on the Senate Commerce, Science, and Transportation Committee—has been called the “strongest piece of [privacy] legislation put forth by Senate Republicans to date.”[108] Introduced and referred to the Committee on Commerce, Science, and Transportation in September 2020, the SAFE DATA Act was largely an updated version of the U.S. Consumer Data Privacy Act (CDPA), which had been introduced by Republicans towards the end of 2019.[109] The SAFE DATA Act also drew upon two prior bipartisan proposals—the Filter Bubble Transparency Act,[110] and the Deceptive Experiences To Online Users Reduction Act (DETOUR Act).[111] Key features of the SAFE DATA Act included: (1) requiring companies to obtain express consent before processing sensitive data or using personal data for behavioral or psychological studies; (2) providing users with the right to access, correct and delete their data, as well as data portability; (3) requiring companies to notify users if personal data is used with an “opaque” algorithm to select content that the user sees, and to offer users a version of the platform that uses an “input‑transparent” algorithm instead; and (4) creating a victims’ relief fund within the Treasury Department to provide consumers with monetary relief for privacy violations.[112] The bill remained consistent with the two pillars of other Republican-backed efforts by expressly preempting state laws and many federal laws, and by not providing for a private right of action.[113]

Senator Jerry Moran (R-KS) also introduced the Consumer Data Privacy and Security Act of 2020 (CDPSA),[114] which would have provided for the broad preemption of all related state and local laws, and would not have included a private right of action.[115] This bill was referred to the Committee on Commerce, Science, and Transportation in March,[116] but did not become law.

b. Democratic-Backed Legislation

The Data Broker Accountability and Transparency Act of 2020 (DATA Act) was introduced in the House and referred to the House Committee on Energy and Commerce in May,[117] though the last Congress did not enact it as law. This proposal was the House version of a bill introduced in the Senate in September 2019.[118] The DATA Act would have provided individuals with a right to access their data, dispute that data’s accuracy, and opt out of the use of their data for marketing purposes.[119] Additionally, the Act would have required data brokers to inform consumers on how to exercise their rights, and establish procedures to ensure the accuracy of collected personal information.[120] However, it did not include a private right of action—enforcement would have been left to the FTC and to state Attorneys General.[121]

Additionally, Senator Kirsten Gillibrand (D-NY) introduced the Data Protection Act of 2020 to create an independent national Data Protection Agency (DPA) that would have been empowered to promulgate rules and initiate enforcement actions to protect individual privacy—thus taking enforcement out of the FTC’s hands.[122] In particular, the bill’s supporters were concerned that a comprehensive federal privacy law without a private right of action could leave the FTC alone to enforce privacy rights, “which [Democrats] are convinced would lead to weak enforcement.”[123] Senator Gillibrand’s bill would have worked to address this concern by creating a new independent agency tasked with enforcing individual privacy rights instead.[124] The DPA would have had the authority to investigate and issue subpoenas against covered entities on its own initiative, or individual consumers could have themselves brought complaints and requests to the DPA.[125]

Finally, last June Senator Sherrod Brown (D-OH), the top Democrat on the Senate Banking, Housing, and Urban Affairs Committee, released a discussion draft of the Data Accountability and Transparency Act of 2020.[126] Although it was not formally introduced in the last Congress, the Act was noteworthy in that rather than depend on the usual consent-based privacy framework that requires users to agree to privacy policies to use online services, this proposal would have completely banned the collection, use and sharing of personal data in most circumstances.[127] Additionally, it would have outlawed facial recognition technology and would have created a new agency with enforcement authority to protect privacy.[128]

c. Bipartisan-Backed Legislation

The Application Privacy, Protection and Security Act of 2020 (APPS Act)[129] was one of the only bipartisan comprehensive privacy laws proposed in the last Congress. First introduced in 2013, the APPS Act was reintroduced by Representative Hank Johnson (D-GA) and cosponsored by Representative Steve Chabot (R-OH).[130] It was referred to the House Committee on Energy and Commerce in May,[131] though it ultimately failed to become law. The APPS Act would have established new rules governing the collection and use of consumer data by applications on mobile devices.[132] It would have required developers to take “reasonable and appropriate measures” to secure personal data from unauthorized access, although it did not offer standards for what would be considered “reasonable.”[133] The proposal would also have required developers to provide specific information on the types of data that the application collects, the purpose of the collection, and the developer’s data retention policy.[134] Consumers, in turn, would have been given the right to opt out of data collection and delete previously collected data.[135] The APPS Act would only have preempted state laws that directly conflicted with it or provided a lower “level of transparency, user control, or security” than the APPS Act itself.[136] Finally, the proposal would not have provided a private right of action—instead, it would have been enforced by the FTC and by state Attorneys General.[137]

ii. Other Federal Legislation

In addition to the comprehensive privacy proposals considered in 2020, additional federal legislation was proposed, and in some cases enacted, on narrower and more specific topics related to data privacy and cybersecurity. Below are proposals that gained traction in 2020 or that may gain legislative momentum in 2021.

a. Internet of Things Cybersecurity Improvement Act

The Internet of Things Cybersecurity Improvement Act of 2020 (IoT Cybersecurity Improvement Act) was signed into law by President Trump on December 4, 2020.[138] The Act mandates certain security requirements for IoT devices purchased by the federal government.[139] These guidelines will be issued by the Office of Management and Budget, consistent with the National Institute of Standards and Technology’s (NIST) recommendations.[140] NIST will be tasked with working with the Department of Homeland Security to create these guidelines to help ensure that federal government devices and networks are secure from malicious cyberattacks.[141]

b. Biometric and Facial Recognition Legislation

Three federal legislative proposals were introduced in 2020 regarding the use of biometric and facial recognition technology. In part because this technology has been shown to disproportionately misidentify women and people of color,[142] legislators, and particularly Democratic legislators, have prioritized this space in order to better ensure equity and protect individuals’ privacy and safety. While none were enacted in the last Congress, each reflects the increased emphasis placed on this issue:

The Ethical Use of Facial Recognition Act was introduced by Senators Jeff Merkley (D-OR) and Cory Booker (D-NJ), and would have placed a moratorium on the use of facial recognition technology by the federal government until Congress passed legislation regulating its use.[143]
The Facial Recognition and Biometric Technology Moratorium Act of 2020 was a bicameral proposal[144] that would have barred federal government use of biometric technology, a ban which could only be lifted through a subsequent act of Congress.[145] The bill included a prohibition on the use of such data in judicial proceedings and a private right of action for individuals whose data is used in violation of the Act.[146] Senators Bernie Sanders (I-VT) and Elizabeth Warren (D‑MA) co-sponsored the Senate proposal,[147] while the House bill was co‑sponsored by seventeen Democratic House members.[148]
The National Biometric Information Privacy Act of 2020 was introduced in the Senate by Senators Jeff Merkley (D-OR) and Bernie Sanders (I-VT).[149] The bill would have prohibited private companies from collecting biometric data without consumer or employee consent.[150] Additionally, it would have limited the ability to retain, buy, sell and trade biometric information without written consent.[151] The bill would have been enforced by state Attorneys General, as well as by individuals through a private right of action.[152]

c. Lawful Access to Encrypted Data Act

The Lawful Access to Encrypted Data Act was a Republican bicameral proposal that would have required device manufacturers and service providers to assist law enforcement in accessing encrypted data if a proper warrant were obtained, and which would have directed the United States Attorney General to create a prize competition to award participants who create a lawful access solution to an encrypted environment.[153]

d. USA FREEDOM Reauthorization Act of 2020

In March 2020, as discussed in more detail at Section III.B., three Foreign Intelligence Surveillance Act (FISA) authorities lapsed: (1) Section 215 of the USA Patriot Act, also known as the “business records” provision;[154] (2) the “lone wolf” authority;[155] and (3) the “roving wiretap” authority.[156] Initially, this appeared to provide an opportunity for changes to be made to FISA, and the Senate passed several bipartisan FISA amendments aimed at strengthening various privacy protections.[157] However, the House rejected these amendments, and as of this writing, these authorities continue to remain lapsed unless and until the current Congress reauthorizes them.

e. Attempts to Weaken Section 230 of the Communications Decency Act

Under Section 230 of the Communications Decency Act (Section 230)[158] online platforms and technology companies are shielded from liability for content posted by certain third parties.[159] Several legislative proposals in the last Congress directly aimed at curtailing this immunity, and while none became law, similar efforts will almost surely be made in 2021.[160] Key 2020 bills included:

The Limiting Section 230 Immunity to Good Samaritans Act (Good Samaritans Act) was introduced by Senator Josh Hawley (R-MO) in June of 2020.[161] That bill would have required companies that want to receive Section 230 immunity to contractually bind themselves to a duty of good faith when enforcing their terms of service in order to avoid discriminatorily applying such terms, or risk a $5,000 fine per violation.[162] Sponsoring senators stated that the bill’s goal was to decrease technology companies’ ability to silence conservative political speech.[163]
Senate Judiciary Chairman Lindsey Graham (R-SC) and bipartisan co‑sponsors introduced the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020 (EARN IT Act).[164] Upon introduction, the EARN IT Act was referred to the Committee on the Judiciary, where it was unanimously approved.[165] On July 20, the proposal was placed on the Senate Legislative Calendar.[166] As of November, the EARN IT Act had a total of sixteen bipartisan co-sponsors,[167] though ultimately the last Congress did not enact it into law. The proposal would have established a national commission to determine best practices for technology companies to prevent the exploitation of children online. It also would have created an incentive for technology companies to follow those practices by removing Section 230 immunity for child sexual abuse posted on their platforms.[168]
The Behavioral Advertising Decisions Are Downgrading Services Act (BAD ADS Act) was introduced by Senator Josh Hawley (R-MO) and referred to the Committee on Commerce, Science, and Transportation in July.[169] Had it become law, the BAD ADS Act would have required large technology companies to stop personalized behavioral advertising in order to maintain their Section 230 immunity.[170]

f. Amendments to the Children’s Online Privacy Protection Act of 1998

In 2019, the FTC launched a broad review of the Children’s Online Privacy Protection Act of 1998 (COPPA)[171] in an effort to modernize the statute and provide greater protections for children online.[172] Two pieces of legislation were proposed in the House in January 2020 to amend and update COPPA as a result of this initiative, though neither ultimately became law.

First, the bipartisan PROTECT Kids Act would have: (1) raised the minimum age under which parental consent must be obtained before a company can collect personal data from 13 to 16 years old; (2) clarified that COPPA applies to mobile applications; and (3) added geolocation and biometric data as categories of personal data protected under COPPA.[173] Second, the Democratic-supported PRIVACY Act would have modified requirements for commercial entities with respect to information collected from children under 13, and “young consumers” under 18 years old.[174] For example, it would have required: (1) securing such information and periodically testing security measures; (2) obtaining consent to process such information; and (3) providing consumers the right to access and delete it.[175]

D. Enforcement and Guidance

1. Federal Trade Commission

As in past years, in 2020 the Federal Trade Commission (FTC) was one of the federal government’s foremost enforcers in the area of privacy and data security. In this section, we discuss the FTC’s robust enforcement actions during 2020. We also preview an important legal challenge for the FTC at the Supreme Court, where the Court is poised to resolve a split among the Circuit Courts of Appeals regarding the FTC’s authority to seek monetary relief under Section 13 of the FTC Act.[176]

i. Data Security and Privacy Enforcement

The FTC pursued a number of significant enforcement, and related, actions in 2020 relating to data privacy.

Section 6(b) Study Related to Social Media and Video Streaming Companies. In mid‑December, the FTC issued orders to nine major technology companies, requiring them to provide the FTC with information regarding how the companies collect, use, and present personal information; their advertising and user engagement practices; and how their practices affect minors.[177] The FTC issued these orders under Section 6(b) of the FTC Act, which gives the FTC authority to conduct broad studies without first identifying a specific law enforcement purpose. These types of studies typically lead to reports and potentially legislative proposals.

Landmark Settlement. In April, the U.S. District Court for the District of Columbia approved a landmark $5 billion settlement with a major technology company over allegations by the FTC that the company misled users into thinking certain settings would protect their information, including pictures and videos, when instead such information was allegedly shared by the company with advertisers and other third parties.[178] In a statement at the time, FTC Chairman Joe Simons indicated that the settlement was “by far the largest monetary penalty ever obtained by the United States on behalf of the FTC and the second largest in any context.”[179]

Significant Consent Breach Settlement. In August, a major social media platform announced that it expects to pay up to $250 million to resolve charges by the FTC that the company had breached a 2011 consent decree by using data that users provided for security purposes, such as phone numbers and email addresses, to target such users with advertisements.[180] The company initially entered into the 2011 consent decree, which remains in effect until 2031, after hackers were able to gain unauthorized control over users’ accounts on the company’s platform, including access to some users’ private messages.

Cybersecurity Practices Settlement. In November, the FTC announced a major, albeit nonmonetary, settlement with a leading digital communications company over allegations that the company engaged in unfair and deceptive practices by issuing misleading statements regarding the company’s cybersecurity practices.[181] The FTC alleged that the company represented to users that it used end-to-end encryption on all teleconferences, when in fact it only used such encryption when a call was hosted on a customer’s server. The FTC also alleged that the company advertised itself as using 256-bit encryption despite actually using a lower level of encryption; that the company advertised that it immediately encrypted and stored teleconference recordings when in fact such recordings remained unencrypted for 60 days; and that the company circumvented certain browser privacy safeguards and failed to disclose this circumvention.

Children’s Privacy Consent Decree. In July, media reports indicated that the FTC was investigating the developer of a popular social media application for alleged violations of a 2019 consent decree geared toward protecting children’s privacy.[182] The consent decree required the company to delete videos and personal information relating to users under the age of 13. The FTC has not yet commented on the investigation, but two unidentified individuals have reported being interviewed by the FTC in connection with this investigation.

ii. Supreme Court to Rule on FTC’s Monetary Relief Authority

The FTC typically seeks monetary relief in privacy and cybersecurity actions under Section 13(b) of the FTC Act, which states that, “Whenever the Commission has reason to believe … that any person, partnership, or corporation is violating, or is about to violate any provision of law enforced by the Federal Trade Commission[,]” the Commission may seek “a temporary restraining order or a preliminary injunction[.]”[183] As discussed in last year’s Review, despite the lack of any express reference to monetary remedy or relief, the FTC views its authority to recover monetary relief under Section 13(b) as well settled. But in 2019, the Court of Appeals for the Seventh Circuit created a circuit split by holding in FTC v. Credit Bureau Center, LLC[184] that Section 13(b) does not authorize the FTC to seek monetary awards, breaking with eight other circuits and with its own prior precedent. The Seventh Circuit reached this decision by relying on the textualist observation that Section 13(b) “authorizes only restraining orders and injunctions,”[185] and although the court conceded that it had previously “endorsed [the FTC’s] starkly atextual interpretation,” it ultimately determined that “[s]tare decisis cannot justify adherence to [that] approach.”[186]

In July, the U.S. Supreme Court granted certiorari[187] in a related case, AMG Capital Management, LLC v. FTC,[188] to resolve whether Section 13(b) does confer the authority to impose monetary awards.[189] In AMG, the Ninth Circuit affirmed an approximately $1.27 billion equitable monetary award the FTC obtained under Section 13(b) against a payday lender. Although the Ninth Circuit observed that Plaintiff’s argument regarding the FTC’s authority to obtain monetary judgments under Section 13(b) “ha[d] some force,” it concluded such an argument was “foreclosed by our precedent.”[190] Should the Supreme Court ultimately hold that the FTC lacks such authority, the ruling could have seismic implications on how the FTC goes about enforcing federal data privacy and security laws, an outcome that would likely lead to new legislation.

2. Department of Health and Human Services and HIPAA

As discussed above, in 2020 the Department of Health and Human Services (HHS) grappled with unprecedented patient privacy challenges caused by the COVID-19 pandemic. While HHS continued to conduct investigations and issue civil penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA), it also allowed for some leniencies, especially with regard to telehealth regulations. The Office for Civil Rights (OCR) at HHS was particularly active in 2020 through its new HIPAA Right of Access Initiative, which it launched toward the end of 2019. The OCR settled more than a dozen Right of Access Initiative investigations in 2020, with entities ranging from hospital systems to solo practitioners—all in an effort to ensure patients have timely and affordable access to their own medical records.

Also to that end, in December 2020, HHS OCR proposed significant changes to the HIPAA Privacy Rule via a Notice of Proposed Rulemaking (NPRM). These proposed changes seek to increase patients’ access to their electronic health information, advance the state of coordinated health care, and reduce the regulatory burdens on the healthcare industry more broadly. These developments are further addressed below.

i. HHS OCR Enforcement

In 2020, the OCR continued to enforce privacy protections for patients through investigations and settlements, especially as part of its Right of Access Initiative. 2020 also saw the second‑largest settlement in OCR’s history ($6.85 million paid by a large health insurer). However, the numerous smaller-dollar settlements that the OCR reached with a diverse range of health care entities, including solo practitioners and non-profits, tend to reflect HHS’s “high‑volume, low‑penalty focus” as announced in April 2019.[191] The following are notable HIPAA‑related settlements from 2020:

Large Health Insurer Malware Attack. The largest settlement of the year, at $6.85 million, involved a large regional health insurer that was subject to a malware attack that compromised the health data of over 10 million individuals. The attack was perpetrated using a phishing email that gained access to the insurer’s IT system. The OCR investigation found “systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.”[192] The insurer agreed to two years of monitoring, in addition to the monetary penalty.

Low Penalty Settlements. As part of HHS OCR’s recent “high-volume, low-penalty focus,” HHS OCR also reached multiple settlements with individual health care providers and other smaller entities. As one example, a Utah-based solo practitioner settled with the OCR for $100,000 following an investigation that revealed a “failure to implement basic HIPAA requirements.”[193] This case, and other similarly small settlements reached in 2020, demonstrate that HHS is increasingly interested in ensuring HIPAA compliance at all levels of the health care sector.

Right of Access Settlements. HHS also reached a number of settlements under the Right of Access Initiative, which is intended to enforce HIPAA provisions aimed at ensuring patients have access to their own medical records. As just one example, a small psychiatry office in Colorado agreed to pay $10,000 to the OCR in response to a complaint that it had failed to comply with the HIPAA Privacy Rule’s right of access provision. Many of the other Right of Access Initiative settlements in 2020 involved similarly low monetary settlement amounts, with the focus instead being placed on corrective action.[194]

ii. Involvement by State Attorneys General

In recent years, state Attorneys General have been increasingly involved in enforcing HIPAA regulations, a trend which continued in 2020. Most notably, in September, a 43-state coalition of Attorneys General reached a settlement with a major health insurer over the largest health data breach in United States history, which occurred between December 2014 and January 2015. The insurer’s $39.5 million settlement with the Attorneys General followed its record-setting $16 million settlement with the OCR in 2018,[195] and the approval, also in 2018, of a $115 million class action settlement in the Northern District of California.[196] We expect that state Attorneys General will continue taking an active enforcement and investigatory role with respect to health care data privacy protections going forward.

iii. COVID-19 Regulations and Guidance

The pandemic has raised many challenging patient privacy issues, requiring HHS to balance the desire for robust privacy protections with the necessity of timely and widespread access to testing and care. HHS has been active in issuing guidelines in response to the novel issues posed in 2020, as demonstrated by the following:

Patient-Provider Communications. In March 2020, HHS announced it would “exercise its enforcement discretion and … waive potential penalties for HIPAA violations against health care providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency.”[197] This Notification of Enforcement Discretion (NDE) cleared providers for the good faith use of videoconferencing services, such as FaceTime and Skype, when communicating with patients remotely. The NDE currently has no expiration date.[198]
COVID-19 Testing Sites. In April 2020, HHS announced it would not impose penalties “for violations of the HIPAA Rules against covered entities or business associates in connection with the good faith participation in the operation of COVID-19 testing sites during the COVID-19 nationwide public health emergency.”[199] This NDE allowed those companies and agencies equipped to facilitate COVID-19 testing to launch efforts without being stalled by the need to ensure robust HIPAA protections.
Blood and Plasma Donation. In June 2020, HHS issued guidance that “covered health care providers [can] contact their patients who have recovered from COVID‑19 to inform them about how they can donate their blood and plasma containing antibodies to help other patients with COVID-19.”[200] In August 2020, the Trump administration amended this guidance to further provide that hospitals, pharmacies, laboratories, and health plans may also contact recovered patients about blood donation.[201]

iv. Request for Public Comments on HHS’s Notice of Proposed Rulemaking (HIPAA Privacy Rule)

On December 10, 2020, HHS announced an NPRM with respect to HIPAA’s Privacy Rule as part of its Regulatory Sprint to Coordinated Care initiative. The initiative, launched under HHS Secretary Alex Azar, broadly seeks to “promote value-based health care by examining federal regulations that impede efforts among health care providers and health plans to better coordinate care for patients.”[202]

The currently proposed changes to HIPAA, in particular, would facilitate increased patient and caregiver access to medical records, as well as decrease regulatory barriers to information sharing between providers for the purposes of care coordination and case management.[203] The NPRM was published in the Federal Register on January 21, 2021, and stakeholders have until March 22, 2021 to submit comments.[204]

3. Securities and Exchange Commission

The Securities and Exchange Commission (SEC) is increasingly focused on digital practices and risks, as evidenced by its recent guidance on privacy and cybersecurity and its prioritization of information security issues. For example, a review of SEC enforcement actions in 2020 shows that cryptocurrency and initial coin offerings remained a central focus for the Commission. The Commission also filed two enforcement actions related to web-based market manipulation schemes. That said, the SEC announced no new enforcement actions related to account intrusions, hacking, or cybersecurity controls and safeguarding customer information in 2020.

i. Data Privacy Guidance and Examination Priorities

On January 7, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released its 2020 Examination Priorities for registered firms.[205] The Priorities make clear that companies could face regulatory action if they materially understate their digital risks, avoid discussing significant incidents they have already experienced, or publicly overstate their data security or privacy practices. The Priorities emphasize that registrants’ use of non-traditional sources of data from inputs like mobile device geolocations, consumer credit card records, and other Internet-based information, will be a particular focus of examination review.[206] The Priorities also establish that OCIE will prioritize cyber and other information security risks.[207]

On January 27, 2020, OCIE also issued guidance regarding data loss prevention policies, scrutiny of third-party vendors, and the use of detailed and routinely tested incident response plans to prepare for issues in the cybersecurity space.[208] This guidance prominently features data loss prevention policies, and recommends that firms regularly scan for vulnerabilities in their systems, establish patch management programs, and screen for insider threats by monitoring suspicious activity.

Further, on July 28, 2020, the SEC announced the creation of a new specialized unit within OCIE designed to rapidly respond to current market threats and critical matters.[209] In light of the SEC’s increased focus on digital risks, this Event and Emerging Risks Examination Team (EERT) was specifically tasked with addressing cybersecurity incidents (in addition to other significant market events that could have a systemic impact or that place investors assets at risk).

ii. Cryptocurrency

The SEC also focused substantial enforcement resources on combatting unregistered or fraudulent initial coin offerings (ICOs) to the public, filing no fewer than 23 individual enforcement actions related to digital assets or ICOs in the 2020 calendar year.[210] Two cases were particularly significant because the courts affirmed an expansive interpretation of the SEC’s regulatory authority:

On June 26, 2020, the SEC won a cryptocurrency enforcement decision before the U.S. District Court for the Southern District of New York, ultimately resulting in an $18.5 million civil penalty.[211] Addressing the plaintiff’s earlier motion for a preliminary injunction, the court found that the digital assets in question were, in fact, subject to applicable securities laws, and that the SEC had shown a substantial likelihood of success in proving that the defendants had engaged in an unregistered offering of securities in their sale of digital tokens to investors.[212] By focusing on “economic reality” and piercing through contractual representations and warranties to decide whether a token sale should be regulated under the securities laws, the court articulated a broad interpretation of the SEC’s enforcement authority.[213]
Similarly, on September 30, 2020, U.S. District Court for the Southern District of New York gave the SEC another significant victory, this time against a mobile messenger application company, alleging that the company had engaged in an unregistered offer and sale of digital asset securities. The Court again emphasized the “economic realities” of the transactions at issue and found that under the Supreme Court’s test in SEC v. W.J. Howey Co.,[214] the company’s token sales were a single integrated offering and so needed a registration statement.[215]

In addition to obtaining these significant decisions, the Commission filed many other cryptocurrency-related actions over the course of the year, with claims ranging from defrauding investors to engaging in unauthorized sales of securities.[216] This underscores the emphasis the Commission continues to place on enforcement in this area.

iii. Web-Based Market Manipulation

2020 also saw the SEC zero in on web-based market manipulation concerns. For example, towards the beginning of the year, the Commission filed a complaint against a Russian national (and entities he controlled) for allegedly participating in a plot to lure investors into purchasing fictitious certificates of deposit promoted through internet advertising and “spoofed” websites that imitate the actual sites of legitimate financial institutions.[217] On December 23, 2020, the Court entered default judgment for the SEC based on the defendants’ failure to respond.[218] Likewise, later in 2020, the Commission filed charges against a former day trader for his alleged role in a market manipulation scheme in which he and several other individuals fabricated online rumors about publicly traded companies in order to trade around the temporary price increases caused by the dissemination of the false information.[219] Taken together, these developments suggest that web-based manipulation will also be an important area of enforcement (consistent with the Commission’s renewed focus on cybersecurity and data integrity discussed above).

4. Other Federal Agencies

In addition to the FTC, HHS, and SEC, other federal government entities continue to make headlines in the data security, privacy, and consumer protection space. This past year, there were notable developments at the Federal Communications Commission (FCC), the Department of Justice (DOJ), the Department of Defense (DoD), and the Department of Transportation (DOT).

i. Federal Communications Commission

a. Telephone Consumer Protection Act

While COVID-19 has slowed down many federal agencies, the pandemic has not impacted the pace of enforcement related to the Telephone Consumer Protection Act (TCPA). Indeed, new developments continue to arise daily at the time of this writing.

Under the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), passed in December of 2019, the Federal Communications Commission (FCC) was required to clarify exemptions to the TCPA by December 30, 2020.[220] To that end, the FCC has now issued a Notice of Proposed Rulemaking[221] that could bring about substantial changes to TCPA enforcement—including making certain classes of non-commercial calls to residential phone lines, which were previously exempt, actionable under the TCPA.[222]

Additionally, two major cases involving interpretation and enforcement of the TCPA are currently making their way through the federal court system. The U.S. Supreme Court heard oral arguments in Facebook, Inc. v. Duguid on December 8, 2020—a case centered on a dispute over the definition of the term “autodialer” under the TCPA.[223] Additionally, in Carlton & Harris Chiropractic Inc. v. PDR Network, LLC, the Fourth Circuit set up another TCPA issue that may ultimately reach the Supreme Court when it ruled that FCC interpretation of portions of the TCPA is not subject to Chevron deference, as had been widely assumed.[224] District courts have given the FCC strong deference with respect to their interpretations of the TCPA for over a decade;[225] however, the result of PDR Network—if it stands—would allow courts to apply a much more relaxed form of deference, and to more frequently override the FCC’s interpretations of the TCPA.

b. Enforcement against Telecommunications Firms

In addition to its rulemaking function, the FCC has continued to actively enforce privacy and consumer protection laws under its purview. In late February 2020, for example, the FCC handed down over $200 million in fines against several of the nation’s major mobile carriers.[226] The fines resulted from a 2017 investigation into Securus, a prison phone company, which revealed that company’s plans to share users’ real-time location tracking information—obtained from the major mobile carriers—with law enforcement.[227] Press reports later confirmed that customer information from mobile carriers ended up in the hands of law enforcement officers without a warrant or any other valid legal orders.[228]

ii. Department of Justice

Although the DOJ has not traditionally played a leading role in enforcing privacy, cybersecurity, or consumer protection laws, in 2020 the DOJ took action significantly implicating all three areas.

First, in October 2020, the DOJ announced that it was moving forward with a high-profile antitrust investigations into the country’s largest technology companies. In what will likely become the largest antitrust lawsuit in more than two decades, the DOJ took aim at the tech industry and sued a large search engine platform and technology business.[229] Attorney General William Barr accused the search engine of using “its monopoly power … to lock up key pathways to search on mobile phones, browsers, and next generation devices [such] that no one can feasibly challenge [the search engine’s] dominance.”[230] Just two months later, the DOJ’s suit against the search engine was followed by federal and state antitrust cases against a large social media company, alleging similarly anticompetitive behavior.[231] We will continue to monitor the progress of both lawsuits throughout 2021 and beyond as a new Attorney General inherits these current actions from the previous administration.

Second, also in October, the DOJ made statements on two emerging technologies with privacy implications—encryption and cryptocurrency—sharing concerns about both. Both technologies have become widely used in numerous industries and have afforded users a newfound ability to protect the privacy of their data online.

On October 1, 2020, the DOJ published a comprehensive, 83-page strategy outlining the Department’s attitude towards cryptocurrency—both the underlying blockchain technology itself and the more esoteric markets for trading various forms of cryptocurrency.[232] In the report, the DOJ revealed an intention to litigate perceived abuses in both domestic and international cryptocurrency exchanges.

Later that month, the Attorney General co-signed a statement from the law enforcement branches of seven nations—the United States, the United Kingdom, Australia, New Zealand, Canada, India, and Japan—urging the tech “industry to address [the governments’] serious concerns” about end-to-end encryption.[233] In this statement, the DOJ called on tech companies to “include mechanisms in the design of their encrypted products and services [to allow governments to] gain access to data in a readable and usable format.”[234] While the debate about including a “backdoor” to encrypted devices and data has been raging for over a decade, this joint statement signals increased government pressure on companies to include such an ability, or else to curtail the use of end-to-end encryption in consumer devices entirely.[235]

iii. Department of Defense

On December 1, 2020 the DoD’s Cyber Maturity Model Certification (CMMC) finally came into effect after a rule change was delayed earlier in the year.[236] CMMC now requires that all contractors with the DoD achieve one of five levels of cybersecurity, based on the sensitivity of the contracted-for products and services.[237] Furthermore, CMMC has created a board of certified accreditors who will test all potential DoD contractors to determine their level of cybersecurity.[238] Companies must receive the proper CMMC accreditation before signing future contracts with the DoD. This represents a fundamental shift for the agency, whose cyber policy used to simply require contractors to self-certify compliance with a given standard of security.[239]

iv. Department of Transportation & National Institute of Standards and Technology

On January 8, 2020 the DOT published Ensuring American Leadership in Automated Vehicles 4.0 (AV 4.0) which laid out the federal government’s position towards the development and deployment of autonomous vehicles.[240] The report focused on three key areas: (1) the U.S. Government autonomous vehicle (AV) principles; (2) administration efforts supporting AV technology growth and leadership; and (3) U.S. Government activities and opportunities for collaboration.[241] While the report offered many suggestions for safety, security and privacy, AV 4.0 stopped short of issuing any concrete regulations.[242] However, the Department signaled that more concrete regulations may be on the horizon when it issued an Advance Notice of Proposed Rulemaking on November 23, 2020.[243]

The National Institute of Standards and Technology (NIST) also released two concurrent publications in May that provide guidance on cybersecurity precautions that manufacturers should incorporate into all devices with Internet connectivity[244]—part of the IoT Cybersecurity Improvement Act,[245] as referenced above in Section I.C.2. This guidance will encourage companies to implement appropriate security measures by evaluating the device in connection with its user interactions and other systems that the device may interact with.

5. State Attorneys General and Other State Agencies

As evident from the above discussions, state Attorneys General continued their work in the data privacy and cybersecurity space throughout 2020, often collaborating to bring enforcement actions involving large-scale data breaches, as well as consumer protection actions aimed at regulating the technology industry.

i. State Attorneys General Enforcement Actions

Health Insurance Company. As noted above, in September 2020, a health insurance company agreed to pay $39.5 million to resolve claims brought by the Attorneys General of 42 states and the District of Columbia after a 2015 data breach exposed personal information of nearly 80 million consumers.[246] The Attorneys General alleged the insurance company violated state laws and HIPAA by not encrypting consumers’ personal information.[247] As part of the settlement, the company also agreed to implement a comprehensive security program.[248]

Home Improvement Retailer. A coalition of the Attorneys General of 46 states and the District of Columbia entered into a settlement with a home improvement company in November 2020 over allegations regarding a data breach that compromised the financial information of over 40 million consumers.[249] The Attorneys General claimed that a 2014 data breach allowed hackers to access the payment information of consumers who used the company’s self-checkout lanes throughout the United States.[250] Under the settlement, the company agreed to pay $17.5 million and to implement a comprehensive information security program designed to protect and secure the confidentiality of consumers’ personal information.[251]

Videoconferencing Platform. As discussed in Section I.B.2, in May 2020, the New York Attorney General’s Office entered into a letter agreement with a videoconferencing business that became more popular during the pandemic, settling an investigation into the company’s privacy and data security practices.[252] In March, the New York Attorney General’s Office began investigating the company’s cybersecurity, citing specifically to vulnerabilities that could enable uninvited third parties to interrupt conferences and access consumer webcams.[253] Recognizing the cooperation of the videoconferencing platform in the investigation, the agreement was focused mainly on forward-looking, rather than punitive, remedies, such as requiring the company to implement new security and privacy measures, to establish a comprehensive data security program, and to better encrypt users’ information.[254]

Search Engine Platform and Technology Company. The Arizona Attorney General filed a complaint against a search engine platform and technology company in May 2020, alleging the company’s collection of location data violated the Arizona Consumer Fraud Act.[255] The complaint, filed in Maricopa County Superior Court, specifically alleges that the company continues to collect information regarding users’ location even if users turn off the smartphone operating system’s digital tracking features.[256] Arizona’s Attorney General further alleges that the company misled consumers to believe location tracking was controlled by a single setting, while making other location‑tracking settings difficult for users to locate.[257] The court denied a motion to dismiss the complaint in September 2020.[258]

California Attorney General CCPA Enforcement Letters. Despite protests from industry groups seeking additional time for compliance in light of COVID-19, the office of the California Attorney General, as scheduled, began enforcing the California Consumer Privacy Act (CCPA) starting July 1, 2020. This enforcement has thus far consisted of sending out enforcement letters informing businesses of their current non-compliance with the CCPA. Businesses have 30 days from the receipt of such letters to remedy any alleged violations—and failure to do so can lead to a civil action brought by the Attorney General. To date, these letters do not appear to have targeted a particular industry or sector, though this may change during 2021.

New Massachusetts Data Privacy and Security Division. On August 13, 2020, the Massachusetts Attorney General announced the creation of the Data Privacy and Security Division (DPSD) within the Massachusetts Attorney General’s office. The Division will focus on investigating and enforcing potential violations of the state’s consumer protection and data breach laws.[259]

ii. New York Department of Financial Services

As noted in our 2019 Review, in May 2019, New York’s Department of Financial Services (DFS) announced the creation of a Cybersecurity Division.[260]

On July 21, 2020 the DFS joined the ranks of cybersecurity regulators by announcing charges against an insurer for violations of the DFS’s cybersecurity regulations.[261] According to the DFS’s Statement of Charges and Notice of Hearing, the insurer had an alleged vulnerability in its information system, resulting in the potential exposure of millions of documents containing sensitive personal information.[262] The DFS claims that the insurer knew about the vulnerability but underestimated the level of risk associated with it.[263] The insurer is strongly contesting the charges, noting that only 32 clients may have had their nonpublic information compromised.[264] In any case, this matter should shine some additional light on the expansiveness of DFS’s cybersecurity policies and the extent of its authority.[265]

In October 2020, DFS also issued a report criticizing a social media company for becoming prey to a “simple” hacking technique earlier that summer.[266] Hackers accessed accounts of high‑profile individuals and companies to send out fraudulent messages, resulting in the unlawful attainment of over $118,000 of Bitcoin.[267] DFS urged lawmakers to establish a regulator to “monitor and supervise” mainstream social media platforms, arguing the hack demonstrated the dangerous ability to “weaponize” such platforms.[268]

Lastly, on October 15, 2020, DFS announced plans for its first ever “tech sprint” to develop a set of common standards and an open source technical framework to be adopted by DFS and other regulatory agencies with the goal of speeding up collection of supervisory data needed to monitor financial firms.[269] The multi-day event, set for early 2021, will host teams of fintech (financial technology) professionals, compliance experts and others to respond to the need for more up-to-date information about the health of banks and other financial institutions.[270] DFS said it selected cryptocurrency companies as the starting point, with future events in the series to potentially focus on other types of nonbank financial firms.[271]

II. CIVIL LITIGATION

A. Data Breach Litigation

After 2019 was declared “the worst year on record” for data breaches,[272] breaches and other security lapses continued to occur at a high rate in the past year. As COVID-19 forced many people to work remotely, a survey conducted by a cybersecurity company found that remote work led to security breaches at up to 20% of companies surveyed in 2020.[273] Indeed, some of the world’s largest businesses experienced data breaches in 2020, including technology giants, hospitality and entertainment chains, and health care companies. Various parts of the United States government also recently were found to have suffered a major, months-long data breach.[274] Unsurprisingly, a number of these breaches have spawned class action or shareholder derivative litigation. The past year also saw several major settlements resolving data breach cases from prior years.

1. Class Action and Shareholder Derivative Litigation

Social Networking Platform. A shareholder derivative lawsuit in the U.S. District Court for the Northern District of California, originating from a March 2018 report that a third party wrongfully obtained information about the users of a large social networking platform, remains ongoing, with an amended complaint filed against the social media company on December 17, 2019.[275] In response to the social media company’s renewed motion to dismiss, plaintiffs have argued that their amended complaint now alleges sufficient demand futility based on new information regarding the founder and CEO’s control over the company’s board. The court has yet to rule on the renewed motion to dismiss.[276]

Online Retailer and Technology Company. In April 2020, the U.S. District Court for the Western District of Washington denied a large retailer and technology company’s motion to compel arbitration in a class action discussed in last year’s Review.[277] In this case, plaintiffs allege that the company used voice-enabled devices to build a “massive database of billions of voice recordings” containing private information of children without the consent of the children or their parents. The company has since appealed the ruling.[278]

Videoconferencing Provider. In April 2020, a major videoconferencing provider was sued in a putative class action in the U.S. District Court for the Northern District of California for allegedly having “inadequate data privacy and security measures” and making false assertions that its videoconference service was end-to-end encrypted.[279] While the lawsuit does not allege that the company actually suffered any data breach, it does allege security vulnerabilities and cites security-related investigations into the company by the New York and Connecticut state Attorneys General.[280] The lawsuit also alleges that the company’s executives impermissibly dumped stock prior to stock price declines caused by disclosures relating to the company’s security vulnerabilities.[281] Similar allegations caused the company to reach a settlement with the FTC in November 2020, as well, as discussed in further detail in Section II.D.1.

Two months later, in June 2020, the company, its CFO, and all but one of its nine board members were sued in U.S. District Court for the District of Delaware in a shareholder derivative action.[282] The derivative suit specifically alleges that a number of defendants, including the company’s CEO, breached their fiduciary duties and profited from “lucrative insider sales” made while in possession of material nonpublic information about the company’s alleged security vulnerabilities.[283]

Clinical Laboratory Company. In April 2020, a company that operates a network of clinical laboratories, along with several of its directors and officers, was sued in the Delaware Court of Chancery in a shareholder derivative action alleging breaches of fiduciary duties relating to two data breaches.[284] The suit alleges that the first data breach resulted in the exposure of credit card information, personally identifiable information, and personal health information, while the second breach resulted in the exposure of further personal health information.[285] The suit also alleges insufficient data security measures and practices and conscious disregard or delay in disclosing the breaches.[286]

Search Engine Platform and Technology Company. On August 7, 2020, a proposed class action lawsuit was filed against a search engine platform and technology company for allegedly recording consumers via the company’s connected, voice-activated home devices.[287] The complaint alleges that the company thereby violated the California Invasion of Privacy Act, the California Consumer Privacy Act, as well as the federal Wiretap Act, by recording consumers using sensitive microphones in the company’s devices without user consent.[288] The company has moved to consolidate this claim with other pending litigation on a similar issue.[289]

Cloud Computing Company. In August 2020, a cloud computing company was sued in a putative class action in the U. S. District Court for the District of South Carolina.[290] The suit alleges that “negligent conduct” on the part of the defendant made the personal information of the defendant’s customers vulnerable to hackers.[291] Specifically, the suit alleges that a three‑month ransomware attack, occurring between February and May 2020, exposed the personal information of “students, patients, donors, and other individual users,” and that the defendant did not notify the persons whose data had been exposed until July or August 2020.[292] Although the defendant has asserted that social security, credit card, and bank account numbers were not exposed by the breach, the suit alleges that that the defendant “cannot be assured” such data was not exposed.[293]

Financial Services Company. In November 2020, a financial services company and several of its officers and directors were sued in the U.S. District Court for the District of Delaware in a shareholder derivative action alleging Securities Act violations and breaches of fiduciary duties relating to an alleged security flaw that persisted for years before being exposed in May 2019.[294] The suit alleges that publicly accessible URLs hosted by the company exposed customers’ sensitive personal information, including names, addresses, birth dates, social security numbers, bank account numbers, and more.[295] The suit alleges that the company failed to remedy this vulnerability even after it was exposed by a penetration test conducted in December 2018.[296] The suit also alleges that the company’s CEO profited by selling stock after the vulnerability was detected but before it was publicly exposed.[297]

2. Key Settlements

Technology Company. The U.S. District Court for the Northern District of California approved a $13 million cy pres settlement of claims against a major search engine platform and technology company that allegedly gathered information from unencrypted Wi-Fi networks using its geo‑mapping car fleet.[298] The settlement, which a class member has appealed to the U.S. Court of Appeals for the Ninth Circuit, includes a $10 million grant to data security charities in lieu of a distribution to class members. Although the district court stated the settlement ultimately benefits class members by protecting their interest in internet security through the work of these charities, the objecting class member is arguing that plaintiffs’ counsel breached their duty to class members by negotiating a deal that would provide monetary disbursements to third parties rather than their clients.[299] The Ninth Circuit has yet to rule on the appeal.[300]

Technology Company. In June 2020, the U.S. District Court for the Northern District of California preliminarily approved a $7.5 million class action settlement for claims filed in 2018 relating to data breaches affecting a since-discontinued social media service.[301] The parties agreed to the terms of the settlement in January 2020.[302]

Web Services Company. In July 2020, the U.S. District Court for the Northern District of California approved a $117.5 million class action settlement for claims stemming from data breaches that affected at least 194 million customers between 2012 and 2016.[303] The order approving the settlement is notable due to the detailed analysis evaluating the reasonableness of the settlement, in which the court compared the settlement to another large data breach settlement approved in 2018.[304] The Court used a number of factors, including the per capita recovery and other remedies under the settlement, the multiplicity of the breaches, the time period over which the breaches occurred, the companies’ denials regarding the breaches, the companies’ promptness in notifying users of the breaches, the sensitivity of the exposed data, and more.[305] These factors may be applied in future data breach cases to determine the reasonableness of settlement terms.

B. Computer Fraud and Abuse Act (CFAA) Litigation

The scope of the Computer Fraud and Abuse Act (CFAA) has divided the federal circuit courts, but some clarity may be on the horizon. The CFAA provides for criminal penalties and private civil remedies against anyone who accesses a computer “without authorization” or who “exceeds” their “authorized access” to such a computer.[306] Circuit courts are divided over whether a person who is authorized to access information on a computer for certain purposes “exceeds authorized access” in violation of the CFAA by accessing the same information, but for other, unauthorized purposes. The First, Fifth, Seventh, and Eleventh Circuits have held that the CFAA imposes liability in such circumstances.[307] By contrast, the Second, Fourth, Sixth, and Ninth Circuits have held that the CFAA does not reach such conduct.[308]

On April 20, 2020, the U.S. Supreme Court agreed to hear Van Buren v. United States, which may resolve this circuit split.[309] In Van Buren, the Eleventh Circuit upheld the CFAA conviction of a Georgia police officer who was paid by an informant to look up license-plate information in a database that could only be used for law-enforcement purposes.[310] The Court agreed to consider whether the officer violated the CFAA when he used that database for an unauthorized purpose.[311] At oral argument in November, the officer’s attorney and the government sparred over whether upholding the conviction would create an interpretation of the CFAA that would criminalize common activities, such as employees accessing social media websites while at work. Indeed, Justice Gorsuch warned that a broad interpretation of the CFAA could end up “making a federal criminal of us all” and Justice Sotomayor worried that the CFAA is “dangerously vague.”[312] A decision is expected later in 2021.

Although Van Buren is a criminal case, its outcome will have implications for civil CFAA cases as well, particularly those involving the collection of information from publicly available websites. In fact, the petitioner in LinkedIn v. hiQ Labs, Inc. has urged the Supreme Court to grant its petition for certiorari to address whether other companies may use automated software to “scrape” or harvest large amounts of data from public websites such as the appellant’s professional social networking website.[313] The Ninth Circuit held that such automated mass data collection is not a CFAA violation where the information can be collected without circumventing a login or other authorization procedure.[314] The appellant, however, argues that this “scraping” is a CFAA violation because the social networking website denied authorization to data harvesters by sending a cease-and-desist letter and by employing technical measures to thwart such scraping.[315] The Court has not yet acted on the petition.

More targeted efforts at collecting data from public-facing websites have also raised CFAA concerns. One such effort is at issue in Sandvig v. Barr.[316] In that case, a group of researchers brought a pre-enforcement challenge in U.S. District Court for the District of Columbia, alleging that the CFAA violated the First Amendment as applied to the researchers’ intended conduct of intentionally violating employment websites’ terms of service in order to research whether such websites engage in race- or gender-based discrimination. The researchers intended to use fake candidate profiles (a terms of service violation) to test various publicly accessible websites for employment discrimination. The researchers alleged that the CFAA would criminalize such conduct, and thereby violate their First Amendment rights. The trial court concluded that the researchers would risk CFAA liability only if they planned to bypass the websites’ authentication mechanisms, such as a requirement to enter a password. Because the planned conduct would not have bypassed such login procedures, the court found the researches would not have violated the CFAA. The court reasoned that “[c]riminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature.”[317] The court concluded that, in light of this holding, the researchers’ First Amendment claims were moot. The researchers have appealed the decision, which is currently pending in the D.C. Circuit.[318]

C. Telephone Consumer Protection Act (TCPA) Litigation

The past year also brought several significant actions and noteworthy developments related to civil litigation under the Telephone Consumer Protection Act (TCPA).

First, at the start of the year, the Eleventh Circuit joined the Third and D.C. Circuits in adopting a narrow reading of what constitutes an automatic telephone dialing system (ATDS) under the TCPA.[319] The court determined that the TCPA’s phrase “using a random or sequential number generator” modifies both the “stor[age]” and “produc[tion]” of numbers.[320] As such, the court found that the TCPA only covers devices that both “store numbers using a random or sequential number generator, or produce such numbers using a random or sequential number generator and dial them.”[321] Shortly thereafter, the Seventh Circuit denied a petition for rehearing in a case on this issue, joining the Third, D.C., and Eleventh Circuits in adopting a narrow reading of what amounts to an ATDS under the TCPA.[322]

These rulings deepened the circuit split created by the Ninth Circuit’s September 2018 decision in Marks v. Crunch San Diego, LLC, which interpreted the TCPA’s definition of an ATDS broadly to apply to any equipment with the capacity to store and automatically dial numbers, even if the device cannot itself store or produce the numbers using a random or sequential number generator.[323] In April, the Second Circuit became the first federal appellate court to join the Ninth Circuit in adopting this broad interpretation of autodialers under the TCPA.[324] The Sixth Circuit followed suit a few months later, applying a broad interpretation of ATDS in its decision in Allan v. Pennsylvania Higher Education Assistance Agency.[325]

With the scope of the TCPA’s definition of ATDS continuing to divide the circuit Courts of Appeal, on July 9, 2020, the Supreme Court granted certiorari in Facebook v. Duguid, responding to the social media company’s petition filed in late 2019.[326] The case is expected to provide some much-needed clarity as to what constitutes an ATDS under the TCPA. In September, the federal government filed an amicus brief in support of the social media company and joined the company in urging the Supreme Court to reject the Ninth Circuit’s broad view of devices subject to the TCPA’s autodialer restrictions.[327] The Court heard arguments in early December and is expected to reach a decision by the spring of 2021.[328] Whichever side the Court comes out on, the decision will have drastic implications for TCPA liability. But in any case, the decision is likely to provide businesses currently subject to divergent TCPA standards throughout the country with more concrete direction.

In addition to agreeing to hear Facebook v. Duguid, the Supreme Court addressed another aspect of the TCPA in Barr v. American Association of Political Consultants, Inc.[329] The Court there upheld the TCPA’s sweeping ban on autodialed calls to cell phones, but struck down an exception for calls made to collect federally backed debts, reaching this result on First Amendment grounds.[330] Between a plurality opinion and various concurrences, six justices found that the TCPA’s robocall restrictions and the government-debt exception amounted to content-based speech restrictions that were impermissible under the First Amendment.[331] In this view, the TCPA’s robocall restriction was content-based because it favored speech made for purposes of collecting government debt over speech made for political or other important purposes.[332] Justice Sotomayor, acting as the sixth vote to strike down the government exception, agreed that the exception violated the First Amendment, but found that the appropriate standard was intermediate scrutiny, rather than strict scrutiny.[333] With six justices finding the government-debt exception for robocalls unconstitutional, the Court then considered whether to invalidate the TCPA’s robocall restriction in its entirety, or to instead sever the government-debt exception while upholding the remainder of the restriction. Applying “traditional severability principles,” the Court decided to uphold the TCPA’s sweeping ban on robocalls while invalidating and severing the government-debt exception from the remainder of the statute.[334] Given the varied rationales among the Court’s plurality and concurring opinions, however, the case’s broader First Amendment ramifications remain to be seen.

D. California Consumer Privacy Act (CCPA) Litigation

1. Broadening the Scope of a “Data Breach”

Since the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, various consumers have filed suits seeking relief for CCPA violations. In particular, the CCPA includes a private right of action in the context of a data breach, allowing consumers, both individually and as a class, to initiate a civil suit when their personal information is subject to an “unauthorized access and exfiltration, theft, or disclosure as a result of the business’[s] violation of the duty to implement and maintain reasonable security procedures and practices.”[335] Despite the limited basis for a private right of action under the CCPA, litigants have attempted to enlarge its scope by including CCPA-based claims in such data privacy actions.

Videoconferencing Company. On March 30, 2020, a class action was filed in the federal district court for the Northern District of California against a videoconferencing company.[336] In their original complaint, plaintiffs alleged that the defendant unlawfully shared user data with a social media partner in violation of the CCPA.[337] This case, however, does not allege a conventional data breach claim. Instead, the plaintiffs claimed that the voluntary data sharing arrangement between these companies itself constituted a breach.[338] Interestingly, in a recent filing, the plaintiffs dropped this CCPA claim as a distinct cause of action, instead simply asserting the alleged violation in passing.[339] A motion to dismiss has been filed and is currently pending.[340]

Retailers and Loss Prevention Service Provider. On July 7, 2020, a similar class action was filed in the federal district court for the Central District of California against several retail companies and a loss prevention service provider.[341] The plaintiffs’ allegations are based on the defendants’ voluntary sharing of consumer information with a third-party loss prevention service provider.[342] The plaintiffs alleged that the retailers’ sharing of information in an “unsecured, unrestricted manner” to create consumer reports and to generate a risk score which was shared with other defendants resulted in a widespread and unauthorized dissemination of personal information.[343] According to the amended complaint, the plaintiffs claim that the defendants violated the CCPA by: (1) collecting and using personal information without providing consumers with notice; (2) failing to inform users of personal information collected about them and the third parties with whom that information was shared; and (3) failing to prevent non‑encrypted and non-redacted personal information from unauthorized disclosure as a result of the defendants’ failure to implement and maintain reasonable security procedures and practices.[344] Notably, the first two violations are not subject to the CCPA’s private right of action, which is a trend in CCPA litigation that we cover in further detail below. Many of the retailers have now sought to compel arbitration and dismiss the claims.[345]

2. Expanding the Definition of “Personal Information”

The CCPA establishes a limited private right of action for when a consumer’s “nonencrypted and nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.”[346] However, the CCPA’s definition of “personal information” for this private right of action is narrower than the definition of “personal information” for the rest of the CCPA, including only: (1) Social Security number; (2) driver’s license number or California identification card number; (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (4) medical information; or (5) health insurance information.[347] Recently, consumers have attempted to expand the types of information that would be actionable under the CCPA in the case of a data breach. Below, we highlight a salient example:

Software Company. On July 21, 2020, a class action was filed against a software company in the federal district court for the Central District of California.[348] The plaintiffs claimed that sensitive student information was unlawfully accessed after the defendant failed to maintain appropriate data safeguards in accordance with the CCPA.[349] The defendant filed a motion to dismiss, arguing that the plaintiffs’ allegations rely on a definition of “personal information” that was beyond the scope of the statute.[350] Specifically, the defendant argued that the CCPA does not protect student information like the “parent name, student name, student ID (School), physical resident address, email address, and password hashes” that were accessed in the case.[351] The court has not yet ruled on the motion to dismiss, and proceedings are currently stayed pending settlement discussions.[352]

3. Litigating Notice and Opt-Out Provisions

The CCPA’s larger regulatory scheme notably protects a consumer’s right to be notified about a business’s collection, use, sharing, or sale of their personal information, and to opt out of having such information sold to third parties.[353] While the California Attorney General is presently tasked with enforcing these broader provisions, consumers are limited to bringing actions for data breach-related claims under Section 1798.150.[354] The text of the CCPA explicitly prohibits private suits involving other provisions of the statute.[355] Nevertheless, litigants have still attempted to enforce the statute’s notice and opt-out provisions through private actions.

Videochat Application. On April 17, 2020, a class action was filed in the federal district court for the Southern District of California against the owners of a videochat application.[356] The plaintiffs claimed that the defendants failed to provide adequate notice of the application’s data collection activities and did not give consumers the opportunity to opt out of the sale of their personal information, including opt outs through the required “Do Not Sell My Personal Information” link.[357] The plaintiffs pursued a CCPA violation claim based on the alleged failure to provide notice, even though the CCPA does not provide for a private right of action for these types of claims. On August 4, 2020, the court granted the defendants’ motion to compel arbitration.[358]

Social Networking Platform. On May 20, 2020, a similar class action was filed against a social networking platform in the federal district court for the Central District of California.[359] The plaintiffs alleged that the platform’s facial recognition technology scanned videos, extracted biometric information, and stored data without notifying users.[360] The plaintiffs argued that the platform violated the CCPA by failing to provide notice and the opportunity to opt out of its third-party disclosure, as well as by collecting, retaining, and using customers’ biometric information without notice.[361] The complaint did not address the issue of whether these claims could be litigated in light of the statute’s restrictions on suits by private litigants. The case has since been consolidated and transferred to the federal district court for the Northern District of Illinois.[362]

4. CCPA Violations under the UCL

California’s Unfair Competition Law (UCL) creates a private right of action for consumers to enjoin and seek restitution for a business act or practice that is “unlawful,” “unfair,” or “fraudulent.”[363] Violations of other statutes can serve as a predicate for a UCL claim. However, the text and legislative history of the CCPA establish that consumers are prohibited from using CCPA violations as the basis for a cause of action under a separate statute, which seems to clearly preclude using the CCPA as the basis for liability under the UCL.[364] Nevertheless, consumers are testing the limits of this restriction.

Facial Recognition Technology Company. On February 27, 2020, a class action was filed against a technology company in the federal district court for the Southern District of California. The plaintiffs claimed that the defendant scraped and sold biometric information without adequate notice to consumers.[365] The plaintiffs therefore alleged that the defendant violated the UCL by failing to provide the appropriate notice under the CCPA.[366] On December 15, 2020, the United States Judicial Panel on Multidistrict Litigation consolidated and transferred the case to the federal district court for the Northern District of Illinois.[367]

Online Marketplace. On June 11, 2020, a class action was filed in the federal district court for the Northern District of California against an online marketplace for artists.[368] The plaintiffs alleged that the defendant’s insufficient security procedures breached its duty of care and allowed hackers to access consumer information in violation of the CCPA.[369] The plaintiffs also brought a separate UCL claim predicated on the defendant’s alleged unlawful conduct.[370] The parties are currently in arbitration-related discovery.[371]

E. Illinois Biometric Information Privacy Act (BIPA) Litigation

2020 was yet another active year for litigation under the Illinois Biometric Information Privacy Act (BIPA), which creates a private right of action against entities that fail to comply with the statute’s requirements for collection and storage of biometric data.[372] Courts examined a variety of issues in BIPA cases, including standing and preemption by other state statutes. The COVID-19 pandemic also introduced new types of BIPA litigation associated with health screenings and remote work. Courts have yet to decide on BIPA’s extraterritorial application and statute of limitations, the resolution of which could impact the viability of a number of BIPA cases.

Standing in Federal Court. As set out in last year’s Review, there has been a flood of class actions against large corporations following the Illinois Supreme Court’s decision in Rosenbach v. Six Flags, which conferred standing on plaintiffs who allege BIPA violations even without pleading an actual injury.[373] In 2020, the Seventh Circuit took a similar position in Bryant v. Compass Group USA, Inc., holding that a procedural violation of section 15(b) of BIPA is sufficient to constitute an injury for Article III standing.[374] Subsequently, in Fox v. Dakkota Integrated Systems, the Seventh Circuit held that federal courts can also hear claims under section 15(a) of BIPA when plaintiffs allege a “concrete and particularized harm,” such as an invasion of the privacy interest in biometric data.[375]

BIPA Settlements. The trend of sizeable settlements that we noted in last year’s Review has persisted throughout 2020, including a BIPA class action suit involving a large social media company that settled for $650 million in August 2020.[376] Given the law’s mandatory statutory penalties of $1,000 per negligent violation or $5,000 per intentional or reckless violation, even this settlement may represent only a small percentage of the possible statutory damages.[377] The decisions affirming plaintiffs’ standing to bring BIPA suits in at least some federal courts[378] and the large settlements at issue, indicate we will likely continue to see significant BIPA litigation in 2021.

Compelling Arbitration in Employment-Related BIPA Lawsuits. Lawsuits against employers that collect employees’ biometric data for timekeeping purposes continue to represent a significant portion of BIPA cases in state and federal courts.[379] In last year’s Review, we reported that some plaintiff-employees had successfully used BIPA to avoid being compelled into arbitration.[380] Although some plaintiffs achieved similar results in 2020,[381] other plaintiffs were indeed compelled into arbitration based on the courts’ analysis of the arbitration agreements at issue.[382]

BIPA Preemption by State Laws. Another 2020 development in employee-related BIPA litigation was an Illinois court decision holding that employees may pursue BIPA claims without preemption by the Illinois Workers’ Compensation Act, which is generally read to be an exclusive remedy for workplace injuries.[383] At the same time, however, courts continue to hold that BIPA is preempted by the Labor Management Relations Act[384] and Railway Labor Act.[385]

Extraterritorial Application of BIPA. On this point, in 2020 some employees attempted to bring BIPA claims not only against in-state employers but also against third-party operators of workplace systems that collect biometric data, even if not based in Illinois.[386] These and other suits against out-of-state companies have implicated questions about the extraterritorial scope of BIPA. In a recent case involving an insurer, the Illinois Supreme Court held that a statute can be applied extraterritorially even without “clear intent” in its statutory language if “the circumstances that relate to the disputed transaction occur primarily and substantially in Illinois.”[387] But the extent to which, under this holding, events must take place in Illinois for BIPA to apply to out‑of‑state entities remains an open question.

COVID-19-Related BIPA Litigation. The COVID-19 pandemic has also created additional BIPA litigation. Employees have alleged that certain COVID-19 safety protocols imposed by employers collect biometric information in violation of BIPA.[388] Parents have also brought lawsuits on behalf of their children using educational platforms for remote learning that allegedly collect and store biometric data in violation of BIPA.[389] We anticipate that more COVID‑19‑related BIPA litigation is likely to take place as workplaces and educational institutions impose screening measures on workers and students for identification remotely.

Statute of Limitations. The statute of limitations for BIPA remains unsettled, as the law contains no express provision establishing a statute of limitations. While a few state and federal courts have found that there is a five-year statute of limitations period for BIPA,[390] this question is currently pending in the Illinois First Appellate District in Tims v. Black Horse Carriers, Inc.[391] The Tims decision could have a substantial impact on the viability of future BIPA lawsuits, particularly if the court rules in favor of the defendants and holds that BIPA’s statute of limitations period is only one year.

F. Other Notable Cases

In addition to the cases described above, 2020 has seen important updates on cases previously reported in last year’s Review, as well as new matters concerning children’s privacy and remote learning, connected vehicles and devices, and new legal questions in the fintech space.

Technology Company – Location History. A technology company has been accused of withholding relevant information in connection with the proposed class action alleging the company illegally tracked and stored users’ location data.[392] The plaintiffs have moved to lift the stay on discovery requested by the technology company after they filed an amended complaint based on evidence surfaced by contemporaneous litigation brought by the Arizona Attorney General’s Office.[393] The court has yet to rule on the motion.[394]

Technology Company – Medical Records. In September, U.S. District Court for the Northern District of Illinois granted the motion to dismiss all claims in a suit concerning the release of depersonalized medical information by a university to a technology company as part of a research partnership.[395] The proposed class action had alleged that the technology company and the university engaged in deceptive business practices for turning over medical information on all patients who were treated at the university’s medical center from 2009 through 2016.[396] The court found that the plaintiff had not sufficiently alleged any harm as a result of this practice, and thus dismissed all claims. The plaintiff stated plans to appeal this decision.[397]

Connected Vehicles and Devices and the Internet of Things. Likewise, in March 2020, the U.S. District Court for the Southern District of Illinois dismissed a case against an automobile manufacturer alleging that defects in vehicle infotainment systems had left them vulnerable to hacking.[398] The court reasoned that the threat of future harm from such potential hacking did not constitute a sufficiently cognizable injury to give standing to the plaintiffs, who alleged that the vulnerabilities substantially undermined the value of the vehicles compared to what they had paid.[399] The plaintiffs have since appealed the decision to the United States Court of Appeals for the Seventh Circuit, arguing that the lower court did not properly consider the evidence of the vulnerabilities and the valuation decrease as a result.[400]

The Wiretap Act and Technology Companies. Additional connected-devices cases continue to work their way through the federal courts, raising both state and federal claims.[401] A case in the U.S. District Court for the District of New Jersey against electronics companies for harvesting data from “smart TVs,” which partially survived a motion to dismiss in 2019, has again survived dismissal of the amended complaint alleging federal Wiretap Act violations.[402] In its second order, the court restated its previous conclusion that the electronics companies do not constitute “parties” to the communications at issue (which could have exempted them from liability); rather, the court found them analogous to smartphone companies, entities that have been held to be “hosts,” not participants, and thus subject to the Wiretap Act.[403] The court also rejected an interlocutory appeal, finding that there were still factual issues to be resolved.[404] The electronics companies have now moved for a separation of the claims, arguing that moving forward in discovery as joint defendants with a rival company would materially harm their business interests.[405] The companies have also filed a motion to compel individual arbitration and strike the class claims. The court granted a motion to sever the claims, but has yet to rule on whether to compel arbitration.[406]

COPPA and Child Privacy Cases. Virtual learning and a renewed focus on children’s privacy during the pandemic have resulted in a new wave of litigation related to the collection of data from children, including under the Children’s Online Privacy Protection Rule promulgated under COPPA.[407] The State of New Mexico brought claims in federal court against a major technology company for collecting data from children using its free classroom services and computers provided to underserved communities for online learning.[408] The lawsuit alleged that the company used these free services to track the online activities of students without proper notice to or consent from the students or their parents.[409] Although the case was dismissed for insufficiently alleging a violation of COPPA because of disclosures on the company’s website about the services and data collection practices, the New Mexico Attorney General has appealed the dismissal, the resolution of which is still pending.[410]

The privacy of minors in online and mobile device gaming has also continued to make headlines. As we covered in last year’s Review, a class action against gaming and app creation companies in California survived a critical motion to dismiss in 2019.[411] The plaintiffs brought a proposed class action against these companies for allegedly selling information gathered from games aimed at children and adolescents without parental consent.[412] On August 5, 2020, the parties agreed to settle out of court. The proposed settlements do not include any monetary award for class members, but would limit the companies’ ability to collect information from children using their apps.[413] More recently, the FTC filed a complaint against a popular gaming app developer, alleging the company allowed third-party ad networks to collect information by tracking user behavior from child-directed apps without proper notice to or consent from the parents.[414] The action is pending in federal court.

Similarly, a video streaming company settled a case with the New York Attorney General and the FTC involving allegations of COPPA violations for tracking and targeting advertisements to users watching videos directed at children under 13 for a record $170 million.[415] Although this case has been settled, similar allegations have been raised in the UK in a suit alleging damages of over $2 billion.[416]

Fintech Litigation. Financial technology (fintech) companies have also increasingly become the target of privacy concerns for their collection of both personal banking data and transaction‑level data from users. On August 25, 2020, users of a fintech service brought a proposed class action in the U.S. District Court for the Northern District of California against a fintech company, alleging that the company mishandles sensitive user information. The plaintiffs claim that the company, which provides budgeting tools, savings trackers, account history information and account verification, invades the privacy of users by collecting transaction‑level data without the knowledge or consent of its users, and puts that sensitive information at risk by sending these consumer files to third-party buyers in an easily hackable format.[417] On November 4, 2020, the company filed a motion to dismiss the proposed class action suit for failure to state a claim, arguing that the company collects and sells the consumer data only after it has been anonymized and aggregated with the anonymized data of other consumers; therefore, consumers can have no reasonable expectation of privacy in it.[418] The court has yet to rule on this motion.[419]

On May 4, 2020, another fintech company whose product is utilized by banking and financial apps was accused of accessing, using, and selling app customers’ personal banking data without their consent, according to a proposed class action (also filed in the Northern District of California).[420] The parties are awaiting a decision on the company’s motion to dismiss.

III. GOVERNMENT DATA COLLECTION

A. Collection of Cell Phone Data

In 2020, a number of cases addressed the issue of individuals’ privacy rights with respect to digital data stored on cell phones and similar personal electronic devices. Several court decisions strengthened the government’s ability to collect and search data without warrants through the Fourth Amendment’s “third-party” doctrine, under which a person generally “has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”[421] However, courts have reached divergent conclusions regarding the government’s ability to collect digital data under the Foreign Intelligence Surveillance Act (FISA).

Cases Regarding the Collection of Personal Data. In June 2020, the U.S. Court of Appeals for the Fifth Circuit held that an individual does not have a Fourth Amendment privacy interest in the records of their Bitcoin transactions.[422] The court declined to extend the limitation of the third-party doctrine as it applies to cell phones to either Bitcoin’s public blockchain or to records from a virtual currency exchange.[423] The court analogized Bitcoin blockchain and the virtual currency exchange’s records to bank records and telephone call logs because: (1) they contain limited information; and (2) transferring and receiving Bitcoin requires an affirmative act, which is more akin to voluntarily placing a call than an unknowing collection of cell phone location data.[424] The court also noted that Bitcoin users are unlikely to expect that the Bitcoin transaction data will be kept private since every transaction is recorded in a publicly available blockchain.[425]

In United States v. Carme, a Barnstable police detective used BitTorrent-deciphering software to download 192 public files, which helped generate evidence against a criminal defendant.[426] When this tactic was challenged on Fourth Amendment grounds, the district court for the District of Massachusetts declined to expand privacy protections to file‑sharing software that makes it harder for third parties to view the entirety of a file (unlike traditional peer-to-peer file‑sharing, which makes such viewing easier).[427] In reaching this result, the court stressed that there is no reasonable expectation of privacy when a matter is voluntarily disclosed or entrusted to third parties, even if the particular file-sharing software gave the illusion of additional privacy by fragmenting the contents of shared files.[428]

In United States v. Trader, the Eleventh Circuit Court of Appeals similarly found that the government’s warrantless collection of a criminal suspect’s email address and internet protocol addresses from a third party’s business records was constitutional and did not violate the Fourth Amendment.[429] The Trader court emphasized that a business record that might incidentally reveal location information, such as an email address or internet protocol address, falls outside the narrow exception to the third-party doctrine as it applies to cell phone location records.[430]

Data Collection Pursuant to a FISA Order. In another notable development, this past year saw the federal courts further divide on when and under what conditions the government’s data collection under FISA might violate the Fourth Amendment.

On September 2, 2020, the Ninth Circuit ruled that the National Security Agency (NSA) violated Section 1861 of FISA by collecting phone records in bulk without showing their relevance to any specific, authorized, and existing investigation before collection.[431] The NSA collected from major telecommunication providers call records or telephony metadata for communications: (1) between the United States and abroad; and (2) wholly within the United States, including the defendant’s local phone calls.[432] These records included information such as the phone numbers involved in a call and the time and duration of the call, but not the voice content of any call.[433] The Ninth Circuit distinguished the data at issue from Smith v. Maryland,[434] a Supreme Court case that involved the government installing a “pen register,” a device that records numbers dialed from a phone.[435] Instead, analogizing the data at issue in this case to the cell phone location information in Carpenter v. United States,[436] the court found that an individual’s telephony metadata collected on a continuing basis is akin to 24-hour surveillance.[437] The Ninth Circuit did not, however, reach an ultimate conclusion on whether the government’s metadata collection program was therefore prohibited by the Fourth Amendment.

In a December 2019 decision, however, the U.S. Court of Appeals for the Second Circuit reached a contrasting result when applying the Fourth Amendment to email collection under FISA.[438] The court in that case, United States v. Hasbajrami, found the “incidental collection” of communications—the collection of the communications of individuals in the United States acquired in the course of the surveillance of individuals without ties to the United States and located abroad—was permissible under the Fourth Amendment.[439] The court noted that surveillance in Hasbajrami was permissible under Section 702 of FISA, and that the government does not have to return to the FISA court to seek approval before it undertakes surveillance of any specific individual.[440]

FISA Authorities Lapsed. As mentioned briefly above, in March 2020, three FISA authorities lapsed[441]: (1) Section 215 of the USA Patriot Act, also known as the “business records” provision;[442] (2) the “lone wolf” authority;[443] and (3) the “roving wiretap” authority.[444] Each has, in the past, been a prominent law enforcement tool. Under Section 215, the NSA can petition the Foreign Intelligence Surveillance Court (FISC) to order the production of business records and other tangible things relevant to specific investigations.[445] The lone wolf authority allows the FBI to surveil a non‑U.S. citizen who is suspected of planning a terrorist attack but cannot be linked to a foreign terrorist organization.[446] Finally, the roving wiretap authority enables the FBI to continue the wiretap of a criminal suspect, even if the suspect switches phones.[447] It is meant for individuals using burner phones or alternating between several devices.[448] To date, as set out at Section I.C.2., these sources of authority have not been reauthorized, setting the stage for further legislative action in 2021.

B. Extraterritorial Warrants and Data Transfers

In 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act).[449] A year later, the United Kingdom passed a similar law called the Crime (Overseas Production Orders) Act 2019.[450] Based on these mirroring statutes, the United States and the United Kingdom entered into the first-ever CLOUD Act bilateral pact: the US-UK Bilateral Data Access Agreement, known as “DICA” in 2019.[451] The Agreement came into force on July 8, 2020.[452]

While the United States had engaged in negotiations with Australia[453] and the European Union[454] to implement similar bilateral pacts in 2019, no agreement has been finalized. Nevertheless, Australia took several steps in 2020 suggesting an agreement may be close. In spring 2020, the Australian government introduced legislation that would provide the legal basis, where a designated international agreement is in place, for sending data requests directly to foreign providers, explicitly noting that “[t]he Bill provides the legislative framework for Australia to give effect to future bilateral and multilateral agreements for cross-border access to electronic information and communications data.”[455] The Australian Parliamentary Joint Committee on Intelligence and Security also issued a call for public comments concerning the legislation.[456] Many businesses and organizations responded with comments reflecting broader critiques of the CLOUD Act—such as the Australian Privacy Foundation’s statement that the bill is “deeply flawed.”[457] That said, although no additional CLOUD Act formal agreements were made in 2020, additional bilateral agreements may still be finalized in 2021.

There may be, however, a significant complicating factor for any EU-US bilateral agreement. On July 16, 2020, the Court of Justice of the European Union (CJEU) struck down the U.S.-EU Privacy Shield as legally invalid (Schrems II).[458] CJEU noted that, under the EU’s General Data Protection Regulation (GDPR), a transfer of personal data out of the EU may take place only if the third country ensures an adequate level of data protection. Maximilian Schrems, a resident of Austria, lodged a series of complaints with the Irish supervisory authority, the Data Protection Commission (DPC), seeking to prohibit the transfer of his personal data from the European subsidiary of a social media company to its parent corporation in the U.S.[459] In deciding Schrems’s case, CJEU found that limitations on the protection of personal data in the U.S. meant that country’s domestic law failed to meet EU requirements. Specifically, CJEU found that: (1) U.S. law does not adequately limit the personal data that U.S. public authorities may access and use through surveillance programs; and (2) the relevant provisions in U.S. law do not grant data subjects actionable rights before the courts as against U.S. governmental authorities.[460]

On August 10, 2020, the U.S. Department of Commerce and the European Commission announced, in response to the Schrems II decision, that they had initiated discussions to evaluate the potential for an enhanced U.S.-EU Privacy Shield framework to comply with the CJEU’s Schrems II ruling.[461] That same month, a European privacy group filed a lawsuit against over 100 websites, alleging the sites were still sending data to the United States in violation of the CJEU’s decision.[462]

C. Other Notable Developments

1. Police Use of Facial Recognition Software

Facial recognition software (FRS) gained publicity in 2020 not only for its potential use in controlling the spread of COVID-19,[463] but also for its widespread adoption by federal and local law enforcement. The technology’s accuracy has been called into question by an MIT study, which found that FRS results in a disproportionate number of misidentifications, particularly for individuals of color.[464] Tensions heightened after media reports revealed that several law enforcement agencies had contracted with an FRS company that had scraped over three billion images from publicly available social media websites without consent.[465] These reports gave rise to greater scrutiny, including a March 2020 action brought by the Vermont Attorney General[466] and a May 2020 action by the ACLU alleging violations of Illinois’s Biometric Information Privacy Act (BIPA).[467]

Cities and local governments have begun responding to this backlash. For example, the New York Police Department (NYPD) published protocols limiting its own use of facial recognition.[468] This updated policy requires that facial recognition technology only be used for legitimate law enforcement purposes, and that a facial recognition match may serve as a lead but does not constitute probable cause for an arrest.[469] Similarly, the Los Angeles Police Department (LAPD) has barred officers and detectives from using third-party facial recognition platforms in their investigations.[470] And as discussed at Section I.C.1., various municipalities have either banned or significantly curtailed the use of FRS.

2. Government Use of Aerial Surveillance

In a further development at the intersection of privacy and law enforcement, in recent years the Baltimore Police Department (BPD) launched its controversial “Aerial Investigation Research,” or “AIR,” program. Three aircraft equipped with high-definition cameras now fly above Baltimore for 12 hours each day to identify specific individuals who are suspected of committing or witnessing serious crimes, as well as those who crossed their paths before and after the crimes took place.[471] On April 9, 2020, community activists and city residents brought a 42 U.S.C. § 1983 action against the BPD, alleging this aerial surveillance violated their First Amendment associational rights and Fourth Amendment protection against unreasonable searches.[472] The district court denied the plaintiffs’ request for a preliminary injunction against the BPD program, likening it to conventional surveillance techniques the Supreme Court found to be permissible in Carpenter v. United States.[473]

On appeal, a panel of the Fourth Circuit upheld the program as constitutional, in part because the AIR cameras do not photograph a person’s features, but rather reduce each individual on the ground to a pixelated dot.[474] The court also noted that BPD officers can only access these photographs if specific violent crimes are reported in a particular location, and cannot identify someone photographed by AIR without relying on ground-based cameras.[475] The court also held the program does not violate a reasonable expectation of privacy because an individual has a limited expectation of privacy in public, and AIR only constitutes short-term surveillance of an individual’s public movements.[476] Finally, the court found that the program does not violate First Amendment rights to freely associate because individuals would not likely be deterred from associating simply to avoid showing up as dots in surveillance photographs.[477] However, an en banc rehearing request was granted by the full Fourth Circuit in December 2020, leaving the question far from settled.

Also this past year, the Los Angeles Department of Transportation (LADOT) renewed its One Year Dockless Mobility permit program for the operation of scooter ride-sharing businesses in Los Angeles. The program offers businesses a permit is contingent on such businesses sharing real-time location data with the city.[478] In March, the scooter ride-sharing subsidiary of a large ride-sharing business sued the LADOT over this data-sharing requirement, arguing that in practice, the rule operates as a warrantless administrative search. On this point, the scooter ride‑sharing subsidy claimed that LADOT or others can use the time-stamped geolocation data to identify individual users’ travel patterns.[479] The case was voluntarily dismissed without prejudice by the scooter-riding subsidiary on June 15, 2020 after that entity was acquired by a different scooter ride-sharing company.[480] In June, however, the ACLU filed a complaint on behalf of the scooter ride‑share users raising similar privacy arguments.[481] Of note, the LADOT’s scooter requirements underscore a limit in CCPA protections: because the location data is provided to the government and not for a commercial purpose, that law would not apply.

IV. CONCLUSION

2020 was, in every sense of the word, unprecedented. U.S. privacy and cybersecurity law and policy have been forced to evolve at a breakneck pace, both to face long-standing risks (like sophisticated, state-sponsored cybercriminals) and once-in-a-generation challenges (like a worldwide pandemic). These changes will reverberate throughout 2021 and beyond, shaping how companies, governments, and the general public use, protect, and regulate data. In the year ahead, we will continue to track these important issues.

____________________

[1] See Gretchen Ramos and Darren Abernathy, Additional U.S. States Advance the State Privacy Legislation Trend in 2020, National Law Review (Dec. 15, 2020), available at https://www.natlawreview.com/article/additional-us-states-advance-state-privacy-legislation-trend-2020.

[2] 2020 Democratic Party Platform (Aug. 18, 2020), available at https://www.demconvention.com/wp-content/uploads/2020/08/2020-07-31-Democratic-Party-Platform-For-Distribution.pdf.

[3] Id.

[4] Press Release, Department of Justice, The Justice Department Unveils Proposed Section 230 Legislation (Sept. 23, 2020), available at https://www.justice.gov/opa/pr/justice-department-unveils-proposed-section-230-legislation; Department of Justice’s Review of Section 230 of the Communications Decency Act of 1996, available at https://www.justice.gov/ag/department-justice-s-review-section-230-communications-decency-act-1996.

[5] Press Release, State of California Department of Justice, Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit (July 19, 2012), available at https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-privacy-enforcement-and-protection.

[6] See Reuters Staff, U.S. FTC chair says he will resign along with senior staff, Reuters (Jan. 19, 2021), available at https://www.reuters.com/article/us-ftc-simons/us-ftc-chair-says-he-will-resign-along-with-senior-staff-idUSKBN29O1XB.

[7] Michelle Price, Biden appoints U.S. consumer watchdog veteran as acting director after Trump appointee resigns, Reuters (Jan. 21, 2021), available at https://www.reuters.com/article/us-usa-biden-cfpb/biden-appoints-u-s-consumer-watchdog-veteran-as-acting-director-after-trump-appointee-resigns-idUSKBN29Q249.

[8] President Biden’s late son, Beau Biden, served as attorney general of Delaware, and Harris served as attorney general of California.

[9] Michelle Price, Biden appoints U.S. consumer watchdog veteran as acting director after Trump appointee resigns, Reuters (Jan. 21, 2021), available at https://www.reuters.com/article/us-usa-biden-cfpb/biden-appoints-u-s-consumer-watchdog-veteran-as-acting-director-after-trump-appointee-resigns-idUSKBN29Q249.

[10] H.R. 748, CARES Act, Public Law 116-136 (Mar. 27, 2020).

[11] See Stephen Carroll, Biden begins political battle for $1.9 trillion stimulus plan, France24 (Jan. 21, 2021), available at https://www.france24.com/en/tv-shows/business-daily/20210121-president-biden-begins-political-battle-for-1-9-trillion-stimulus-plan.

[12] See Eleanor Laise, Joe Biden Could Face an Uphill Battle to Restore Consumer Protections, Barron’s (Nov. 13, 2020), available at https://www.barrons.com/articles/whats-next-for-the-cfpb-and-why-it-matters-51605307530.

[13] Lesley Fair, Operation Corrupt Collector cracks down on illegal debt collection tactics, Federal Trade Commission (Sept. 29, 2020), available at https://www.ftc.gov/news-events/blogs/business-blog/2020/09/operation-corrupt-collector-cracks-down-illegal-debt.

[14] S. 3663, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3663/text.

[15] Id.

[16] Allison Grande, Sens. Float Privacy Bill To Protect Data In COVID-19 Era, Law 360 (Apr. 30, 2020) available at https://www.law360.com/articles/1269228/sens-float-privacy-bill-to-protect-data-in-covid-19-era; Adam Schwartz, Two Federal COVID-19 Privacy Bills: A Good Start and a Misstep, Electronic Frontier Foundation (May, 28, 2020), available at https://www.eff.org/deeplinks/2020/05/two-federal-covid-19-privacy-bills-good-start-and-misstep.

[17] S. 3749, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3749/text.

[18] Id.

[19] U.S. Department of Health & Human Services, Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Mar. 30, 2020), available at https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.

[20] U.S. Department of Health & Human Services, OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency (Apr. 2, 2020), available at https://www.hhs.gov/about/news/2020/04/02/ocr-announces-notification-of-enforcement-discretion.html; U.S. Department of Health & Human Services, OCR Announces Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency (Apr. 9, 2020), available at https://web.archive.org/web/20210117020355/
https://www.hhs.gov/about/news/2020/04/09/ocr-announces-notification-enforcement-discretion-community-based-testing-sites-during-covid-19.html.

[21] U.S. Department of Health & Human Services, OCR Issues Guidance to Help Ensure First Responders and Others Receive Protected Health Information about Individuals Exposed to COVID-19 (Mar. 24, 2020), available at https://web.archive.org/web/20210117001045/
https://www.hhs.gov/about/news/2020/03/24/ocr-issues-guidance-to-help-ensure-first-responders-and-others-receive-protected-health-information-about-individuals-exposed-to-covid-19.html.

[22] U.S. Department of Health & Human Services, OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities (June 12, 2020), available at https://web.archive.org/web/20210116081727/
https://www.hhs.gov/about/news/2020/06/12/guidance-on-hipaa-and-contacting-former-covid-19-patients-about-blood-and-plasma-donation.html.

[23] Centers for Disease Control and Prevention (CDC), COVID-19 Vaccination Program Interim Playbook for Jurisdiction Operations (Oct. 29, 2020) available at https://www.cdc.gov/vaccines/imz-managers/downloads/COVID-19-Vaccination-Program-Interim_Playbook.pdf.

[24] Sheryl Gay Stolberg, Some States Balk After C.D.C. Asks for Personal Data of Those Vaccinated, N.Y. Times (Dec. 8, 2020) available at https://www.nytimes.com/2020/12/08/us/politics/cdc-vaccine-data-privacy.html.

[25] Act in relation to the collection of emergency health data and personal information and the use of technology to aid during COVID-19; and providing for the repeal of such provision upon the expiration thereof, S.8848D (N.Y. 2020), available at https://legislation.nysenate.gov/pdf/bills/2019/S8448D.

[26] Cal. Civ. Code §§ 1798.130(a)(5)(D), 1798.146, and 1798.148.

[27] Act to amend Section 1798.130 of, and to add Sections 1798.146 and 1798.148 to, the Civil Code, relating to consumer privacy, and declaring the urgency thereof, to take effect immediately, A.B. 713 (Cal. 2020) (enacted), available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?
bill_id=201920200AB713.

[28] Cal. Civ. Code §§ 1798.130(a)(5)(D), 1798.146, and 1798.148.

[29] Id.

[30] Id.

[31] Id.

[32] Act concerning governmental response to the 2020 COVID-19 pandemic in Kansas, H.B. 2016 (Kan. 2020) (enacted), available at http://www.kslegislature.org/li_2020s/b2020s/
measures/documents/hb2016_enrolled.pdf.

[33] N.Y. Pub. Health Code § 2181 Act to amend the public health law, in relation to the confidentiality of contact tracing information, S.8450C (N.Y. 2020), available at https://legislation.nysenate.gov/pdf/bills/2019/S8450C.

[34] Act relating to contact tracing of the COVID-19 virus, S.B.1 (Ala. 2020), available at http://alisondb.legislature.state.al.us/ALISON/SearchableInstruments/2021RS/PrintFiles/SB1-int.pdf.

[35] Id.

[36] Act concerning data privacy related to certain health information and supplementing Title 26 of the Revised Statutes, A.4170 (N.J. 2020), available at https://www.njleg.state.nj.us/2020/Bills/A4500/4170_R1.HTM.

[37] Id.

[38] Id.

[39] An act to amend the general business law, in relation to the management and oversight of personal data [the “New York Privacy Act”], S. 5642, 2019-2020 Leg., Reg. Sess. (N.Y. 2019), available at https://legislation.nysenate.gov/pdf/bills/2019/S5642.

[40] An act to amend the general business law and the state technology law, in relation to notification of a security breach, S5575B, 2019-2020 Leg., Reg. Sess. (N.Y. 2019), available at https://www.nysenate.gov/legislation/bills/2019/s5575/amendment/b

[41] Act in relation to the collection of emergency health data and personal information and the use of technology to aid during COVID-19; and providing for the repeal of such provision upon the expiration thereof, S.8848D (N.Y. 2020), available at https://www.nysenate.gov/legislation/bills/2019/S8448.

[42] Id.

[43] Id.

[44] Id.

[45] See Act in relation to the collection of emergency health data and personal information and the use of technology to aid during COVID-19; and providing for the repeal of such provision upon the expiration thereof, S.301 (N.Y. 2021), available at https://www.nysenate.gov/legislation/bills/2021/S301; Act in relation to the collection of emergency health data and personal information and the use of technology to aid during COVID-19; and providing for the repeal of such provision upon the expiration thereof, H.687 (N.Y. 2021), available at https://legislation.nysenate.gov/pdf/bills/2021/A687.

[46] Act to add Title 1.81.10 (commencing with Section 1798.600) to Part 4 of Division 3 of the Civil Code, relating to personal information, A.B.660 (Cal. 2020), available at https://leginfo.legislature.ca.gov/faces/
billTextClient.xhtml?bill_id=201920200AB660.

[47] Id.

[48] Act to add Title 4.5 (commencing with Section 1924) to Part 4 of Division 3 of the Civil Code, to add Chapter 5 (commencing with Section 104000) to Part 2 of Division 102 of the Health and Safety Code, and to add Part 6 (commencing with Section 22360) to Division 2 of the Public Contract Code, relating to personal information, A.B.1782 (Cal. 2020), available at https://leginfo.legislature.ca.gov/faces/
billNavClient.xhtml?bill_id=201920200AB1782.

[49] Id.

[50] Id.

[51] Bill for an act relating to health, H.F.164 (Minn. 2020), available at https://www.revisor.mn.gov/bills/text.php?number=HF164&
type=bill&version=0&session=ls91&session_year=2020&session_number=1.

[52] See Act to Exempt EMS telecommunicator info from Public Records Law, S.B. 31 (Ohio 2020), available at https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA133-SB-31.

[53] See Press Release, Office of the Attorney General, Attorney General Herring Tells Tech Companies to Protect Public from Shady “Contact Tracing Apps” (June 17, 2020), available at https://www.oag.state.va.us/media-center/news-releases/1739
-june-17-2020-herring-tells-tech-companies-to-protect-public-from-shady-contact-tracing-apps.

[54] Id.

[55] See Press Release, N.Y. State Office of the Attorney General, Attorney General James Secures New Protections, Security Safeguards for All Zoom Users (May 7, 2020), available at https://ag.ny.gov/press-release/2020/attorney-general-james-secures-new-protections-security-safeguards-all-zoom-users.

[56] Id.

[57] See Cal. Civ. Code § 1798.140(c).

[58] See, e.g., California Approves Final CCPA Regulations, and Bill Extending Key Exemptions Moves Forward at the Legislature, Gibson Dunn (Aug. 20, 2020), available at https://www.gibsondunn.com/california-approves-final-ccpa-regulations-and-bill-extending-key-exemptions-moves-forward-at-the-legislature/; California Consumer Privacy Act Update: Attorney General Finalizes Regulations and Provides Interpretive Guidance, Gibson Dunn (June 12, 2020), available at https://www.gibsondunn.com/california-consumer-privacy-act-update-attorney-general-finalizes-regulations-and-provides-interpretive-guidance/; California Consumer Privacy Act Update: Attorney General Proposes Further Revisions to CCPA Regulations, Gibson Dunn (Mar. 17, 2020), available at https://www.gibsondunn.com/california-consumer-privacy-act-update-attorney-general-proposes-further-revisions-to-ccpa-regulations/; California Consumer Privacy Act Update: Attorney General Proposes Regulations Version 2.0, Gibson Dunn (Feb. 19, 2020), available at https://www.gibsondunn.com/california-consumer-privacy-act-update-attorney-general-proposes-regulations-version-2-0/.

[59] Final Text of Proposed Regulations, State Cal. Dep’t Just. Off. Att’y Gen. (Jan. 19, 2020), available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf?

[60] Id.

[61] Text of Fourth Set of Proposed Modifications, State Cal. Dep’t Just. Off. Att’y Gen. (Dec. 10, 2020), available at https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-prop-mods-text-of-regs-4th.pdf; Text of Third Set of Proposed Modifications – Comparison Version, State Cal. Dep’t Just. Off. Att’y Gen. (Oct. 12, 2020), available at https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-third-set-mod-101220.pdf?.

[62] Text of Fourth Set of Proposed Modifications, State Cal. Dep’t Just. Off. Att’y Gen. (Dec. 10, 2020), available at https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-prop-mods-text-of-regs-4th.pdf; Text of Third Set of Proposed Modifications – Comparison Version, State Cal. Dep’t Just. Off. Att’y Gen. (Oct. 12, 2020), available at https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-third-set-mod-101220.pdf?.

[63] See, e.g., The Potential Impact of the Upcoming Voter Initiative, the California Privacy Rights Act, Gibson Dunn (Sept. 29, 2020), available at https://www.gibsondunn.com/potential-impact-of-the-upcoming-voter-initiative-the-california-privacy-rights-act/; As California Consumer Privacy Act Enforcement Commences, a Tougher New Data Privacy Law Will Go Before California Votes in November, Gibson Dunn (July 1, 2020), available at https://www.gibsondunn.com/as-california-consumer-privacy-act-enforcement-commences-a-tougher-new-data-privacy-law-will-go-before-california-voters-in-november/.

[64] Whereas the CCPA defines “business” in part as a for-profit entity that collects consumers’ personal information, which does business in California and possesses “the personal information of 50,000 or more consumers, households, or devices,” Cal. Civ. Code § 1798.140(c)(1)(B) [prior CCPA text], the CPRA will remove such devices from consideration. See Cal. Civ. Code § 1798.140(d)(1) [as modified by CPRA].

[65] Compare Cal. Civ. Code § 1798.140(c)(1)(B) [prior CCPA text], with Cal. Civ. Code § 1798.140(d)(1)(B) [as modified by CPRA].

[66] Compare Cal. Civ. Code § 1798.140(c)(1)(C) [prior CCPA text], with Cal. Civ. Code § 1798.140(d)(1)(C) [as modified by CPRA].

[67] Compare Cal. Civ. Code § 1798.140(o)(2) [prior CCPA text] with Cal. Civ. Code § 1798.140(v)(2) [as modified by CPFRA].

[68] Compare Cal. Civ. Code § 1798.140(t) [prior CCPA text], with Cal. Civ. Code § 1798.140(ad) [as modified by CPRA].

[69] An Act to Protect the Privacy of Online Customer Information, S. P. 275, 2019 Leg., 129th Sess. (Me. 2019), available at http://www.mainelegislature.org/legis/bills/
getPDF.asp?paper=SP0275&item=9&snum=129.

[70] Id.

[71] Id.

[72] An Act relating to Internet privacy, S.B. 220, 2019 Leg., 80th Sess. (Nev. 2019), available at https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6365/Text.

[73] An Act relating to public safety; designating the month of October of each year as “Cybersecurity Awareness Month”; revising requirements relating to emergency response plans for schools, cities, counties and resort hotels; clarifying the authority of the Governor to call members of the Nevada National Guard into state active duty upon a request for assistance from certain governmental entities that have experienced a significant cybersecurity incident; requiring each city or county to adopt and maintain a cybersecurity incident response plan; revising the duties of the Nevada Office of Cyber Defense Coordination of the Department of Public Safety; requiring the Office to submit a quarterly report to the Governor regarding cybersecurity; revising provisions relating to the disclosure of records by the Office; and providing other matters properly relating thereto, S.B. 69, 2019 Leg., 80th Sess. (Nev. 2019), available at https://www.leg.state.nv.us/Statutes/
80th2019/Stats201915.html#Stats201915_CH412.

[74] Id.

[75] Id.

[76] An act to amend the general business law and the state technology law, in relation to notification of a security breach, S5575B, 2019-2020 Leg., Reg. Sess. (N.Y. 2019), available at https://www.nysenate.gov/legislation/bills/2019/s5575/amendment/b.

[77] Id.

[78] Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), 2019-2020 Leg., Reg. Sess. S5575B (N.Y. 2019), available at https://legislation.nysenate.gov/pdf/bills/2019/S5575B.

[79] See id. § 899-BB(1)(a).

[80] Id.

[81] N.Y. Bar Ass’n, January 21, 2021 State Legislative Developments, NYBA Online (Jan. 22, 2021), available at https://www.nyba.com/NYBA/Publications/Friday_s_News/NYBA/
Publications/Fridays_News.aspx?hkey=79bbbf02-4315-4d19-8349-fe28b3a3de2e.

[82] NYDAT § 899-CC(7).

[83] An act to amend the general business law, in relation to the management and oversight of personal data [the “New York Privacy Act”], S. 5642, 2019-2020 Leg., Reg. Sess. (N.Y. 2019), available at https://legislation.nysenate.gov/pdf/bills/2019/S5642.

[84] Id.

[85] See Josefa Velasquez, New York’s State Senate Democrats Gain a Supermajority. What Could They Do With It?, The City (Nov. 23, 2020), available at https://www.thecity.nyc/2020/11/23/21612024/new-york-state-senate-democrats-gain-a-supermajority.

[86] An Act Relating to actions with respect to a breach of security that involves personal information, S.B. 684, 80th Or. Leg. Assemb., Reg. Sess. (O.r. 2019), available at https://olis.leg.state.or.us/liz/2019R1/
Downloads/MeasureDocument/SB684/Enrolled.

[87] Id.

[88] Id.

[89] Id.

[90] Id.

[91] Id.

[92] An Act Relating to security measures required for devices that connect to the Internet, H.B. 2395, 80th Leg. Assemb., Reg. Sess. (Or. 2019), available at https://olis.leg.state.or.us/liz/2019R1/Downloads/MeasureDocument/HB2395/Enrolled.

[93] Id.; An act to add Title 1.81.26 (commencing with Section 1798.91.04) to Part 4 of Division 3 of the Civil Code, relating to information privacy, S.B. 327, 2017-2018 Leg., Reg. Sess. (Cal. 2018), available at https://leginfo.legislature.ca.gov/faces/
billNavClient.xhtml?bill_id=201720180SB327.

[94] An Act Relating to the use of facial recognition services, S.B. 6280, 66th Leg., Reg. Sess. (Wash. 2020), available at http://lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/
Bills/Session%20Laws/Senate/6280-S.SL.pdf?q=20201214093740.

[95] Id.

[96] Id.

[97] For the bill’s current language, as submitted to the Washington State Legislature, see Wash. State Leg. Committee Schedule, Bill Req. S-4873.3/20 3rd draft [“Concerning the management and oversight of personal data”], available at https://app.leg.wa.gov/committeeschedules/Home/Document/208507; for the draft version bearing Senator Carlyle’s name, see @Reuvencarlyle, Twitter (Sept. 9, 2020), available at https://twitter.com/Reuvencarlyle/status/1303808769218945025.

[98] Reuven Carlyle, Washington Privacy Act 2021 (DRAFT), Senate Democrats (Aug. 5, 2020).

[99] Id.

[100] An Act relating to privacy, H.B. 2572, 30th Leg., Reg. Sess. (Haw. 2020), available at https://www.capitol.hawaii.gov/session2020/bills/HB2572_SD1_.pdf; An Act relative to consumer data privacy, Bill S.120, 191st General Court (Mass. 2019), available at https://malegislature.gov/Bills/191/S120/BillHistory; An Act relating to biological characteristics, H.B. 2478, 44th Leg., 1st Reg. Sess.(Ariz. 2019), available at https://www.azleg.gov/legtext/54leg/1R/bills/HB2478P.pdf.

[101] Henry Kenyon, Voters in Portland, Maine, vote to ban use of facial recognition tech, CQ Roll Call Washington Data Privacy Briefing (Nov. 6, 2020), available at https://today.westlaw.com/Document/Ia69ed770208c11ebbea4f0dc9fb69570/View/
FullText.html?transitionType=Default&contextData=(sc.Default)&
VR=3.0&RS=cblt1.0.

[102] Ashley Murray, City Council Approves Bill to Regulate Facial Recognition Technology, Pittsburgh Post-Gazette (Sept. 23, 2020), available at https://1.next.westlaw.com/Document/I6048e330fd7211eaadd8fa89d4036ae0/View/FullText.html?transitionType=Default&contextData=(sc.Default).

[103] Prohibit the use of Face Recognition Technologies by private entities in places of public accommodation in the City, Ordinance No. 190114 (Sept. 9, 2020), available at https://efiles.portlandoregon.gov/Record/13945283.

[104] See, e.g., Eric Newcomer, California Will Be Key Battleground in Tech Privacy Fight in 2020, Bloomberg (Jan. 2, 2020), available at https://www.bloomberg.com/news/articles/2020-01-02/privacy-fight-continues-in-california-dc-and-beyond.

[105] Id.

[106] Id.

[107] S. 4626, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4626/text.

[108] Muge Fazlioglu, Consolidating US Privacy Legislation: The SAFE DATA Act, iAPP (Sept. 21, 2020), available at https://iapp.org/news/a/consolidating-u-s-privacy-legislation-the-safe-data-act/.

[109] United States Consumer Data Privacy Act of 2019 Staff Discussion Draft (2019), available at https://privacyblogfullservice.huntonwilliamsblogs.com/wp-content/uploads/sites/28/2019/12/Nc7.pdf.

[110] S. 2763, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/2763/text.

[111] S. 1084, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/1084/text.

[112] S. 4626, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4626/text.

[113] Id.

[114] S. 3456, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3456/text.

[115] Id.

[116] Id.

[117] H.R. 6675, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/6675/text.

[118] S. 2577, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/2577/text.

[119] H.R. 6675, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/6675/text.

[120] Id.

[121] Id.

[122] S. 3300, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3300/text.

[123] Eric Newcomer, California Will Be Key Battleground in Tech Privacy Fight in 2020, Bloomberg (Jan. 2, 2020), available at https://www.bloomberg.com/news/articles/2020-01-02/privacy-fight-continues-in-california-dc-and-beyond.

[124] S. 3300, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3300/text.

[125] Id.

[126] Data Accountability and Transparency Act of 2020 Staff Discussion Draft (2020), available at https://www.law360.com/articles/1284404/attachments/0.

[127] Id.

[128] Id.

[129] H.R. 6677, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/6677/text.

[130] Id.

[131] Id.

[132] Id.

[133] Id.

[134] Id.

[135] Id.

[136] Id.

[137] Id.

[138] Internet of Things Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207, available at https://www.congress.gov/bill/116th-congress/house-bill/1668/text.

[139] Justin Katz, Senate Passes IoT Cybersecurity Bill, Federal Computer Week (Nov. 18, 2020), available at https://fcw.com/articles/2020/11/18/iot-cyber-bill-passes-senate.aspx.

[140] Id.

[141] Id.

[142] Chris Mills Rodrigo, Booker, Merkley Propose Federal Facial Recognition Moratorium, The Hill (Feb. 12, 2020), available at https://thehill.com/policy/technology/482815-booker-merkley-propose-facial-recognition-moratorium.

[143] S. 3284, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3284/text.

[144] See H.R. 7356, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/7356/text; S. 4084, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4084/text.

[145] Press Release, Ed Markey United States Senator for Massachusetts, Senators Markey and Merkley, and Reps. Jayapal, Pressley to Introduce Legislation to Ban Government Use of Facial Recognition, Other Biometric Technology (June 25, 2020), available at https://www.markey.senate.gov/news/press-releases/senators-markey-and-merkley-and-reps-jayapal-pressley-to-introduce-legislation-to-ban-government-use-of-facial-recognition-other-biometric-technology.

[146] Id.

[147] S. 4084, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4084/cosponsors.

[148] H.R. 7356, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/7356/cosponsors.

[149] S. 4400, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4400/actions.

[150] Id.

[151] Id.

[152] Id.

[153] See H.R. 7891, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/7891/text; S. 4051, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4051/text.

[154] 50 U.S.C. § 1861 (2018).

[155] 50 U.S.C. § 1801(b)(1)(C) (2015).

[156] 50 U.S.C. § 1805(c)(2)(B) (2018).

[157] H.R. 6172, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/6172/all-actions.

[158] Communications Decency Act of 1996, 47 U.S.C. § 230 (1996).

[159] Id.

[160] See, e.g., Jessica Guynn, Trump and Biden vs. Facebook: Why Section 230 could get repealed in 2021, USA Today (Jan. 4, 2021), available at https://www.usatoday.com/story/tech/2021/01/04/trump-biden-pelosi-section-230-repeal-facebook-twitter-google/4132529001/ (describing political support for Section 230 reform or repeal in 2021).

[161] S. 3983, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3983/text.

[162] Id.

[163] Press Release, Marco Rubio U.S. Senator for Florida, Rubio, Hawley Announce Bill Empowering Americans to Hold Big Tech Companies Accountable for Acting in Bad Faith (June 17, 2020), available at https://www.rubio.senate.gov/public/index.cfm/press-releases?
ContentRecord_id=47276D77-62D6-4E04-9FA2-1CD761179B90#:~
:text=The%20Limiting%20Section%20
230%20Immunity,if%20they%20violate%20those%20terms.

[164] S. 3398, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3398/actions.

[165] Id.

[166] Id.

[167] Id.

[168] Press Release, Committee on the Judiciary, Chairman Graham Applauds Senate Judiciary Committee for Unanimously Approving the EARN IT Act (July 2, 2020), available at https://www.judiciary.senate.gov/press/rep/releases/chairman-graham-applauds-
senate-judiciary-committee-for-unanimously-approving-the-earn-it-act#
:~:text=The%20EARN%20IT%20Act%20was,Against%20Online%20
Child%20Sexual%20Exploitation.%E2%80%9D.

[169] S. 4337, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4337/text.

[170] Id.

[171] Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501–6505 (1998).

[172] Press Release, Federal Trade Commission, FTC Seeks Comments on Children’s Online Privacy Protection Act Rule: FTC to host workshop on COPPA in October as part of initiative (July 25, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/07/ftc-seeks-comments-childrens-online-privacy-protection-act-rule.

[173] H.R. 5573, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/5573/text.

[174] H.R. 5703, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/5703/text.

[175] Id.

[176] 15 U.S.C. § 53(b); see AMG Capital Mgmt., LLC v. Fed. Trade Comm’n, No. 19-508, 2020 WL 3865250 (U.S. July 9, 2020).

[177] See Press Release, Federal Trade Commission, FTC Issues Orders to Nine Social Media and Video Streaming Services Seeking Data About How They Collect, Use, and Present Information (Dec. 14, 2020), available at https://www.ftc.gov/news-events/press-releases/2020/12/ftc-issues-orders-nine-social-media-video-streaming-services.

[178] United States v. Facebook, Inc., 456 F. Supp. 3d 115 (D.D.C. 2020).

[179] See Press Release, Federal Trade Commission, FTC Chairman’s Statement Regarding the Court’s Approval of the Facebook Settlement (Apr. 24, 2020), available at https://www.ftc.gov/news-events/press-releases/2020/04/ftc-chairmans-statement-regarding-courts-approval-facebook.

[180] See Kate Conger, F.T.C. Investigating Twitter for Potential Privacy Violations, N.Y. Times (Aug. 3, 2020), available at https://www.nytimes.com/2020/08/03/technology/ftc-twitter-privacy-violations.html.

[181] Agreement Containing Consent, In the Matter of Zoom Video Communications, Inc., File No. 1923167 (F.T.C. Nov. 9, 2020), available at https://www.ftc.gov/system/files/documents/cases/1923167zoomacco2.pdf.

[182] See Diane Bartz, Exclusive: U.S. probing allegations TikTok violated children’s privacy – sources, Reuters (July 7, 2020), available at https://www.reuters.com/article/us-tiktok-privacy-children-exclusive/exclusive-u-s-probing-allegations-tiktok-violated-childrens-privacy-sources-idUSKBN248373.

[183] 15 U.S.C. § 53(b).

[184] FTC v. Credit Bureau Ctr., LLC, 937 F.3d 764 (7th Cir. 2019).

[185] Id. at 767.

[186] Id.

[187] AMG Capital Mgmt., LLC v. Fed. Trade Comm’n, No. 19-508, 2020 WL 3865250 (U.S. July 9, 2020).

[188] AMG Capital Management, LLC v. FTC, 910 F.3d 417 (9th Cir. 2018).

[189] Initially Credit Bureau Center, LLC and AMG Capital Management, LLC were consolidated to be heard together, but on November 9, the Supreme Court withdrew its consolidation order and vacated its order granting certiorari in Credit Bureau Center, LLC. FTC v. Credit Bureau Ctr., No. 19-825, 2020 WL 6551765 (U.S. Nov. 9, 2020).

[190] AMG Capital Management, LLC, 910 F.3d at 426.

[191] Alexander Southwell, Ryan Bergsieker and Sarah Erickson, Where Data Privacy And CFPB Are Headed Under Biden, Law360 (Nov. 24, 2020), available at https://www.law360.com/articles/1331226/where-data-privacy-and-cfpb-are-headed-under-biden.

[192] Press Release, Department of Health and Human Services, Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (Sept. 25, 2020), available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/premera/index.html.

[193] Press Release, Department of Health and Human Services, Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements (Mar. 3, 2020), available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/porter/index.html.

[194] Press Release, Department of Health and Human Services, OCR Settles Five More Investigations in HIPAA Right of Access Initiative (Sept. 15, 2020), available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/right-of-access-initiative/index.html.

[195] Press Release, Department of Health and Human Services, Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History (Oct. 15, 2018), available at https://www.hhs.gov/guidance/document/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach.

[196] Steve Adler, Court Approves Anthem $115 Million Data Breach Settlement, HIPAA J. (Aug. 20, 2018), available at https://www.hipaajournal.com/court-approves-anthem-115-million-data-breach-settlement/.

[197] Press Release, Department of Health and Human Services, OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Mar. 30, 2020), available at https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.

[198] Department of Health and Human Services, FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency, available at https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.

[199] Press Release, Department of Health and Human Services, OCR Announces Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency (Apr. 9, 2020), available at https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-community-based-testing-sites.pdf.

[200] Press Release, Department of Health and Human Services, OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities (Aug. 2020), available at https://www.hhs.gov/sites/default/files/guidance-on-hipaa-and-contacting-former-covid-19-patients-about-plasma-donation.pdf .

[201] New Release, Center for Medicare and Medicaid Services, CMS Snapshot (Aug. 27, 2020), available at https://www.cms.gov/files/document/snapshotupdate08272020.pdf.

[202] Press Release, Department of Health and Human Services, HHS Proposes Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens (Dec. 10, 2020), available at https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html.

[203] Department of Health and Human Services, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, available at https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-nprm.pdf.

[204] Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446 (published Jan. 21, 2021), available at https://www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care.

[205] Press Release, U.S. Securities and Exchange Commission, SEC Office of Compliance Inspections and Examinations Announces 2020 Examination Priorities (Jan. 7, 2020), available at https://www.sec.gov/news/press-release/2020-4.

[206] Id.

[207] Id.

[208] SEC Office of Compliance Inspection and Examinations, Cybersecurity and Resiliency Observations (Jan. 27, 2020), available at https://www.sec.gov/files/
OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf.

[209] Press Release, U.S. Securities and Exchange Commission, SEC Announces Creation of the Event and Emerging Risk Examination Team in the Office of Compliance Inspections and Examinations and the Appointment of Adam D. Storch as Associate Director (July 28, 2020), available at https://www.sec.gov/news/press-release/2020-165.

[210] U.S. Securities and Exchange Commission, Cyber Enforcement Actions: Digital Assets/Initial Coin Offerings (last updated Dec. 28, 2020), available at https://www.sec.gov/spotlight/cybersecurity-enforcement-actions.

[211] Final Judgment as to Defendants Telegram Group Inc. and Ton Issuer Inc., SEC v. Telegram Group Inc. et al., 1:19-cv-09439 (S.D.N.Y. June 26, 2020), ECF No. 242.

[212] Opinion and Order, SEC v. Telegram Group Inc. et al., 1:19-cv-09439 (S.D.N.Y. Mar. 24, 2020), ECF No. 227.

[213] Id.

[214] 328 U.S. 293 (1946).

[215] Opinion and Order, SEC v. Kik Interactive Inc., 1:19-cv-5244 (S.D.N.Y. Sept. 30, 2020), ECF No. 88.

[216] See, e.g., Complaint, SEC v. Ackerman, 1:20-cv-01181 (S.D.N.Y. Feb. 11, 2020), ECF No. 1 (complaint against Ohio-based businessman who allegedly orchestrated a digital asset scheme that defrauded approximately 150 investors, including many physicians); Complaint, SEC v. Meta 1 Coin Trust, et al., 1:20-cv-00273 (W.D. Tex. Mar. 16, 2020), ECF No. 1 (complaint against an unincorporated entity purporting to be an irrevocable trust, a former state senator, and two others for allegedly conducting a fraudulent ICO of unregistered digital asset securities, and secured a temporary restraining order against the parties); Complaint, SEC v. Dropil, Inc., et al., 8:20-cv-00793 (C.D. Cal. Apr. 23, 2020), ECF No. 1 (complaint against a digital currency company and its three founders for allegedly raising money from thousands of investors through a fraudulent ICO of unregistered digital asset securities); Complaint, SEC v. FLiK, et al., 1:20-cv-03739 (N.D. Ga. Sept. 10, 2020), ECF No. 1 (complaint against several Georgia-based individuals who allegedly promoted two unregistered and fraudulent ICOs); Tierion, Inc., Administrative Proceeding File No. 3-20188, Order Instituting Cease-and-Desist Proceedings Pursuant to Section 8A of the Securities Act of 1933, Making Findings, and Imposing Penalties and a Cease-and-Desist Order (Dec. 23, 2020) (cease-and-desist proceeding against blockchain startup for unregistered offering of securities via “token sale”; company agreed to return funds to investors, pay $250,000 penalty, and disable trading in its “tokens”).

[217] Complaint, SEC v. Sotnikov, et al., 1:20-cv-02784 (D.N.J. Mar. 13, 2020), ECF No. 1; Press Release, U.S. Securities and Exchange Commission, SEC Charges Russian National for Defrauding Older Investors of Over 26 Million in Phony Certificates of Deposit Scam (Mar. 13, 2020), available at https://www.sec.gov/news/press-release/2020-61.

[218] See id., Clerk’s Entry of Default (Dec. 23, 2020) [electronic order], ECF No. 23

[219] Complaint, SEC v. Ross, 1:20-cv-05140 (N.D. Ga. Dec. 18, 2020), ECF No. 1; U.S. Securities and Exchange Commission, SEC Charges Former Day Trader with Market Manipulation, Litigation Release No. 24989 (Dec. 18, 2020), available at https://www.sec.gov/litigation/litreleases/2020/lr24989.htm.

[220] Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, 47 U.S.C. § 227.

[221] 35 FCC Rcd 11186 (13) (2020).

[222] Id.

[223] See Facebook, Inc. v. Duguid, 141 S. Ct. 193 (2020).

[224] See Carlton & Harris Chiropractic, Inc. v. PDR Network, LLC, 982 F.3d 258 (4th Cir. 2020) (previously vacated and remanded by the Supreme Court in PDR Network, LLC v. Carlton & Harris Chiropractic, Inc., 139 S. Ct. 2051 (2019)).

[225] Eric J. Troutman, A Jarring Shift, National Law Review (Dec. 11, 2020), available at https://www.natlawreview.com/article/jarring-shift-here-s-why-fourth-circuit-holding-fcc-tcpa-rulings-aren-t-entitled-to.

[226] See, e.g., Notice of Apparent Liability in the Matter of Sprint Corp., 35 FCC Rcd 1655 (2) (2020); Notice of Apparent Liability in the Matter of T-Mobile USA, Inc., 35 FCC Rcd 1785 (2) (2020); Notice of Apparent Liability in the Matter of Verizon Comm., 35 FCC Rcd 1698 (2) (2020).

[227] Jennifer Valentino-DeVries, Cellphone Carriers Face $200 Million Fine for Not Protecting Location Data, N.Y. Times (Feb. 28, 2020), available at https://www.nytimes.com/2020/02/28/technology/fcc-cellphones-location-data-fines.html.

[228] Jennifer Valentino-DeVries, Cellphone Carriers Face $200 Million Fine for Not Protecting Location Data, NY Times (Feb. 28, 2020), available at https://www.nytimes.com/2020/02/28/technology/fcc-cellphones-location-data-fines.html.

[229] William Barr, Statement of the Attorney General on the Announcement of Civil Antitrust Lawsuit Filed Against Google, U.S. Dep’t of Just. (Oct. 20, 2020), available at https://www.justice.gov/opa/pr/statement-attorney-general-announcement-civil-antitrust-lawsuit-filed-against-google.

[230] Id.

[231] Tony Romm, US, States Sue Facebook as an Illegal Monopoly, Setting Stage for Potential Breakup, Wash. Post (Dec. 9, 2020), available at https://www.washingtonpost.com/technology/2020/12/09/facebook-antitrust-lawsuit/.

[232] See Cryptocurrency: Enforcement Framework, Report of the Att’y Gen.’s Cyber Digital Task Force (Oct. 1, 2020), available at https://www.justice.gov/ag/page/file/1326061/download.

[233] International Statement: End-To-End Encryption and Public Safety, Dep’t of Just. Office of Public Affairs (Oct. 11, 2020), available at https://www.justice.gov/opa/pr/international-statement-end-end-encryption-and-public-safety.

[234] Id.

[235] Russel Brandom, US Joins Six Countries in New Call for Backdoor Encryption Access, The Verge (Oct. 12, 2020), available at https://www.theverge.com/2020/10/12/21513212/backdoor-encryption-access-us-canada-australia-new-zealand-uk-india-japan.

[236] Jackson Barnett, Final CMMC Acquisition Rule Goes Into Effect, Fed Scoop (Dec. 1, 2020), available at https://www.fedscoop.com/cmmc-rule-change-goes-effect/.

[237] Id.

[238] Jackson Barnett, The DoD Wants Better Cybersecurity for Its Contractors. The First Steps haven’t Been Easy, Fed Scoop (June 23, 2020), available at https://www.fedscoop.com/cmmc-dod-cybersecurity-requirments-contractors-timeline.

[239] See, e.g., Jackson Barnett, Final CMMC Acquisition Rule Goes Into Effect, Fed Scoop (Dec. 1, 2020), available at https://www.fedscoop.com/cmmc-rule-change-goes-effect/.

[240] See Ensuring American Leadership in Automated Vehicle Technologies, A Report by the Nat’l Sci. & Tech. Council and the U.S. Dep’t of Transportation (Jan. 2020), available at https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/360956/ensuringamericanleadershipav4.pdf.

[241] Id.

[242] Linda Chiem, NHTSA Eyes New Self-Driving Car Regulatory Framework, Law360 (Nov. 23, 2020), available at https://www.law360.com/articles/1331573/nhtsa-eyes-new-self-driving-car-regulatory-framework.

[243] Id.

[244] See Nat’l Inst. of Standards and Tech., Foundational Cybersecurity Activities for IoT Device Manufacturers, NISTIR 8259 (May 2020); Nat’l Inst. of Standards and Tech., IoT device Cybersecurity Capability Core Baseline, NISTIR 8259A (May 2020).

[245] Internet of Things Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207.

[246] Press Release, New York Attorney General, Attorney General James Helps Secure $39.5 Million After Anthem’s 2014 Data Breach (Sept. 30, 2020), available at https://ag.ny.gov/press-release/2020/attorney-general-james-helps-secure-395-million-after-anthems-2014-data-breach.

[247] Id.

[248] Id.

[249] Press Release, New York Attorney General, Attorney General James Helps Secure $17.5 Million After Data Breach at The Home Depot (Nov. 24, 2020), available at https://ag.ny.gov/press-release/2020/attorney-general-james-helps-secure-175-million-after-data-breach-home-depot.

[250] Id.

[251] Id.

[252] Press Release, New York Attorney General, Attorney General James Secures New Protections, Security Safeguards for All Zoom Users (May 7, 2020), available at https://ag.ny.gov/press-release/2020/attorney-general-james-secures-new-protections-security-safeguards-all-zoom-users.

[253] Danny Hakim & Natasha Singer, New York Attorney General Looks Into Zoom’s Privacy Practices, N.Y. Times (Mar. 30, 2020), available at https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html.

[254] Press Release, New York Attorney General, Attorney General James Secures New Protections, Security Safeguards for All Zoom Users (May 7, 2020), available at https://ag.ny.gov/press-release/2020/attorney-general-james-secures-new-protections-security-safeguards-all-zoom-users.

[255] Press Release, Arizona Attorney General, Attorney General Mark Brnovich Files Lawsuit Against Google Over Deceptive and Unfair Location Tracking (May 27, 2020), available at https://www.azag.gov/press-release/attorney-general-mark-brnovich-files-lawsuit-against-google-over-deceptive-and-unfair.

[256] Id.

[257] Id.

[258] Ruling, State of Arizona, et al. v. Google LLC, CV 2020-006219 (Super. Ct. Ariz. Maricopa Cnty. Sept. 25, 2020), available at https://www.azag.gov/sites/default/files/2020-10/CV2020-006219-926-09252020.pdf.

[259] Press Release, Office of Attorney General Maura Healey, AG Healey Announces New Division Focused on Protecting Data Privacy and Security of Massachusetts Consumers (Aug. 13, 2020), available at https://www.mass.gov/news/ag-healey-announces-new-division-focused-on-protecting-data-privacy-and-security-of.

[260] Twitter Investigation Report, N.Y. Dep’t Fin. Serv., Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident and the Implications for Election Security (Oct. 14, 2020), available at https://www.dfs.ny.gov/Twitter_Report.

[261] In the Matter of First American Title Insurance Company, No. 2020-0030-C (July 21, 2020), available at https://www.law360.com/articles/1301950/attachments/0.

[262] Id.

[263] Id.

[264] See, e.g., First American, “First American Reports Completion of Investigation into Customer Impact of Information Security Incident,” July 16, 2019, available at https://web.archive.org/web/20190827180436/
https://www.firstam.com/incidentupdate/update20190716.html.

[265] Id.

[266] Twitter Investigation Report, N.Y. Dep’t Fin. Serv., Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident and the Implications for Election Security (Oct. 14, 2020), available at https://www.dfs.ny.gov/Twitter_Report.

[267] Id.

[268] Id.

[269] Press Release, N.Y. Dep’t Fin. Serv., Superintendent Lacewell Announces DFS to Host First-Ever Techsprint to Advance the Department’s Regulator of the Future Vision (Oct. 15, 2020), available at https://www.dfs.ny.gov/reports_and_publications/
press_releases/pr202010151.

[270] Id.

[271] Id.

[272] See Risk-Based Security, Data Breach Quickview Report, 2019 Q3 Trends (Nov. 2019), available at https://pages.riskbasedsecurity.com/hubfs/Reports/
2019/Data%20Breach%20QuickView%20Report%202019%20Q3%20Trends.pdf.

[273] Twitter Investigation Report, N.Y. Dep’t Fin. Serv., Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident and the Implications for Election Security (Oct. 14, 2020), available at https://www.dfs.ny.gov/Twitter_Report.

[274] See, e.g., Christopher Bing, Suspected Russian Hackers Spied on U.S. Treasury Emails – Sources, Reuters (Dec. 13, 2020), available at https://www.usnews.com/news/top-news/articles/2020-12-13/exclusive-us-treasury-breached-by-hackers-backed-by-foreign-government-sources.

[275] Mot. to Dismiss Pls.’ First Am. Consolidated Shareholder Derivative Compl. Pursuant to Fed. R. Civ. P. 23.1 Or in the Alternative to Stay, In Re Facebook, Inc. Shareholder Derivative Privacy Litigation, No. 4:18-cv-01792-HSG (N.D. Cal. Feb. 18, 2020), ECF No. 145.

[276] Plaintiff’s Opp. to Facebook’s Mot. to Dismiss Plaintiff’s First Amended Consolidated Shareholder Derivative Complaint, In Re Facebook, Inc. Shareholder Derivative Privacy Litigation, No. 4:18-cv-01792-HSG (N.D. Cal. Apr. 20, 2020), EFC No. 153; see also Emilie Ruscoe, Citing Zuckerberg’s ‘Iron Glove,’ Facebook Investors Urge Trial, Law360 (Apr. 21, 2020), available at https://www.law360.com/articles/1265937.

[277] Order Adopting Report and Recommendation, B.F. and A.A. v. Amazon.com Inc., No. C19-910 RAJ-MLP (W.D. Wa. Apr. 9, 2020), ECF No. 137.

[278] Id.

[279] Drieu v. Zoom Video Communications, Inc., Case No. 3:20-cv-02353 (N.D. Cal. Apr. 7, 2020), ECF. No. 1.

[280] Id.

[281] Id.

[282] Gervat v. Yuan et al., Case No. 1:20-cv-00797-LPS (D. Del. June 11, 2020), ECF. No. 1.

[283] Id.

[284] Eugenio v. Berberian et al., Case No. 2020-0305-PAF (Del. Ch. Apr. 28, 2020).

[285] Id.

[286] Id.

[287] Complaint, Brekhus v. Google LLC, 5:20-cv-05488 (N.D. Cal. Aug. 7, 2020), ECF. No. 1.

[288] Id at 17.

[289] Plaintiff’s Response in Support of Administrative Motion to Consider Whether Cases Should be Related, Brekhus v. Google LLC, 5:20-cv-05488-NC (N.D. Cal. Aug. 18, 2020), ECF No. 10.

[290] Complaint, Allen v. Blackbaud, Inc., Case No. 2:20-cv-2930-RMG (D.S.C. Aug. 12, 2020), ECF No. 1.

[291] Id.

[292] Id.

[293] Id.

[294] Hollett v. Gilmore et al., Case No. 1:20-cv-01620-UNA (D.S.C. Nov. 25, 2020), ECF. No. 1.

[295] Id.

[296] Id.

[297] Id.

[298] Order Granting Final Approval of Settlement, In re Google Street View Elec. Commc’ns Litig., Case No. 10-md-02184-CRB (N.D. Cal. Mar. 18, 2020), ECF No. 184.

[299] Id.

[300] Benjamin Joffe, et al v. Google, Inc., Case No. 20-15616 (9th Cir. 2020).

[301] In re Google Plus Profile Litig., Case No. 5:18-cv-06164-EJD (N.D. Cal. June 10, 2020), ECF No. 13.

[302] Id.

[303] In re Yahoo! Inc. Customer Data Security Breach Litig., Case No. 5:16-md-02752-LHK (N.D. Cal. July 22, 2020), ECF No. 497.

[304] Id. (comparing settlement to the settlement in In re Anthem, Inc. Data Breach Litigation, 327 F.R.D. 299 (N.D. Cal. 2018)).

[305] Id.

[306] 18 U.S.C. § 1030(a)(2).

[307] See EF Cultural Travel BV v. Explorica Inc., 274 F.3d 577, 581–83 (1st Cir. 2001); United States v. John, 597 F.3d 263, 272 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258, 1263–64 (11th Cir. 2010).

[308] See United States v. Valle, 807 F.3d 508, 523-28 (2d Cir. 2015); WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012); Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756, 759–62 (6th Cir. 2020); United States v. Nosal, 676 F.3d 854, 856–64 (9th Cir. 2012) (en banc).

[309] Order List at 3, United States v. Van Buren, No. 19-783 (U.S. Apr. 20, 2020).

[310] Petition for Writ of Certiorari, Van Buren, No. 19-783 (U.S. Dec. 18, 2019).

[311] Id.; Order, Van Buren, No. 19-783 (U.S. Apr. 20, 2020).

[312] Transcript of Oral Argument at 48, 54, Van Buren, No. 19-783 (U.S. Nov. 30, 2020).

[313] Petition for Writ of Certiorari at 2–5, LinkedIn Corp. v. hiQ Labs, Inc., No. 19-1116 (U.S. Mar. 9, 2020).

[314] hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 1003–04 (9th Cir. 2019).

[315] Petition for Writ of Certiorari at 3, LinkedIn Corp. v. hiQ Labs, Inc., No. 19-1116 (U.S. Mar. 9, 2020).

[316] 451 F. Supp. 3d 73 (D.D.C. 2020).

[317] Id. at 88.

[318] Notice of Appeal, Sandvig v. Barr, No. 1:16-cv-01368 (D.D.C. May 26, 2020).

[319] Glasser v. Hilton Grand Vacations Co., 948 F.3d 1301, 1306 (11th Cir. 2020); see also ACA Int’l v. Federal Commc’ns Comm’n, 855 F.3d 687 (D.C. Cir. 2018); Dominguez v. Yahoo, Inc., 894 F.3d 116 (3d Cir. 2018).

[320] Glasser, 948 F.3d at 1306.

[321] Id.

[322] Gadelhak v. AT&T Servs., Inc., 950 F.3d 458 (7th Cir. 2020); see also Glasser v. Hilton Grand Vacations Co., 948 F.3d 1301, 1306 (11th Cir. 2020); ACA Int’l v. Federal Commc’ns Comm’n, 855 F.3d 687 (D.C. Cir. 2018); Dominguez v. Yahoo, Inc., 894 F.3d 116 (3d Cir. 2018).

[323] Marks v. Crunch San Diego, LLC, 904 F.3d 1041 (9th Cir. 2018).

[324] Duran v. La Boom Disco, Inc., 955 F.3d 279 (2d Cir. 2020).

[325] Allan v. Pennsylvania Higher Education Assistance Agency, 968 F.3d 567 (6th Cir. 2020).

[326] Facebook, Inc. v. Duguid, 141 S. Ct. 193 L. Ed. 2d 1118 (2020) (granting certiorari).

[327] Christopher Cole, Gov’t Backs Facebook’s View of Autodialers at High Court, Law360 (Sept. 4, 2020), available at https://www.law360.com/articles/1307716/gov-t-backs-facebook-s-view-of-autodialers-at-high-court.

[328] Facebook, Inc. v. Duguid, No. 19-511 (U.S. Dec. 8, 2020) (arguments heard).

[329] Barr v. American Ass’n of Pol. Consultants, Inc., 140 S. Ct. 2335 (2020).

[330] Id. at 2341, 2353–56.

[331] Id. at 2346.

[332] Id.

[333] Id. at 2356–57.

[334] Id. at 2343, 2353–56.

[335] Cal. Civ. Code § 1798.150(a)(1).

[336] Complaint for Damages and Equitable Relief, In re: Zoom Video Commc’ns, Inc. Priv. Litig., No. 5:20-cv-02155 (N.D. Cal. Mar. 30, 2020), ECF No. 1. Note, the case was originally filed as Cullen v. Zoom Video Communications, Inc. before it was consolidated.

[337] Id.

[338] Id.

[339] First Amended Consolidated Class Action Complaint, In re Zoom Video Commc’ns, Inc. Priv. Litig., No. 5:20-cv-02155 (N.D. Cal. Oct. 28, 2020), ECF No. 126.

[340] Defendant Zoom Video Communications, Inc.’s Notice of Motion and Motion to Dismiss the First Amended Consolidated Class Action Complaint; Memorandum of Points and Authorities in Support Thereof, In re Zoom Video Commc’ns, Inc. Priv. Litig., No. 5:20-cv-02155 (N.D. Cal. Dec. 2, 2020), ECF No. 134.

[341] Class Action Complaint, Hayden v. The Retail Equation, Inc., 8:20-cv-01203 (C.D. Cal. July 7, 2020), ECF No. 1.

[342] Id. In the plaintiffs’ amended complaint, they now allege that several additional retailers shared data with The Retail Equation. First Amended Class Action Complaint, Hayden v. The Retail Equation, Inc., 8:20-cv-01203 (C.D. Cal. Aug. 3, 2020), ECF No. 15.

[343] Id.

[344] Id.

[345] See, e.g., Defendant The Gap, Inc.’s Notice of Motion and Motion to Compel Individual Arbitration and to Dismiss; Memorandum of Points and Authorities, Hayden v. The Retail Equation, Inc., 8:20-cv-01203 (C.D. Cal. Nov. 6, 2020), ECF No. 140.

[346] Id. In the plaintiffs’ amended complaint, they now allege that several additional retailers shared data with The Retail Equation. First Amended Class Action Complaint, Hayden v. The Retail Equation, Inc., 8:20-cv-01203 (C.D. Cal. Aug. 3, 2020), ECF No. 15.

[347] Cal. Civ. Code §§1798.81.5(d)(1), 1798.140(o)(1), 1798.150(a)(1).

[348] Class Action Complaint, Gupta v. Aeries Software, Inc., No. 8:20-cv-00995 (C.D. Cal. May 28, 2020), ECF No. 1.

[349] Id.

[350] Defendant Aeries Software, Inc.’s Notice of Motion and Motion to Dismiss Complaint Pursuant to Federal Rule of Civil Procedure 12(b)(6); Memorandum of Points and Authorities in Support, Gupta v. Aeries Software, Inc., No. 8:20-cv-00995 (C.D. Cal. July 21, 2020), ECF No. 20.

[351] Id.

[352] Order Granting Joint Stipulation to Stay Litigation Through January 4, 2021, Gupta v. Aeries Software, Inc., No. 8:20-cv-00995 (C.D. Cal. Nov. 24, 2020), ECF No. 40.

[353] Cal. Civ. Code § 1798.115(d).

[354] Cal. Civ. Code §§ 1798.110, 1798.115, 1798.120.

[355] Cal. Civ. Code § 1798.150(c).

[356] Complaint for Damages and Injunctive Relief for Violations of: (1) Negligence (2) Violation of Cal. Bus. & Prof. Code § 17200 (3) Breach of Implied Contract (4) Unjust Enrichment (5) Public Disclosure of Private Facts (6) Violation of California Consumer Privacy Act (7) Violation of Consumer Remedies Act, Sweeney v. Life on Air, Inc., No. 3:20-cv-00742 (S.D. Cal. Apr. 17, 2020), ECF No. 1.

[357] Id.

[358] Order Granting Defendants’ Motion to Compel Arbitration, Sweeney v. Life on Air, Inc., No. 3:20-cv-00742 (S.D. Cal. Aug. 4, 2020), ECF No. 15.

[359] Class Action Complaint and Demand for Jury Trial, G.R. v. TikTok, Inc., No. 2:20-cv-04537 (C.D. Cal. May 20, 2020), ECF No. 1.

[360] Id.

[361] Id.

[362] Conditional Transfer Order (CTO-1), G.R. v. TikTok, Inc., No. 1:20-cv-05212 (N.D. Ill. May 20, 2020), ECF No. 26.

[363] Cal. Bus. & Prof. Code § 17200.

[364] Cal. Civ. Code § 1798.150(c); S. Judiciary Comm., AB-375, 2017-2018 Sess. (Cal. 2018).

[365] Class Action Complaint, Burke v. Clearview AI, Inc., No. 3:20-cv-00370 (S.D. Cal. Feb. 27, 2020), ECF No. 1.

[366] Id.

[367] In re Clearview AI, Inc., Consumer Priv. Litig., MDL No. 2967, 2020 WL 7382590 (J.P.M.L. Dec. 15, 2020).

[368] Complaint for: (1) Violation of the California Consumer Privacy Act § 1798.150 (2) Violation of California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, et seq. (3) Negligence (4) Breach of Contract (5) Breach of Implied Contract, Atkinson v. Minted, Inc., No. 3:20-cv-03869 (N.D. Cal. June 11, 2020), ECF No. 1.

[369] Id.

[370] Id.

[371] Amended Stipulated Request for Order Changing Time Pursuant to Civil L.R. 6-2 and Order, Atkinson v. Minted, Inc., No. 3:20-cv-03869 (N.D. Cal. Dec. 1, 2020), ECF No. 35.

[372] 740 Ill. Comp. Stat. Ann. 14/20 (West 2008).

[373] 129 N.E.3d 1197, 1206 (Ill. 2019).

[374] 958 F.3d 617, 626–27 (7th Cir. 2020).

[375] 2020 WL 6738112, at *1 (7th Cir. Nov. 17, 2020).

[376] In re Facebook Biometric Info. Privacy Litig., 2020 WL 4818608, at *3 (N.D. Cal. Aug. 19, 2020).

[377] 740 Ill. Comp. Stat. Ann. 14/20 (West 2008).

[378] The Ninth Circuit has held that pleading a violation of either sections 15(a) or (b) is sufficient to constitute injury-in-fact. Patel v. Facebook, 932 F.3d 1264, 1273–74 (9th Cir. 2019). However, the Second Circuit held that alleging a BIPA violation does not meet the injury-in-fact requirement without a showing that biometric data has been compromised in some manner. Santana v. Take-Two Interactive Software, 717 Fed. App’x 12, 16–17 (2d Cir. 2017).

[379] See, e.g., Meegan v. NFI Indus., Inc., 2020 WL 3000281 (N.D. Ill. June 4, 2020); Frisby v. Sky Chefs, Inc., 2020 WL 4437805 (N.D. Ill. Aug. 3, 2020); Williams v. Jackson Park SLF, LLC, 2020 WL 5702294 (N.D. Ill. Sept. 24, 2020); Complaint, Bartucci v. 401 N. Wabash Venture, No. 2020CH05502 (Ill. Cir. Ct. Aug. 24, 2020); Complaint, Payne v. Yum! Brands, Inc., No. 2020CH06811 (Ill. Cir. Ct. Nov. 16, 2020).

[380] Liu v. Four Seasons Hotel, Ltd., 138 N.E.3d 201, 207 (Ill. App. Ct. 2019).

[381] See, e.g., Acaley v. Vimeo, Inc., 464 F. Supp. 3d 959 (N.D. Ill. 2020).

[382] See, e.g., Miracle-Pond v. Shutterfly, Inc., 2020 WL 2513099 (N.D. Ill. May 15, 2020); Kuznik v. Hooters of America, LLC, 2020 WL 5983879 (C.D. Ill. Oct. 8, 2020).

[383] McDonald v. Symphony Bronzeville Park LLC, 2020 WL 5592607 (Ill. App. Ct. Sept. 18, 2020).

[384] Gail v. Univ. of Chi. Med. Ctr., Inc., 2020 WL 1445608, at *4–*5 (N.D. Ill. Mar. 25, 2020); Peatry v. Bimbo Bakeries USA, Inc., 2020 WL 919202, at *3–*4 (Ill. Cir. Ct. Feb. 26, 2020).

[385] Miller v. Southwest Airlines Co., 926 F3d 898, 903–04 (7th Cir. 2019).

[386] See, e.g., Heard v. Becton, Dickinson & Co., 440 F. Supp. 3d 960 (N.D. Ill. 2020); Bray v. Lathem Time Co., 2020 WL 1492742 (C.D. Ill. Mar. 27, 2020); Figueroa v. Kronos Inc., 2020 WL 4273995 (N.D. Ill. July 24, 2020).

[387] Avery v. State Farm, 835 N.E.2d 801, 184–87 (Ill. 2005).

[388] Complaint, Jerinic v. Amazon.com, No. 2020CH6036 (Ill. Cir. Ct. Sept. 28, 2020).

[389] Complaint, H.K. v. Google, No. 5:20-cv-02257-NC (N.D. Cal. Apr. 2, 2020), ECF No. 1.

[390] See, e.g., Stauffer v. Innovative Heights Fairview Heights, LLC, 2020 WL 4815960 (S.D. Ill. Aug. 19, 2020); Robertson v. Hostmark Hosp. Grp., 2019 WL 8640568, at *4 (Ill. Cir. Ct. July 31, 2019); Heard v. THC-NorthShore, Inc., No. 17CH16918, at *10 (Ill. Cir. Ct. Dec. 12, 2019).

[391] No. 1-20-0563 (Ill. App. Ct.).

[392] Mot. to Reopen Discovery Pursuant to FRCP 1, 26, and 37, In Re Google Location History Litig., No. 5:18-cv-05062-EJD (N.D. Cal. Sept. 30, 2020), ECF No. 151.

[393] Id.

[394] Id.

[395] Memorandum Opinion and Order, Dinerstein v. Google Inc., No. 19 C 4311 (N.D. Ill. Sept. 4, 2020), ECF No. 85.

[396] Laurann Wood, “Google, U. of Chicago Want Out of Patient Disclosure Suit,” Law360 (Aug. 28, 2019), available at https://www.law360.com/articles/1193298?scroll=1&related=1.

[397] Memorandum Opinion and Order, Dinerstein v. Google Inc., No. 19 C 4311 (N.D. Ill. Sept. 4, 2020), ECF No. 85.

[398] Memorandum and Order, Flynn v. FCA US LLC, No. 15-cv-855-SMY (S.D. Ill. Mar. 27, 2020), ECF No. 650.

[399] Id.

[400] Linda Chiem, “Drivers Defend Standing In 7th Circ. Jeep-Hacking Class,” Law360 (June 19, 2020), available at https://www.law360.com/articles/1285000?scroll=1&related=1.

[401] See, e.g., Order, Zak v. Bose Corp., No. 17-cv-02928 (N.D. Ill. May 27, 2020), ECF No. 110.

[402] Jeannie O’Sullivan, “NJ Judge Trims Samsung Privacy Suit Over Smart TVs,” Law360 (Aug. 21, 2019), available at https://www.law360.com/articles/1191213?scroll=1&related=1.

[403] Order, White et al. v. Samsung Elecs. Am. Inc. et al., Case 2:17-cv-01775-MCA-JAD (D. N.J. Mar. 24, 2020), ECF No. 131.

[404] Id.

[405] Id.

[406] Id.

[407] Children’s Online Privacy Protection Rule, 16 C.F.R. § 312.

[408] Order on Google’s Motion to Dismiss and Motion for Judicial Notice, Balderas v. Google Inc., Case No. 20-CV-0143-NDF (D. N.M. Sept. 25, 2020), ECF No. 34

[409] Id.

[410] Wendy Davis, “New Mexico Wants Appeals Court To Revive Privacy Claims Against Google,” MediaPost (Nov. 30, 2020).

[411] Order Re Motions to Dismiss, McDonald v. Kiloo, No. 17-cv-04344-JD (N.D. Cal. May 22, 2019), ECF No. 270; Motion for Preliminary Approval of Settlement, McDonald v. Kiloo, No. 3:17-cv-04344-JD (L) (N.D. Cal. Aug. 5, 2020), ECF No. 363.

[412] Id.

[413] Id.; see also Craig Clough, “Disney, Viacom Agree To Limit Data Collection In Kids Apps,” Law360 (Aug. 6, 2020).

[414] Press Release, “Developer of Apps Popular with Children Agrees to Settle FTC Allegations It Illegally Collected Kids’ Data without Parental Consent,” Federal Trade Commission (June 4, 2020), available at https://www.ftc.gov/news-events/press-releases/2020/06/developer-apps-popular-children-agrees-settle-ftc-allegations-it.

[415] Stipulated Order for Permanent Injunction and Civil Penalty Judgement, FTC v. Google LLC, no. 1:19-cv-02642 (D.D.C. Sept. 4, 2019), ECF No. 2.

[416] Kate Cox, “YouTube unlawfully violates kids’ privacy, new $3.2B lawsuit claims,” Arstechnica (Sept. 14, 2020), available at https://arstechnica.com/tech-policy/2020/09/google-faces-3-2b-lawsuit-over-claims-it-violated-childrens-privacy/.

[417] Complaint, Wesch v. Yodlee Inc., no. 3:20-cv-05991 (N.D. Cal. Aug. 25, 2020), ECF No. 1.

[418] Defendant Yodlee, Inc.’s Motion to Dismiss Pursuant to Federal Rule of Civil Procedure 12(b)(6), Wesch v. Yodlee Inc., no. 3:20-cv-05991 (N.D. Cal. Nov. 4, 2020), ECF No. 31.

[419] Id.

[420] Complaint for Damages and Declaratory and Injunctive Relief, Cottle v. Plaid Inc., no. 3:20-cv-03056 (N.D. Cal. May 4, 2020), ECF No. 1.

[421] Smith v. Maryland, 442 U.S. 735, 743–44 (1979).

[422] United States v. Gratkowski, 964 F.3d 307, 310 (5th Cir. 2020).

[423] Id. at 311–13.

[424] Id. at 311–12.

[425] Id. at 312.

[426] 2020 WL 3270877, at *1 (D. Mass. June 17, 2020).

[427] Id. at *5.

[428] Id. at *2–5.

[429] 981. F.3d 961, 964 (11th Cir. 2020).

[430] Id. at 969.

[431] United States v. Moalin, 973 F.3d 977, 996 (9th Cir. 2020).

[432] Id. at 988–89.

[433] Id. at 989.

[434] 442 U.S. 735, 741 (1979).

[435] Moalin, 973 F.3d at 989–91.

[436] 138 S. Ct. 2206, 2221 (2018).

[437] Moalin, 973 F.3d at 991.

[438] United States v. Hasbajrami, 945 F.3d 641, 642 (2nd Cir. 2019).

[439] Id. at 646.

[440] Id. at 651.

[441] S. 3501, 116th Congress (2019–2020).

[442] 50 U.S.C. § 1861 (2018).

[443] 50 U.S.C. § 1801(b)(1)(C) (2015).

[444] 50 U.S.C. § 1805(c)(2)(B) (2018).

[445] 50 U.S.C. § 1861 (2018).

[446] 50 U.S.C. § 1801(b)(1)(C) (2015).

[447] 50 U.S.C. § 1805(c)(2)(B) (2018).

[448] Id.

[449] 18 U.S.C. § 2713.

[450] Crime (Overseas Production Orders) Act 2019, c. 5 (Eng.), available at https://www.legislation.gov.uk/ukpga/2019/
5/pdfs/ukpga_20190005_en.pdf.

[451] Press Release, Department of Justice, U.S. and UK Sign Landmark Cross-Border Data Access Agreement to Combat Criminals and Terrorists Online (Oct. 3, 2019), available at https://www.justice.gov/opa/pr/us-and-uk-sign-landmark-cross-border-data-access-agreement-combatcriminals-and-terrorists.

[452] The U.S. Department of Justice, Letter from Assistant Attorney General Stephen E. Boyd to Congress (Jan. 16, 2020), available at https://www.justice.gov/dag/page/file/1236281/download.

[453] Press Release, Department of Justice, Joint Statement Announcing United States and Australian Negotiation of a CLOUD Act Agreement by U.S. Attorney General William Barr and Minister for Home Affairs Peter Dutton (Oct. 7, 2019), available at https://www.justice.gov/opa/pr/joint-statement-announcing-united-states-and-australian-negotiationcloud-act-agreement-us.

[454] Press Release, European Commission, Criminal Justice: Joint Statement on the Launch of EU-U.S. Negotiations to Facilitate Access to Electronic Evidence (Sept. 25, 2019), available at https://ec.europa.eu/commission/presscorner/detail/en/STATEMENT_19_5890.

[455] Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (Austl.), available at https://www.legislation.gov.au/Details/C2020B00030; see also Explanatory Memorandum, Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (Austl.), available at https://www.legislation.gov.au/Details/C2020B00030/Explanatory%20Memorandum/Text.

[456] Inquiry Announcement, The Australian Parliamentary Joint Committee on Intelligence and Security, Telecommunications Legislation Amendment (International Production Orders) Bill 2020, available at https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/IPOBill2020.

[457] Deham Sadler, Global data-sharing deal ‘deeply flawed’, InnovationAus (Apr. 6, 2020), available at https://www.innovationaus.com/global-data-sharing-deal-deeply-flawed.

[458] Press Release, Court of Justice of the European Union, The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (July 16, 2020), available at https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf.

[459] Id.

[460] Case C-311/18, Schrems v. Data Protection Commissioner (July 16, 2020), available at https://eur-lex.europa.eu/legal-content/en/TXT/PDF/?uri=uriserv%3AOJ.C_.2015.398.01.0005.01.ENG.

[461] Press Release, Department of Commerce, Joint Press Statement from U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders (Aug. 10, 2020), available at https://www.commerce.gov/news/press-releases/2020/08/joint-press-statement-us-secretary-commerce-wilbur-ross-and-european.

[462] Press Release, noyb, 101 Complaints on EU-US transfers filed (Aug. 17, 2020), available at https://noyb.eu/en/101-complaints-eu-us-transfers-filed.

[463] See, e.g., Samantha Raudins, Facial Recognition, Thermal Imaging Part of the New Normal, Columbus Dispatch (July 31, 2020), available at https://www.dispatch.com/story/business/information-technology/2020/07/30/facial-recognition-thermal-imaging-part-of-future-with-coronavirus/112807346/.

[464] Inioluwa Deborah Raji & Joy Buolamwini, University of Toronto and Massachusetts Institute of Technology, Actionable Auditing: Investigating the Impact of Publicly Naming Biased Performance Results of Commercial AI Products (2019), available at https://dam-prod.media.mit.edu/x/2019/01/24/AIES-19_paper_223.pdf.

[465] Kashmir Hill, The Secretive Company That Might End Privacy as We Know It, N.Y. Times (Jan. 18, 2019), available at https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html.

[466] Complaint, State of Vermont v. Clearview AI, INC., No. 226-3-20 (Vt. Super. Ct. Mar. 10, 2020), available at https://ago.vermont.gov/wp-content/uploads/2020/03/Complaint-State-v-Clearview.pdf; Order Granting in Part and Denying in Part Clearview AI’s Motion to Dismiss, State of Vermont v. Clearview AI, INC., No. 226-3-20 (Vt. Super. Ct. Sept. 10, 2020), available at https://ago.vermont.gov/wp-content/uploads/2020/09/Clearview-Motion-to-Dismiss-Decision.pdf.

[467] Complaint, Am. Civil Liberties Union et al. v. Clearview AI, INC., No. 9337839 (Cir. Ct. Ill. Sept. 25, 2020).

[468] Press Release, New York Police Department, NYPD Announces Facial Recognition Policy (Mar. 13, 2020), available at https://www1.nyc.gov/site/nypd/news/pr0313/press-release—nypd-facial-recognition-policy.

[469] Id.

[470] Richard Winton et al., LAPD Bars Use of Third-Party Facial Recognition Systems, Launches Review after Buzzfeed Inquiry, L.A. Times (Nov. 17, 2020), available at https://www.latimes.com/california/story/2020-11-17/lapd-bars-outside-facial-recognition-use-as-buzzfeed-inquiry-spurs-investigation.

[471] Leaders of a Beautiful Struggle v. Balt. Police Dep’t, 979 F.3d 219, 224 (4th Cir. 2020).

[472] Id.

[473] Leaders of a Beautiful Struggle v. Balt. Police Dep’t, 456 F. Supp. 3d 699, 703 (D. Md.); See Carpenter v. United States, 138 S. Ct. 2206, 2220 (2018).

[474] Leaders of a Beautiful Struggle, 979 F.3d at 223.

[475] Id.

[476] Id. at 227.

[477] Id. at 232.

[478] MDS & One Year Permitting Overview, L.A. Dep’t Transp. (Feb. 7, 2019), available at https://ladot.lacity.org/sites/default/files/2020-03/mds-developer-webinar-one-year-permitting-overview_03-06-19_revision.pdf.

[479] See Complaint, Social Bicycles v. City of Los Angeles Dep’t of Transp., No. 2:20-CV-02746 (C.D. Cal. Mar. 24, 2020), ECF No. 1.

[480] The deal made Uber a primary investor in Lime and gave Uber the option to purchase Lime in 2022. See Kea Wilson, “Lime Just Became the Biggest Micromobility Company in the World,” StreetsBlog (May 11, 2020), available at https://usa.streetsblog.org/2020/05/11/lime-just-became-the-biggest-micromobility-company-in-the-world/.

[481] See Complaint, Sanchez v. L.A. Dep’t of Transp., No. 2:20-CV-05044 (C.D. Cal. June 8, 2020), ECF No. 1.

The following Gibson Dunn lawyers assisted in the preparation of this article: Alexander H. Southwell, Ryan T. Bergsieker, Howard S. Hogan, Roscoe Jones Jr., Timothy W. Loose, Ashley Rogers, Eric D. Vandevelde, Abbey A. Barrera, Cassandra Gaedt-Sheckter, Daniel E. Rauch, Samantha Abrams-Widdicombe, Amanda M. Aycock, Fernando Berdion-Del Valle, Allison Chapin, Iman Charania, Josiah Clarke, Sarah Erickson, Zoey Goldnick, Eric Hornbeck, Andrew Howard, Jordan Jacobsen, Jennifer Katz, Brendan Krimsky, Nicole Lee, Warren Loegering, Prachi Mistry, Lauren Navarro, Macey Olave, Sarah Pongrace, Reid Rector, Jacob Rierson, Sarah Scharf, Raquel Alexa Sghiatti, Collin James Vierra, Hayato Watanabe, Victoria Weatherford, Hannah Yim, and Lisa V. Zivkovic.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

United States
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Matthew Benjamin – New York (+1 212-351-4079, mbenjamin@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Ashley Rogers – Dallas (+1 214-698-3316, arogers@gibsondunn.com)
Deborah L. Stein – Los Angeles (+1 213-229-7164, dstein@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, cgaedt-sheckter@gibsondunn.com)

Europe
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0) 20 7071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0) 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0) 20 7071 4226, pmadden@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Alejandro Guerrero – Brussels (+32 2 554 7218, aguerrero@gibsondunn.com)
Vera Lukic – Paris (+33 (0)1 56 43 13 00, vlukic@gibsondunn.com)
Sarah Wazen – London (+44 (0) 20 7071 4203, swazen@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On January 13, 2021, the Office of the Comptroller of the Currency (“OCC”) conditionally approved the charter conversion application for Anchorage Trust Company (“Anchorage”), permitting Anchorage to become a national trust bank.[1] This is the first approval by the OCC of a virtual currency firm’s becoming a federally regulated banking institution and demonstrates the ongoing leadership that the OCC has shown with respect to virtual currency issues.

Although this development is significant in and of itself, the Anchorage approval relies on a new OCC Chief Counsel’s Interpretation, released as OCC Interpretive Letter 1176,[2] that substantially increases the trust powers of national banks, making them a more attractive business model generally and particularly for fintech firms. This Client Alert discusses these developments.

I. The Anchorage Approval – Virtual Currency Activities Are Permissible Fiduciary Activities under the National Bank Act

The OCC’s approval order affirms that the following virtual currency activities, which were fiduciary in nature under the law of Anchorage’s home state, South Dakota, are permissible under the National Bank Act:

Fiduciary custody of digital assets.
Custody of cash deposits (Anchorage holds such deposits at FDIC-insured banks, in omnibus accounts for its clients).
Providing on-chain governance services allowing Anchorage clients to participate in the governance of the underlying protocols on which their virtual assets operate.
Via an affiliate or otherwise, operating validator nodes, providing staking as a service, and providing clients the ability to delegate staking to third-party validators.
Settling transactions facilitated by its affiliates, other third-party brokers, and clients. Clients or their brokers may direct Anchorage Trust to receive digital assets into and to transfer digital assets out of their vaults from and to external accounts or digital asset addresses controlled by third parties, including but not limited to transfers made in connection with the settlement of a purchase or sale of digital assets.[3]

Tellingly, the OCC did not discuss each of these activities as fiduciary activities under its applicable regulation, 12 C.F.R. Part 9. Part 9 defines “fiduciary capacity” as follows:

Fiduciary capacity means: trustee, executor, administrator, registrar of stocks and bonds, transfer agent, guardian, assignee, receiver, or custodian under a uniform gifts to minors act; investment adviser, if the bank receives a fee for its investment advice; any capacity in which the bank possesses investment discretion on behalf of another; or any other similar capacity that the OCC authorizes pursuant to 12 U.S.C.§ 92a.

12 C.F.R. § 9.2(e).

Relying on Section 9.2(e) would have required analogies to have been drawn to the specific activities in that section. Rather than making such analogies, the approval order notes simply that “since ADB-NA will continue performing the current activities of Anchorage Trust, in a manner authorized by South Dakota law for a state trust company, ADB-NA will be a national bank whose operations are those of a trust company and activities related thereto. Accordingly, ADB-NA’s activities are permissible pursuant to the plain terms of 12 U.S.C. § 27(a).”[4]

II. New Expansion of National Bank Fiduciary Powers

12 U.S.C. § 27(a), which was enacted in 1978 in reaction to a federal district court case that called into question the propriety of the OCC’s chartering a non-depository trust bank under the National Bank Act, states that “[a] National Bank Association . . . is not illegally constituted solely because its operations are or have been required by the Comptroller of the Currency to be limited to those of a trust company and activities related thereto.”[5]

Section 27(a) thus clearly authorizes national trust banks. However, notwithstanding an apparently clear statutory command that national bank fiduciary powers include “any other fiduciary capacity in which State banks, trust companies, or other corporations which come into competition with national banks are permitted to act under the laws of the State in which the national bank is located,” 12 U.S.C. § 92a, the OCC has traditionally not exercised its legal authority to the full extent under that statute. Rather, as Interpretive Letter 1176 states, a prior OCC interpretation had required that the OCC look to state law “to determine whether a fiduciary capacity of national bank is permissible [only] after the activity is determined to be ‘fiduciary’ within the meaning of 12 U.S.C. § 92a.”[6]

Interpretive Letter No. 1176 reverses this at least 37-year-old position. For the OCC to use Section 92a’s so-called “bootstrap provision” and determine that an activity that a state’s law regards as being performed in a fiduciary capacity is a fiduciary capacity for purposes of 12 U.S.C § 92a, the OCC must determine that a national bank is engaging in the relevant activity, role, or function consistent with the parameters provided for in the relevant state law to the same extent as a state bank to qualify as a fiduciary capacity. This will make conversions of state trust companies much easier as a powers matter.

This new interpretation accords not only with the plain language of Section 92a, but also with its legislative history, when the relevant provision was added to the Federal Reserve Act in 1918.[7] As an example, under the New York Banking Law in 1918, a national bank was prohibited by state law from acting as a fiscal and paying agent in New York,[8] even though doing so was a permissible fiduciary activity for a New York state-chartered trust company. Section 92a was enacted to level this playing field.

III. Confirmation That National Trust Banks Are Not Limited to Performing Primarily in a Fiduciary Capacity and May Exercise Banking Powers

In addition, Interpretive Letter 1176 confirms that national trust banks may perform other national bank activities permitted under 12 U.S.C. § 24(SEVENTH), and, indeed, that fiduciary activities need not be their primary business activity: “ A national bank that only performs one fiduciary capacity under 12 U.S.C § 92a would need trust powers. Conversely, there is also no requirement that a national trust bank chartered under 12 U.S.C. § 27(a) perform primarily in a fiduciary capacity.”[9]

This confirmation – of what is clearly the case under the National Bank Act – is an important one. National trust banks are clearly authorized by Congress under 12 U.S.C. § 27(a), and they not “banks” within the meaning of the Bank Holding Company Act.

The OCC’s confirmation means that as long as a national trust bank has a valid fiduciary business, it may engage in a traditional bank power such as lending, with all of the preemption benefits of a national charter, without concern over whether such activities are beyond the OCC’s authority to permit as a matter of statutory interpretation.

IV. Confirmation That Certain State Trust Company Activities May Be Permissible for National Banks under Traditional Banking Powers

Interpretive Letter 1176 also confirms that the OCC may find that an activity of a state-chartered trust company is permissible under 12 U.S.C. § 24(Seventh), which permits national banks may engage in the business of banking and activities incidental to the business of banking.

When determining whether an activity is part of the business of banking, the OCC considers the following factors under 12 C.F.R. § 7.5001(c)(1):

Whether the activity is the functional equivalent to, or a logical outgrowth of, a recognized banking activity;
Whether the activity strengthens the bank by benefiting its customers or its business;
Whether the activity involves risks similar in nature to those already assumed by banks; and
Whether the activity is authorized for state-chartered banks.

The OCC stated that, given the fourth factor, “an activity permitted for state trust banks may be part of the business of banking under the authority of 12 U.S.C. § 24(Seventh) for national banks if the activity is authorized for state-chartered banks, and the OCC is satisfied that the remaining three factors are also sufficiently met.”[10]

V. Conclusion

The Anchorage approval came at the end of Brian Brooks’ tenure as Acting Comptroller of the Currency. It is another sign of the OCC’s leadership on virtual currency issues and Acting Comptroller Brooks’ pushing at the boundaries of the National Bank Act to facilitate innovation in financial services. In this case, the expansion of the national trust bank fiduciary and banking powers is well grounded in federal statutory law, and should benefit numerous companies, including fintech companies, that are seeking to benefit from a federal charter.

Gibson Dunn has extensive experience with the issues related to national trust bank chartering and would be pleased to discuss them with you.

____________________

[1] https://www.occ.treas.gov/news-issuances/news-releases/2021/nr-occ-2021-6a.pdf.

[2] https://occ.gov/topics/charters-and-licensing/interpretations-and-actions/2021/int1176.pdf.

[3] OCC Conditional Approval, Application by Anchorage Trust Company to Convert to a National Trust Bank (January 13, 2021).

[4] Id.

[5] 12 U.S.C. § 27(a).

[6] Interpretive Letter No. 1176, OCC Chief Counsel’s Interpretation on National Trust Banks (January 11, 2021) (emphasis added) (citing OCC Interpretive Letter No. 265, reprinted in [1983-1984 Transfer Binder] Fed. Banking L. Rep. (CCP) ¶ 85,429 (July 14, 1983)). Interpretive Letter 1176 states that Interpretive Letter 265’s position on this issue is superseded.

[7] Walter S. Logan, “Amendments to the Federal Reserve Act,” The Annals of the American Academy of Political and Social Science, Vol. 99, The Federal Reserve System – Its Purpose and Work (January 1922), pp. 114-121. The authority over national bank fiduciary powers was transferred from the Federal Reserve Board to the OCC in 1962.

[8] New York Banking Law, § 223 (1918) (currently, Section 131 of the New York Banking Law).

[9] Interpretive Letter No. 1176, OCC Chief Counsel’s Interpretation on National Trust Banks (January 11, 2021).

[10] Id.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Financial Institutions or Derivatives practice groups, or the following authors:

Arthur S. Long – New York (+1 212-351-2426, along@gibsondunn.com)
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, jsteiner@gibsondunn.com)

Please also feel free to contact the following practice group leaders and members:

Matthew L. Biben – New York (+1 212-351-6300, mbiben@gibsondunn.com)
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202-955-8220, kday@gibsondunn.com)
Mylan L. Denerstein – New York (+1 212-351- 3850, mdenerstein@gibsondunn.com)
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, mkirschner@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Click for PDF

I. Introduction: Themes and Notable Developments

This year’s update marks the end of the Trump administration and the beginning of the Biden administration. The change in leadership of the Securities and Exchange Commission has already begun. In December, Jay Clayton stepped down as Chairman, and this week the Biden administration nominated Gary Gensler to be the new Chairman. Mr. Gensler was Chairman of the Commodity Futures Trading Commission in the Obama administration and presided over a period of heightened financial regulation and aggressive enforcement against major financial institutions. The Wall Street Journal predicts that Mr. Gensler could give Wall Street its “most aggressive regulator in two decades.”[1] In addition to a new Chairman, 2021 will also bring new senior leadership to the Division of Enforcement, as the Division’s Co-Directors have also left the agency.

In this update, we look back at the significant enforcement actions and developments from the last six months of 2020, and consider what to expect from new leadership at the Commission and the Enforcement Division. In sum, it is safe to say that the next four years will see a return to increasing regulatory oversight and escalated enforcement of market participants.

A. Back to the Future: A Look Back and the View Ahead

During the last six months of 2020, the SEC’s enforcement program continued to follow the priorities emphasized by Chairman Clayton over the last four years, while also navigating the challenges presented by the pandemic.

In the last few months, there has also been a nearly complete departure of the senior-most leadership of the Division of Enforcement. In August and December, respectively, Division Co-Directors Steven Peikin and Stephanie Avakian, departed the agency. And in January, Marc Berger, who had been appointed Deputy Director and then Acting Director also announced that he will be leaving at the end of January.

In one of his last speeches, Chairman Clayton reflected on his tenure and echoed the theme that has defined enforcement during the last administration, namely a focus on “Main Street” investors.[2] In practice, and as the Chairman noted, this has translated into a significant number of enforcement actions against fraudulent securities offerings – Ponzi schemes, affinity frauds and other offering frauds – that targeted individual investors.

Of course, one of the notable challenges for the Enforcement Division this year was created by the COVID-19 pandemic. After overcoming the initial hurdles of conducting investigations remotely, the Enforcement staff continued to pursue investigations and bring enforcement actions. Nevertheless, from a numerical standpoint, the number of enforcement actions was off from the prior year. For fiscal 2020, the SEC brought a total of 715 enforcement actions (of which 405 were stand-alone enforcement actions), a significant decline from 862 actions in fiscal 2019 (of which 526 were stand-alone enforcement actions) – a decline of 23% in stand-alone enforcement actions.[3]

There was also a change from last year in the types of cases the SEC brought. For fiscal 2020, the largest single category of cases involved securities offerings, typically offering frauds or unregistered securities offerings. This category accounted for nearly one-third, or 32%, of the stand-alone enforcement actions, compared to 21% of the actions brought in 2019 (and compared to only 16% of the cases in the last year of the Obama administration). Other major categories of cases in fiscal 2020 included cases against investment advisers, which comprised 21% of the total (compared to 36% of the total in fiscal 2019) and cases involving public company financial reporting and disclosure, which comprised 15% of the total in fiscal 2020 (compared to 17% of the total in fiscal 2019).

Despite the decline in the number of cases, there was an increase in the amount of financial remedies (disgorgement and penalties) ordered in enforcement actions. For fiscal 2020, financial remedies totaled $4.68 billion, representing an increase of approximately 8% over the amount ordered in 2019. However, it should be noted that a substantial portion of the 2020 financial remedies was attributable to one case – a settlement with Telegram Group Inc. – in which the company was ordered to pay $1.2 billion in disgorgement, but was credited in full for returning the same amount to investors that had purchased the company’s unregistered digital tokens. Removing this settlement from the financial remedies for fiscal 2020 would reduce the total amount recover to an amount well below the amount ordered in 2019.

Notwithstanding the challenges of the pandemic, the SEC brought a number of significant enforcement actions in the last half of 2020 that we discuss in greater detail in other sections of this update. In particular, the SEC brought a number of cases against public companies for financial reporting and disclosure issues. Three of these cases were the result of the Enforcement Division’s “EPS Initiative,” in which the staff used risk-based data analytics to identify potential earnings management practices.

Other significant cases were the result of the Enforcement Division’s focus on cases related to the pandemic. In particular, the SEC brought the first enforcement action based on disclosures concerning a company’s ability to operate sustainably despite the pandemic.

This year also saw a number of enforcement actions in the area of crypto-currency and other digital assets. In particular, shortly before the end of the year, the SEC filed a complaint against Ripple Labs for alleged violation of the securities registration provisions. The outcome of this litigation will have a significant impact on enforcement and regulation of the digital asset market in the future.

Another highlight of the last year has been the continued growth of the SEC’s whistleblower program. This year is the tenth anniversary of the program and was also a year of record awards both in number and size. Increased efficiency in the award process is also ensuring that the program has become, and will continue to be, an important source of investigations for the future.

Looking ahead, there is little doubt that the new administration will bring a heightened level of enforcement activity. But more important, we can expect a shift in focus and priorities away from retail investors and securities offering frauds and an increased emphasis on the conduct of institutional market participants – investment advisers and broker-dealers, as well as public company accounting, financial reporting and disclosure.

Assuming Mr. Gensler is confirmed by the Senate to be the next SEC Chairman, his experience, both at the helm of the CFTC and since, confirm expectations for increased regulation and enforcement. Mr. Gensler oversaw the implementation of an entirely new regime for the regulation of the markets for derivatives as well as the adoption of numerous regulations pursuant to the Dodd-Frank Act. The CFTC under his leadership also took aggressive enforcement actions against financial institutions in connection with the alleged manipulation of LIBOR. Mr. Gensler will also bring a strong interest in, and familiarity with, the market for crypto-currency and other digital tokens. This will ensure that the market for digital assets will receive particular attention in the coming years.

The last time there was a transition to a Democratic administration in 2008, the SEC confronted the financial crisis and the collapse of the mortgage-backed securities market. In the wake of the financial crisis, the SEC had a defined focus for investigation in distressed financial institutions and participants in the market for mortgage-backed securities. The SEC also adopted a number of initiatives to empower the enforcement program – some based in statute, such as the whistleblower program; others based in policy and practice, such as the encouragement of witness cooperation and the imposition of admissions on certain settling defendants.

The current transition in administrations follows a year of extreme market volatility caused by the pandemic, but also ending with the markets continuing to set records, benefiting from government stimulus and continued low interest rates. There is anticipation that as the COVID-19 crisis abates, the economy and markets will experience significant growth in the coming year. New Enforcement Division leadership will endeavor to identify areas of risk that they deem worthy of heightened scrutiny. In addition, oversight by a Democratic controlled House and Senate may further escalate pressure on the SEC to demonstrate its aggressiveness.

The takeaway from all of this is that the next four years will put a premium on legal and compliance departments and financial reporting functions of financial institutions, investment advisers, broker-dealers and public companies.

B. Commissioner and Senior Staffing Update

As the Trump administration wound down, there were a number of significant changes in the leadership of the Commission and the Enforcement Division. Looking ahead to the coming months, there will be further developments as a new Chairman is confirmed and new leadership of the Enforcement Division is appointed.

Simultaneous with Chairman Clayton’s departure, the White House appointed Republican Commissioner Elad Roisman as Acting Chairman of the Commission. During the interim period following the inauguration of President-elect Biden, but before a new Chairman is nominated and confirmed, the White House could substitute the senior Democratic Commissioner, Allison Herren Lee, as Acting Chairman. Also during the second half of 2020, the other two Commissioners were sworn in: Democrat Commissioner Caroline Crenshaw filled the vacancy left by former Commissioner Robert Jackson, and Republican Commissioner Hester Peirce was sworn in for a second term, after her original term (for which she filled a vacancy in 2018) ended.

There were also significant changes in the leadership of the Enforcement Division. With the departure of the Co-Directors Peikin and Avakian, Marc Berger was appointed Acting Director of the Enforcement Division in December. This month, Mr. Berger also announced his departure. No Acting Director has been appointed as of this writing.

Other changes in the senior staffing of the Commission include:

In August, Scott Thompson was appointed Associate Regional Director of Enforcement in the SEC’s Philadelphia Regional Office. Mr. Thompson succeeds Kelly Gibson, who was appointed Director of the Philadelphia office in February 2020. Mr. Thompson has worked at the SEC since 2007, first as a trial attorney in the Enforcement Division and most recently as Assistant Regional Director from 2013 until his promotion in August 2020.
Also in August, Richard Best was appointed Director of the SEC’s New York Regional Office, succeeding Mr. Berger in the role. Mr. Best has worked at the SEC since 2015, serving in two other Regional Director roles—Salt Lake and Atlanta—before becoming the Director of the New York office. He also previously worked in FINRA’s Department of Enforcement and as a prosecutor in the Bronx District Attorney’s Office.
In early December, Nekia Hackworth Jones was appointed Director of the SEC’s Atlanta Regional Office. She joins the SEC from private practice where she specialized in government investigations and white collar criminal defense. Ms. Jones also previously served as an Assistant U.S. Attorney in the Northern District of Georgia and in DOJ’s Office of the Deputy Attorney General.

C. Legislative Developments: Disgorgement

With little fanfare, the SEC achieved a significant legislative success at the end of 2020, cementing its ability to obtain disgorgement in civil enforcement actions. On January 1, 2021, Congress voted to override the President’s veto of the National Defense Authorization Act (“NDAA”), a military spending bill passed each year since 1961.[4] Buried in the $740.5 billion bill was an amendment to the Securities Exchange Act of 1934, which gives the SEC explicit statutory authority to seek disgorgement in federal court.[5] Under Section 6501 of the NDAA, the SEC is authorized to seek “disgorgement . . . of any unjust enrichment by the person who received such unjust enrichment.”[6] Perhaps more significant, the amendment establishes a ten-year statute of limitations for obtaining disgorgement for scienter-based violations of federal securities laws, doubling the 5-year standard previously established by the Supreme Court. The amendment applies to any action or proceeding that is pending on, or commenced after its enactment (i.e., January 1, 2020).

As discussed in a previous alert, the amendment is a response to two recent Supreme Court decisions which limited the SEC’s authority to seek disgorgement, although the agency has a long history of seeking and receiving disgorgement: Kokesh v. SEC, 137 S. Ct. 1635 (2017) (imposing a five-year statute of limitations on disgorgement), and Liu v. SEC, 140 S. Ct. 1936 (2020) (which imposed equitable limitations on disgorgement, such as the limitation to net profits). The extension of the statute of limitations to ten years is a significant enhancement to the SEC’s remedies since many cases involve conduct that extends more than five years before an action is filed. However, notably, the amendment does not expressly reverse the equitable limitations that the Supreme Court imposed on the disgorgement remedy in Liu. Accordingly, the SEC will continue to confront defenses grounded in equitable principles, such as deduction for legitimate expenses and the elimination of joint and several liability for disgorgement.

D. Whistleblower Awards

2020 marked the 10-year anniversary of the SEC’s whistleblower program. It also marked a record year for the number of whistleblower awards, the total amount of money awarded and the largest single whistleblower award.[7] During fiscal 2020, the Commission issued awards totaling approximately $175 million to 39 individual whistleblowers. As of the end of 2020, the SEC has awarded a total of approximately $736 million to 128 individual whistleblowers in the program’s 10-year history.[8] Perhaps equally notable, enforcement actions attributed to whistleblower tips have resulted in more than $2.5 billion in ordered financial remedies.

The increase in the number of awards is the result of the SEC’s efforts to increase the efficiency of the claim review and award process. In September, the SEC also adopted amendments to the Whistleblower Rule to promote efficiencies in the review and processing of whistleblower award claims. The amendments aim to provide the Commission with tools to appropriately reward individuals, and include a presumption of the statutory maximum award for certain whistleblowers with potential awards of less than $5 million.[9] For further discussion of the amendments to the Whistleblower Rule, see our prior alert on the subject.

The amendments also made one modification to the Whistleblower Rule that has proven to be controversial. As originally proposed in 2018, the amendment would have given the Commission authority to reduce the dollar amount of awards in cases with large monetary sanctions (in excess of $100 million). In the face of opposition from whistleblower advocates, the final rule dropped that amendment, and instead clarified that in determining the appropriate award, the Commission has discretion to consider both the percentage and the dollar amount of the award a discretion the Commission. In the adopting release, the Commission explained the modification as merely clarifying the discretion that the Commission always had in determining the appropriate award. One whistleblower advocate has already filed a suit against the SEC challenging the validity of the amendment under the Administrative Procedure Act.[10]

In October, the SEC also announced the largest award in the program’s history—a payment of over $114 million to a whistleblower who provided information and assistance leading to successful enforcement actions.[11] The award, which consists of a $52 million award in connection with the SEC matter and a $62 million award arising out related actions by another agency, comes on the heels of the SEC’s previous record-breaking $50 million whistleblower award in June.[12]

This year also saw a record level of tips received by the Office of the Whistleblower, as well as other complaints and referrals received by the Enforcement Division as a whole. The Office of the Whistleblower received over 6,900 tips in fiscal year 2020, a 31% increase over the second-highest tip year in fiscal year 2018.[13] More broadly, the Enforcement Division received over 23,650 tips, complaints and referrals in fiscal 2020, a more than 40% increase over the prior year. Inevitably, the increase in tips this past year is likely to lead to an increase in the number of investigations in the years to come.

The SEC’s whistleblower awards also emphasize the assistance whistleblowers contribute to investigations through industry expertise or simply expediting an investigation. For example, in November, the SEC made a payment of over $28 million to an individual who provided information that prompted a company’s internal investigation, and who provided testimony and identified a key witness.[14] Likewise, the SEC announced an award of over $10 million in October to a whistleblower, emphasizing the individual’s substantial ongoing assistance, including help deciphering communications and distilling complex issues.[15] Also of importance to the Commission is a whistleblower’s efforts to reduce ongoing harm to investors. In December, the SEC announced an award of over $1.8 million to a whistleblower who took immediate steps to mitigate harm to investors.[16] Additionally, the announcement noted the whistleblower’s ongoing assistance, which saved time and resources of SEC staff.[17]

Other significant whistleblower awards granted during the second half of this year include:

An award in July of $3.8 million to a whistleblower for information that allowed the SEC to disrupt an ongoing fraud scheme and led to a successful enforcement action.[18]
An award in August of over $1.25 million for information leading to a successful enforcement action, resulting in the return of millions of dollars to investors.[19]
Eleven awards in September, including a notable award of $22 million to an insider whistleblower whose tip led the SEC to open an investigation, and who provided ongoing assistance; and a $7 million award to another whistleblower who provided what the SEC deemed “valuable” information regarding the investigation.[20] Additional awards in September included an award of over $2.5 million to joint whistleblowers for a tip based on an independent analysis of a public company’s filings, and for the whistleblowers’ ongoing assistance in the SEC’s investigation;[21] a $10 million payment to an individual who provided information and assistance that were described as of “crucial importance” to the SEC’s successful enforcement action;[22] a $250,000 award to joint whistleblowers who raised concerns internally and whose tip to the SEC spurred the opening of an investigation and a successful enforcement action;[23] payment of $2.4 million to a whistleblower who provided information and assistance that ultimately stopped ongoing misconduct;[24] awards to totaling over $2.5 million to two whistleblowers who reported misconduct overseas;[25] an award of $1.8 million for information regarding ongoing securities law violations;[26] and four awards totaling almost $5 million for “critical information” resulting in a successful enforcement action.[27]
An award in October of $800,000 for information that caused the SEC to open an investigation leading to two successful enforcement actions.[28]
Four awards in November, including a payment of $3.6 million to a whistleblower who provided information and ongoing assistance to enforcement staff regarding misconduct abroad;[29] a $750,000 payment to an individual who met with enforcement staff and provided information regarding an ongoing fraud;[30] an award of over $1.1 million to a whistleblower who provided what the SEC described a “exemplary assistance,” and led the staff to look at new conduct during an ongoing investigation;[31] and a payment of over $900,000 to an individual who provided importantly information regarding securities law violations occurring overseas.[32]
Six awards in December, including payments totaling of over $6 million to joint whistleblowers who provided information, submitted documents, participated in interviews, and identified key witnesses leading to a successful enforcement action;[33] a payment of nearly $1.8 million to a company insider who provided information that would have otherwise been difficult to detect;[34] an award of approximately $750,000 to two whistleblowers who provided tips and substantial assistance to the staff, including participating in interviews and providing subject matter expertise;[35] a payment of almost $400,000 to two individuals who provided information that prompted the opening of an investigation and ongoing assistance to SEC staff;[36] an award of more than $300,000 to a whistleblower with audit-related responsibilities who provided “high-quality” information after becoming aware of potential securities law violations;[37] a payment of more than $1.2 million for a whistleblower who provided information leading to a successful enforcement action, but whose “culpability and unreasonable delay” impacted the award amount; and a $500,000 payment to a whistleblower who provided significant information and ongoing assistance, which led to a successful enforcement action.[38]

II. Public Company Accounting, Financial Reporting and Disclosure Cases

Public company accounting and disclosure cases comprised a significant portion of the SEC’s cases in the latter half of 2020, and included a range of actions concerning earnings management, revenue recognition, impairments, internal controls, and disclosures concerning financial performance.

A. Financial Reporting Cases

EPS Initiative

In September, the SEC announced the Enforcement Division’s “Earnings Per Share (EPS) Initiative” and the settlement of its first two investigations arising from the Initiative. According to the press release announcing the settled actions, the SEC described the EPS Initiative as using “risk-based data analytics to uncover potential accounting and disclosure violations.”[39] Based on the facts described in the two settled actions, the EPS Initiative is focused at least in part on detecting a practice known as “EPS smoothing,” i.e., questionable accounting to achieve EPS results consistent with consensus analyst estimates. According to the SEC, the first company, a carpet manufacturer, made unsupported and non-GAAP-compliant manual accounting adjustments to multiple quarters in order to avoid EPS results falling below consensus estimates. The second company, a financial services company, used a valuation method that was inconsistent with the valuation methodology described in its filings, in order to appear to have consistent earnings over time. Without admitting or denying wrongdoing, the carpet manufacturer agreed to pay a $5 million penalty to settle the charges; the financial services company agreed to pay a $1.5 million penalty.

Based on our experience representing clients in such matters, the SEC’s attention can be drawn simply by consistent EPS performance, even in the absence of any basis to suspect misconduct. In such circumstances, it is important to demonstrate to the Staff the integrity of accounting and financial reporting controls that negate the potential for improper accounting.

Other Financial Reporting Actions

In August, the SEC instituted a settled action against a motor vehicle parts manufacturer for failing to estimate and report over $700 million in future asbestos liabilities.[40] The SEC alleged that, from 2012 to 2016, the company failed to perform quantitative analyses to estimate its future asbestos claim liabilities, despite having decades of raw historical claims data. Instead, the company incorrectly concluded that it could not estimate these liabilities and therefore did not properly account for them in its financial statements. The company agreed to pay a penalty of $950,000 to settle the action, without admitting or denying the SEC’s allegations.

Also in August, the SEC announced a settled action against a computer server producer and its former CFO related to alleged violations of the antifraud, reporting, books and records, and internal accounting controls provisions of the federal securities laws.[41] According to the SEC’s order, among other violations, the company incentivized employees to maximize revenue at the end of each quarter without implementing and maintaining sufficient internal accounting controls, resulting in a variety of accounting violations related to prematurely recognized revenue. Without admitting or denying wrongdoing, the company agreed to pay a $17.5 million penalty; the CFO agreed to pay more than $300,000 as disgorgement and prejudgment interest and $50,000 as a penalty. Additionally, the company’s CEO, who was not charged with misconduct, consented to reimburse the company $2.1 million in stock profits he received during the period when the accounting errors occurred under the Sarbanes-Oxley Act’s clawback provision.

In September, the SEC instituted a settled action against an engine manufacturer that allegedly inflated its revenue by nearly $25 million by recording its revenues in a manner inconsistent with GAAP.[42] The SEC alleged that the company overstated its revenue by improperly recognizing revenue from incomplete sales, from products that customers had not agreed to accept, and from products with falsely inflated prices, among other violations of GAAP. Without admitting or denying the allegations, the company agreed to pay a $1.7 million penalty, and to undertake measures aimed at remediating alleged deficiencies in its financial reporting internal controls.

Also in September, the SEC announced a settled action against a lighting manufacturer and four of its current and former executives for allegedly inflating the company’s revenue from late 2014 to mid-2018, by prematurely recognizing revenue.[43] According to the complaint, using a variety of improper practices, the company recognized sales revenue earlier than allowed by GAAP and by the company’s own internal accounting policies. The company also allegedly provided backdated sales documents to the company’s auditor in order to cover up the improper practices related to premature revenue recognition. Without admitting or denying wrongdoing, the company agreed to pay a $1.25 million penalty, and the executives agreed to pay penalties as well.

The same month, the SEC also instituted a settled action against an automaker and two of its subsidiaries related to charges that the automaker disclosed false and misleading information related to overstated retail sales reports.[44] According to the SEC, the automaker inflated its reported retail sales using a reserve of previously unreported retail sales to meet internal monthly sales targets, regardless of the date of the actual sales. The company also allegedly paid dealers to falsely designate unsold vehicles as demonstrators or loaners so that the vehicles could be counted as having been sold, even though they had not been sold. The company and its subsidiaries agreed to pay a joint penalty of $18 million without admitting or denying the SEC’s allegations.

Also in September, the SEC instituted settled actions against a heavy equipment manufacturer and three of its former executives for allegedly misleading the company’s outside auditor about nonexistent inventory in order to overstate its income.[45] According to the SEC, the company improperly accounted for nonexistent inventory and created false inventory documents, which it later provided to its outside auditor. The company also allegedly deceived its outside auditor about approximately $12 million in revenue that it improperly recognized. Without admitting or denying the SEC’s allegations, the company and its executives agreed to pay a total of $485,000 in penalties.

In October, the SEC filed a complaint against a seismic data company and four of its former executives for accounting fraud for concealing theft by the executives, and for falsely inflating the company’s revenue.[46] According to the complaint, the company improperly recorded revenue from sales to a purportedly unrelated client (that was actually controlled by the executives), with the company recording roughly $100 million in revenue from sales that it knew the client would be unable to actually pay. The U.S. Attorney’s Office for the Southern District of New York also brought a criminal action against the company’s CEO.

In November, in a case related to previously settled charges against a large bank, the SEC filed a complaint against the bank’s former Senior Executive Vice President of Community Banking alleging that disclosures concerning the bank’s “cross-sell” metric were misleading and that the defendant knew or should have known was improperly inflated.[47] The SEC also instituted a settled action against the bank’s former chairman and CEO for certifying statements that he should have known were misleading arising from the bank’s inflated cross-sell metric. The SEC alleged that the executives knew or should have known that the cross-sell metric was “inflated by accounts and services that were unused, unneeded, or unauthorized.” The litigation against the vice president remains pending; the CEO agreed to pay a $2.5 million penalty to settle the charges, without admitting or denying the SEC’s allegations.

In December, the SEC instituted a settled action against a China-based coffee company, alleging that the company defrauded investors by misstating its revenue, expenses, and net operating losses.[48] According to the complaint, among other things, the company recorded approximately $311 million in false retail sales transactions, as well as roughly $196 million in inflated expenses to conceal the fraudulent sales. The company agreed to pay a $180 million penalty to settle the action, without admitting or denying the SEC’s allegations.

B. Disclosure Cases

Disclosures Related to the COVID-19 Pandemic

In March 2020, the SEC’s Division of Enforcement formed a Coronavirus Steering Committee to oversee the Division’s efforts to actively look for COVID-19 related misconduct. Since the Steering Committee’s formation, there have been at least five enforcement actions for alleged disclosure violations related to COVID-19. As discussed in our mid-year 2020 alert, there was an initial flurry of disclosure-related enforcement actions at the onset of the pandemic. These actions tended to involve microcap companies whose stock was suspended from trading after sky rocketing on the back of allegedly false statements about these companies’ ability to distribute or access highly coveted protective equipment or technology that could detect or prevent the coronavirus.[49] In the second half of 2020, the SEC has continued to bring enforcement actions against companies for allegedly making false statements about their ability to detect COVID-19. For example, in September, the SEC filed an action against a President and Chief Science Officer (“CSO”) alleging he issued false and misleading statements about the company’s development of a COVID-19 blood test.[50] According to the complaint, the President and CSO incorrectly stated that (i) the company had purchased materials to make a test, (ii) the company had submitted the test for emergency approval, and (iii) there was a high demand for the test. The SEC’s complaint also alleged that the defendant failed to provide necessary documents and financial information to the company’s independent auditor to update the company’s delinquent financial statements for 2014 and 2015.

More recently, the SEC announced charges against a biotech company and its CEO for making false and misleading claims in press releases that the company had developed a technology that could accurately detect COVID-19 through a blood test.[51] According to the complaint, the company and CEO made false and misleading statements about the existence of the physical testing device and the status of FDA emergency use authorization while advisors warned that the testing kit would not work as the company publicly described.

The SEC is also starting to bring enforcement actions against companies for alleged misstatements concerning how their financials were affected by the coronavirus. For example, in December, the SEC announced a settled order against a publicly traded restaurant company for allegedly incomplete disclosures in a Form 8-K about the financial effects of the pandemic on the company’s business operations and financial condition.[52] In brief, according to the SEC’s settled order, the company disclosed that it expected to be able to operate “sustainably, ” but did not disclose that it was losing $6 million in cash per week, it only had 16 weeks of cash remaining, it was excluding expenses attributable to corporate operations from its claim of sustainability, and it was not going to pay rent in April 2020. Without admitting or denying the SEC’s findings, the company agreed to pay a $125,000 penalty and to cease-and-desist from further violations of the reporting provisions in Section 13(a) of the Exchange Act and Rules 13a-11 and 12b-20. See our prior alert on this case for additional analysis and commentary on this case.

Other Disclosure Cases

In December, the SEC instituted a settled action against a U.S. based multinational company for allegedly failing to disclose material information about the company’s power and insurance businesses in three separate situations.[53] First, according to the SEC, the company misled investors by disclosing its power business’s increased profits without also disclosing that between one-quarter and one-half of those profits were a result of reductions in the company’s prior cost estimates. Second, the company failed to disclose that its reported increase in cash collections came at the expense of future years’ cash and was derived principally from internal sales between the company’s own business units. Third, the company lowered projected costs for its future insurance liabilities without disclosing uncertainties about those projected costs due to a general trend of rising long-term health insurance claim costs. Without admitting or denying wrongdoing, the company agreed to settle the allegations and pay a $200 million penalty. The settlement also contained a relatively unique undertaking by which the company agreed to self-report to the SEC regarding certain accounting and disclosure controls for one year.

In September, the SEC announced a settled action against an automaker for allegedly misleading disclosures about its vehicles’ emissions control systems.[54] According to the SEC, the automaker stated in a February press release and annual report that an internal audit had confirmed its vehicles complied with emissions regulations, without disclosing that the internal audit had a narrow scope and was not a comprehensive review, and also without disclosing that the Environmental Protection Agency and California Air Resource Board had expressed concerns to the automaker about some of its vehicles’ emissions. The automaker agreed to pay a $9.5 million penalty without admitting or denying the SEC’s allegations.

In September, the SEC instituted a settled action against a hospitality company for failing to fully disclose executive perks by omitting disclosure of approximately $1.7 million in executive travel benefits.[55] The benefits at issue related to company executives’ stays at the company’s hotels, and to the CEO’s personal use of corporate aircraft from the period 2015 to 2018. The company agreed to pay a $600,000 penalty to settle the action, without admitting or denying the SEC’s allegations.

C. Cases Involving Both Misleading Disclosures and Financial Reporting

In July, the SEC announced a settled action against a pharmaceutical company and three of its former executives for misleading disclosures and accounting violations.[56] According to the SEC, the company made misleading disclosures related to its sales to a pharmacy that the company helped establish and subsidize. For example, the company announced it was experiencing double-digit same store organic growth (a non-GAAP financial measure) without disclosing that much of that growth came from sales to the subsidized pharmacy and without disclosing risks related to that pharmacy. The SEC also alleged that the company improperly recognized revenue by incorrectly allocating $110 million in revenue attributable solely to one product to over 100 unrelated products. Without admitting or denying the allegations, the company agreed to pay a $45 million penalty; the former executives agreed to pay penalties ranging from $75,000 to $250,000 and to reimburse the company for previously paid incentive compensation in amounts ranging from $110,000 to $450,000. Additionally, the Controller agreed to a one-year accounting practice bar before the SEC.

In August, the SEC settled instituted a settled action against the former CEO and Chairman of a car rental company alleging that he aided and abetted the company in filing misleading disclosures and inaccurate financial reporting.[57] According to the SEC, the former CEO lowered the company’s depreciation expenses by lengthening the period for which the company planned to hold rental cars in its fleet, from holding periods of twenty months to holding periods of twenty-four and thirty months; the CEO did not fully disclose the new, lengthened holding periods, and did not disclose the risks associated with an older fleet. The complaint also alleged that, when the company fell short of forecasts, the former CEO pressured employees to “find money,” mainly by reanalyzing reserve accounts, resulting in his subordinates making accounting changes that left the company’s financial reports inaccurate. Without admitting or denying the SEC’s allegations, the former CEO agreed to pay a $200,000 penalty and reimburse the company $1.9 million. The car rental company had already agreed to pay a $16 million penalty to settle related charges, in December 2018.

In September, the SEC announced a settled action against a charter school operator engaged in a $7.6 million municipal bond offering, and its former president alleging that the defendants provided inaccurate financial projections and failed to disclose the school’s financial troubles.[58] According to the complaint, the school’s offering document included inaccurate profit and expense projections that indicated the school would become profitable in the next year when, according to the SEC, the school knew or should have known that these projections were inaccurate. The complaint also alleged that the school failed to disclose that it was operating at a sizable loss and had made repeated unauthorized withdrawals from its reserve accounts to pay its debts and routine expenses. Without admitting or denying wrongdoing, the school and its former president agreed to a settlement enjoining them from future violations; the former president also agreed to be enjoined from participating in future municipal securities offerings and to pay a $30,000 penalty.

Also in September, the SEC instituted a settled action against a technology company for inflating reported sales by prematurely recognizing sales expected to occur later and for failing to disclose these practices.[59] According to the SEC’s order, the company allegedly failed to disclose a practice used to increase monthly sales in which some regional managers would accelerate, or “pull-in,” to an earlier quarter’s sales that they expected to occur in later quarters. The company also allegedly failed to disclose that some regional managers sold to resellers known to violate company policy by selling product outside their designated territories in order to increase monthly sales. Finally, the SEC’s order alleged that the company made misleading disclosures by disclosing information related to its channel health that only included channel partners to which the company sold directly, without disclosing that this information did not include channel partners to which the company sold indirectly. The company agreed to pay a $6 million penalty, without admitting or denying wrongdoing.

In December, the SEC announced the settlement of an action filed in February against an energy company and its subsidiary for making misleading statements by claiming that the company would qualify for large tax credits for which the company knew it likely would not be eligible.[60] According to the SEC, the company represented that its project to build two new nuclear power units was on schedule, and therefore, would likely qualify for more than $1 billion in tax credits, when the company knew its project was substantially delayed and, resultingly, would likely fail to qualify for these tax credits. Without admitting or denying the allegations, the company agreed to pay a $25 million penalty; the company and its subsidiary also agreed to pay $112.5 million in disgorgement and prejudgment interest. The settlement remains subject to court approval. The litigation against two of the company’s senior executives remains ongoing.

Also in December, the SEC filed a complaint against a brand-management company with violations of the federal securities laws’ related to the company’s alleged failure to account for and disclose evidence of goodwill impairment.[61] The complaint alleged that the company unreasonably concluded that its goodwill was not impaired based on a qualitative impairment analysis, without taking into account and also without disclosing two internal quantitative analyses showing that goodwill was likely impaired. The litigation against the company remains ongoing.

D. Internal Controls

Increasingly, the SEC has demonstrated a willingness to resolve investigations of public companies on the basis of violations of the internal controls provisions of the Exchange Act. One recent example of an internal controls settlement provided a rare window into a significant divergence of opinion among the Commissioners concerning the appropriateness of such settlements based on a broad application of the internal controls provision.

In October, the SEC instituted a settled action against an energy company related to charges that the company failed to maintain internal controls that would have provided reasonable assurance that the company’s stock buyback plan would have complied with its own buyback policies.[62] According to the SEC’s order, the company implemented a $250 million stock buyback while in possession of material nonpublic information (MNPI) about a potential acquisition, in spite of the company’s policy prohibiting repurchasing stock while in possession of MNPI. In addition to detailing the litany of factors illustrating that the probability of the acquisition was sufficiently high as to have constituted MNPI, the SEC’s order focused on the company’s insufficient process for evaluating whether the acquisition discussions were material at the time it adopted a 10b5-1 plan for the buyback. Specifically, the process did not include speaking with the individuals at the company reasonably likely to have material information about significant corporate developments. As a result, the SEC’s order alleged that the company’s legal department did not consult with the CEO about the prospects of the company being acquired, even though the CEO was the primary negotiator. The company’s legal department thus “failed to appreciate” that the transaction’s probability was high enough to constitute MNPI.

Despite these findings, the SEC did not bring insider trading charges, but instead alleged that the company’s internal controls were insufficient to provide reasonable assurance that the company’s buyback transactions would comply with its buyback policy. Without admitting or denying the allegations, the company agreed to pay a $20 million penalty. Notably, Republican Commissioners Roisman and Peirce dissented from the Commission’s decision to institute the enforcement action. In a public statement explaining their dissent, the Commissioners argued that the internal controls provision, Section 13(b)(2)(B) of the Exchange Act, applies to “internal accounting controls,” and thus does not apply to internal controls to ensure a company does not repurchase stock in compliance with company policies.

III. Investment Advisers

In the second half of 2020, the SEC instituted a number of actions against investment advisers. We discuss notable cases below.

A. Payment for Order Flow

In August, the SEC instituted a settled action against two affiliated investment advisers in connection with their alleged misrepresentations to certain mutual fund and exchange-traded fund clients regarding “payment for order flow” arrangements, i.e., payments the investment adviser received for sending client orders to other brokerage firms for execution.[63] According to the SEC, on multiple occasions, the investment advisers made misleading statements that the payment for order flow arrangements did not adversely affect the prices at which the clients’ orders were executed, when in fact the executing brokers adjusted the execution prices to recoup those payments. Without admitting or denying the findings in the SEC’s order, the firms agreed to a cease-and-desist order, and to pay a combined total of $1 million in penalties.

In August, the SEC instituted a settled action against a California-based investment advisory firm based on allegations that it engaged in practices that violated its fiduciary duties to clients.[64] According to the SEC, the firm failed to disclose a conflict of interest in selecting mutual fund share classes that charged certain fees instead of available lower-cost share classes of the same funds. The firm’s affiliated broker received the associated fees in connection with these investments. Additionally, the SEC alleged that the firm failed to disclose its receipt of revenue sharing payments from its clearing broker in exchange for purchasing or recommending certain money market funds to clients. The SEC further alleged that these practices resulted in a violation of the firm’s duty to seek best execution for those transactions. Without admitting or denying the findings in the SEC’s order, the firm agreed to a cease-and-desist order and to pay disgorgement of $544,446, plus prejudgment interest of $22,746, and a penalty of $200,000, all for distribution to investors.

C. Exchange-Traded Products

In November, the SEC announced the first enforcement actions resulting from the Division of Enforcement’s “Exchange-Traded Products Initiative.” The SEC instituted settled actions against five firms registered as investment advisers and/or broker dealers in connection with their alleged unsuitable sales of complex, volatility-linked exchange-traded products to retail investors.[65] According to the SEC, representatives of the firms recommended that their clients buy and hold exchange-traded products for long periods of time, contrary to the warnings in the products’ offering documents, which made clear that they were intended to be short-term investments. The SEC further alleged that the firms failed to adopt or implement policies and procedures to address whether their registered representatives sufficiently understood the products to be able to form a reasonable basis to assess suitability or to recommend that their clients buy and hold the products. The firms agreed to pay a total of $3,000,000 in civil penalties among the five firms.

D. Puerto Rico Bonds

In December, the SEC filed a complaint in federal court in Puerto Rico against a Florida-based individual operating as an unregistered investment adviser.[66] According to the SEC’s complaint, the individual promised municipal officials in Puerto Rico an annual return of 8-10% on their approximately $9 million investment in the municipality’s funds, with no risk to principal. To convince officials to invest in the municipality’s funds, the individual allegedly falsified bank correspondence and brokerage opening documents. The SEC further alleged that the individual failed to execute the promised investment strategy, instead misappropriating $7.1 million of taxpayer funds by transferring the funds to himself, entities he controlled, and his associates. The SEC’s complaint seeks permanent injunctive relief, disgorgement of alleged ill-gotten gains plus prejudgment interest, and a civil penalty.

E. Disclosure Violations

In December, the SEC instituted a settled action against a UK-based investment adviser based on allegations that the company failed to make complete and accurate disclosures relating to the transfer of its highest-performing traders from its flagship client fund to a proprietary fund, and the replacement of those traders with a semi-systematic, algorithmic trading program.[67] The SEC alleged that the algorithmic trading program underperformed compared to the firm’s live traders, generating less profit with greater volatility. Additionally, the investment adviser allegedly failed to adequately implement policies and procedures reasonably designed to prevent the violations of the Investment Advisers Act under the particular circumstances described above. Without admitting or denying the findings in the SEC’s order, the firm agreed to a cease-and-desist order and to pay disgorgement and penalties totaling $170 million, all to be distributed to investors.

F. Single Broker Quotes

In December, the SEC instituted a settled action against a New York-based investment adviser and global securities pricing service based on allegations that the firm failed to adopt and implement policies and procedures reasonably designed to address the risk that the single broker quotes it delivered to clients did not reasonably reflect the value of the underlying securities.[68] The SEC further alleged that the firm failed to effectively or consistently implement quality controls for prices delivered to clients based on the single broker quotes. Without admitting or denying the findings in the SEC’s order, the firm agreed to cease and desist from future violations, to a censure, and to pay an $8 million penalty.

G. Cherry Picking

In December, the SEC filed a complaint in federal court in Texas against a Dallas-based investment adviser and its principal, charging the defendants with violations of the antifraud provisions of the federal securities laws.[69] The SEC’s complaint alleges that the principal placed options trades in the investment adviser’s omnibus account early in the trading day, but waited until near or after market close to allocate the trades to either his personal account or to specific client accounts. As alleged in the complaint, the principal disproportionately allocated profitable trades to his personal accounts and unprofitable trades to advisory clients, while representing to clients that all trades would be equitably allocated. The SEC’s complaint seeks permanent injunctions, disgorgement with prejudgment interest, and civil penalties.

IV. Broker-Dealers and Financial Institutions

Although not as numerous as prior years, there were nevertheless notable cases involving the conduct of broker-dealers in the latter half of 2020.

A. Financial Reporting and Recordkeeping

In August, the SEC instituted a settled action against a broker-dealer for neglecting to file over 150 suspicious activity reports (SARs) relating to microcap securities that the firm traded on behalf of its customers.[70] The purpose of SARs is to identify and investigate potentially suspicious activity, and the SEC’s order alleged that the broker-dealer failed to do so, even when suspicious transactions were identified by compliance personnel. The allegedly suspicious activity included numerous instances where customers either deposited and sold large blocks of microcap securities before quickly withdrawing the resulting proceeds from the respective accounts, sold enough of a particular microcap security on given days to account for over 70% of the daily trading volume for that security, or deposited microcap securities that were subject to SEC trading suspensions. The broker-dealer agreed to pay an $11.5 million penalty to the SEC, without admitting or denying the findings, and additionally agreed to pay penalties of $15 million and $11.5 million to FINRA and the CFTC respectively.

In September, the SEC instituted a settled action against a broker-dealer subsidiary of a global financial services firm for alleged violations of Regulation SHO.[71] Regulation SHO governs short sales and, among other things, generally prohibits broker-dealers from separately marking their long and short positions in a given security, instead requiring order aggregation to determine and mark one net position for each security. The SEC’s order alleged that the broker-dealer had a “Long Unit” that purchased equity securities to hedge short synthetic exposure, which should have been aggregated with a separate “Short Unit” that sold equity securities to similarly hedge long synthetic exposure for the purposes of order marking. The broker-dealer agreed to pay a $5 million penalty without admitting or denying the SEC’s findings.

B. Trade Manipulation

In September, the SEC instituted a settled action against a broker-dealer subsidiary of a global financial services firm for allegedly using trading techniques that artificially depressed or boosted the price of securities that it intended to buy or sell.[72] Specifically, the SEC’s order alleged that traders at the broker-dealer entered bona-fide buy-or-sell orders for particular securities, while simultaneously entering non bona-fide orders on the opposite side of the market to create a false appearance of buy or sell interest. In a settlement, the broker-dealer admitted to the SEC’s findings and agreed to pay a $25 million penalty and $10 million in disgorgement.

C. Best Execution and Payment for Order Flow

In December, the SEC instituted a settled action against a retail broker-dealer for alleged misstatements concerning revenue streams and execution quality, and for alleged best execution violations.[73] Specifically, the SEC’s order alleged that the broker-dealer did not disclose that it received revenue from order flow, i.e. routing its customers’ orders to principal trading firms, and further alleged that its statements concerning execution quality were inaccurate, even after accounting for customer savings from not having to pay a commission. Without admitting or denying the Commission’s findings, the broker-dealer agreed to pay a $65 million penalty and to obtain an independent consultant to review its relevant policies.

V. Cryptocurrency and Digital Assets

The Commission continued to bring enforcement actions in the area of digital assets during the second half of 2020. As in the first half of the year, these actions primarily were based on alleged failures to comply with the requirement to register an offering of assets deemed to be securities or allegations of fraud in the offer and sale of digital assets.

A. Significant Developments

Significantly, the SEC closed the year by bringing two enforcement actions involving digital assets. On December 22, the SEC charged Ripple Labs Inc. (“Ripple”) and two of its executives—its co-founder and board chairman and its CEO—with raising $1.3 billion through the sale of unregistered digital asset securities.[74] In particular, the SEC alleged that the native digital currency of Ripple, XRP, which has been sold by Ripple and others and trading in secondary markets, including on cryptocurrency exchanges for seven years, is a security (not merely a currency) under the Howey test, which defines a security as an investment of money in a shared enterprise with an expectation of profits from others’ work.[75] Additionally, the SEC alleged that the two executives personally made $600 million worth of unregistered sales of the digital asset. In the press release announcing the action, the SEC stressed that all public issuers “must comply with federal securities laws that require registration of offerings unless an exemption from registration applies.” Six days later, on December 28, the SEC obtained an emergency asset freeze against Virgil Capital LLC and its affiliates due to an alleged fraud perpetrated by the company’s owner.[76] The complaint alleged that the owner and his companies had been fraudulently misrepresenting to investors that their funds were to be used only for digital currency trading, when in reality those funds were used for personal expenses or other high-risk investments.

Another notable development demonstrates the increasing emphasis the SEC is placing on the protection of investors in the context of FinTech innovation. On December 3, 2020, the Commission announced that it was elevating the Strategic Hub for Innovation and Financial Technology (“FinHub”), to a stand-alone office. Previously, the FinHub, which was initially established in 2018, had been a unit within the Division of Corporation Finance.[77] Since its inception, FinHub has “spearheaded agency efforts to encourage responsible innovation in the financial sector, including in evolving areas such as distributed ledger technology and digital assets, automated investment advice, digital marketplace financing, and artificial intelligence and machine learning,” and provided industry players and regulators with a forum to engage with SEC Staff. The establishment of FinHub as a stand-alone office—which will continue to be led by current director Valerie A. Szczepanik—signals that the Commission will continue to focus on digital assets in the years to come.

Although the end of the year arguably was a high-water mark concerning the SEC’s enforcement of actions involving digital assets, the Commission consistently brought similar actions throughout the second half of the year, as discussed below.

B. Registration Cases

In July, the SEC instituted a settled action against a privately-owned California-based company and a related Philippine company for offering and selling U.S.-based securities without registration via an app and for trading in the related swap transactions outside of a registered national exchange.[78] The app allowed individuals to enter into a contract in which they would choose specific securities to “mirror,” and the value of their contracts would fluctuate according to the price of the underlying security. The Commission determined that the contracts constituted security-based swaps, and therefore were subject to U.S. securities laws. Without admitting or denying to the findings in the order, the two companies agreed to pay a penalty of $150,000. Additionally, the companies entered into a separate settlement with the CFTC arising from similar conduct.

In September, the SEC instituted a settled action against an operator of an online gaming and gambling platform for conducting an unregistered initial coin offering (“ICO”) of digital assets.[79] The order found that the company raised approximately $31 million through the offering of its digital token, and promised investors that it would develop a secondary market for trading in its tokens. The SEC determined that the tokens were sold as investment contracts, thereby constituting securities, the offering of which should have been registered. The company agreed to pay a $6.1 million penalty, without admitting or denying the Commission’s findings, and further agreed to disable the token and remove it from all digital asset-trading platforms. The Washington State Department of Financial Institution separately entered into a settlement agreement in connection with this offering.

C. Fraud Cases

In August, the SEC instituted a settled action against a Virginia-based company and its CEO, in connection with the company’s $5 million ICO to raise funding to develop an internet-based job-posting platform.[80] The SEC found that the offering of sale of the coin constituted the sale of unregistered securities, and that the company and its CEO made false and misleading statements to investors relating to the stability of its digital asset and its scalability compared to its competitors. Without admitting or denying the findings in the order, the company agreed to disgorge the $5 million raised and pay over $600,000 in prejudgment interest; the CEO was barred from serving as an officer or director of a public company and agreed to pay a $150,000 penalty; and the company and CEO both agreed to cease trading in (and destroy existing) coins and refrain from participating in any offerings of any digital asset securities.

In September, the SEC instituted a settled action against four individuals, and brought non-settled charges against another individual—an Atlanta-based film producer—and their two companies in connection with the misappropriation and theft of funds that were raised via ICOs.[81] The producer allegedly used the misappropriated funds and proceeds of manipulative trading to buy a Ferrari, a home, jewelry, and other luxury items. Three of the settling defendants agreed to pay a penalty of $25,000 and are prohibited from participating in the issuance of or otherwise transact in digital assets for five years. The fourth settling defendant agreed to pay a $75,000 penalty and is subject to a similar injunction. The U.S. Attorney’s Office for the Northern District of Georgia has also brought a criminal action against the non-settling defendant.

In October, the SEC filed an action against a software magnate and computer programmer for fraudulently promoting investments in ICOs to his thousands of Twitter followers.[82] The Complaint alleges that the programmer failed to disclose that he was paid more than $23 million to promote the investments and made other false and misleading statements, such as that he was advising some of the issuers and personally invested in some of the ICOs. The SEC also brought charges against the programmer’s bodyguard, alleging that he received over $300,000 to help with the scheme. The SEC also alleged that the programmer secretly amassed a large holding in another digital asset while promoting it on Twitter, with the intention of selling his holding at an inflated price. The DOJ’s Tax Division has separately brought criminal charges against the computer programmer.

VI. Insider Trading

Insider trading is another area in which the number and size of cases was diminished from prior years. Nevertheless, insider trading enforcement remains a significant focus for the SEC. Below we note some of the more significant actions.

The SEC announced two insider trading cases in September, and brought a third in December. In the first case, the SEC filed charges against a senior manager at an index provider and his friend, for allegedly obtaining more than $900,000 by trading on inside information.[83] According to the SEC, the manager used information regarding which companies were to be added or removed from the market index to place call and put options using the friend’s brokerage account. The SEC’s complaint seeks injunctive relief and civil penalties; the U.S. Attorney’s Office for the Eastern District of New York filed parallel criminal charges against the manager.

In the second case, the SEC settled insider trading charges against a former finance manager at an online retailer and two family members.[84] According to the SEC’s complaint, the employee allegedly tipped her husband about the company’s financial performance in advance of earnings announcements; the employee’s husband and his father used the information to trade in the company’s shares. The three individuals consented to the entry of a judgment enjoining future violation ordering payment of approximately $2.65 million in disgorgement and penalties. The U.S. Attorney’s Office for the Western District of Washington filed parallel criminal charges against the employee’s husband.

Most recently, the SEC filed insider trading charges against an individual in the Eastern District of New York.[85] According to the SEC’s complaint, the individual obtained information regarding a private equity firm’s interest in a publicly traded chemical manufacturing company in advance of a press release announcing the news. The individual traded on the information and additionally tipped others to trade for a collective profit of $1 million once the news broke. The SEC’s complaint seeks injunctive relief and civil penalties.

VII. Actions Against Attorneys

It is rare for the SEC to bring enforcement actions against attorneys for conduct in their capacity as lawyers. Thus, when the SEC does bring such cases, it is notable.

In December, the SEC filed a partially settled action against two attorneys: one licensed attorney and one disbarred attorney with fraud related to the licensed attorney’s reliance on the disbarred attorney for the preparation of attorney opinion letters for the sale of shares in microcap securities to retail investors.[86] The SEC alleged that the licensed attorney knew the disbarred attorney was disbarred during all relevant times. According to the complaint, the disbarred attorney prepared for the licensed attorney’s signature at least thirty attorney opinion letters, on which the licensed attorney falsely stated that he had personal knowledge of the bases for the opinions in the letters. The complaint also alleged that the disbarred attorney submitted over 100 attorney opinion letters in which he falsely claimed to be an attorney. Without admitting or denying the allegations, the licensed attorney agreed to a partial settlement to an injunction and penny-stock bar, with the potential for other remedies, including penalties, reserved. The SEC’s litigation against the disbarred attorney remains ongoing, as does a criminal action against both attorneys.

VIII. Offering Frauds

The SEC continued to bring offering fraud cases, which often contain charges against individuals and companies that target particular groups of investors.

A. Frauds Targeting Senior Citizens and Retirees

In July, the SEC filed a complaint against an aviation company and its owner, alleging that the company raised $14 million, largely from retired first responders, by representing that it would use the funds to purchase engines and other aircraft parts for leasing to major airlines.[87] The SEC’s complaint alleges that, instead, the company and its owner diverted most of the money for unauthorized purposes, including Ponzi-scheme like payments to other investors.

In September, the SEC charged the former president of a real estate company with violating antifraud provisions of the securities laws in connection with a $330 million alleged Ponzi-like scheme that impacted seniors.[88] In a second September case, the SEC announced settled charges against two individuals charged in connection with the sale of unregistered stock, following up on a 2019 action by the SEC against the company’s former CEO and two previously barred brokers.[89] According to the SEC, the three recently-charged individuals received undisclosed commissions totaling nearly $500,000 in connection with the sale of nearly $1.4 million in stocks to retail investors, most of whom were seniors.

In a recent case, the SEC filed civil charges against an individual in the Eastern District of New York for operating a Ponzi-like scheme that raised over $69 million from current and retired police officers and firefighters, among other investors.[90] The SEC’s complaint alleges that the individual represented that the investments would be used to acquire jewelry for a business that he operated, but instead were diverted to perpetuate and conceal the fraudulent scheme. The individual has pleaded guilty to related criminal charges.

B. Frauds Targeting Affinity Groups

In August, the SEC charged three principals and their companies in connection with a Ponzi-like scheme targeting African immigrants.[91] According to the SEC, the investors believed that the funds would be used for foreign exchange and cryptocurrency trading. The CFTC also filed civil charges, and the DOJ filed criminal charges. In September, the SEC filed a complaint in the Eastern District of New York against a Swedish national in connection with a purportedly “pre-funded reversed pension plan” that was largely marketed online and attracted over 800 investors from the Deaf, Hard of Hearing and Hearing Loss communities.[92] Finally, in December, the SEC brought an emergency action against a real estate development company and its owner in connection with a $119 million round of fundraising that predominantly targeting South Asian investors.[93]

The SEC has also focused on companies engaged in or making representations about emerging technologies and e-commerce. For example, the SEC charged an e-commerce startup and its CEO in Northern California with misrepresenting the extent of the company’s contracts with more well-known retailers and brands in order to attract investment.[94] The SEC filed another complaint against the founder and CEO of a machine-learning analytics company in California, alleging that the founder misrepresented the company’s prior financial performance and its client list.[95] In the Eastern District of Virginia, the SEC filed charges alleging that the founder and CEO of an online marketplace in connection with the offering and selling of over $18.5 million in securities, some of which were sold to corporate investors.[96] Both the U.S. Attorney’s Office and the Fraud Section of the Department of Justice have also announced criminal charges based on similar allegations. Finally, a court in the Southern District of New York froze over $35 million in assets[97] in connection with allegations by the SEC that the former CEO of a fraud detection and prevention software company misled investors by providing investors with erroneous financial statements.[98] According to the SEC, the former CEO altered bank statements supplied to the company’s finance department and incorporated into investor materials over the course of two years, during which the company raised approximately $123 million.

________________________

[1] Paul Kiernan and Scott Patterson, “An Old Foe of Banks Could Be Wall Street’s New Top Cop,” Wall Street Journal, Jan. 16, 2021, available at https://www.wsj.com/articles/an-old-foe-of-banks-could-be-wall-streets-new-top-cop-11610773211.

[2] Speech by Chairman Jay Clayton, “Putting Principles into Practice, the SEC from 2017-2020,” Remarks to the Economic Club of New York, Nov. 12, 2020, available at https://www.sec.gov/news/speech/clayton-economic-club-ny-2020-11-19.

[3] See 2020 Annual Report of U.S. SEC Division of Enforcement, available at https://www.sec.gov/files/enforcement-annual-report-2020.pdf.

[4] National Defense Authorization Act for Fiscal Year 2021, H.R. 6395, 116th Cong. (2020).

[5] Id.

[6] Id.

[7] Whistleblower Program, 2020 Annual Report to Congress, available at https://www.sec.gov/files/2020%20Annual%20Report_0.pdf.

[8] SEC Press Release, SEC Awards Over $1.6 Million to Whistleblower (Dec. 22, 2020), available at https://www.sec.gov/news/press-release/2020-333.

[9] SEC Press Release, SEC Adds Clarity, Efficiency, and Transparency to Its Successful Whistleblower Award Program (Sept. 23, 2020), available at https://www.sec.gov/news/press-release/2020-219.

[10] Lydia DePhillis, “The SEC Undermined a Powerful Weapon Against White-Collar Crime,” ProPublica (Jan. 13, 2021), available at https://www.propublica.org/article/the-sec-undermined-a-powerful-weapon-against-white-collar-crime.

[11] SEC Press Release, SEC Issues Record $114 Million Whistleblower Award (Oct. 22, 2020), available at https://www.sec.gov/news/press-release/2020-266.

[12] SEC Press Release, SEC Issues Record $114 Million Whistleblower Award (Oct. 22, 2020), available at https://www.sec.gov/news/press-release/2020-266.

[13] Whistleblower Program, 2020 Annual Report to Congress, available at https://www.sec.gov/files/2020%20Annual%20Report_0.pdf.

[14] SEC Press Release, SEC Awards Over $28 Million to Whistleblower (Nov. 3, 2020), available at https://www.sec.gov/news/press-release/2020-275.

[15] SEC Press Release, SEC Awards Over $10 Million to Whistleblower (Oct. 29, 2020), available at https://www.sec.gov/news/press-release/2020-270.

[16] SEC Press Release, SEC Issues Multiple Whistleblower Awards Totaling Over $3.6 Million (Dec. 18, 2020), available at https://www.sec.gov/news/press-release/2020-325.

[17] SEC Press Release, SEC Issues Multiple Whistleblower Awards Totaling Over $3.6 Million (Dec. 18, 2020), available at https://www.sec.gov/news/press-release/2020-325.

[18] SEC Press Release, SEC Issues $3.8 Million Whistleblower Award (July 14, 2020), available at https://www.sec.gov/news/press-release/2020-155.

[19] SEC Press Release, SEC Awards Over $1.25 Million to Whistleblower (Aug. 31, 2020), available at https://www.sec.gov/news/press-release/2020-199.

[20] SEC Press Release, SEC Awards Almost $30 Million to Two Insider Whistleblowers (Sept. 30, 2020), available at https://www.sec.gov/news/press-release/2020-239.

[21] SEC Press Release, SEC Awards Over $2.5 Million to Joint Whistleblowers for Detailed Analysis That Led to Multiple Successful Actions (Sept. 1, 2020), available at https://www.sec.gov/news/press-release/2020-201.

[22] SEC Press Release, SEC Awards More Than $10 Million to Whistleblowers (Sept. 14, 2020), available at https://www.sec.gov/news/press-release/2020-209.

[23] SEC Press Release, SEC Awards Almost $250,000 to Joint Whistleblowers (Sept. 17, 2020), available at https://www.sec.gov/news/press-release/2020-214.

[24] SEC Press Release, SEC Issues $2.4 Million Whistleblower Award (Sept. 21, 2020), available at https://www.sec.gov/news/press-release/2020-215.

[25] SEC Press Release, SEC Issues Two Whistleblower Awards for High-Quality Information Regarding Overseas Conduct (Sept. 25, 2020), available at https://www.sec.gov/news/press-release/2020-225.

[26] SEC Press Release, SEC Issues $1.8 Million Whistleblower Award to Company Outsider (Sept. 28, 2020), available at https://www.sec.gov/news/press-release/2020-231.

[27] SEC Press Release, SEC Whistleblower Program Ends Record-Setting Fiscal Year With Four Additional Awards (Sept. 30, 2020), available at https://www.sec.gov/news/press-release/2020-240.

[28] SEC Press Release, SEC Awards $800,000 to Whistleblower (Oct. 15, 2020), available at https://www.sec.gov/news/press-release/2020-255.

[29] SEC Press Release, SEC Awards More Than $3.6 Million and $750,000 in Separate Whistleblower Awards (Nov. 5, 2020), available at https://www.sec.gov/news/press-release/2020-278.

[30] SEC Press Release, SEC Awards More Than $3.6 Million and $750,000 in Separate Whistleblower Awards (Nov. 5, 2020), available at https://www.sec.gov/news/press-release/2020-278.

[31] SEC Press Release, SEC Awards Over $1.1 Million to Whistleblower for Independent Analysis (Nov. 13, 2020), available at https://www.sec.gov/news/press-release/2020-283.

[32] SEC Press Release, SEC Awards Whistleblower Over $900,000 (Nov. 19, 2020), available at https://www.sec.gov/news/press-release/2020-288.

[33] SEC Press Release, SEC Awards Over $6 Million to Joint Whistleblowers (Dec. 1, 2020), available at https://www.sec.gov/news/press-release/2020-297.

[34] SEC Press Release, SEC Issues Multiple Whistleblower Awards Totaling Nearly $3 Million (Dec. 7, 2020), available at https://www.sec.gov/news/press-release/2020-307.

[35] SEC Press Release, SEC Issues Multiple Whistleblower Awards Totaling Nearly $3 Million (Dec. 7, 2020), available at https://www.sec.gov/news/press-release/2020-307.

[36] SEC Press Release, SEC Issues Multiple Whistleblower Awards Totaling Nearly $3 Million (Dec. 7, 2020), available at https://www.sec.gov/news/press-release/2020-307.

[37] SEC Press Release, SEC Awards More Than $300,000 to Whistleblower with Audit Responsibilities (Dec. 14, 2020), available at https://www.sec.gov/news/press-release/2020-316.

[38] SEC Press Release, SEC Issues Multiple Whistleblower Awards Totaling Over $3.6 Million (Dec. 18, 2020), available at https://www.sec.gov/news/press-release/2020-325.

[39] SEC Press Release, SEC Charges Companies, Former Executives as Part of Risk-Based Initiative (Sept. 28, 2020), available at https://www.sec.gov/news/press-release/2020-226.

[40] SEC Press Release, SEC Charges BorgWarner for Materially Misstating its Financial Statements (Aug. 26, 2020), available at https://www.sec.gov/news/press-release/2020-195.

[41] SEC Press Release, SEC Charges Super Micro and Former CFO in Connection with Widespread Accounting Violations (Aug. 25, 2020), available at https://www.sec.gov/news/press-release/2020-190.

[42] SEC Press Release, Engine Manufacturing Company to Pay Penalty, Take Remedial Measures to Settle Charges of Accounting Fraud (Sept. 24, 2020), available at https://www.sec.gov/news/press-release/2020-222.

[43] SEC Press Release, SEC Charges Lighting Products Company and Four Executives with Accounting Violations (Sept. 24, 2020), available at https://www.sec.gov/news/press-release/2020-221.

[44] SEC Press Release, SEC Charges BMW for Disclosing Inaccurate and Misleading Retail Sales Information to Bond Investors (Sept. 24, 2020), available at https://www.sec.gov/news/press-release/2020-223.

[45] SEC Press Release, SEC Charges Manitex International and Three Former Senior Executives with Accounting Fraud (Sept. 29, 2020), available at https://www.sec.gov/news/press-release/2020-237.

[46] SEC Press Release, SEC Charges Seismic Data Company, Former Executives with $100 Million Accounting Fraud (Oct. 8, 2020), available at https://www.sec.gov/news/press-release/2020-251.

[47] SEC Press Release, SEC Charges Former Wells Fargo Executives for Misleading Investors About Key Performance Metric (Nov. 13, 2020), available at https://www.sec.gov/news/press-release/2020-281.

[48] SEC Press Release, Luckin Coffee Agrees to Pay $180 Million Penalty to Settle Accounting Fraud Charges (Dec. 16, 2020), available at https://www.sec.gov/news/press-release/2020-319.

[49] See, e.g., Praxsyn Corp., Applied Biosciences Corp., and Turbo Global partners Inc.

[50] SEC Press Release, SEC Orders Top Executive of California Microcap Company for Misleading Claims Concerning COVID-19 Test and Financial Statements (Sept. 25, 2020), available at https://www.sec.gov/news/press-release/2020-224.

[51] SEC Press Release, SEC Charges Biotech Company and CEO with Fraud Concerning COVID-19 Blood Testing Device (Dec. 18, 2020), available at https://www.sec.gov/news/press-release/2020-327.

[52] SEC Press Release, SEC Charges the Cheesecake Factory for Misleading COVID-19 Disclosures (Dec. 4, 2020), available at https://www.sec.gov/news/press-release/2020-306.

[53] SEC Press Release, General Electric Agrees to Pay $200 Million Penalty for Disclosure Violations (Dec. 9, 2020), available at https://www.sec.gov/news/press-release/2020-312.

[54] SEC Press Release, Fiat Chrysler Agrees to Pay $9.5 Million Penalty for Disclosure Violations (Sept. 28, 2020), available at https://www.sec.gov/news/press-release/2020-230.

[55] SEC Press Release, SEC Charges Hospitality Company for Failing to Disclose Executive Perks (Sept. 30, 2020), available at https://www.sec.gov/news/press-release/2020-242.

[56] SEC Press Release, Pharmaceutical Company and Former Executives Charged with Misleading Financial Disclosures (July 31, 2020), available at https://www.sec.gov/news/press-release/2020-169.

[57] SEC Press Release, SEC Charges Hertz’s Former CEO with Aiding and Abetting Company’s Financial Reporting and Disclosure Violations (Aug. 13, 2020), available at https://www.sec.gov/news/press-release/2020-183.

[58] SEC Press Release, SEC Charges Charter School Operator and its Former President with Fraudulent Municipal Bond Offering (Sept. 14, 2020), available at https://www.sec.gov/news/press-release/2020-208.

[59] SEC Press Release, SEC Charges HP Inc. with Disclosure Violations and Control Failures (Sept. 30, 2020), available at https://www.sec.gov/news/press-release/2020-241.

[60] SEC Press Release, Energy Companies Agree to Settle Fraud Charges Stemming from Failed Nuclear Power Plant Expansion (Dec. 2, 2020), available at https://www.sec.gov/news/press-release/2020-301.

[61] SEC Press Release, SEC Charges Sequential Brands Group Inc. with Deceiving Investors by Failing to Timely Impair Goodwill (Dec. 11, 2020), available at https://www.sec.gov/news/press-release/2020-315.

[62] SEC Press Release, SEC Charges Andeavor for Inadequate Controls Around Authorization of Stock Buyback Plan (Oct. 15, 2020), available at https://www.sec.gov/news/press-release/2020-258.

[63] SEC Press Release, SEC Charges Affiliated Advisers for Misrepresentations About Payment for Order Flow Arrangements (Aug. 5, 2020), available at https://www.sec.gov/news/press-release/2020-175.

[64] SEC Press Release, Advisory Firm Settles Charges of Defrauding Investors, Agrees to Refund Allegedly Ill-Gotten Gains to Harmed Clients (Aug. 13, 2020), available at https://www.sec.gov/news/press-release/2020-182.

[65] SEC Press Release, SEC Charges Investment Advisory Firms and Broker-Dealers in Connection with Sales of Complex Exchange-Traded Products (Nov. 13, 2020), available at https://www.sec.gov/news/press-release/2020-282.

[66] SEC Press Release, SEC Charges Unregistered Investment Adviser with Defrauding Puerto Rico Municipality (Dec. 1, 2020), available at https://www.sec.gov/news/press-release/2020-299.

[67] SEC Press Release, SEC Orders BlueCrest to Pay $170 Million to Harmed Fund Investors (Dec. 8, 2020), available at https://www.sec.gov/news/press-release/2020-308.

[68] SEC Press Release, Global Securities Pricing Service to Pay $8 Million for Compliance Failures (Dec. 9, 2020), available at https://www.sec.gov/news/press-release/2020-310.

[69] SEC Litig. Rel. No. 24990, SEC Charges Texas-Based Investment Adviser and Its President for Conducting Fraudulent “Cherry-Picking” Scheme (Dec. 21, 2020), available at https://www.sec.gov/litigation/litreleases/2020/lr24990.htm.

[70] SEC Press Release, SEC Charges Interactive Brokers with Repeatedly Failing to File Suspicious Activity Reports (Aug. 10, 2020), available at https://www.sec.gov/news/press-release/2020-178.

[71] SEC Press Release, Morgan Stanley Agrees to Pay $5 Million for Reg SHO Violations in Prime Brokerage Swaps Business (Sept. 30, 2020), available at https://www.sec.gov/news/press-release/2020-238.

[72] SEC Press Release, J.P. Morgan Securities Admits to Manipulative Trading in U.S. Treasuries (Sept. 29, 2020), available at https://www.sec.gov/news/press-release/2020-233.

[73] SEC Press Release, SEC Charges Robinhood Financial with Misleading Customers About Revenue Sources and Failing to Satisfy Duty of Best Execution (Dec. 17, 2020), available at https://www.sec.gov/news/press-release/2020-321.

[74] SEC Press Release, SEC Charges Ripple and Two Executives with Conducting $1.3 Billion Unregistered Securities Offering (Dec. 22, 2020), available at https://www.sec.gov/news/press-release/2020-338.

[75] SEC v. W.J. Howey Co., 328 U.S. 293 (1946).

[76] SEC Press Release, SEC Obtains Emergency Asset Freeze, Charges Crypto Fund Manager with Fraud (Dec. 28, 2020), available at https://www.sec.gov/news/press-release/2020-341.

[77] SEC Press Release, SEC Announces Office Focused on Innovation and Financial Technology (Dec. 3, 2020), available at https://www.sec.gov/news/press-release/2020-303.

[78] SEC Press Release, SEC Charges App Developer for Unregistered Security-Based Swap Transactions (July 13, 2020), available at https://www.sec.gov/news/press-release/2020-153.

[79] SEC Press Release, Unregistered ICO Issuer Agrees to Disable Tokens and Pay Penalty for Distribution to Harmed Investors (Sept. 15, 2020), available at https://www.sec.gov/news/press-release/2020-211.

[80] SEC Press Release, SEC Charges Issuer and CEO With Misrepresenting Platform Technology in Fraudulent ICO (Aug. 13, 2020), available at https://www.sec.gov/news/press-release/2020-181.

[81] SEC Press Release, SEC Charges Film Producer, Rapper, and Others for Participation in Two Fraudulent ICOs (Sept. 11, 2020), available at https://www.sec.gov/news/press-release/2020-207.

[82] SEC Press Release, SEC Charges John McAfee With Fraudulently Touting ICOs (Oct. 5, 2020), available at https://www.sec.gov/news/press-release/2020-246.

[83] SEC Press Release, SEC Charges Index Manager and Friend With Insider Trading (Sept. 21, 2020), available at https://www.sec.gov/news/press-release/2020-217.

[84] SEC Press Release, SEC Charges Amazon Finance Manager and Family With Insider Trading (Sept. 28, 2020), available at https://www.sec.gov/news/press-release/2020-228.

[85] SEC v. Peltz, 20-cv-6199 (E.D.N.Y. Dec. 22, 2020), ECF 1.

[86] SEC Press Release, SEC Charges Disbarred New York Attorney and Florida Attorney with Scheme to Create False Opinion Letters (Dec. 2, 2020), available at https://www.sec.gov/news/press-release/2020-300.

[87] SEC Press Release, SEC Charges CEO and Company With Defrauding First Responders and Others Out of Millions (July 30, 2020), available at https://www.sec.gov/news/press-release/2020-167.

[88] SEC Press Release, SEC Charges Former Real Estate Executive With Misappropriating $26 Million in Ponzi Scheme (Sept. 29, 2020), available at https://www.sec.gov/news/press-release/2020-236.

[89] SEC Press Release, SEC Charges Unregistered Brokers in Penny Stock Scheme Targeting Seniors (Sept. 29, 2020), available at https://www.sec.gov/news/press-release/2020-234; see also SEC Press Release, SEC Halts Penny Stock Scheme Targeting Seniors (Nov. 27, 2019), available at https://www.sec.gov/news/press-release/2019-245.

[90] SEC Press Release, SEC Charges Jewelry Wholesaler with Fraudulent Securities Offering Targeting Current and Retired Police Officers and Firefighters (Dec 30, 2020), available at https://www.sec.gov/news/press-release/2020-343.

[91] SEC Press Release, SEC Charges Ponzi Scheme Targeting African Immigrants (Aug. 18, 2020), available at https://www.sec.gov/news/press-release/2020-198.

[92] SEC Press Release, SEC Charges Swedish National with Global Scheme Defrauding Retail Investors, Including Deaf Community Members (Sept. 21, 2020), available at https://www.sec.gov/news/press-release/2020-232.

[93] SEC Press Release, SEC Charges Company and CEO for $119 Million Securities Fraud Targeting Members of the South Asian American Community (Dec. 21, 2020), available at https://www.sec.gov/news/press-release/2020-329.

[94] SEC Press Release, SEC Charges E-Commerce Startup and CEO With Defrauding Investors (Nov. 23, 2020), available at https://www.sec.gov/news/press-release/2020-291.

[95] SEC Press Release, SEC Charges Silicon Valley Start-Up and CEO With Defrauding Investors (July 20, 2020), available at https://www.sec.gov/news/press-release/2020-160.

[96] SEC Press Release, SEC Charges Trustify Inc. and Founder in $18.5 Million Offering Fraud (July 24, 2020), available at https://www.sec.gov/news/press-release/2020-162.

[97] SEC v. Rogas, No. 20-cv-7628 (S.D. Cal. Sept. 24, 2020), ECF No. 21.

[98] SEC Press Release, SEC Charges Former CEO of Technology Company With Raising $123 Million in Fraudulent Offerings (Sept. 17, 2020), available at https://www.sec.gov/news/press-release/2020-213.

The following Gibson Dunn lawyers assisted in the preparation of this client update: Mark Schonfeld, Barry Goldsmith, Richard Grime, Jeff Steiner, Tina Samanta, Brittany Garmyn, Zoey Goldnick, Rachel Jackson, Jesse Melman, Lauren Myers, Jaclyn Neely, Jason Smith, Mike Ulmer, Timothy Zimmerman, and Marie Zoglo.

Securities Enforcement Practice Group Leaders:
Barry R. Goldsmith – New York (+1 212-351-2440, bgoldsmith@gibsondunn.com)
Richard W. Grime – Washington, D.C. (+1 202-955-8219, rgrime@gibsondunn.com)
Mark K. Schonfeld – New York (+1 212-351-2433, mschonfeld@gibsondunn.com)

Please also feel free to contact any of the following practice group members:

New York
Zainab N. Ahmad (+1 212-351-2609, zahmad@gibsondunn.com)
Matthew L. Biben (+1 212-351-6300, mbiben@gibsondunn.com)
Reed Brodsky (+1 212-351-5334, rbrodsky@gibsondunn.com)
Joel M. Cohen (+1 212-351-2664, jcohen@gibsondunn.com)
Lee G. Dunst (+1 212-351-3824, ldunst@gibsondunn.com)
Mary Beth Maloney (+1 212-351-2315, mmaloney@gibsondunn.com)
Alexander H. Southwell (+1 212-351-3981, asouthwell@gibsondunn.com)
Avi Weitzman (+1 212-351-2465, aweitzman@gibsondunn.com)
Lawrence J. Zweifach (+1 212-351-2625, lzweifach@gibsondunn.com)
Tina Samanta (+1 212-351-2469, tsamanta@gibsondunn.com)

Palo Alto
Michael D. Celio (+1 650-849-5326, mcelio@gibsondunn.com)
Paul J. Collins (+1 650-849-5309, pcollins@gibsondunn.com)
Benjamin B. Wagner (+1 650-849-5395, bwagner@gibsondunn.com)

Denver
Robert C. Blume (+1 303-298-5758, rblume@gibsondunn.com)
Monica K. Loseman (+1 303-298-5784, mloseman@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

After a complicated path to passage, today the Senate completed the override of President Trump’s veto of the National Defense Authorization Act and, as part of that legislation, passed the Anti-Money Laundering Act of 2020 (“AMLA” or the “Act”).[1] The AMLA is the most comprehensive set of reforms to the anti-money laundering (“AML”) laws in the United States since the USA PATRIOT Act was passed in 2001. The Act’s provisions range from requiring many smaller companies to disclose beneficial ownership information to FinCEN to mandating awards to whistleblowers that report actionable information about Bank Secrecy Act (“BSA”)/AML violations. This alert identifies 10 of the biggest takeaways for financial institutions from the AMLA.[2]

The AMLA May Lead to More AML Enforcement, Including Through Expanded Whistleblower Provisions

The AMLA has a number of provisions that could result in significantly increased civil and criminal enforcement of AML violations. First and foremost, it provides for a significantly expanded whistleblower award program. Specifically, it states that when an AML enforcement action brought by DOJ or the U.S. Treasury Department results in monetary sanctions over $1 million, the Secretary of the Treasury “shall” pay an award of up to 30 percent of what was collected to whistleblowers who “voluntarily provided original information” that led to a successful enforcement action.[3] The previous whistleblower award program limited awards in most cases to $150,000 and was discretionary[4] – in our experience, that much more modest award program did not generate significant interest among potential whistleblowers or the plaintiffs’ bar. The Act also includes anti-retaliation protections for whistleblowers and, in the event of a violation of these provisions, allows them to file a complaint with the Department of Labor and, if it is not adjudicated within a certain period of time, to seek recourse in federal district court.[5]

It would be hard to overstate the far-reaching potential effects of this new program. By way of analogy, in 2010, the SEC announced its own whistleblower program to reward individuals who provided the agency with high-quality information.[6] The program has prompted a significant number of tips to the SEC. As of October 2020, the SEC Office of the Whistleblower had received more than 40,000 tips from whistleblowers in every state in the United States and approximately 130 countries around the world.[7] And this program has led to some significant SEC whistleblower awards, which may have encouraged further reporting. In October 2020, for instance, the SEC awarded $114 million to a whistleblower, the largest single award in history.[8]

As with the SEC whistleblower program, the new awards for BSA whistleblowers may incentivize employees and plaintiffs’ attorneys to provide a substantial number of new tips to law enforcement, even if many of them do not result in enforcement actions. Indeed, the number of employees at financial institutions who have access to information that could potentially form the basis for an AML whistleblower complaint is many times greater than in other contexts. Many large financial institutions employ hundreds of individuals in functions with AML responsibilities. For example, it remains to be seen whether this provision will weaponize the information held by even front-line compliance employees tasked with elevating suspicious activity for potential SAR filings when those employees do not see a SAR ultimately get filed.

The AMLA Increases Penalties for BSA/AML Violations in a Number of Ways

Another harbinger of increased enforcement is the expanded penalties enacted under the AMLA. As we explained in a January 2020 client alert, in recent years DOJ has been increasingly aggressive in using its money laundering authority to police international corruption and bribery, as illustrated by the 1MDB, FIFA, and PDVSA prosecutions.[9] And the incoming Biden administration has indicated that cracking down on illicit finance at home and abroad will be a top priority.[10]

The AMLA creates a number of new penalties that will help the government do so. It creates a new prohibition on knowingly concealing or misrepresenting a material fact from or to a financial institution concerning the ownership or control of assets involved in transactions over $1 million involving assets of a senior foreign political figure, close family member, or other close associate.[11] The Act also makes it a crime to knowingly conceal or misrepresent a material fact from or to a financial institution concerning the source of funds in a transaction that involves an entity that is a primary money laundering concern.[12] The penalties for violating these provisions are up to 10 years imprisonment and/or a $1 million fine.[13]

The Act also generally enhances penalties for various BSA/AML violations. For instance, it provides that any person “convicted” of violating the BSA shall, “in addition to any other fine under this section, be fined in an amount that is equal to the profit gained by such person by reason of such violation,” and, in the event the person was employed at a financial institution at the time of the violation, repay to the financial institution any bonus paid during the calendar year during or after which the violation occurred.[14] The Act additionally prohibits individuals who have committed an “egregious” violation of the BSA from sitting on the boards of U.S. financial institutions for 10 years.[15] Furthermore, the AMLA creates enhanced penalties for repeat violators, providing that if a person has previously violated the BSA, the Secretary of the Treasury “may impose” additional civil penalties of up to the greater of three times the profit gained or loss avoided by such person as a result of the violation or two times the maximum statutory penalty associated with the violation.[16]

The AMLA Significantly Increases the Government Resources Committed to Address Money Laundering

The AMLA also contains a host of provisions designed to better resource the government to address money laundering. It establishes special hiring authority for FinCEN and the Office of Terrorism and Financial Intelligence.[17] It also creates a number of unique roles, including FinCEN domestic liaisons to oversee different regions of the United States, as well as Treasury attachés and FinCEN foreign intelligence unit liaisons to be stationed at U.S. embassies or foreign government facilities.[18] The Act additionally creates a Subcommittee on Innovation and Technology to advise the Secretary of the Treasury on innovation with respect to AML and calls for BSA “Innovation Officers” and “Information Security Officers” at FinCEN and other federal financial regulators.[19] Although these staffing reforms may not directly impact financial institutions, the government’s increased focus and sophistication in addressing money laundering may result in additional inquiries from law enforcement, regulations, and guidance.

The AMLA Provides Additional Statutory Authority for DOJ to Seek Documents from Foreign Financial Institutions

DOJ typically has three avenues to pursue documents from foreign financial institutions. It can: (i) make a request under the Mutual Legal Assistance Treaty (or, in the absence of a treaty, a letter rogatory) with the country in question, which can be a slow process; (ii) it can issue a Bank of Nova Scotia subpoena, which requires written approval from DOJ’s Office of International Affairs[20]; or (iii) it can issue a subpoena pursuant to 31 U.S.C. § 5318(k) to a foreign financial institution that maintains a correspondent bank account in the United States.

The AMLA significantly expands the scope of DOJ’s (and Treasury’s) authority to seek and enforce correspondent account subpoenas under Section 5318. Previously, these subpoenas could be issued to any foreign bank that maintained a correspondent account in the United States and could “request records related to such correspondent account.”[21] The AMLA broadens this authority to allow DOJ to seek “any records relating to the correspondent account or any account at the foreign bank, including records maintained outside of the United States,” if the records are the subject of an investigation that relates to a violation of U.S. criminal laws, a violation of the BSA, a civil forfeiture action, or a Section 5318A investigation.[22] Thus, by statute, DOJ now has the authority to subpoena from foreign banks not only records related to correspondent accounts, but records from any account at the foreign bank if they fall within one of the broad investigative categories identified in the statute. The AMLA also requires the foreign financial institution to authenticate all records produced.[23] In the event a foreign financial institution fails to comply, the Act authorizes the Attorney General to seek contempt sanctions, and the Attorney General or Secretary of the Treasury may direct covered U.S. financial institutions to terminate their correspondent relationships with the foreign financial institution refusing to comply and can impose penalties on those institutions that fail to do so.[24]

The AMLA Includes a Pilot Project for Sharing SAR Data Across International Borders

An issue that many of our financial institution clients face is how to share information contained in suspicious activity reports (“SARs”) across U.S. borders to affiliates located in other countries.[25] Historically, FinCEN has issued guidance to partially address the problem by permitting sharing of SAR information with foreign parent organizations or U.S. affiliates.[26] The AMLA further addresses this issue by providing that within a year after the legislation is enacted, the Treasury Department shall issue rules that create a pilot program for financial institutions to share information related to SARs, including their existence, “with the institution’s foreign branches, subsidiaries, and affiliates for the purpose of combating illicit finance risks.”[27] Notably, it contains jurisdictional carve-outs that would not permit sharing with any entities located in China or Russia (which can be waived by the Secretary of the Treasury on a case-by-case basis for national-security reasons) or in jurisdictions that are state sponsors of terrorism, subject to U.S. sanctions, or that the Secretary of the Treasury determines cannot reasonably protect the security and confidentiality of the data.[28] The pilot project is set to last three years, and can be extended for an additional two years upon a showing by the Treasury Department that it is useful and in the U.S. national interest.[29]

The AMLA Specifically Applies the BSA to Nontraditional Value Transfers, Including Cryptocurrency

As financial institutions have become more adept at fighting money laundering in the past decade, the government has become increasingly concerned that criminals may turn to other mediums, such as cryptocurrency and art, to try to launder money. For instance, in November 2020, DOJ announced that it seized over $1 billion worth of Bitcoin that was tied to drug sales and other illicit products and services on the online marketplace Silk Road before it was shut down.[30] And using high-end artwork was one of the ways in which the alleged co-conspirators in the 1MDB scandal attempted to launder the proceeds of their alleged crimes, by purchasing various high-end pieces of art and then seeking banks or financiers “who take art as security for … bank loans.”[31]

While U.S. enforcers had argued that preexisting anti-money laundering authorities could reach transactions involving cryptocurrency and art, the application of preexisting AML regulations to cryptocurrency, in particular, has often been an uneasy fit. The preexisting AML regime was a set of rules written largely for an analog world, and its application to the digital realm left open important questions, particularly in the context of criminal enforcement actions. Now, however, the Act expands the definition of financial institution and money transmitting business to include businesses engaged in the exchange or transmission of “value that substitutes for currency,” potentially reinforcing the government’s position that the BSA applies to cryptocurrency.[32] The AMLA also adds antiquities dealers, advisors, and consultants to the definition of “financial institution” under the BSA.[33] As to art, the AMLA requires the government to prepare a study within a year that assesses money laundering and terrorist financing through the art trade, including “which markets … should be subject to regulation,” “the degree to which the regulations, if any, should focus on high-value trade in works of art,” and “the need, if any, to identify persons who are dealers, advisors, consultants, or any other persons who engage as a business in the trade in works of art.”[34]

Many Smaller Companies Will Be Required to Disclose Beneficial Ownership Information to FinCEN, Which Will Also Be Available to Financial Institutions

The lack of a requirement for corporations to provide beneficial ownership information at the state or federal level in the United States has long been seen by law enforcement as a loophole that criminals can exploit. For instance, in 2016, the Financial Action Task Force (“FATF,” an international body that sets AML standards) recommended that the United States “[t]ake steps to ensure that adequate, accurate and current [beneficial owner] information of U.S. legal persons is available to competent authorities in a timely manner, by requiring that such information is obtained at the Federal level.”[35]

Accordingly, one of the most significant developments in the AMLA is the requirement for “reporting compan[ies]” to disclose beneficial ownership information to FinCEN, which will in turn maintain a nonpublic beneficial ownership database.[36] The definition of “reporting company” exempts a wide range of entities, including many classes of financial institutions (such as registered issuers, credit unions, broker-dealers, money transmitters, and exchanges) and larger U.S. companies, which are defined as companies that employ more than 20 full-time employees in the United States, had more than $5 million in gross revenue in the past year, and are operating at a physical office in the United States.[37] Thus, the new requirement is aimed at smaller businesses and shell companies.

Although the reporting requirement generally does not apply to financial institutions, it nevertheless has important consequences for them. The Act allows FinCEN to disclose beneficial ownership information to a financial institution with the reporting company’s consent to facilitate the financial institution’s compliance with Customer Due Diligence requirements.[38] As such, financial institutions will have to develop processes to effectively evaluate information from this beneficial ownership database. Moreover, the AMLA provides significant penalties for misuse of beneficial ownership information. Failure to disclose beneficial ownership information subjects a person to civil monetary penalties of $500 per day and a fine up to $10,000 and/or imprisonment of up to two years.[39] By contrast, unauthorized disclosure of beneficial ownership information is subject to the same civil penalty, but with fines up to $250,000—25 times the fine for failure to report—and/or imprisonment of up to five years.[40]

The AMLA Requires the Government to Establish AML Priorities That Will Feed Into Examinations of Financial Institutions

The AMLA requires the Secretary of the Treasury to publish “public priorities for anti-money laundering and countering the financing of terrorism policy” within 180 days after the law’s enactment.[41] The priorities must be “consistent with the national strategy for countering the financing of terrorism and related forms of illicit finance.”[42] FinCEN will have 180 days after the priorities are released to promulgate rules to carry out these priorities.[43] Financial institutions, for their part, will be required to “review” and “incorporat[e]” these priorities into their AML programs, which will be a measure “on which a financial institution is supervised and examined.”[44]

The AMLA Begins to Address Inefficiencies in SAR and CTR Filing Processes

Some argue that the current SAR and CTR filing processes are the worst of both worlds: they are incredibly burdensome for financial institutions but simultaneously bury enforcers with so much information that they cannot separate the wheat from the chaff. The $10,000 threshold for CTRs, for example, was set in 1970, and were it to be adjusted for inflation, the current threshold for filing a CTR today would be more than $60,000.[45] The lack of indexing for these thresholds has resulted in a swelling volume of mandatory reports; more than 16 million CTRs were filed in 2019.[46] Similarly, the SAR thresholds were set over 20 years ago, and the “current regime promotes the filing of SARs that may never be read, much less followed up on as part of an investigation”[47]—resulting in over 2.7 million SARs filed in 2019.[48]

The AMLA begins to take steps to address these criticisms. It requires that, when imposing requirements to report suspicious transactions, the Secretary of the Treasury shall, among other things, “establish streamlined, including automated, processes to, as appropriate, permit the filing of noncomplex categories of reports.”[49] It also requires the government to conduct formal reviews of whether the CTR and SAR thresholds should be adjusted and to determine if there are changes that can be made to the filing process to “reduce any unnecessarily burdensome regulatory requirements” while ensuring the information has a high degree of usefulness to enforcers.[50]

The AMLA also contains a number of provisions to try to ensure the usefulness of information provided by financial institutions. For instance, it requires FinCEN to periodically disclose to financial institutions “in summary form[] information on suspicious activity reports filed that proved useful to Federal or State criminal or civil law enforcement agencies during the period since the most recent disclosure,” provided the information does not relate to an ongoing investigation or implicate national security.[51] Similarly, the AMLA requires FinCEN to publish threat pattern and trend information at least twice a year to provide meaningful information about the preparation, use, and value of reports filed under the BSA.[52]

The AMLA Continues to Promote Collaboration Between the Public and Private Sectors

As FinCEN has recognized, “[s]haring information through … public-private partnerships supports more, and higher-quality, reports to FinCEN and assists law enforcement in detecting, preventing, and prosecuting terrorism, organized crime, money laundering, and other financial crimes.”[53] To that end, FinCEN has sought to improve collaboration between law enforcement and financial institutions over the years. For instance, in 2017, FinCEN created the “FinCEN Exchange” to “enhance information sharing with financial institutions.”[54]

The AMLA contains a number of provisions designed to further promote collaboration between the public and private sectors. It formalizes the FinCEN Exchange by statute, and requires the Secretary of the Treasury to periodically report to Congress about the utility of the Exchange and recommendations for further improvements.[55] The Act requires that data shared under the Exchange be done so in accordance with federal law and in “such a manner as to ensure the appropriate confidentiality of personal information”; it also “shall not be used for any purpose” other than identifying and reporting on financial crimes.[56] Furthermore, the Act requires the Secretary of the Treasury to convene a team consisting of stakeholders from the public and private sector “to examine strategies to increase cooperation between the public and private sectors for purposes of countering illicit finance.”[57]

________________________

[1] William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, H.R. 6395. Division F of the NDAA is the Anti-Money Laundering Act of 2020, and Title XCVII within the bill contains additional provisions relevant to the financial services industry.

[2] This alert is not a comprehensive summary of every provision of the AMLA, the specific provisions of the law discussed herein, or the broader NDAA. For example, the NDAA contains a provision providing the SEC explicit authority to seek disgorgement in federal court, which is discussed in a separate Gibson Dunn client alert available here.

[3] AMLA, § 6314 (adding 31 U.S.C. § 5323(b)(1)).

[4] See 31 U.S.C. § 5323.

[5] AMLA, § 6314 (adding 31 U.S.C. § 5323(g)).

[6] Press Release, U.S. Secs. & Exch. Comm’n, SEC Proposes New Whistleblower Program Under Dodd-Frank Act, (Nov. 3, 2010), https://www.sec.gov/news/press/2010/2010-213.htm.

[7] U.S. Secs. & Exch. Comm’n, Whistleblower Program Annual Report 27-30 (2020), https://www.sec.gov/files/2020%20Annual%20Report_0.pdf.

[8] Press Release, SEC Issues Record $114 Million Whistleblower Award, Securities and Exchange Commission, Oct. 22, 2020, https://www.sec.gov/news/press-release/2020-266.

[9] Developments in the Defense of Financial Institutions – The International Reach of the U.S. Money Laundering Statutes, Gibson Dunn (Jan. 9, 2020), https://www.gibsondunn.com/developments-in-defense-of-financial-institutions-january-2020/.

[10] Amy MacKinnon, Biden Expected to Put the World’s Kleptocrats on Notice, Foreign Policy (Dec. 3, 2020), https://foreignpolicy.com/2020/12/03/biden-kleptocrats-dirty-money-illicit-finance-crackdown/.

[11] AMLA, § 6313 (adding 31 U.S.C. § 5335(b)).

[12] AMLA, § 6313 (adding 31 U.S.C. § 5335(c)).

[13] AMLA, § 6313 (adding 31 U.S.C. § 5335(d)).

[14] AMLA, § 6312 (adding 31 U.S.C. § 5322(e)).

[15] AMLA, § 6310 (adding 31 U.S.C. § 5321(g)).

[16] AMLA, § 6309 (adding 31 U.S.C. § 5321(f)).

[17] AMLA, § 6105.

[18] AMLA, §§ 6106, 6107, 6108.

[19] AMLA, §§ 6207, 6208, 6303.

[20] Justice Manual § 9-13.525, U.S. Department of Justice, https://www.justice.gov/jm/jm-9-13000-obtaining-evidence#9-13.525 (“[A]ll Federal prosecutors must obtain written approval from the Criminal Division through the Office of International Affairs (OIA) before issuing any unilateral compulsory measure to persons or entities in the United States for records located abroad.”).

[21] 31 U.S.C. § 5318(k)(3)(A).

[22] AMLA, § 6308 (31 U.S.C. § 5318(k)(3)(A)(i) as revised).

[23] AMLA, § 6308 (31 U.S.C. § 5318(k)(3)(A)(ii) as revised).

[24] AMLA, § 6308 (31 U.S.C. § 5318(k)(D), (E) as revised).

[25] See 31 U.S.C. § 5318(g)(2)(A)(i) (providing that financial institutions or their employees involved in reporting suspicious transactions may not notify “any person involved in the transaction that the transaction has been reported.”).

[26] Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices or Controlling Companies (Jan. 20, 2006), https://www.fincen.gov/sites/default/files/guidance/sarsharingguidance01122006.pdf; Fin. Crimes Enf’t Network, FIN-2010-G006, Sharing Suspicious Activity Reports by Depository Institutions with Certain U.S. Affiliates (Nov. 23, 2010), https://www.fincen.gov/sites/default/files/shared/fin-2010-g006.pdf.

[27] AMLA, § 6212 (adding 31 U.S.C. § 5318(g)(8)(B)(i)).

[28] AMLA, § 6212 (adding 31 U.S.C. § 5318(g)(8)(C)).

[29] AMLA, § 6212 (adding 31 U.S.C. § 5318(g)(8)(B)(iii)).

[30] Press Release, U.S. Dept. of Justice, United States Files A Civil Action To Forfeit Cryptocurrency Valued At Over One Billion U.S. Dollars, (Nov. 5, 2020), https://www.justice.gov/usao-ndca/pr/united-states-files-civil-action-forfeit-cryptocurrency-valued-over-one-billion-us.

[31] United States of America v. One Pen and Ink Drawing By Vincent Van Gogh Titled “La Maison De Vincent A Arles” et al., No. 2:16-cv-5366 (C.D. Cal. July 20, 2016), Dkt. 1 ¶¶ 440-43, https://www.justice.gov/archives/opa/page/file/877156/download

[32] AMLA, § 6102(d); see also Press Release, Sen. Mark Warner, Warner, Rounds, Jones Applaud Inclusion of Bipartisan Anti-Money Laundering Legislation in NDAA (Dec. 3, 2020), https://www.warner.senate.gov/public/index.cfm/2020/12/warner-rounds-jones-applaud-inclusion-of-bipartisan-anti-money-laundering-legislation-in-ndaa (highlighting “[e]nsuring the inclusion of current and future payment systems in the AML-CFT regime” as among the achievements of the new NDAA).

[33] AMLA, § 6110(a)(1) (31 U.S.C. § 5312(a)(2)(Y) as amended).

[34] AMLA, § 6111(e).

[35] FATF, Anti-money laundering and counter-terrorist financing measures in the United States: Executive Summary 11 (2016), http://www.fatf-gafi.org/media/fatf/documents/reports/mer4/MER-United-States-2016-Executive-Summary.pdf.

[36] AMLA, § 6403 (adding 31 U.S.C. § 5336)

[37] AMLA, § 6403 (adding 31 U.S.C. § 5336(a)(11)).

[38] AMLA, § 6403 (adding 31 U.S.C. § 5336(c)(2)(B)(iii)).

[39] AMLA, § 6403 (adding 31 U.S.C. § 5336(h)(3)(A)).

[40] AMLA, § 6403 (adding 31 U.S.C. § 5336(h)(3)(B)).

[41] AMLA, § 6101(a) (adding 31 U.S.C. § 5311(b)(4)(A)).

[42] AMLA, § 6101(a) (adding 31 U.S.C. § 5311(b)(4)(C)).

[43] AMLA, § 6101(a) (adding 31 U.S.C. § 5311(b)(4)(D)).

[44] AMLA, § 6101(a) (adding 31 U.S.C. § 5311(b)(4)(E)).

[45] Blaine Luetkemeyer, Steve Pearce, It’s Time to Modernize the Bank Secrecy Act, American Banker (June 13, 2018), https://www.americanbanker.com/opinion/its-time-to-modernize-the-bank-secrecy-act.

[46] FinCEN Report of Transactions in Currency, 85 Fed. Reg. 29,022, 29,023 (May 14, 2020), https://www.govinfo.gov/content/pkg/FR-2020-05-14/pdf/2020-10310.pdf.

[47] The Clearing House, A New Paradigm: Redesigning the U.S. AML/CFT Framework to Protect National Security and Aid Law Enforcement 13 (2017), here.

[48] See FinCEN Report of Reports by Financial Institutions of Suspicious Transactions, 85 Fed. Reg. 31,598, 31,599 (May 26, 2020), https://www.govinfo.gov/content/pkg/FR-2020-05-26/pdf/2020-11247.pdf.

[49] AMLA, § 6202 (adding 31 U.S.C. § 5318(g)(5)(D)).

[50] AMLA, §§ 6204, 6205.

[51] AMLA, § 6203(b).

[52] AMLA, § 6206 (adding 31 U.S.C. § 5318(g)(6)).

[53] Press Release, Fin. Crimes Enf’t Network, FinCEN Exchange in New York City Focuses on Virtual Currency, https://www.fincen.gov/resources/financial-crime-enforcement-network-exchange.

[54] Press Release, Fin. Crimes Enf’t Network, FinCEN Launches “FinCEN Exchange” to Enhance Public-Private Information Sharing, (Dec. 4, 2017), https://www.fincen.gov/news/news-releases/fincen-launches-fincen-exchange-enhance-public-private-information-sharing.

[55] AMLA, § 6103 (adding 31 U.S.C. § 310(d)(2), (3)).

[56] AMLA, § 6103 (adding 31 U.S.C. § 310(d)(4)(A), (4)(B), 5(B)).

[57] AMLA, § 6214.

The following Gibson Dunn lawyers assisted in preparing this client alert: Stephanie Brooker, M. Kendall Day, Linda Noonan, Ella Alves Capone, Chris Jones and Alexander Moss.

Gibson Dunn has deep experience with issues relating to the Bank Secrecy Act, other AML and sanctions laws and regulations, and the defense of financial institutions more broadly. For assistance navigating white collar or regulatory enforcement issues involving financial institutions, please contact any of the authors, the Gibson Dunn lawyer with whom you usually work, or any of the leaders and members of the firm’s Financial Institutions, White Collar Defense and Investigations, or International Trade practice groups.

Stephanie Brooker – Washington, D.C. (+1 202-887 3502, sbrooker@gibsondunn.com)
M. Kendall Day– Washington, D.C. (+1 202-955-8220, kday@gibsondunn.com)
Linda Noonan – Washington, D.C. (+1 202-887-3595, lnoonan@gibsondunn.com)
Ella Alves Capone – Washington, D.C. (+1 202-887-3511, ecapone@gibsondunn.com)
Chris Jones* – San Francisco (+1 415-393-8320, crjones@gibsondunn.com)
Alexander Moss – Washington, D.C. (+1 202.887.3615, amoss@gibsondunn.com)

Please also feel free to contact any of the following practice group leaders:

Financial Institutions Group:
Matthew L. Biben – New York (+1 212-351-6300, mbiben@gibsondunn.com)
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
Arthur S. Long – New York (+1 212-351-2426, along@gibsondunn.com)

White Collar Defense and Investigations Group:
Joel M. Cohen – New York (+1 212-351-2664, jcohen@gibsondunn.com)
Charles J. Stevens – San Francisco (+1 415-393-8391, cstevens@gibsondunn.com)
F. Joseph Warin – Washington, D.C. (+1 202-887-3609, fwarin@gibsondunn.com)

International Trade Group:

Ronald Kirk – Dallas (+1 214-698-3295, rkirk@gibsondunn.com)
Judith Alison Lee – Washington, D.C. (+1 202-887-3591, jalee@gibsondunn.com)
Adam M. Smith – Washington, D.C. (+1 202-887-3547, asmith@gibsondunn.com)

*Mr. Jones is admitted only in New York and Washington, D.C. and is practicing under the supervision of Principals of the Firm.

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Gibson Dunn provides a discussion regarding the latest developments and trends in anti-money laundering and sanctions laws, regulations, and enforcement. This webcast includes a particular focus on international AML developments, including the increasing overlap between sanctions and AML enforcement. We also discuss updates related to the FinCEN files, FinCEN’s new enforcement guidance, virtual currency, marijuana-related businesses, and sports betting. With respect to sanctions, we cover the increasing complexity of complying with the growth in both traditional U.S. sanctions and newer export controls. We also analyze the mounting challenges for companies seeking to navigate global compliance stemming from the enforcement of “counter-sanctions” imposed by China, the European Union, and others.

View Slides (PDF)

MODERATOR:

F. Joseph Warin is co-chair of Gibson Dunn’s global White Collar Defense and Investigations Practice Group, and chair of the Washington, D.C. office’s 200-person Litigation Department. Mr. Warin’s group is repeatedly recognized by Global Investigations Review as the leading global investigations law firm in the world. Mr. Warin is a former Assistant United States Attorney in Washington, D.C. He is ranked annually in the top-tier by Chambers USA, Chambers Global, and Chambers Latin America for his FCPA, fraud and corporate investigations experience. Among numerous accolades, he has been recognized by Benchmark Litigation as a U.S. White Collar Crime Litigator “Star” for ten consecutive years (2011–2020).

PANELISTS:

Stephanie L. Brooker is co-chair of Gibson Dunn’s Financial Institutions Practice Group and member of the White Collar Group. She is the former Director of the Enforcement Division at FinCEN, and previously served as the Chief of the Asset Forfeiture and Money Laundering Section in the U.S. Attorney’s Office for the District of Columbia and as a DOJ trial attorney for several years. Ms. Brooker represents multi-national companies and individuals in internal corporate investigations and DOJ, SEC, and other government agency enforcement actions involving, for example, matters involving BSA/AML; sanctions; anti-corruption; securities, tax, and wire fraud; whistleblower complaints; and “me-too” issues. Her practice also includes BSA/AML compliance counseling and due diligence and significant criminal and civil asset forfeiture matters. Ms. Brooker has been named a Global Investigations Review “Top 100 Women in Investigations” and National Law Journal White Collar Trailblazer.

Kendall Day is a litigation partner in Washington, D.C. and was a white collar prosecutor for 15 years, eventually rising to become an Acting Deputy Assistant Attorney General, the highest level of career official in the Criminal Division at DOJ. He represents financial institutions, multi-national companies, and individuals in connection with criminal, regulatory, and civil enforcement actions involving anti-money laundering (AML)/Bank Secrecy Act (BSA), sanctions, FCPA and other anti-corruption, securities, tax, wire and mail fraud, unlicensed money transmitter, false claims act, and sensitive employee matters. Mr. Day’s practice also includes BSA/AML compliance counseling and due diligence, and the defense of forfeiture matters.

Adam M. Smith is a partner in Washington, D.C. and was the Senior Advisor to the Director of the U.S. Treasury Department’s OFAC and the Director for Multilateral Affairs on the National Security Council. His practice focuses on international trade compliance and white collar investigations, including with respect to federal and state economic sanctions enforcement, the FCPA, embargoes, and export controls. He routinely advises multi-national corporations regarding regulatory aspects of international business. Mr. Smith is ranked by Chambers and Partners and was named by Global Investigations Review as a leading sanctions practitioner.

Ella Alves Capone is a senior associate in the Washington, D.C. office. Her practice focuses primarily in the areas of white collar criminal defense, corporate compliance, and securities litigation. Ms. Capone regularly conducts internal investigations and advises multinational corporations and financial institutions, including major banks and casinos, on compliance with anti-corruption and anti-money laundering laws and regulations.

Since the last presidential election, there have been several regulatory developments that go to the heart of the U.S. dual banking system – the quintessentially American system under which banking entities may choose either a state or federal charter. These developments have occurred at the Office of the Comptroller of the Currency (OCC), the regulator of national banks. Perceived as increasing both the number of federally regulated entities and the scope of preemption of state consumer law, these developments have been challenged by state regulators in New York, California and Illinois, and others, in lawsuits that are now pending. Potential issues for the upcoming election, therefore, may be the extent of state-federal regulatory balance and the degree of judicial control over federal regulatory actions. On the latter point, litigation over these developments will play out with a changed Supreme Court and one at which certain Justices have begun to question the traditional deference paid to regulators’ interpretations of the statutes they administer. This Alert discusses the relevant issues at stake.

I. Fintech/Payments Charters

At the end of the Obama Administration, then-Comptroller Thomas Curry stated that the OCC had the authority under the National Bank Act to grant special purpose national bank charters to fintech companies “engaged in the business of banking,” including to companies that did not take deposits. After his departure, the OCC slowly fleshed out a framework for evaluating such charters. Late this August, Acting Comptroller Brian Brooks seemed to accelerate this process by stating that the OCC was prepared to begin accepting charter applications for national banks engaged only in payments activities.The OCC’s actions were challenged by state financial regulators. Most significantly, the New York Department of Financial Services (NYDFS) sued the OCC regarding the special purpose national bank charter. Last fall, NYDFS won an initial victory in the United States District Court for the Southern District of New York, where Judge Victor Marrero held that the suit was ripe for adjudication and that the OCC had no authority to issue charters for non-deposit taking banks other than those that Congress had specifically authorized, such as national trust banks.[1]

The OCC appealed this case to the U.S. Court of Appeals for the Second Circuit (Second Circuit), where briefs have been filed, including on the issue of whether, absent congressional authorization of exceptions, a federal charter to engage in the “business of banking” in the National Bank Act always requires deposit taking.

II. The OCC’s “Valid When Made” and “True Lender” Regulations

The OCC’s second action was to promulgate, in June 2020, a final regulation that would overturn the decision of the Second Circuit in the Madden v. Midland Funding, LLC case.[2] In Madden, the Second Circuit held that a borrower could assert a usury defense against a nonbank company that had purchased a loan originally made by a national bank, even though the loan when originally made was not usurious because of the National Bank Act’s interest-rate exportation provision, 12 U.S.C. § 85 (Section 85), which allows a national bank to charge nationally the interest rate permitted under the laws of the state in which the bank is located.[3]

The OCC’s regulation (Valid When Made Regulation) overrides the Madden holding and gives nonbank purchasers of loans from national banks and federal thrifts, including fintech lending companies that have national bank lending partners, the same usury protection as is available to national banks under Section 85.[4]

In late July, the States of California, Illinois and New York sued the OCC in the United States District Court for the Northern District of California, seeking declaratory and injunctive relief. The States argued that the Valid When Made Regulation was invalid as arbitrary and capricious and contrary to law, and that only Congress had the authority to overrule the Madden decision.[5]

Finally, just yesterday, the OCC finalized a second regulation relevant to this area. This regulation (True Lender Regulation) clarifies when a national bank or federal thrift is the “lender” for purposes of Section 85 and other statutes. It states that a national bank or federal thrift is the true lender if, as of the date of origination, it (1) is named as the lender in the loan agreement or (2) funds the loan.[6] The rule also specifies that if, as of the date of origination, one bank is named as the lender in the loan agreement for a loan and another bank funds that loan, the bank that is named as the lender in the loan agreement makes the loan.[7] State regulators may be expected to claim that, taken together, the True Lender Regulation and Valid When Made Regulation will facilitate so-called “rent a bank” schemes by nonbank lenders to avoid state usury and other consumer protection requirements.

III. Dual Banking System Effects

The special purpose national bank charter and Valid When Made and True Lender Regulations clearly implicate the dual banking system and particularly as applied to fintech companies. For example, to the extent that payments companies currently engage in money transmission, they must become licensed in every state having jurisdiction. A single federal non-depository bank charter for such entities is appealing from an efficiency standpoint and would likely attract many applicants. Similarly, some fintech lending companies partner with bank lenders, with the fintech acquiring the loan from the bank after it is made and then seeking to benefit from federal preemption. Certain states have alleged that this practice creates loopholes in their licensing and consumer protection schemes. It is therefore not surprising that states and regulators in jurisdictions with active consumer regulation have chosen to go to court to challenge the OCC’s actions.

IV. Preemption and Judicial Deference: The Watters and Cuomo Cases and Beyond

It has been some time since significant decisions were handed down in cases involving the OCC and the National Bank Act – one has to look at Waters v. Wachovia Bank, N.A. in 2007 and Cuomo v. The Clearing House Association L.L.C. in 2009, both in the United States Supreme Court. Both cases were closely decided; Waters was 5-3 and Cuomo was 5-4. Waters held that national bank operating subsidiaries – subsidiaries that engaged in activities permissible for national banks – were not subject to state registration and examination requirements, but only the “visitorial powers” of the OCC.[8] Cuomo held that it was not a reasonable interpretation of the “visitorial powers” provision of the National Bank Act to preempt state enforcement of – as opposed to supervision with respect to – state consumer law against national banks.[9] Waters thus upheld the OCC’s position with respect to one aspect of the preemptive effect of the National Bank Act’s visitorial powers clause, while Cuomo rejected one. Interestingly, although the cases were closely decided, the split of the Justices was unusual: Justice Scalia and Chief Justice Roberts joined Justice Stevens’ dissent in Waters that favored the state regulators, and Justice Scalia wrote the opinion in Cuomo, which was joined by the Court’s more liberal Justices, holding that the OCC could not preempt state enforcement.[10]

Since the two cases were decided, the composition of the Supreme Court has changed substantially, and in particular, Justices Gorsuch, Kavanaugh, and Barrett have replaced Justices Scalia, Kennedy, and Ginsburg. The changed composition has resulted in speculation that the classic Chevron doctrine of deference to administrative agency interpretations of ambiguous statutes may, in an appropriate case, be refined. Justice Ginsburg wrote a classic example of Chevron deference in her opinion upholding the OCC in the famous VALIC bank annuities case. Justice Gorsuch, like Justice Thomas, has publicly criticized Chevron.

It is of course speculative whether any of the current actions against the OCC will reach the Supreme Court or how the Court might rule in them. It is certainly possible, however, that despite some commentators’ wishes, the ultimate resolution to the issues raised by the fintech/payments charter and Valid When Made/True Lender regulations will depend not on policy judgments, but rather such traditional approaches to statutory construction as textual analysis of the National Bank Act and applying canons of construction, and without exhibiting Merovingian supineness to the OCC’s interpretation.

V. The National Trust Bank Charter

With regulation unsettled, one of the special purpose national bank entities that bears a close look by companies seeking to innovate banking is the national trust bank charter. As even the District Court in Lacewell v. OCC conceded, Congress has specifically authorized the OCC to grant federal charters to non-depository institutions engaged in fiduciary activities.[11] Under the OCC’s regulations, these activities include acting as trustee, executor, administrator, registrar of stocks and bonds, transfer agent, guardian, assignee, receiver, or custodian under a uniform gifts to minors act; investment adviser, if the bank receives a fee for its investment advice; any capacity in which the bank possesses investment discretion on behalf of another; or any other similar capacity that the OCC authorizes.[12]

More importantly, although a national trust bank does not accept deposits, it may engage in other activities that are authorized as part of the “business of banking” under 12 U.S.C. 24(SEVENTH) and are related to its business plan.[13] Such activities would include foreign currency activities (including virtual currency activities) and payments. A national trust bank is required to have bona fide fiduciary activities as part of its business plan, but it is not prevented from exercising other related incidental banking powers.[14]

There are other advantages to the national trust bank charter. A national trust bank benefits in the same manner as a national bank from federal preemption. A national trust bank is permitted to become a member of the Federal Reserve System. Controlling shareholders of national trust banks are not regulated as bank holding companies.

Conclusion

The Comptroller of the Currency may be removed by a President only “upon reasons to be communicated by [the President] to the Senate.”[15] A change in Administrations could well mean a change in Comptrollers. Whether the “special purpose” non-depository charter continues to be embraced by the OCC under a Democratic President is an open question (but only an open one, as it was President Obama’s Comptroller, Thomas Curry, who first proposed the national fintech charter). Even so, it is reasonable to expect the state litigation over special purpose charters to continue for some time. National trust bank charters do have explicit authorization by Congress; such entities, assuming that the bank has a bona fide fiduciary business, can engage in incidental banking activities like currency activities and payments that are related to the business plan and therefore may offer an alternative route forward to some firms until the larger questions affecting the U.S. dual banking system are resolved.

_____________________

[1] Lacewell v. OCC, Case 1:18-cv-08377-VM (S.D.N.Y. Oct. 21, 2019).

[2] Madden v. Midland Funding, LLC, 786 F.3d 246 (2d Cir. 2015).

[3] Id.

[4] OCC, Final Rule: Permissible Interest on Loans That Are Sold, Assigned, or Otherwise Transferred, 85 Fed. Reg. 33530 (June 2, 2020).

[5] People of the State of California, People of the State of Illinois, People of the State of New York v. The Office of the Comptroller of the Currency, Case No. 20-cv-5200 (N.D. Cal. 2020).

[6] OCC, Final Rule: National Banks and Federal Savings Associations as Lenders, available at https://www.occ.gov/news-issuances/federal-register/2020/nr-occ-2020-139a.pdf.

[7] Id.

[8] 550 U.S. 1 (2007).

[9] 557 U.S. 519 (2009).

[10] See id.; Waters, 550 U.S. 1, 22 (2007) (Stevens, J.).

[11] 12 U.S.C. § 27(a).

[12] 12 C.F.R. 9.2(e).

[13] See, e.g., OCC Conditional Approval 877 (December 13, 1999) (“The OCC has not limited the operations of trust banks to the exercise of fiduciary powers, but has permitted a range of incidental and nonfiduciary activities. The OCC, when it chartered Trust Co., did not restrict or address its insurance agency activities. Hence, Trust Co.’s charter is sufficiently broad to encompass its proposed insurance and annuity sale[s].”).

[14] Id.

[15] 12 U.S.C. § 2.

The following Gibson Dunn lawyers assisted in preparing this client update: Arthur S. Long and Samantha J. Ostrom.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Financial Institutions practice group, or the following:

Arthur S. Long – New York (+1 212-351-2426, along@gibsondunn.com)
Matthew L. Biben – New York (+1 212-351-6300, mbiben@gibsondunn.com)
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202-955-8220, kday@gibsondunn.com)
Mylan L. Denerstein – New York (+1 212-351- 3850, mdenerstein@gibsondunn.com)
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, jsteiner@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
James O. Springer – New York (+1 202-887-3516, jspringer@gibsondunn.com)
Samantha J. Ostrom – Washington, D.C. (+1 202-955-8249, sostrom@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On September 21, 2020, the Office of the Comptroller of the Currency, the U.S. regulator of national banks, issued an interpretive letter that concluded that national banks may hold deposits that serve as reserves for certain stablecoin issuers (Stablecoin Letter).[1] The Stablecoin Letter’s guidance is another example of the active role the OCC has recently taken in the cryptocurrency and financial technology (fintech) space.

I. Prior Developments

Since becoming Acting Comptroller of the Currency on May 29th, Brian Brooks has made it clear that he views the OCC as taking the lead on technological developments in banking. For example, on July 22nd, the OCC issued an interpretive letter that concluded that national banks may provide “cryptocurrency custody services on behalf of customers, including by holding the unique cryptographic keys associated with cryptocurrency.”[2] The July interpretive letter reaffirms the OCC’s view that national banks may provide traditional banking services – i.e., custody – to any lawful business, including cryptocurrency businesses, “so long as they effectively manage the risks and comply with applicable law.”[3] In July as well the OCC granted the first full-service national bank charter to a fintech company, stating that it represented “the evolution of banking and a new generation of banks that are born from innovation and built on technology intended to empower consumers and businesses.”[4]

II. What Are Stablecoins?

As the OCC explains, a stablecoin is “a type of cryptocurrency designed to have a stable value as compared with other types of cryptocurrency, which frequently experience significant volatility.”[5] Cryptocurrencies often utilize cryptography and distributed ledger technology to act as a medium of exchange that is created and stored electronically. But unlike other cryptocurrencies like bitcoin and ether, a stablecoin is specifically designed to maintain a stable value by being backed by another asset with a relatively stable value, such as a fiat currency.

For example, during 2020, the value of one bitcoin in U.S. dollars has fluctuated from below $5,000 to $12,000. In contrast, one USD Coin – a stablecoin created by Centre Consortium (a collaboration between Coinbase and Circle Internet Financial) and traded on digital currency exchanges like Coinbase – can always be redeemed to the issuer for $1 (minus any fees where applicable), despite its price on third-party platforms fluctuating above $1 (having reached a high of $1.17) or below (having reached a low of $0.92).[6] This reduced volatility results from the stablecoin issuer holding in custody accounts fiat currency or other assets for each stablecoin issued (e.g., USD Coin’s issuer maintains in custody accounts at least $1 for every unit of USD Coin issued)[7] – other cryptocurrencies, such as bitcoin, typically do not maintain such a reserve.

Among other things, stablecoins (1) act as a digital store of value; (2) enable the exchange of one cryptocurrency for another without the need to either sell a cryptocurrency for fiat currency or buy it with fiat; and (3) maintain a more predictable and less volatile value compared to other cryptocurrencies, making it an attractive option as a medium of exchange for transactions such as remittances.

III. The Stablecoin Letter

The Stablecoin Letter addresses a national bank’s authority to hold reserves only for a stablecoin backed on a one-to-one basis by a single fiat currency and held in a hosted wallet.[8] The OCC issued the Stablecoin Letter because certain bank customers, particularly stablecoin issuers, “may desire to place assets in a reserve account with a national bank to provide assurance that the issuer has sufficient assets backing the stablecoin.”

In approving the activity, the OCC stated that national banks are expressly authorized to receive deposits and receiving deposits in a core banking activity. National banks are permitted to provide permissible banking services to any lawful business they choose, including cryptocurrency businesses, so long as they effectively manage the risks of those services and comply with applicable law.

The Stablecoin Letter also sets forth the compliance measures necessary for doing business with stablecoin issuer. National banks should conduct “sufficient due diligence commensurate with the risks associated with maintaining a relationship with a stablecoin issuer.” Such due diligence should include a review to ensure compliance with the customer due diligence requirements under the Bank Secrecy Act and the customer identification requirements under § 326 of the USA PATRIOT Act. In addition, national banks must identify and verify the beneficial owners of legal entity customers opening accounts, comply with applicable federal securities laws, provide accurate and appropriate disclosures regarding deposit insurance coverage, and ensure that deposit activities comply with all other applicable laws and regulations.

Finally, drawing an analogy to audit agreements with program managers for bank-issued prepaid cards, the OCC advised national banks to enter into the necessary agreements with stablecoin issuers to allow the banks to verify at least daily that the reserve account balances for the fiat currency backing the stablecoins are always equal to or greater than the number of the stablecoin issuer’s outstanding stablecoins.

IV. Conclusion

The Stablecoin Letter is another example of the OCC’s interpreting the “business of banking” provision of the National Bank Act in the light of technological advancements. It therefore shows that the agency is seeking to take a lead on fintech banking issues. As part of the business of banking under the National Bank Act, holding deposits for stablecoin issuers should also be permissible for state-chartered banks under the “wild card” provisions of state banking statutes. The Stablecoin Letter is also strong evidence that cryptocurrencies continue to become more and more mainstream, and that traditional legal regimes can no longer shy away from considering them.

________________________

[1] OCC Interpretive Letter No. 1172, at 1 (Sept. 21, 2020), available at https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2020/int1172.pdf. Note that references herein to “national banks” include Federal savings associations.

[2] OCC Interpretive Letter No. 1170, at 1 (July 22, 2020), available at https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2020/int1170.pdf.

[3] Id.

[4] Acting Comptroller of the Currency Presents Varo Bank, N.A. Its Charter (July 31, 2020), available at https://occ.gov/news-issuances/news-releases/2020/nr-occ-2020-99.html (last visited Sept. 28, 2020).

[5] Stablecoin Letter at 1.

[6] See Circle USDC Risk Factors, available at https://support.usdc.circle.com/hc/en-us/articles/360001314526-Circle-USDC-Risk-Factors (last visited Sept. 28, 2020).

[7] USD Coin’s reserves are verified monthly by Grant Thornton LLP and published on Circle Internet Financial’s website, available at https://www.circle.com/en/usdc (last visited Sept. 28, 2020).

[8] Cryptocurrencies are held in “wallets,” which are often software programs that store the cryptographic keys associated with a unique unit of a cryptocurrency. See OCC Interpretive Letter No. 1170, at 5. The OCC defines a “hosted wallet” as a wallet in which the stored cryptographic keys are controlled by an identifiable third party, on behalf of accountholders that do not generally have access to the cryptographic keys. See Letter at note 3.

The following Gibson Dunn lawyers assisted in preparing this client update: Arthur S. Long, Jeffrey L. Steiner and Rama Douglas.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Financial Institutions practice group, or the following:

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

I. Introduction: Themes and Notable Developments

A. Impact of the Pandemic on Securities Enforcement

The first half of 2020 will undoubtedly be most remembered for the impact of the pandemic on every aspect of our lives, both personal and professional. To be sure, the pandemic has had a profound effect on the economy and financial markets. As we know from prior crises, financial shocks give rise to a host of regulatory risks for public companies and market participants and lead the SEC to shift its attention to identifying and investigating indicators of potential securities law violations. History teaches us that unprecedented market volatility, fast moving economic events, and dislocations create substantial challenges for compliance, and that there is a significant increase in the risk of an investigation. As the impact of the pandemic continues today, this heightened investigative risk is compounded by unique challenges of remote work arrangements and the diminished ability for direct oversight and interaction.

Similarly, the pandemic had a significant impact on the SEC’s enforcement program. Among other things, the pandemic caused the Enforcement Division to recalibrate priorities to address emerging risks, resulted in a number of enforcement actions against parties seeking to take advantage of the crisis, and required an adaptation of the investigative process to a remote work environment. Despite the pandemic, the Commission also continued to institute enforcement actions in its traditional areas of focus that had been in the pipeline since before the quarantine.

1. Enforcement Priorities and Regulatory Risks Arising from the Pandemic

Shortly after the nation implemented quarantine protocols in March, the co-directors of the SEC Enforcement Division took the unusual step of issuing a cautionary statement emphasizing “the importance of maintaining market integrity and following corporate controls and procedures” during this crisis. The SEC cited as examples the heightened risk of insider trading (“in these dynamic circumstances, corporate insiders are regularly learning new material nonpublic information that may hold an even greater value than under normal circumstances”) and the need to be mindful of disclosure controls (“protect against the improper dissemination and use of material nonpublic information”).[1]

Six weeks later, in a speech in May, Enforcement Co-Director Steven Peikin provided insights on the Division’s enforcement priorities in light of the pandemic.[2] In response to the pandemic, the Enforcement Division formed a Coronavirus Steering Committee, comprised of leadership from the Home and Regional Offices, the specialized units, and the Office of Market Intelligence, to identify areas of potential misconduct and coordinate the Division’s response to pandemic-related issues. Among the issues receiving heightened regulatory scrutiny are:

Insider Trading and Market Manipulation: The rapid and dramatic impact of the pandemic on the financial performance of companies increases the potential for trading that could be perceived as attributable to material nonpublic information. The Steering Committee is working with the Division’s Market Abuse Unit to monitor announcements in industries particularly impacted by the pandemic and to identify potentially suspicious market movements.
Accounting Fraud: As with other financial crises, the pandemic is likely to expose previously undisclosed financial reporting issues, as well as give rise to rapidly evolving financial reporting and disclosure challenges. The Steering Committee is on the lookout for indications of potential disclosure and reporting misconduct. In particular, the Steering Committee is reviewing public filings with an eye toward disclosures that appear out of step with companies in similar industries. The Committee is also looking for accounting that attempts to inaccurately characterize preexisting financial statement issues as coronavirus related.
Asset Management: Asset managers confront unique challenges created by the pandemic, including with respect to valuations, liquidity, disclosures, and the management of potential conflicts among clients and between clients and the manager. The Steering Committee is working with the Division’s Asset Management Unit to monitor these issues, including failures to honor redemption requests, which could reveal other underlying asset management issues.
Complex Financial Instruments: As with prior financial crises, the pandemic may reveal risks inherent in various structured investment products. The Steering Committee is working with the Division’s Complex Financial Instruments Unit to monitor complex structured products and the marketing of those products to investors.
Microcap Fraud: The Steering Committee is working with the Division’s Microcap Fraud Task Force and Office of Market Intelligence, and has suspended trading in the securities of over 30 issuers relating to allegedly false or misleading claims related to the coronavirus.

As we discussed in our prior alerts in March and May on these issues, by understanding the issues that can give rise to regulatory scrutiny, and consulting with counsel on how to navigate unique challenges, issuers and financial institutions can both lower the risk of being in a regulatory spotlight and resolve regulatory inquiries more efficiently.

The SEC has brought several enforcement actions against parties allegedly seeking to take advantage of the pandemic. These cases have typically involved allegations that a company, or those trading in a company’s securities, have made false or misleading statements about the company’s ability to supply scarce protective or testing products in response to the pandemic. It will take much longer to assess whether the crisis leads to enforcement actions based on more nuanced financial reporting, disclosure, or trading conduct.

In late April, the SEC filed an action against a company and its CEO alleging the defendants issued false and misleading press releases about the company’s ability to supply large quantities of N95 masks.[3] According to the SEC’s complaint, the company issued a press release in February stating that it was in the process of solidifying its mask supply chain, and another press release in March stating that it had a large number of masks on hand. In a subsequent March press release, the company admitted it never had any masks available to sell. The SEC’s complaint alleged that the company never had the masks, any orders for them, or any contracts with companies that could supply them.

In May, the SEC filed actions against two different companies for allegedly misleading investors in their press releases concerning COVID-19 product offerings.[4] According to the first complaint, a bioscience company’s press release incorrectly stated that the company had begun shipping home finger-prick COVID-19 tests when the tests neither shipped nor were intended for home use. In a second action, the SEC alleged that a company and its CEO issued a misleading press release announcing a multinational public-private partnership to sell thermal scanning equipment to detect individuals with fevers when, in fact, the company had neither an agreement to sell the product nor a government partnership.

In June, the SEC also filed actions alleging market manipulations by parties allegedly using the pandemic as a means to inflate the price of companies’ securities. In one action, the SEC alleged that a trader manipulated the stock of a biotechnology company through misleading statements in an online investment forum, including assertions that the company had developed an approved COVID-19 blood test.[5] The complaint also alleged that the defendant spoofed orders on the company’s stock to create the appearance of high demand. In a second action against five Canadian citizens, the SEC alleged that the defendants fraudulently inflated microcap companies’ stock through misleading statements such as a claim that one of the companies could make medical facemasks and that another had automated kiosks for retail use. The complaint also alleged that the defendants enabled the companies’ control persons to anonymously sell company stock and evade registration requirements.[6]

3. Investigative Process in a Remote Work Environment

Despite the pandemic, the Commission’s Enforcement program has continued to conduct investigations, albeit with accommodations for the realities of remote work situations.

In his speech in May, Co-Director Peikin noted that the Division staff continued to remain engaged despite the new challenges of a remote work environment. The Division staff was directed to work with defense counsel and others to reach reasonable accommodations concerning document production, testimony, interviews, and counsel meetings, given the challenges of the pandemic, but Mr. Peikin also cautioned that the staff will need to protect potential claims and won’t agree to an indefinite hiatus in investigations or litigations. In particular, Mr. Peikin noted that in instances where defense counsel does not agree to tolling agreements, the Division will consider recommending that the Commission commence an enforcement action, despite an incomplete investigative record, and will rely on civil discovery to further support its claims.

B. Supreme Court Ruling on Disgorgement

In June 2020, the Supreme Court in Liu v. S.E.C. issued a major decision regarding the scope of the SEC’s power to obtain disgorgement of ill-gotten gains in litigated cases.[7] Liu did not, as some had hoped, do away with disgorgement in litigated actions entirely. Instead, while leaving lower courts to fill in the precise contours, the Supreme Court articulated three guiding principles for determining the availability and scope of SEC disgorgement: first, disgorgement should benefit “wronged investors” rather than “the public at large”; second, courts may hold parties liable only for their own profits, not others’ profits; and third, disgorgement cannot exceed actual gains and must instead be limited to “net profits” after deducting “legitimate expenses.”[8]

Liu arose from a 2016 enforcement action alleging misappropriation of millions of dollars of investors’ funds under the guise of constructing a cancer-treatment center that would have qualified the investors for EB-5 immigration status. In assessing the district court’s award of disgorgement to the SEC, the Supreme Court held that “a disgorgement award that does not exceed a wrongdoer’s net profits and is awarded for victims is … permissible under [15 U.S.C.] § 78u(d)(5),” the statute authorizing the SEC to seek equitable relief.[9] The Court provided general guidelines for lower courts to consult in crafting disgorgement awards consistent with this holding.

First, the Court emphasized that disgorgement must be for the benefit of investors, noting that it “must do more than simply benefit the public at large by virtue of depriving a wrongdoer of ill-gotten gains.”[10] In many cases—for example, where there are no apparent investor victims or it is infeasible to distribute the funds to harmed individuals—the SEC deposits disgorged funds with the Treasury. The Court raised doubts about this practice, opining, “It is an open question whether, and to what extent, that practice … satisfies the SEC’s obligation to award relief ‘for the benefit of investors’….”[11]

Second, the Court emphasized “the common-law rule requiring individual liability for wrongful profits,” while noting that “[t]he historic profits remedy … allows some flexibility to impose collective liability.”[12] Thus, while there could potentially be “liability for partners engaged in concerted wrongdoing,” like the married petitioners in Liu, joint-and-several liability was “seemingly at odds with the common-law rule.”[13]

Third, the Court explained that disgorgement must not exceed a party’s ill-gotten gains, and, therefore, “courts must deduct legitimate expenses before ordering disgorgement.”[14] In assessing whether expenses were legitimate (and hence deductible), even if incurred in connection with a fraudulent scheme, the Court distinguished legitimate expenses that “have value independent of fueling a fraudulent scheme”—for example, possibly the lease payments and cancer-treatment equipment in Liu—from “‘inequitable deductions’ such as for [the alleged fraudsters’] personal services.”[15]

It is unclear how significantly Liu’s guidelines will impact SEC enforcement actions going forward. In particular, the Supreme Court left open the question of whether, and under what circumstances, the SEC is permitted to deposit disgorged funds into the Treasury where, as is often the case, it is infeasible to distribute funds to injured investors (if any exist). The SEC may try to sidestep this issue by finding new ways to benefit investors—for example, by depositing disgorgement proceeds into investor protection funds rather than the Treasury. Meanwhile, the Court’s guidance regarding the deductibility of legitimate expenses that “have value independent of fueling a fraudulent scheme” will, in at least some cases, likely result in a broader set of deductible expenses, thereby shrinking the “net profits” eligible for disgorgement.

Even if Liu significantly constrains the SEC’s disgorgement authority, the Commission could pivot to minimize its impact. First, it is unclear the extent to which Liu’s guiding principles apply to disgorgement in administrative proceedings, where there is express statutory authority for the remedy. The SEC may therefore decide to bring more administrative cases and avoid the judicial forum. Additionally, the SEC may increasingly rely on its statutory authority to pursue civil penalties to make up for any shortfall in disgorgement. As a result, Liu may have the effect of altering the mix (but not the amount) of monetary remedies the SEC seeks.

C. Commissioner and Senior Staffing Update

During the first half of 2020, there were a number of leadership changes, several of which reflect the advancement of lawyers with many years of experience in the Division of Enforcement to positions of senior leadership.

As we previewed in our Year-End Enforcement Alert, Commissioner Robert Jackson stepped down in February 2020 to return to teaching at NYU Law School. In June, President Trump nominated Caroline Crenshaw to fill the vacancy. Ms. Crenshaw has worked at the Commission since 2013, most recently as counsel to Commissioner Jackson. Previously, Ms. Crenshaw worked as counsel to former Democratic Commissioner Kara Stein, a position also once held by current Democratic Commissioner Allison Herren Lee. Before joining the Commission, Ms. Crenshaw worked in private practice on investigations defense. Ms. Crenshaw is also a judge advocate in the U.S. Army Judge Advocate General’s Corps. Until Ms. Crenshaw is confirmed, the Commission will operate with four Commissioners: Chairman Jay Clayton, along with Commissioners Hester Peirce, Elad Roisman, and Lee (currently the only Democrat).

Other changes in the senior staffing of the Commission include:

In February, Paul Montoya was appointed Associate Regional Director in the SEC’s Chicago Office. As Associate Regional Director, Mr. Montaya co-heads the Enforcement program for the Office, along with Associate Regional Director Kathryn Pyszka. Mr. Montoya has worked at the SEC since 1997, including most recently as an Assistant Regional Director in the Chicago office, where he supervised staff in the Asset Management Unit.
Also in February, Kelly Gibson was appointed Director of the SEC’s Philadelphia Office. She was most recently Associate Regional Director in the Philadelphia office, and has worked at the SEC since 2008, including working in the Market Abuse Unit.
In June, Jennifer Leete was named Associate Director in the SEC’s Division of Enforcement. Ms. Leete has worked at the SEC since 1999, most recently as an Assistant Director. She succeeds Antonia Chion who retired in February 2020.

With the election approaching in November, one should expect a number of additional changes over the remainder of the year at senior levels of the Commission. In June, President Trump proposed Chairman Clayton as the U.S. Attorney for the Southern District of New York. However, in view of the events surrounding the nomination, it appears unlikely that the appointment will receive Senate consideration before the election.

D. Whistleblower Awards

The last six months have reflected two distinct trends in the Commission’s whistleblower program—an increase in the number of whistleblower complaints, as well as an increase in the number and size of whistleblower awards.

First, as a result of the pandemic, the Commission has noted a marked increase in the number of whistleblower tips. In the two months of quarantine, from mid-March to mid-May, the Enforcement Division triaged more than 4,000 whistleblower tips, a 35% increase over the same period in 2019. As the pandemic continues to impact businesses through the remainder of this year, including by affecting financial reporting, disclosure, and trading, one should expect the increased pace of whistleblower complaints to continue. This puts a premium on companies’ ability to demonstrate their response to internal complaints that could presage a whistleblower report to the government.

The second notable trend has been the increased number and size of whistleblower awards in the first half of this year. During the first half of 2020, the SEC awarded a total of nearly $115 million to 15 separate whistleblowers.

Most notably, in June, the SEC announced the single largest whistleblower payment in the program’s history—$50 million to an individual who reported what the SEC described as “detailed, firsthand observations” of company misconduct which resulted in an enforcement action that returned funds to harmed investors.[16] In April, the SEC awarded over $27 million, the seventh-largest award in the program’s history, to a whistleblower for information that uncovered violations occurring domestically and abroad.[17] Also in April, the SEC awarded over $18 million to a whistleblower who provided information that helped initiate an enforcement action which allowed investors to recover “millions of dollars in losses.”[18]

Other significant whistleblower awards granted during the first half of this year include:

Two awards in January of $277,000 and $45,000 respectively to two whistleblowers in connection with separate fraudulent retail investment schemes.[19]
An award in February of over $7 million for sustained cooperation that led to a successful enforcement action.[20]
Four awards in March—a $1.6 million payment for information that revealed securities law violations;[21] $570,000 and $94,000 payments for assistance that resulted in several enforcement actions;[22] and a $450,000 payment for assistance from a compliance professional who first reported internally and waited the required 120 days before reporting to the SEC.[23]
Two awards in April: one for $2 million for information the SEC deemed “vital” and difficult to uncover without the individual’s cooperation;[24] and a second for nearly $2 million for what the SEC described as “critical evidence of wrongdoing” provided by a whistleblower who suffered hardship as a result of first raising concerns within their organization.[25]
An award in May of nearly $2 million for information that led to a successful enforcement action and allowed for an asset freeze that prevented disgorgement of ill-gotten investor funds.[26]
Two awards in June, including a $700,000 payment for information that resulted in asset recovery for investors[27] and a $125,000 payment for information and assistance which helped the SEC and another agency bring enforcement actions against the perpetrator of a fraudulent securities offering.[28]

In total, as of the end of June 2020, the Commission has paid out approximately $501 million to 85 individuals since the whistleblower program began.[29] Because whistleblower awards relate to prior enforcement actions, the recent awards are unrelated to the pandemic. However, the number and size of the recent awards reflect the strong incentives such awards provide to would-be whistleblowers.

II. Public Company Cases

A. Accounting Fraud and Internal Controls

1. Disclosures Cases

In February, the SEC announced a settled order against a global alcohol producer for failing to disclose trends affecting its key performance indicators.[30] The SEC alleged that the producer reported high organic net sales growth and organic operating profit growth without mentioning its pattern of shipping products in excess of distributor demand. According to the settled order, the company allegedly pressured distributors to buy products in excess of demand in order to meet internal sales targets despite declining market conditions, and the resulting increase in shipments enabled the company to meet performance targets and to report higher growth in certain performance indicators. The order also alleged that the company failed to disclose the trends that resulted from shipping products in excess of demand, the positive impact the over-shipping had on sales and profits, and the negative impact that the increase in inventory would have on future growth. The SEC’s order notes that the producer did not report these trends because it did not have adequate procedures in place to consider whether the company needed to disclose them.[31] Without admitting or denying the findings in the SEC’s order, the producer agreed to pay a $5 million civil penalty to settle the action.

In June, the SEC announced a settled action against an insurance company for failing to fully disclose benefits provided to its former CEO.[32] The company allegedly did not report over $5.3 million worth of personal expenses over five years even after the company had been made aware of the inaccuracies. Without admitting or denying the findings, the company consented to the SEC’s cease-and-desist order and to a $900,000 civil penalty.

2. Financial Reporting

In February, the SEC instituted a settled action against a financial institution for allegedly misleading representations concerning the success of its cross-selling business strategy.[33] According to the settled order, the cross-sell metric reflected accounts and services that were unused and unauthorized by customers, and that had been opened through sales practices inconsistent with the company’s disclosure of a needs-based selling model. Without admitting or denying the allegations, the firm agreed to cease and desist from future violations and to pay a civil penalty of $500 million for distribution to investors. The settlement was part of a broader resolution with the Department of Justice.

Also in February, the SEC filed an action against a parent company, two of its former executives, and its energy subsidiary for allegedly making misleading statements about the subsidiary’s nuclear power plant expansion.[34] According to the complaint, which was filed in federal court in South Carolina, the defendants represented that the company was on track in its plan to build two plants and receive nearly $1 billion in tax credits, even though they knew the company was behind schedule and the plan was eventually abandoned.

3. Cases against Independent Auditors

In May, the SEC instituted settled administrative actions against three former audit partners at an international accounting firm based on allegations that they improperly shared answers to internal training exams and attempted to cover up the misconduct during an internal investigation.[35] The settled order alleged that one former partner requested a second former partner to text him images of exam questions, and during the firm’s internal investigation, the first former partner deleted the texts and encouraged the other former partner to follow suit. The third former partner also allegedly shared exams and answers within his team. Without admitting or denying the findings, the former partners agreed to suspensions on appearing or practicing before the SEC as accountants with the right to apply for reinstatement after durations of three years for the first former partner, two for the second, and one for the third.

III. Broker-Dealers

A. Suitability

In February, the SEC instituted a settled action against two subsidiaries of a broker-dealer relating to supervision of investment advisers and registered representatives who recommended certain investments—single-inverse ETFs—to retail investors.[36] The SEC’s administrative order alleged that the broker-dealer’s policies and training were not reasonably designed to prevent and detect potentially unsuitable recommendations of single-inverse ETFs. Consequently, certain employees allegedly recommended clients buy and hold those securities, despite the risk associated with holding such investments for longer than one day. Without admitting or denying the SEC’s findings, the firm agreed to pay a $35 million penalty to be distributed to clients.

B. Trade Execution

In May, the SEC instituted a settled administrative action against an agency broker-dealer for routing certain customer orders in a manner inconsistent with representations in marketing materials as to how customer orders would be routed to market centers for execution.[37] According to the SEC’s order, the firm represented that customer orders would be routed to market centers through the firm’s smart order router based on execution price and liquidity factors. However, during the relevant period, the firm had entered into arrangements to route orders to unaffiliated broker-dealers (who had more favorable, high-volume pricing arrangements with market centers) to determine routing of the orders to market centers. Without admitting or denying the SEC’s allegations, the firm agreed to pay a $5 million penalty. The SEC’s order also recognized the firm’s cooperation, including retaining an outside expert to analyze the large volume of data related to customer orders and executions.

C. Fees

In May, the SEC instituted a settled action against a broker-dealer based on allegations that the firm provided allegedly misleading information about its “wrap fee” program to customers.[38] “Wrap fee” programs offer accounts in which clients pay an asset-based fee for a bundle of investment advisory and brokerage services, including trade execution services. According to the SEC’s order, the firm marketed the program as providing investment advice, trade execution, and other services for a single fee, but it allegedly directed certain wrap fee clients’ trades to third-party broker-dealers for execution, which in some instances resulted in clients incurring additional trade execution fees. Without admitting or denying the allegations, the firm agreed to pay a $5 million penalty for distribution to affected clients.

D. Record-Keeping

In the first half of this year, the SEC instituted settled enforcement actions against two separate broker-dealers for deficiencies in trading information—known as “blue sheet” data—that the firms provided to the SEC in response to requests.[39] SEC staff routinely requests blue sheet data from broker-dealers in a variety of investigations or regulatory inquiries. In both of the enforcement actions, the errors in the data that the broker-dealers provided were the result of undetected coding errors in the process for identifying data for production to the SEC. In both actions, the broker-dealer firms consented to violations of the record-keeping provisions of the Securities Exchange Act, Section 17(a)(1) and Rules 17a-4(j) and 17a-25. The firms agreed to pay penalties to the SEC of $3.2 million and $1.55 million, respectively.

Notably, in both settlements, the SEC required the respondent broker-dealer firms to admit to the findings in the settled order, even as both orders acknowledged the firms’ remedial actions and cooperation in the investigations; admissions have become a standard practice in blue sheet cases brought by the SEC.

IV. Investment Advisers

A. Risk Management

In January, the SEC instituted partially settled enforcement actions against a New York-based investment advisory firm, the firm’s president, and a senior portfolio manager for allegedly misleading representations concerning the management of risk in a mutual fund managed by the advisory firm.[40] The advisory firm and president settled the action; the portfolio manager is contesting the allegations. According to the SEC’s order and complaint, during a three-month period, from December 2016 to February 2017, the fund managed by the advisory firm lost approximately 20% of its value when markets moved against the fund’s positions. The SEC’s settled order against the firm and the president alleged that the advisory firm represented that it maintained risk parameters, but that the firm breached those parameters and did not take corrective action to avoid losses. The SEC’s pending complaint against the portfolio manager alleges that he represented to investors that he employed a risk management strategy involving safeguards to prevent losses of more than 8%, but that in fact such safeguards did not limit losses. Without admitting or denying the SEC’s findings, the advisory firm and president agreed to implement remedial compliance measures and to pay disgorgement and interest of approximately $9 million and penalties of $1.3 million by the advisory firm and $300,000 by the president.

B. Pre-Release ADRs

In 2020, the SEC has continued its initiative, commenced in 2018, focused on practices related to American Depositary Receipts (“ADRs”). ADRs are U.S. securities that represent foreign shares of a foreign company, and they typically require foreign shares in the same quantity to be held in custody at a depositary bank.[41] “Pre-released” ADRs are a variation that are issued without the deposit of foreign shares. Instead, they require that a customer either already owns the number of shares in equal amounts to the number of shares represented by the ADR or that the broker receiving the shares has an agreement with a depository bank.

In February, the SEC instituted its fifteenth action involving pre-released ADRs. In that settled action, the SEC’s order alleged that the broker-dealer improperly borrowed pre-released ADRs from other brokers when it should have known that the brokers did not own the corresponding foreign shares.[42] The order also alleged that the broker-dealer failed to reasonably supervise its securities lending desk personnel concerning the borrowing of pre-released ADRs from these brokers. Without admitting to or denying the allegations, the firm agreed to pay disgorgement and interest of approximately $400,000 and a penalty of approximately $180,000.

In April, the SEC instituted the final three actions the Enforcement Division intends to recommend under the Division’s Share Class Selection Disclosure Initiative, a program which provided advisers an opportunity to self-report failures to fully disclose conflicts of interest in selecting mutual fund share classes. Under the program, self-reporting advisers were eligible for standardized settlement terms that included disgorgement of fees, but did not include a penalty.[43] These latest settled orders related to two advisers who self-reported by the deadline and consented to violations of Section 206(2) of the Advisers Act and one who reported shortly after the deadline and consented to violations of Sections 206(2) and 206(4) of the Advisers Act and agreed to pay a $10,000 penalty.

D. Policies and Procedures to Prevent Misuse of MNPI

In May, the SEC instituted a settled administrative action against a Los Angeles-based private equity investment adviser firm based on allegations that the firm failed to implement and enforce policies and procedures reasonably designed to prevent the misuse of material nonpublic information under the particular circumstances in which the firm had a senior employee on the board of a portfolio company while also trading in the public securities of the portfolio company.[44] Notably, the settled order did not allege that the firm engaged in any trading while in possession of material nonpublic information. Even though the firm conducted its trading during the portfolio company’s open trading windows, and the firm’s compliance department had approved the firm’s trades, the SEC’s order alleged that the firm did not require its compliance staff to inquire or document sufficiently whether the board representative or other members of the investment team were in possession of material nonpublic information relating to the portfolio company. Without admitting or denying the allegations, the firm agreed to pay a $1 million penalty.

E. Misrepresentation

In May, the SEC filed a complaint and a request for appointment of a receiver against a Florida-based investment advisory firm alleging that the firm improperly inflated revenue data in order to increase asset values and performance metrics.[45] The complaint also alleged that the firm misrepresented monthly returns and investment balances, which, in turn, resulted in the payment of inflated management fees to the firm. The court granted the SEC’s request for appointment of a receiver, and the litigation is ongoing.

V. Ratings Agencies

In May, the SEC instituted a settled action against a credit rating agency for allegedly violating two conflict of interest rules—Rule 17g-5(c)(8)(i) and Section 15E(h)(1) of the Securities Exchange Act of 1934—designed to separate credit ratings and analysis from sales and marketing efforts.[46] According to the SEC’s settled order, analysts responsible for analyzing and rating the credit of companies also participated in sales and marketing efforts targeted at the same companies the analysts were responsible for rating, creating an impermissible conflict of interest. Additionally, the SEC alleged that the credit rating agency failed to maintain sufficient written policies and procedures to separate the firm’s analytical and business development functions. Without admitting or denying the findings, the credit rating agency agreed to pay a $3.5 million penalty and agreed to conduct training and implement changes to its internal controls, policies, and procedures related to the charged provisions.

VI. Cryptocurrency

In the first half of 2020, the Commission continued to bring enforcement actions in the area of cryptocurrency and other digital assets. Some of the enforcement actions were based on alleged failures to comply with the requirement to register an offering of assets deemed to be securities; other actions included allegations of fraud in the offer and sale of digital assets; and one case concerned a celebrity endorsement of an initial coin offering (ICO) without disclosure of compensation received by the celebrity.

A. Registration Cases

In February, the SEC instituted a settled action against a blockchain technology company for conducting an unregistered offering of digital tokens, which the SEC determined to be investment contracts, i.e., securities.[47] Citing to the Supreme Court’s decision in SEC v. W.J. Howey Co.,[48] as well as the SEC’s Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO,[49] the SEC’s order alleged that a purchaser of the digital tokens would have had a reasonable expectation of obtaining a future profit based on the company’s representations and efforts to build its business, including through its use of the ICO fund proceeds to develop a data marketplace for data sets relating to digital assets. In total, the offering raised approximately $45 million. Without admitting or denying the SEC’s findings, the company has agreed to return the funds raised to investors via a claims process, register the tokens as securities, file periodic reports with the SEC, and pay a $500,000 penalty.

In May, the SEC instituted a settled action against a blockchain technology company for conducting an unregistered ICO which raised over $25 million by selling Consumer Activity Tokens to approximately 9,500 investors.[50] During the offering, the company emphasized its expectation that the tokens would increase in value and took steps to make the tokens available for trading on third-party digital asset trading platforms after the ICO. The company planned on using the ICO funds to develop a blockchain-based search platform for targeted consumer advertising. Without admitting or denying the SEC’s findings, the company agreed to pay disgorgement and interest of approximately $29 million and a penalty of $400,000. Additionally, the company removed the Consumer Activity Tokens from all digital asset trading platforms and does not plan to continue development of the search platform.

B. Fraud Cases

In January, the SEC commenced an action against two individuals and two businesses, alleging violations of the antifraud and securities registration provisions of the federal securities laws in connection with the sale of digital assets.[51] The complaint alleged that in marketing and selling digital asset securities to raise funds for a blockchain technology they were developing, the defendants misrepresented that the technology was being tested by 20 hedge funds, when in reality they had sent a prototype to 12 hedge funds, none of which used the prototype. Additionally, the complaint alleged that one of the individual defendants used a fake identity when marketing the digital securities to conceal his criminal record. In a parallel action, the U.S. Attorney’s Office for the District of New Jersey announced criminal charges against the individual who misrepresented his identity to investors.

In February, the SEC filed an action against an individual alleging violations of the antifraud provisions of the federal securities laws based on misrepresentations about the profits purportedly earned from trading digital assets.[52] The complaint alleged that the defendant misrepresented to investors, comprised mainly of physicians, that he had developed a proprietary algorithm that enabled him to generate extraordinary profits trading cryptocurrencies. Additionally, the complaint alleged that the defendant misrepresented the amount of assets he had under management and used investor funds to pay for personal expenses. In parallel actions, the U.S. Attorney’s Office for the Southern District of New York and the Commodity Futures Trading Commission brought criminal and civil actions against the defendant.

In March, the SEC filed an action against three individuals alleging violations of the antifraud and securities registration provisions of the federal securities laws in connection with an ICO. The complaint alleged that the individuals conducted an unregistered ICO—raising more than $4.3 million from more than 150 investors—and made fraudulent representations to investors regarding the risk and value of the digital assets being offered.[53] The complaint also alleged that the individuals never distributed the digital assets to the investors and instead used investor funds to pay personal expenses and funnel proceeds to two other parties.

C. Failure to Disclose Compensation for Endorsement

In February, the SEC instituted a settled action against a celebrity for allegedly violating the anti-touting provisions of the federal securities laws.[54] The celebrity promoted an investment in an ICO but failed to disclose payments he received from the issuer for the endorsements. The endorsements included posts on the celebrity’s public social media accounts and a press release. Without admitting or denying the SEC’s findings, the celebrity agreed to pay disgorgement of the promotional payments of $157,000 he had received, as well as a $157,000 penalty and agreed not to promote any securities, digital or otherwise, for three years.

VII. Offering Frauds

In the first half of 2020, the SEC continued to bring a substantial number of enforcement actions to enjoin offering frauds, particularly those that targeted retail investors, including seniors.

A. Ponzi-Like Schemes

In January, the SEC filed three cases alleging fraudulent securities offerings that amounted to Ponzi-like schemes. In the first, the SEC alleged that an individual fraudulently raised at least $75 million from more than 500 investors through unregistered securities offerings, promising investors a perpetual guaranteed rate of return on their investments, which he claimed to be channeling into the purchase or creation, marketing, and maintenance of revenue-generating websites.[55] The complaint, which the SEC filed in federal court in Chicago, alleges that, in reality, the defendant used investors’ funds to pay investor returns and his own personal expenses, including mortgage payments and private school tuition for his family. The Court granted a temporary restraining order and preliminary injunction, ordered an asset freeze and other emergency relief against the defendant, and appointed a receiver for the defendant’s company.[56]

In the second case, the SEC filed an action against two individuals and their companies, alleging that they conducted a fraudulent securities offering that raised almost $5 million from retail investors.[57] The complaint, which the SEC filed in federal court in California, alleges that the defendants solicited investments in a holding company they controlled, purporting that the funds would be used to operate a Washington-licensed recreational marijuana company. Instead, the complaint alleges, the defendants used the investors’ funds to support their own lavish lifestyles.

In the third case, the SEC filed an action against a California couple alleging a fraudulent securities offering that raised almost $1 billion from seventeen investors, including major institutional investors, between 2011 and 2018.[58] According to the complaint, which the SEC filed in federal court in Sacramento, the defendants solicited investments from wealthy investors by offering securities in the form of investment contracts through their two solar generator companies. The complaint alleged that the defendants promised investors tax credits, lease payments, and profits from the operation of mobile solar generators but never manufactured the majority of the promised generators and instead used investor funds to pay other investors and for personal expenses. The defendants consented to permanent injunctions, with monetary relief to be determined by the court.

In the first half of 2020, the SEC filed two actions alleging investment frauds that targeted retail investors, including senior citizens. In February, the SEC filed an action against a Florida-based private real estate firm and its CEO and Managing Director, alleging the defendants fraudulently raised more than $170 million from at least 1,100 investors.[59] According to the complaint, the defendants represented to investors that they would receive between 8% and 10% annual interest on their investments, and that their investment would be used to purchase undervalued real estate. The SEC alleges that, in reality, the defendants invested less than half of the funds in properties and used the remainder on personal expenses and to repay investors in another fund. The court granted the SEC’s request for emergency relief, including an accounting and the appointment of a receiver over the primary and relief defendants.

In a second case, in May, the SEC filed an action against a California investment adviser alleging he conducted a Ponzi scheme targeting senior citizens in Southern California.[60] The complaint alleges that the defendant raised more than $5.6 million from at least 35 investors by marketing securities in another of his companies and by promising investors between 3% and 10.5% returns on so-called “private annuity contracts.” According to the complaint, the defendant did not invest the funds in any securities but rather used the funds to pay promised returns to other investors and to settle investor fraud lawsuits. The court ordered an asset freeze, an accounting, and appointment of a temporary receiver.[61] The U.S. Attorney’s Office for the Central District of California also filed a criminal complaint against the defendant.

B. Microcap Stock Fraud

In January, the SEC filed a pair of complaints against six individuals in the U.S., Canada, and Europe alleging fraudulent and unregistered stock offerings in at least 45 microcap companies that raised over $35 million.[62] The complaints allege that the defendants conducted two schemes: one to secretly dump large quantities of microcap stock while fraudulently transferring and hiding the source of funds used to promote the stocks, and another to sell and then manipulatively trade millions of unregistered shares of a microcap stock while artificially inflating its price and dumping the shares into the market. The U.S. Attorney’s Office for the Southern District of New York announced parallel criminal charges.

C. Affinity-Based Offering Frauds

In January, the SEC filed a settled action against a Pennsylvania man for allegedly conducting a decade-long fraud, which raised approximately $60 million in investments from Amish and Mennonite community members.[63] According to the SEC’s complaint, the defendant, who provided accounting and investment services to fellow Amish and Mennonite community members, solicited investments from his clients and promised to invest the funds in business and real estate loans to other members of the religious community but instead funneled a large percentage of the investments into his personal investment projects, which failed and left him unable to repay investors. The settlement provided for injunctive relief and the return of ill-gotten gains plus prejudgment interest. In February, the defendant also pleaded guilty to criminal charges of conspiracy and fraud brought by the U.S. Attorney’s Office for the Eastern District of Pennsylvania.

Also in the first half of 2020, the SEC filed two actions against individuals alleging investment frauds that targeted senior retail investors’ retirement funds. In the first action, in March, the SEC filed a complaint alleging that a Russian national, through a number of companies he owned, raised over $26 million from retail investors, many of them older investors looking to invest their retirement savings. According to the complaint, the defendant used internet ads linked to spoofed websites of 24 actual legitimate financial firms to lure investors to invest in fictitious Certificates of Deposit.[64] The U.S. Attorney’s Office for the District of New Jersey announced parallel criminal charges.

In the second action, in June, the SEC filed a complaint alleging that a securities broker based in Nashville, Tennessee, defrauded two seniors of nearly $1 million over the course of four years.[65] According to the complaint, after acting as the senior investor’s registered representative for more than three decades, the defendant made unauthorized sales of securities from the investor’s account and transferred the proceeds of those sales into his own bank account using falsified wire transfer forms. The complaint further alleged that, after the first investor’s death in March 2019, the defendant stole funds from another senior’s brokerage account in similar fashion. The U.S. Attorney’s Office for the Middle District of Tennessee also filed parallel criminal charges.

D. Misuse of Client Funds

In March, the SEC filed charges, and obtained an asset freeze and other emergency relief, against a Florida-based investment adviser and its managing member in connection with an alleged fraudulent unregistered securities offering.[66] The SEC’s complaint alleged that the investment adviser made misrepresentations to investors about a purported hedge fund including assurances that investor funds were deposited into a sub-fund, which was purportedly invested in U.S.-listed products and 90% hedged using listed options. According to the complaint, the investment adviser instead directed a significant part of investor funds to a private start-up company owned by a managing member.

In May, the SEC filed an action against the owner of a film distribution company for allegedly violating the antifraud provisions of the federal securities laws.[67] The SEC’s complaint alleged that the individual diverted funds he received from an investment management company, which were meant to support his film distribution business, to a sham company and then used the investor funds to pay personal expenses. The SEC is seeking disgorgement, civil penalties, and permanent injunctive relief. In a parallel action, the U.S. Attorney’s Office for the Southern District of New York filed criminal charges against the individual.

______________________

[1] Public Statement, “Statement from Stephanie Avakian and Steven Peikin, Co-Directors of the SEC’s Division of Enforcement, Regarding Market Integrity” (Mar. 23, 2020), available at https://www.sec.gov/news/public-statement/statement-enforcement-co-directors-market-integrity.

[2] See May 12, 2020 Keynote Address: Securities Forum West 2020, available at https://www.sec.gov/news/speech/keynote-securities-enforcement-forum-west-2020.

[3] SEC Press Release, SEC Charges Company and CEO for COVID-19 Scam (Apr. 28, 2020), available at https://www.sec.gov/news/press-release/2020-97.

[4] SEC Press Release, SEC Charges Companies and CEO for Misleading COVID-19 Claims (May 14, 2020), available at https://www.sec.gov/news/press-release/2020-111.

[5] SEC Press Release, SEC Charges California Trader Engaged in Manipulative Trading Scheme Involving COVID-19 Claims (June 9, 2020), available at https://www.sec.gov/news/press-release/2020-128.

[6] SEC Press Release, SEC Charges Microcap Fraud Scheme Participants Attempting to Capitalize on the COVID-19 Pandemic (June 11, 2020), available at https://www.sec.gov/news/press-release/2020-131.

[7] 140 S. Ct. 1936 (2020).

[8] See also Barry Goldsmith et al., Supreme Court Reins In, But Does Not Overturn, SEC’s Disgorgement Authority, New York Law Journal (June 25, 2020), available at https://www.law.com/newyorklawjournal/2020/06/25/supreme-court-reins-in-but-does-not-overturn-secs-disgorgement-authority/, for a discussion of the implications of Liu.

[9] 140 S. Ct. at 1940.

[10] Id. at 1948.

[11] Id.

[12] Id. at 1949.

[13] Id.

[14] Id. at 1950.

[15] Id.

[16] SEC Press Release, SEC Awards Record Payout of Nearly $50 Million to Whistleblower (June 4, 2020), available at https://www.sec.gov/news/press-release/2020-126.

[17] SEC Press Release, SEC Awards Over $27 Million to Whistleblower (Apr. 16, 2020), available at https://www.sec.gov/news/press-release/2020-89.

[18] SEC Press Release, SEC Awards Over $18 Million to Whistleblower (Apr. 28, 2020), available at https://www.sec.gov/news/press-release/2020-98.

[19] SEC Press Release, SEC Awards Whistleblowers Whose Information Helped Stop Fraud (Jan. 22, 2020), available at https://www.sec.gov/news/press-release/2020-15.

[20] SEC Press Release, SEC Awards More Than $7 Million to Whistleblower (Feb. 28, 2020), available at https://www.sec.gov/news/press-release/2020-46.

[21] SEC Press Release, SEC Awards Over $1.6 Million to Whistleblower (Mar. 23, 2020), available at https://www.sec.gov/news/press-release/2020-69.

[22] SEC Press Release, SEC Awards Over $570,000 to Two Whistleblowers (Mar. 24, 2020), available at https://www.sec.gov/news/press-release/2020-71.

[23] SEC Press Release, SEC Awards $450,000 to Whistleblower (Mar. 30, 2020), available at https://www.sec.gov/news/press-release/2020-75.

[24] SEC Press Release, SEC Awards Approximately $2 Million to Whistleblower (Apr. 3 2020), available at https://www.sec.gov/news/press-release/2020-80.

[25] SEC Press Release, SEC Issues $5 Million Whistleblower Award (Apr. 20, 2020), available at https://www.sec.gov/news/press-release/2020-91.

[26] SEC Press Release, SEC Awards Almost $2 Million to Whistleblower (May 4, 2020), available at https://www.sec.gov/news/press-release/2020-100.

[27] SEC Press Release, SEC Awards Almost $700,000 to Whistleblower (June 19, 2020), available at https://www.sec.gov/news/press-release/2020-138.

[28] SEC Press Release, SEC Awards $125,000 to Whistleblower (June 23, 2020), available at https://www.sec.gov/news/press-release/2020-141.

[29] Id.

[30] SEC Press Release, SEC Charges Global Alcohol Producer with Disclosure Failures (Feb. 19, 2020), available at https://www.sec.gov/news/press-release/2020-36.

[31] Administrative Proceeding File No. 3-19701, In the Matter of Diageo plc (Feb. 19, 2020), available at https://www.sec.gov/litigation/admin/2020/33-10756.pdf.

[32] SEC Press Release, Insurance Company Settles SEC Charges for Failing to Disclose Executive Perks (June 4, 2020), available at https://www.sec.gov/news/press-release/2020-127.

[33] SEC Press Release, Wells Fargo to Pay $500 Million for Misleading Investors About the Success of Its Largest Business Unit (Feb. 21, 2020), available at https://www.sec.gov/news/press-release/2020-38.

[34] SEC Press Release, SEC Charges South Carolina Energy Companies Former Executives With Defrauding Investors (Feb. 27, 2020), available at https://www.sec.gov/news/press-release/2020-44.

[35] SEC Press Release, SEC Charges Three Former KPMG Audit Partners for Exam Sharing Misconduct (May 18, 2020), available at https://www.sec.gov/news/press-release/2020-115.

[36] SEC Press Release, SEC Charges Wells Fargo in Connection with Investment Recommendation Practices (Feb. 27, 2020), available at https://www.sec.gov/news/press-release/2020-43.

[37] SEC Press Release, SEC Charges Bloomberg Tradebook for Order Routing Misrepresentations (May 6, 2020), available at https://www.sec.gov/news/press-release/2020-104.

[38] SEC Press Release, SEC Charges Morgan Stanley Smith Barney with Providing Misleading Information to Retail Clients (May 12, 2020), available at https://www.sec.gov/news/press-release/2020-109.

[39] SEC Press Release, Cantor Fitzgerald Agrees to Pay $3.2 Million to Settle Charges for Providing Deficient Blue Sheet Data (Apr. 6, 2020), available at https://www.sec.gov/news/press-release/2020-81; SEC Press Release, SG Americas to Pay $3.1 Million to Settle Charges of Providing Deficient Blue Sheet Data (June 24, 2020), available at https://www.sec.gov/news/press-release/2020-142.

[40] SEC Press Release, SEC Charges Portfolio Manager and Advisory Firm with Misrepresenting Risk in Mutual Fund (Jan. 27, 2020), available at https://www.sec.gov/news/press-release/2020-21.

[41] SEC Press Release, ABN AMRO Clearing Chicago Charged with Improper Handling of ADRs (Feb. 6, 2020), available at https://www.sec.gov/news/press-release/2020-29.

[42] Admin. Proc. File No. 3-19693, In the Matter of ABN AMRO Clearing Chicago LLC (Feb. 6, 2020), available at https://www.sec.gov/litigation/admin/2020/34-88139.pdf.

[43] SEC Press Release, SEC Orders Three Self-Reporting Advisory Firms to Reimburse Investors (Apr. 17, 2020), available at https://www.sec.gov/news/press-release/2020-90.

[44] SEC Press Release, Private Equity Firm Ares Management LLC Charged with Compliance Failures (May 26, 2020), available at https://www.sec.gov/news/press-release/2020-123.

[45] SEC Press Release, SEC Obtains Receiver Over Florida Investment Adviser Charged with Fraud (May 12, 2020), available at https://www.sec.gov/news/press-release/2020-110.

[46] SEC Press Release, SEC Orders Credit Rating Agency to Pay $3.5 Million for Conflicts of Interest Violations (May 15, 2020), available at https://www.sec.gov/news/press-release/2020-112.

[47] SEC Press Release, ICO Issuer Settles SEC Registration Charges, Agrees to Return Funds and Register Tokens As Securities (Feb. 19, 2020), available at https://www.sec.gov/news/press-release/2020-37.

[48] 328 U.S. 293 (1946).

[49] Exchange Act Rel. No. 81207 (July 25, 2017).

[50] SEC Press Release, Unregistered $25.5 Million ICO Issuer to Return Money for Distribution to Investors (May 28, 2020), available at https://www.sec.gov/news/press-release/2020-124.

[51] SEC Press Release, SEC Charges Convicted Criminal Who Conducted Fraudulent ICO Using a Fake Identity (Jan. 17, 2020), available at https://www.sec.gov/news/press-release/2020-12.

[52] SEC Press Release, SEC Charges Orchestrator of Cryptocurrency Scheme Ensnaring Physicians (Feb. 11, 2020), available at https://www.sec.gov/news/press-release/2020-32.

[53] SEC Press Release, SEC Emergency Action Stops Digital Asset Scam (Mar. 20, 2020), available at https://www.sec.gov/news/press-release/2020-66.

[54] SEC Press Release, Actor Steven Seagal Charged With Unlawfully Touting Digital Asset Offering (Feb. 27, 2020), available at https://www.sec.gov/news/press-release/2020-42.

[55] SEC Press Release, SEC Obtains Emergency Asset Freeze, Charges Businessman With Operating a Ponzi-Like Scheme (Jan. 14, 2020), available at https://www.sec.gov/news/press-release/2020-10.

[56] SEC Litigation Release, SEC Obtains Preliminary Injunction Against Businessman for Operating a Ponzi-Like Scheme (Mar. 6, 2020), Litigation Release No. 24760, available at https://www.sec.gov/litigation/litreleases/2020/lr24760.htm.

[57] SEC Press Release, SEC Files Charges Against Scheme to Sell Fictitious Interests in Marijuana Company (Jan. 21, 2020), available at https://www.sec.gov/news/press-release/2020-14.

[58] SEC Press Release, SEC Charges Husband and Wife with Nearly $1 Billion Ponzi Scheme (Jan. 24, 2020), available at https://www.sec.gov/news/press-release/2020-18.

[59] SEC Press Release, SEC Charges Real Estate Company and Executives With Defrauding Retail Investors, Obtains Emergency Relief (Feb. 18, 2020), available at https://www.sec.gov/news/press-release/2020-35.

[60] SEC Press Release, SEC Shuts Down Fraudulent Investment Adviser Targeting Senior Citizens (May 22, 2020), available at https://www.sec.gov/news/press-release/2020-120.

[61] SEC Litigation Release, SEC Obtains Preliminary Injunction Against Fraudulent Investment Adviser Targeting Senior Citizens, Litigation Release No. 24831 (June 9, 2020), available at https://www.sec.gov/litigation/litreleases/2020/lr24831.htm.

[62] SEC Press Release, SEC Charges Six Individuals in International Microcap Fraud Schemes (Jan. 2, 2020), available at https://www.sec.gov/news/press-release/2020-1.

[63] SEC Press Release, SEC Brings Charges Against Fraud Targeting Amish and Mennonite Investors (Jan. 31, 2020), available at https://www.sec.gov/news/press-release/2020-26.

[64] SEC Press Release, SEC Charges Russian National for Defrauding Older Investors of Over $26 Million in Phony Certificates of Deposit Scam (Mar. 13, 2020), available at https://www.sec.gov/news/press-release/2020-61.

[65] SEC Press Release, SEC Charges Broker Who Defrauded Seniors Out of Almost $1 Million (June 12, 2020), available at https://www.sec.gov/news/press-release/2020-132.

[66] SEC Press Release, SEC Halts Fraudulent Offering by Florida Investment Adviser (Mar. 10, 2020), available at https://www.sec.gov/news/press-release/2020-56.

[67] SEC Press Release, SEC Charges Owner of Film Distribution Company with Defrauding Publicly Traded Fund (May 22, 2020), available at https://www.sec.gov/news/press-release/2020-122.

The following Gibson Dunn lawyers assisted in the preparation of this client update: Mark Schonfeld and Tina Samanta.

Securities Enforcement Practice Group Leaders:
Richard W. Grime – Washington, D.C. (+1 202-955-8219, rgrime@gibsondunn.com)
Barry R. Goldsmith – New York (+1 212-351-2440, bgoldsmith@gibsondunn.com)
Mark K. Schonfeld – New York (+1 212-351-2433, mschonfeld@gibsondunn.com)

Please also feel free to contact any of the following practice group members:

New York
Zainab N. Ahmad (+1 212-351-2609, zahmad@gibsondunn.com)
Matthew L. Biben (+1 212-351-6300, mbiben@gibsondunn.com)
Reed Brodsky (+1 212-351-5334, rbrodsky@gibsondunn.com)
Joel M. Cohen (+1 212-351-2664, jcohen@gibsondunn.com)
Lee G. Dunst (+1 212-351-3824, ldunst@gibsondunn.com)
Mary Beth Maloney (+1 212-351-2315, mmaloney@gibsondunn.com)
Alexander H. Southwell (+1 212-351-3981, asouthwell@gibsondunn.com)
Avi Weitzman (+1 212-351-2465, aweitzman@gibsondunn.com)
Lawrence J. Zweifach (+1 212-351-2625, lzweifach@gibsondunn.com)
Tina Samanta (+1 212-351-2469, tsamanta@gibsondunn.com)

Washington, D.C.
Stephanie L. Brooker (+1 202-887-3502, sbrooker@gibsondunn.com)
Daniel P. Chung (+1 202-887-3729, dchung@gibsondunn.com)
Stuart F. Delery (+1 202-887-3650, sdelery@gibsondunn.com)
Patrick F. Stokes (+1 202-955-8504, pstokes@gibsondunn.com)
F. Joseph Warin (+1 202-887-3609, fwarin@gibsondunn.com)

Palo Alto
Michael D. Celio (+1 650-849-5326, mcelio@gibsondunn.com)
Paul J. Collins (+1 650-849-5309, pcollins@gibsondunn.com)
Benjamin B. Wagner (+1 650-849-5395, bwagner@gibsondunn.com)

Denver
Robert C. Blume (+1 303-298-5758, rblume@gibsondunn.com)
Monica K. Loseman (+1 303-298-5784, mloseman@gibsondunn.com)

Los Angeles
Michael M. Farhang (+1 213-229-7005, mfarhang@gibsondunn.com)
Douglas M. Fuchs (+1 213-229-7605, dfuchs@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

A. Key Themes

1. Concern with Size and Interconnectedness

2. Private Versus Public Interest

3. Preference for Narrow Banking

4. Innovation as a Source of Risk

5. The Futility of Bank Supervision

B. Consequences For Regulatory Priorities

1. Size and Interconnectedness

2. Private Interest Versus Public Interest

3. Narrow Banking

4. Innovation and Fintechs

5. The Quarles/Brainard Divide – Likely Positioning

I. Filing and Settlement Trends

A. Filing Trends

B. Industry and Other Trends in Cases Filed

C. Settlement Trends

II. What to Watch for in the Supreme Court

A. Supreme Court Issues Narrow Decision in Price-Impact Case

B. Supreme Court to Decide whether the PSLRA’s Discovery Stay Applies in State Court

C. The Court Addresses Constitutional Challenges to Administrative Adjudicators

III. Delaware Developments

A. Court of Chancery Invalidates Poison Pill under Second Unocal Prong

B. Court of Chancery Rejects Claim that Pandemic Constituted a Materially Adverse Effect

C. Bellwether SPAC Litigation Remains in Initial Stages

D. Court of Chancery Determines CEO Breached Fiduciary Duty and Financial Advisor Aided and Abetted That Breach in Course of Executing a Merger

E. Appraisal Litigation Continues Its Steady Decline

IV. Further Development of Disseminator Liability Theory Upheld in Lorenzo

V. Survey of Coronavirus-Related Securities Litigation

A. Securities Class Actions

1. False Claims Concerning Commitment to Safety

2. Failure to Disclose Specific Risks

3. Alleged Insider Trading and “Pump and Dump” Schemes

B. Stockholder Derivative Actions

1. Disclosure Liability

2. Oversight Liability

3. Insider Trading

C. SEC Cases

VI. Falsity of Opinions – Omnicare Update

VII. Halliburton II Market Efficiency and “Price Impact” Cases

VIII. Other Notable Developments

A. Morrison Domestic Transaction Test

B. Eighth Circuit Strikes Class Allegations under Rule 12(f)

C. Congress Codifies SEC Disgorgement Remedy

D. Delaware Exclusive Forum Bylaws Applicable to Section 14

E. Ninth Circuit Upholds Broad Protection for Forward-Looking Statements

I. Background

A. What are NFTs and What is the Blockchain?

B. What Do You Get When You Buy An NFT?

II. Intellectual Property

III. Profit Participations

IV. Securities Law

V. Climate Change

VI. Conclusion

I. OFAC’s Enforcement Against BitGo

II. OFAC’s Enforcement Against BitPay

III. Conclusion

A. Overarching Administration Priorities: Combatting Climate Change and Advancing Racial Justice

1. Climate Change

2. Advancing Racial Justice

1. Digital Assets and Cryptocurrencies

2. Fintech: The OCC and Trump Administration Rulemakings

3. An Invigorated CFPB

4. Shifting Priorities and Continuing Enforcement at the CFTC

C. Congressional Priorities

TABLE OF CONTENTS

I. REGULATION OF PRIVACY AND DATA SECURITY

A. Biden Administration and Presidential Transition

1. Data Privacy

2. Consumer Protection

B. COVID-19 and Privacy

1. Federal Regulatory Efforts

i. Two COVID-19 Privacy Bills Introduced in Congress

ii. HIPAA Guidance and Enforcement Discretion in Response to COVID-19

iii. CDC Vaccination Program’s Data Use and Sharing Agreement

2. State Regulatory Efforts

i. Enacted State Laws

ii. State Laws under Consideration

iii. State Laws Not Enacted

iv. State Attorneys General and COVID-19 Privacy

C. Legislative Developments

**A. Court of Chancery Invalidates Poison Pill under Second Unocal Prong**