These trading suspensions raise significant concerns for foreign issuers, particularly because most of the SEC’s orders state that the potential manipulation was “effectuated through recommendations made to investors by unknown persons [emphasis added] via social media.” Thus, companies that may themselves be victims of third-party manipulation now face the compounding harm of being treated as suspected wrongdoers and having their trading halted, along with potential collateral consequences, such as reputational damage, SEC inquiries and shareholder lawsuits. In addition, Nasdaq recently proposed a new rule that would allow it to delist stocks where the SEC has imposed trading suspensions, effectively cutting off a company’s access to the US capital markets.  

Foreign issuers – particularly those based in Asia – should consider evaluating their vulnerability to third-party market manipulation and developing a response plan in the event of a stock price rally that potentially triggers regulatory scrutiny. Likewise, foreign private companies seeking access to the US capital markets should be mindful of the risk of potential market manipulation for microcap companies.

Characteristics of companies subject to trading suspensions

The 14 companies affected by the trading suspensions conduct a range of business operations, from beauty products and food catering to online travel services, digital advertising and traditional Chinese medicine therapies. Most of the companies were founded more than 10 years ago.

These companies also share some common characteristics:

• Asia-headquartered and offshore-incorporated: As noted above, all 14 companies are headquartered in Asia, including six in mainland China or Hong Kong, five in Singapore, and one each in Indonesia, Malaysia and Japan. All but two are incorporated in offshore jurisdictions, such as the Cayman Islands and the British Virgin Islands.

• Recent IPOs with modest IPO proceeds: Twelve of the 14 companies went public in 2025, while the other two went public in 2024. Their IPO proceeds ranged from $5 million to $15 million, and all 14 companies were considered “microcap” at the time of their IPOs (i.e., with market capitalization of less than $300 million). Thirteen of the companies priced their IPOs at $4 per share, the minimum bid price required by Nasdaq and the NYSE.

• Significant stock price fluctuations leading to trading suspensions: For some companies, trading was suspended while the stock price was surging; for others, the suspension occurred as the price declined from a spike. Several of the 14 companies experienced a dramatic stock price increase shortly after the IPO. For example, the stock price of Charming Medical surged from $4 to $29.36 within 10 days of the IPO. Other companies saw their stock prices remain steady for an extended period before experiencing sudden volatility. QMMM’s stock price stayed between $1 and $4 for a year after its IPO, when it suddenly spiked to $207 before plummeting to $71 within the span of a week. These abnormal trading patterns prompted the SEC to suspend trading, in some cases within weeks of the companies’ IPOs.

SEC’s trading suspensions extended by stock exchanges

The SEC’s orders suspending trading in the securities of these 14 companies are nearly identical. In each order, the SEC stated that there was “potential manipulation” in the company’s securities “through recommendations made to investors by unknown persons via social media,” which “appear to be designed to artificially inflate the price and trading volume” of the company’s securities. The SEC further stated that “the public interest and the protection of investors” required it to suspend trading in the securities of the company.

As noted in our November 2025 Law360 article, although the SEC is only authorized to suspend trading for up to 10 business days, the stock exchanges (Nasdaq and NYSE) continued to halt trading for these companies after that period expired. Nasdaq announced that “trading will remain halted” until the issuer “has fully satisfied Nasdaq’s request for additional information.”

To date, trading remains halted for all 14 companies, and it is unclear if they will ultimately persuade the SEC and the stock exchange to lift the trading halt. All 14 companies publicly stated that they were cooperating with the investigations and denied any involvement in market manipulation. Many of the 14 companies also stated in their public filings that there were no material changes to their business operations, although several companies disclosed changes to their directors, executive officers and/or auditors since the SEC suspended trading in their stocks. Two companies disclosed in their public filings after the trading suspensions that they moved their headquarters.

In addition, on February 20, 2026, Nasdaq filed a proposed rule change with the SEC that would allow Nasdaq to delist companies whose stocks are subject to trading suspension by the SEC. Nasdaq “believes that the ability for third parties to manipulate a security’s price can indicate that the security does not have sufficient liquidity, and the issuing company does not have sufficient market interest, for listing to be appropriate.” As such, Nasdaq proposed it should have discretion to delist companies under trading suspensions based on a set of factors, including whether any of the company’s advisors (such as auditors, underwriters and law firms) “were involved in prior transactions where the securities became subject to a pattern of concerning or volatile trading.” If adopted, Nasdaq intends to use this new rule to suspend companies “even where the problematic or unusual trading appears to be driven by third parties with no known connection to the company, and even where Nasdaq Staff cannot determine whether the company or any associated individual was involved.” The SEC is currently soliciting comments on the proposed rule change and is expected to either approve or disapprove it within the coming months.

Shareholder lawsuits

Two companies – Charming Medical and Smart Digital Group – were sued for securities fraud in connection with the trading suspensions. In both cases, the plaintiffs named the companies’ directors, officers, auditors and underwriters as defendants.

The complaint against Charming Medical alleges that the company’s “IPO and its extremely small public float” made the company’s stock susceptible to manipulation. The plaintiff further alleges that the company’s offering documents failed to warn investors of the “substantial market manipulation risk,” and that the company failed to dispel false rumors circulated by scammers.

Similarly, the complaint against Smart Digital Group alleges the company violated securities laws by failing to disclose it was the subject of a pump-and-dump scheme and at risk of a trading suspension.

Takeaways

Asia-based companies trading in the US face the risk of having their trading suspended by the SEC based solely on unusual trading patterns or market activity, even when they were not involved with the potential manipulation. The consequences of trading suspensions, followed by indefinite trading halts by stock exchanges, can include loss of access to the US capital markets, prolonged investigations and significant reputational damage.

Moreover, if Nasdaq’s proposed rule change is approved, companies subject to SEC trading suspensions may face delisting proceedings, even where the unusual trading activity appears to have been driven entirely by unaffiliated third parties. Plaintiffs’ law firms appear to be focused on this issue, and it is possible they will file more copycat complaints against companies that have fallen victim to stock manipulation.

To mitigate the risk of falling victim to market manipulation activity, companies based in Asia that are considering going public in the US should be mindful of the distribution of their shares while they remain private. And companies that recently went public in the US should consider monitoring rumors on social media and developing a response plan for an unexpected stock price rally. For example, a targeted company may consider publicly denying any rumors circulating on social media that are designed to drive up a company’s stock price. If they are subject to a trading suspension, companies should be prepared to respond quickly by engaging with the SEC and publicly denying involvement with the market manipulation.

As we have previously written about (see our posts from January 23, 2025, June 24, 2025, and August 6, 2025), the legal landscape governing DEI-related employment practices continues to evolve rapidly. The IBM settlement is the first of its kind under the Civil Rights Fraud Initiative announced by DOJ just under a year ago and represents the first DOJ resolution to fulfill the Trump administration’s promises to use an expanded theory of FCA liability to enforce companies’ compliance with anti-discrimination laws. The settlement underscores the administration’s expansive and, at times, unsettled view of the contours of DEI-related FCA enforcement, while raising significant questions about the practical longevity of existing DEI initiatives and how companies and federal contractors will respond.

IBM settlement allegations

DOJ alleged that IBM falsely claimed compliance with anti-discrimination requirements in its federal contracts by maintaining practices that discriminated against employees and applicants based on race, color, national origin and/or sex. The settlement agreement identified four specific practices that the government alleged violated federal anti-discrimination laws:

• Compensation adjustments, including a “diversity modifier,” that tied bonus or incentive pay to the achievement of certain demographic targets.
• Practices that altered hiring eligibility based on protected characteristics, such as differing interview panels for diverse and nondiverse candidates.
• Race- and sex-based demographic goals for business units that informed personnel decisions.
• Mentorship, training and leadership development programs with eligibility formally restricted by race, sex or national origin.

DOJ also alleged that IBM allocated costs associated with these programs to its federal contracts and sought reimbursement while simultaneously certifying compliance – a linkage that converted what might otherwise be an employment law matter into an actionable FCA claim.

IBM agreed to pay $17,077,043, including civil penalties. While IBM received formal cooperation credit for its early disclosure, assistance with the damages calculation and voluntary remediation, the damages multiplier still exceeded the 2x figure commonly seen in FCA settlements.

DEI-related framework

The Trump administration has issued several directives that have laid the groundwork for its DEI-related investigations and enforcement.

• On January 21, 2025, President Donald Trump issued Executive Order 14173, “Ending Illegal Discrimination and Restoring Merit-Based Opportunity,” that revoked President Lyndon B. Johnson’s Executive Order 11246, the foundational affirmative action framework for federal contractors first issued in the wake of the Civil Rights Act of 1964. The 2025 executive order, which extends beyond federal contracting, directs federal agencies to ensure contractors and grantees cease “illegal DEI” programs (a term left undefined in the order) and certify compliance with federal anti-discrimination laws.
  
• On May 19, 2025, DOJ launched the Civil Rights Fraud Initiative, announcing its intention to use the FCA to target federal contractors and grant recipients whose DEI programs “assign benefits or burdens” on the basis of race, ethnicity or national origin. Notably, while the Civil Rights Fraud Initiative was announced as a co-led initiative between the Civil Fraud Section and the Civil Rights Division – DOJ’s primary enforcement vehicle for violations of Title VII – the IBM settlement did not include a signature from a Civil Rights Division representative.

• In July 2025, a DOJ memo titled “Guidance for Recipients of Federal Funding Regarding Unlawful Discrimination” provided internal DOJ guidance that entities receiving federal funds must not discriminate on the basis of protected characteristics.

• Most recently, on March 26, 2026, Trump signed Executive Order 14398, “Addressing DEI Discrimination by Federal Contractors,” which directs all executive departments and agencies to acknowledge the financial materiality of their anti-discrimination obligations. The order also mandates that all federal contracts and subcontracts include a new clause prohibiting “racially discriminatory DEI activities,” a term defined more expansively than the language set forth in Executive Order 14173.

Future FCA liability

The settlement confirms that DOJ is prepared to deploy the FCA as an active enforcement mechanism against companies with DEI programs the government characterizes as “discriminatory,” and that voluntary compliance with FCA investigations does not preclude significant damages recoveries. Recent executive orders compound this exposure by requiring contractors to acknowledge that their compliance with anti-discrimination obligations is “material to the Government’s payment decisions” under the FCA – embedding the FCA’s materiality element directly into the contractual framework. Although this tactic has yet to be tested in court, it may significantly heighten the risk of government inquiries and litigation for federal contractors and other recipients of federal funds.

It is also worth noting that the covered conduct period in the IBM settlement begins in January 2019, a start date that predates both the current administration’s executive orders and the US Supreme Court’s 2023 decision in Students for Fair Admissions v. Harvard, which ruled that many race-based affirmative action programs are unconstitutional. This backward-looking scope confirms that historical practices may carry ongoing FCA exposure even where companies have since discontinued or modified their programs to comply with recent executive orders.

Key takeaways

• The IBM settlement confirms that DOJ is making good on its stated intention to deploy the FCA as an enforcement mechanism to target DEI programs it characterizes as discriminatory.

• DOJ is placing high priority on DEI FCA-related investigations. This settlement comes less than a year after the Initiative was announced, marking a clear effort to expedite investigations brought under the Initiative. Multiple senior DOJ officials also personally signed and made official statements supporting the IBM settlement.

• While the legal landscape remains unsettled, many companies may seek to resolve these investigations through early settlement rather than bearing the burden of costly and protracted litigation. This dynamic may delay the opportunity for courts to weigh in on the merits of the government’s expanded FCA enforcement theory, leaving the contours of permissible DEI programming unclear.

• Federal contractors and recipients of government funding that maintain diversity-related programs should continue to carefully assess the parameters of those programs to ensure compliance with existing law, and should also consider whether the current administration would view past practices to be “illegal DEI” when assessing potential FCA enforcement risk.

The SEC obtained orders for monetary relief totaling $17.9 billion in FY2025 – a new record – but $14.9 billion of that amount stemmed from a single matter: the judgment in the Robert Allen Stanford Ponzi scheme case, which was initiated in 2009. Excluding the Stanford judgment, as well as disgorgement amounts that were “deemed satisfied” by court orders in non-SEC actions, monetary relief orders obtained in FY2025 totaled $2.7 billion – $1.3 billion in penalties and $1.4 billion in disgorgement. In FY2024, by comparison, the SEC obtained $8.2 billion in financial remedies.

The SEC acknowledged that FY2025 was a “unique period of transition,” with 58% of the enforcement actions having been filed before the US presidential inauguration on January 20, 2025. In the April 7 press release, SEC Chairman Paul Atkins stated that the current SEC administration is prioritizing cases involving “fraud, market manipulation, and abuses of trust” and emphasizing “holding individual wrongdoers accountable.”

Retail investor protection

The FY2025 enforcement results demonstrate the current SEC administration’s focus on securities fraud targeting retail investors, such as Ponzi schemes, offering frauds and disclosure failures. Notably, the press release highlighted an enforcement action against a publicly traded biopharmaceutical company[1] that allegedly concealed a “harsh critique levied by the Food and Drug Administration” (FDA) about the approval prospect of the company’s drug candidate. The company allegedly made false and misleading statements about the drug’s efficacy and likelihood of approval in its initial public offering documents. The company agreed to pay $2.5 million in civil penalties to settle the action.

Individual accountability

The current SEC administration has focused more heavily on individual accountability, with nearly 90% of the stand-alone actions filed since the presidential inauguration involving individual charges. The press release linked to multiple individual enforcement actions, such as actions against three individuals[2] for allegedly creating false documents in municipal bond offerings that raised $284 million, and against the founder of a beverage company[3] for allegedly misrepresenting the company’s business operations and use of investor funds. The SEC also obtained orders barring 119 individuals from serving as officers and directors of public companies, comparable to the 124 individuals barred in FY2024.

Investment advisers

In FY2025, the SEC brought 72 enforcement actions against investment advisers and investment companies, a decline of 26% from FY2024. However, the SEC has stated that “breaches of fiduciary duty by investment advisers” remain a top priority for the agency. The press release highlighted a few notable actions and wins against investment advisers, including a jury verdict[4] against a Massachusetts-based investment adviser for alleged failure to disclose financial incentives for selling certain products, as well as a $150,000 settlement[5] with a New York-based investment adviser for alleged failure to disclose advisory fees in connection with the conversion of certain client accounts.

Cross-border fraud

As discussed in our September 18 and October 28 blog posts, the SEC has formed a Cross-Border Task Force to investigate transnational fraud, such as “pump-and-dump” schemes involving foreign-based companies. Along those same lines, the SEC has also charged individuals in foreign jurisdictions for alleged involvement in insider trading[6] or market manipulation.[7]

Insider trading and market manipulation

“Abusive trading” continues to be a focus of this SEC administration, and in FY2025, the SEC brought 31 insider trading and 15 market manipulation cases, on par with FY2024’s totals of 34 and 17, respectively. As discussed in our December 23 blog post, the SEC is particularly focused on insider trading in biotech stocks, which could be subject to significant volatility in response to clinical trial results, FDA decisions and merger activities.

Misuse of emerging technologies  

While the SEC has changed its approach to crypto enforcement, it “remains committed to detecting, deterring, and bringing actions against those seeking to take advantage of investors by misusing new technologies.” In FY2025, such actions included charges against digital asset promoters[8] for allegedly making false statements in connection with crypto asset offerings, the founder of a crypto and foreign exchange trading company[9] for alleged misappropriation of investor funds, and the founder of an AI startup[10] for allegedly misrepresenting the company’s use of AI. In the AI startup case, the SEC alleged that the founder told investors that the company used AI to process transactions, when in fact, the company relied largely on contract employees to manually input orders. 

Benefit of self-report and cooperation

The current SEC administration has reiterated the value of self-reporting, cooperation and remediation as tools for mitigating enforcement outcomes. As discussed in our February 27 blog post, the recently updated Enforcement Manual has expanded the cooperation framework and emphasizes the “timeliness” of cooperation.

The press release noted that in FY2025, the SEC imposed reduced civil penalties or declined to recommend enforcement actions against several companies that self-reported, cooperated and remediated securities law violations. One example cited by the SEC involved an investment adviser[11] that allegedly violated Rule 105 of Regulation M by purchasing certain securities after selling short the same securities during Rule 105’s restricted period. The SEC credited the company’s cooperation, including voluntarily gathering documents, conducting a review for prior violations and presenting to the staff on the company’s compliance efforts. The SEC also credited the company’s remediation efforts, such as updating its compliance policies and procedures.

Takeaways

The FY2025 enforcement results reflect the current administration’s much-publicized change of priorities. As it said it would, the SEC appears to have concentrated its resources on fraud and has prioritized charging individuals for securities violations. At the same time, the SEC’s continued emphasis on self-reporting, cooperation and remediation presents a meaningful opportunity for market participants to mitigate potential exposure.

[1] In the Matter of Allarity Therapeutics, Securities Act of 1933 Release No. 11367, Securities Exchange Act of 1934 Release No. 102646 (Mar. 12, 2025).

[2] SEC v. Miller et al., No. 1:25-cv-02702 (S.D.N.Y. Apr. 1, 2025).

[3] SEC v. Scalise et al., No. 2:25-cv-03088 (E.D. Pa. June 17, 2025).

[4] SEC v. Cutter Financial Group, No: 1:23-cv-10589 (D. Mass. Apr. 23, 2025).

[5] In the Matter of One Oak Capital Management, LLC and Michael DeRosa, Securities Exchange Act of 1934 Release No. 102425, Investment Advisers Act of 1940 Release No. 6855 (Feb. 14, 2025).

[6] SEC v. Safi et al., No. 1:25-cv-10516 (D. Mass. Mar. 4, 2025).

[7] SEC v. Kushnarev, No. 1:25-cv-05412 (N.D. Ga. Sept. 22, 2025).

[8] SEC v. Unicoin, et al., No. 1:25-cv-04245 (S.D.N.Y. May 20, 2025).

[9] SEC v. Palafox, et al., No. 1:25-cv-00681 (E.D. Va. Apr. 22, 2025).

[10] SEC v. Saniger, No. 1:25-cv-02937 (S.D.N.Y. Apr. 9, 2025).

[11] In the Matter of Sourcerock Group, LLC, Securities Exchange Act of 1934 Release No. 103629 (Aug. 4, 2025).

Requirements under the policy

The CEP applies to all of the DOJ’s corporate criminal matters, except for Sherman Antitrust Act violations. Under the CEP, the threshold requirement is that a company makes an adequate voluntary self-disclosure. That means that a company (1) promptly self-reports to the appropriate DOJ criminal component (2) before the department has independently learned of the conduct or any government investigation is imminent or underway, (3) without having been legally required to do so in the first place. Importantly, if a company’s employee simultaneously makes an internal report and submits a whistleblower complaint directly to the DOJ, and the company subsequently self-reports that alleged misconduct to the DOJ, that self-report still qualifies as a voluntary self-disclosure under the CEP as long as it is made within 120 days of receiving the internal whistleblower complaint.

Following the submission of a self-report, the company will be expected to fully cooperate with the DOJ. That includes “timely, truthfully, and accurately” disclosing all relevant facts, proactively cooperating with the DOJ and making relevant company employees available for interviews. A company will receive “cooperation credit” for complying with the investigation, which the DOJ will use in determining what benefits the company will receive.

Lastly, a company will be expected to timely and appropriately remediate the misconduct, which can include implementing compliance programs, appropriately disciplining employees and paying restitution to victims.

In announcing the policy, the DOJ emphasized that companies that choose not to self-report could face harsher consequences. Deputy Attorney General Todd Blanche stated that for companies that do not self-disclose misconduct, “make no mistake – we will not hesitate to seek appropriate resolutions against companies and individuals alike that perpetrate white collar offenses that harm American interests.”

Three-tier treatment system

At its core, the CEP is structured around three tiers, each carrying a different set of outcomes depending on the company’s conduct.

Tier 1 – Declination

The DOJ will decline to prosecute a company that provides a fully compliant, voluntary self-disclosure of misconduct, cooperates with the department’s investigation and remediates the misconduct, provided there are “no aggravating circumstances” surrounding the offense. Those aggravating circumstances include:

1. The “nature and seriousness of the offense”
2. The “egregiousness or pervasiveness of the misconduct”
3. The “severity of harm caused by the misconduct”
4. “Corporate recidivism”

Even where some aggravating circumstances exist, prosecutors retain the discretion to recommend a declination if the weight of the company’s proactive conduct tips the balance. Any declination comes with an obligation to pay disgorgement and restitution to any victims. All declinations will be made public.

Tier 2 – “Near miss” cases

A company that fully cooperates with the DOJ and remediates its misconduct, but either falls short on the technical requirements for voluntary self-disclosure under Tier 1 or has aggravating factors that “warrant a criminal resolution,” is not eligible for declination. However, the company can still receive favorable treatment, including a non-prosecution agreement of under three years, waiver of the requirement for an independent compliance monitor and a reduction of any applicable fines by 50%–75% off the low end of the Sentencing Guidelines range.

Tier 3 – All other cases

Where a company does not satisfy either of the first two tiers, prosecutors retain broad discretion over the form and terms of any resolution, and fine reductions are capped at 50% off the Sentencing Guidelines range. For companies that cooperate and remediate, there is a presumption that the reduction will be measured from the low end of that range. The specific outcome will turn on the facts of each case, including any history of prior misconduct.

Key takeaways

• The CEP gives companies a clearer roadmap that applies consistently across the entire DOJ. The policy’s three-tiered system offers companies that self-report favorable treatment, but DOJ retains significant discretion as to the outcome, particularly in cases where one or more aggravating factors may apply.
• The CEP supersedes the corporate self-disclosure programs of all other United States Attorney’s Offices and DOJ components with the exception of criminal antitrust cases. Importantly, the CEP is limited to criminal liability; it does not shield companies from civil liability or potential actions from other government agencies, including the SEC.
• When companies receive whistleblower reports or become aware of potential issues that may implicate criminal liability, they should promptly consult counsel to determine whether an internal investigation is needed so that companies can evaluate whether to self-report within 120 days of any potential whistleblower report to DOJ.
• Because of the exacting requirements for a company to be eligible for a Tier 1 full declination, companies should work with counsel to carefully determine whether and how to present a self-report to the DOJ.

Overall, the updates reflect the current SEC administration’s focus on engagement and transparency – indeed, “engagement” has been added to the Manual’s mission statement, which states that the SEC intends to “engag[e] with harmed investors and other members of the public in a professional manner.” Also, in the press release announcing the changes, the SEC stated that it encourages “open, informed, and thoughtful dialogue between SEC staff and potential respondents and defendants.” On their face, these statements suggest that companies and individuals facing SEC investigations may be provided more meaningful opportunities through proactive engagement and effective advocacy during the investigative process to persuade the SEC not to bring an enforcement action or to settle on more favorable terms.

Below, we summarize the most important updates in the Manual.

Updates to Wells process

The Wells process is triggered with a formal notice from the staff that it has made a preliminary determination to recommend an enforcement action against the individual or entity. Thereafter, that individual or entity under SEC investigation is entitled to submit a written or video statement to the Division of Enforcement, typically with the intent of convincing the staff that no enforcement action is warranted. In October 2025, SEC Chairman Paul Atkins previewed procedural changes to the Wells process to promote fairness and transparency, including an extended timeline for submission, opportunities for Wells meetings and access to the SEC’s investigation files. The Manual incorporates these changes and several other procedural updates.

Additional approval required before issuing a Wells notice.

The Manual requires the staff to obtain approval from the Office of the Director (in addition to an associate director or unit chief) before issuing a Wells notice. This additional approval requirement provides the director with the opportunity to weigh in on potential charges and remedies earlier in the process, and in some cases, they might recommend changes to reflect consistency across the Division of Enforcement and more closely align with Commission priorities.

Circumstances in which a Wells notice is issued.

The Manual states that a “Wells notice will be provided in most cases” in which the staff makes a preliminary determination to recommend that the Commission file an action or institute a proceeding. The previous manual did not provide any prescriptive guidance concerning how often Wells notices should be issued, and traditionally practices have varied among the staff and across different administrations. The Manual also limits the circumstances in which the staff should consider not providing a Wells notice to “parallel covert criminal investigation(s)” as opposed to parallel criminal investigation more generally. Historically, the staff often did not issue a Wells notice when there was a parallel criminal investigation, even if it was overt, due to a concern that undertaking the process could lead to a delay in the filings. This change will mean that either the staff will issue Wells notices earlier in the process in order to build in enough time to coordinate the timing of SEC charges with criminal charges, or the SEC will file charges following their criminal counterparts.

Extended time period for Wells submission.

Recipients of a Wells notice will now be allowed four weeks to make a Wells submission and can seek extensions, although the staff could deny such requests for “good cause.” This change isn’t likely to have a significant impact on the process, as historically the staff gave recipients two weeks to respond, but generally granted extensions.

Sharing of other evidence not known to Wells recipients.

While Wells recipients were often given the opportunity to review material produced to the SEC by third parties, there was no written policy regarding the sharing of such evidence with potential respondents or defendants. The updated Manual changes that, directing the staff to inform Wells notice recipients of “salient, probative evidence” that the staff reasonably believes the recipients may not know, subject to “confidentiality or other constraints” for information sharing.

Access to SEC’s investigative files.

Previously, the staff had discretion whether to allow Wells recipients access to its investigative files. Now, the Manual directs the staff to be “forthcoming about the content of the investigative file” and to “make reasonable efforts” to allow recipients to review the files. This change will likely lead to more consistency in practices across the Division of Enforcement, which historically have varied with some staff providing substantial access and other staff providing none. However, the Manual still provides the staff some discretion in determining whether and how much to share. Among other things, the staff may consider whether the Wells recipient “was unresponsive to staff requests, failed to cooperate, or otherwise refused to provide information during the investigation.”

Requests for Wells meetings are ‘typically granted.’

As former staff noted early last year (see our March 18, 2025 blog post), the current SEC administration is more receptive to Wells meetings compared to the previous one. The Manual provides that requests for Wells meetings are “typically granted” and should be scheduled within four weeks of the Wells submission. However, what has not changed is that Wells recipients generally will only be accorded one post-Wells notice meeting. The Manual also states that the post-Wells notice meeting will include a member of senior leadership at the associate director level or above, so it will not necessarily include the director or a deputy director.

Guidelines for ‘helpful’ Wells submissions.

The updated Manual now includes guidelines for “helpful” Wells submissions, including that they should “focus on disputed factual or legal issues, or raise significant legal risks or policy or programmatic concerns.” Among other things, submissions are deemed helpful when they “[a]cknowledge and address evidence and precedent in support of the staff’s position, while highlighting exculpatory evidence and adverse precedent.” This guidance provides helpful transparency concerning the factors the staff considers “helpful,” potentially leading to a more productive dialogue during the Wells process.

White papers will be provided to the Commissioners.

Outside the Wells process, persons may voluntarily submit materials (such as white papers and legal memos) to the staff. Materials accepted by the staff “will generally be provided to the Commission along with any recommendation from the staff for an enforcement action against the submitting party.” The previous manual did not require staff to share white papers with the Commission, although the general practice was to do so. This change will likely encourage parties to submit white papers and similar materials more frequently during the Wells process, as they are sure to garner a broader review audience.

These updates increase transparency and balance the information playing field between the staff and Wells recipients.

Simultaneous consideration of settlement offers and waiver requests

As explained in this October 22, 2025 Governance Beat blog post, the Division of Enforcement is tasked with negotiating settlement terms with potential defendants and respondents where the staff determines there were violations of the securities laws. If a settlement in principle is reached, the staff presents its recommendation to bring an enforcement action and the proposed settlement terms to the Commission. Certain settlement terms can result in statutory disqualifications with significant collateral consequences to a settling party’s business, such as loss of “well-known seasoned issuer” status or disqualification from relying on Reg D safe harbor.

To avoid these consequences, parties may submit waiver requests to the Division of Corporation Finance, which evaluates the requests and makes a recommendation to the Commission whether to grant or deny the waiver. Since 2021, settlement negotiation and the waiver process have proceeded in parallel workstreams, with each division making separate recommendations to the Commission. In practice, however, parties typically await feedback on their waiver requests before submitting signed settlement offers.

In September 2025, Chairman Atkins announced the SEC will restore its pre-2021 practice of “permitting a settling entity to request that the Commission simultaneously consider an offer of settlement that addresses both an underlying Commission enforcement action and any related waiver request.” The new process is now documented in the Manual, which provides that if the Commission accepts the settlement offer but rejects the waiver request, the respondent has five business days to decide whether to move forward with the settlement.

Revised process for formal orders of investigation

As discussed in our March 18, 2025 blog post, the SEC adopted a final rule reversing the process for formal orders of investigation that had been in place for the past 15 years. The new rule requires a majority of the Commissioners to agree before the SEC formally opens an investigation. Previously, that power was delegated to the director of the Division of Enforcement.

The new rule is incorporated into the Manual, which provides that the staff must obtain two levels of approval – first from the Office of the Director, then from the Commission – before a formal order can be issued. In practice, this may lead to staff seeking information on a voluntary basis for a longer time period while they await subpoena authority.

Formalized criminal referral policy

In June 2025, the SEC issued a Criminal Referral Policy Statement pursuant to Executive Order 14294. The policy statement identified factors the staff should consider when deciding whether to refer potential securities law violations to the US Department of Justice for criminal prosecution. Those factors include harm to victims, potential gain to defendants, the defendants’ knowledge and expertise, recidivism and whether a criminal referral could provide more investor protection. These factors are now incorporated into the Manual.

In addition, the Manual establishes formal procedures for criminal referrals. For non-urgent matters, the staff must obtain approval from the director of the Division of Enforcement for the referral decision. For expedited matters, the associate director or unit chief has discretion to notify leadership after the referral has been made. The staff generally will not refer conduct that solely implicates strict liability offenses to criminal authorities. The previous manual did not contain formal referral procedures and allowed the staff to “informally refer a matter to federal or state criminal authorities.”

Expanded cooperation framework

Since 2001, the SEC has relied on the analytical framework set forth in the Seaboard Report to evaluate a company’s cooperation in an SEC investigation. The Seaboard Report identifies four measures for evaluation: self-policing, self-reporting, remediation and cooperation. Compared to the 2017 version, the updated Manual expands upon each of the measures and provides detailed guidance to companies on the steps they can take to potentially receive cooperation credit.

• Self-policing – The Manual makes clear that self-policing requires not only “establishing” an effective compliance program but also “implementing” said program.

• Self-reporting – Self-reporting credit is generally not available if the misconduct has already received media attention, if the staff learned of it from another source or if there is an “imminent threat of disclosure or government investigation.”

• Remediation – The Manual provides a list of “effective” remediation measures, including disciplining employees, strengthening internal controls, clawing back executive compensation, making corrective disclosures, hiring new staff and improving training.

• Cooperation – To receive cooperation credit, companies must go beyond merely complying with subpoenas. “Exemplary cooperation” could include summarizing internal investigation findings, identifying key documents and witnesses, translating foreign language documents or providing experts’ financial analyses.

The Manual emphasizes the importance of “timeliness” of cooperation and encourages companies to provide assistance during the early stages of investigation.

In addition, the Manual states that the SEC’s cooperation program is overseen by the Division of Enforcement’s “Cooperation Committee” that will approve “all cooperation agreements, deferred prosecution agreements, non-prosecution agreements, and immunity requests.” While this committee and process is not new, its mention and description in the Manual provides additional transparency to the public.

Preservation, document production and privilege log

Although document preservation notices are not new, there has been no formal policy regarding the form and timing of such notices – until now. The updated Manual directs the staff to “consider sending a document preservation letter as early as is appropriate in an investigation,” and requires the letter to “explicitly request the preservation of all relevant communications” on messaging apps, including those on personal devices. Notably, for the first time, the term “document” is defined to include text and other electronic messages. Thus, while the current SEC administration may be retreating from enforcement over off-channel communications, it is not overlooking text messages in the gathering of evidence.

The Manual also updates guidance for production cover letters, requiring the producing party to describe the steps taken to identify responsive documents, including who searched and reviewed the documents, what sources were searched, the location of the original documents and who maintained them.

The previous manual did not include any specific requirements with respect to the content of privilege logs. The updated Manual now requires that, for each document withheld for attorney-client privilege, the privilege log must identify the attorney and client involved. For each document withheld under the work product doctrine, the privilege log must identify the anticipated litigation at issue.

Takeaways

The significant updates to the Manual reflect the SEC’s commitment to engagement, transparency and fairness. They also reflect an effort to increase consistency in practices across the Division of Enforcement. Companies and individuals facing SEC investigations should take advantage of the enhanced Wells process – including access to third parties’ productions and the SEC’s investigative files, as well as Wells meetings – to present their case effectively before any enforcement recommendation is made. Early and proactive cooperation, including self-reporting and timely remediation, can yield significant benefits. Overall, these updates present an opportunity for respondents to engage more constructively with the staff and potentially achieve more favorable outcomes.

Before availing themselves of the new program, companies should discuss with counsel the potential collateral consequences of self-disclosure. Of note, the new program is limited to actions brought by the SDNY and does not foreclose charges brought by the Securities and Exchange Commission (SEC) or other regulators.  

SDNY’s new policy – Key differences

SDNY’s revised voluntary self-disclosure program significantly accelerates the benefits of self-reporting. Under SDNY’s prior voluntary self-disclosure program from 2023, a company that voluntarily disclosed misconduct to the SDNY would be eligible to receive “significant benefits,” including a declination letter. Critically, however, those benefits were not guaranteed. The company would be expected to fully cooperate with the SDNY and remediate the misconduct before qualifying for any benefits.

Under the new program, any company that self-reports misconduct to the SDNY will be immediately eligible for a conditional declination letter after a brief review. Importantly, if the company fully cooperates with the SDNY to remediate the misconduct, it will then receive a final declination letter. While such declination letters will not shield individual executives and employees from criminal liability, they will shield the company from criminal charges. The new voluntary self-disclosure program makes clear that the SDNY “will treat decisions not to self-report as weighing heavily against any future declination request” by a company.

Requirements under the new program

To be eligible for the benefits offered by the SDNY’s new self-disclosure program, a company must first self-report misconduct to the SDNY. A self-disclosure qualifies under the new program even if the company makes the report after becoming aware of a whistleblower submission or press reporting regarding the company’s misconduct. The key requirement is that the disclosure be made before the company learns of a government investigation.

After the SDNY reviews the report, it will provide the company with a conditional declination letter. The company will then be required to cooperate fully and commit to ongoing reporting of criminal conduct for three years, including by supplementing the information it initially provided with any new information it learns. In addition, the company must remediate the harm caused, including by terminating responsible employees, and commit to pay restitution to all injured parties. After the company finishes cooperating with the SDNY, it will receive a final declination letter.

Nonetheless, companies should be aware of the limited scope and potential collateral consequences of the program. Principally, it only applies to actions brought by the SDNY. Companies that self-report could still face significant liability, including through actions filed by the SEC and other regulators, shareholders, other US Attorney’s Offices, or state regulators. SEC enforcement actions against corporations can have significant impacts, including high penalties and reputational harm, as well as potential collateral consequences to their ability to raise capital by relying on certain exemptions to registration requirements. 

Key takeaways

• SDNY’s revised voluntary self-disclosure program provides a greater incentive to companies to self-report misconduct. A conditional declination letter allows a company to assure itself and its stakeholders that it will very likely be free from future criminal liability regarding the reported misconduct. Moreover, the guarantee of a final declination letter marks a major shift in the SDNY’s previous approach to self-reporting.
  
  
• However, it is important to note that any shield from liability through a declination letter only applies to criminal prosecutions brought by the SDNY. Companies must still consider potential exposure to civil liability from actions brought by a patchwork of other government agencies, such as the SEC, as well as criminal liability from actions brought by other US Attorney’s Offices or state regulators. Potential shareholder litigation is also an area of concern. 
  
  
• Companies should work with counsel to carefully consider whether to self-report under the new policy.
  
  

Background

In Kalbers, a professor sought nearly six million documents Volkswagen produced to the US Department of Justice (DOJ) during the so-called Dieselgate criminal investigation. Volkswagen had provided the materials in response to a federal grand jury subpoena, and almost all were stamped: “FOIA Confidential – Produced Pursuant to Rule 6(e).” Rule 6(e) of the Federal Rules of Criminal Procedure bars disclosure of “matter[s] occurring before the grand jury,” and in turn, FOIA exempts disclosure of any information protected by federal law, including Rule 6(e)’s grand jury secrecy mandate. The district court nonetheless ordered disclosure, reasoning that DOJ had not shown which documents were actually presented to the grand jury or that releasing them would necessarily reveal grand jury matters.

The Ninth Circuit reversed, holding that Rule 6(e) protects documents from FOIA disclosure when the government obtained them solely through a grand jury subpoena. The court reasoned that disclosing such documents would reveal the scope and focus of the grand jury’s investigation. It further explained that grand jury protection can be overcome only if the requester can show that the government obtained the documents from a source independent of the grand jury subpoena, the requester seeks the documents for a purpose unrelated to the grand jury investigation, and disclosure would not compromise the grand jury process. If the requestor fails to satisfy any of these factors, Rule 6(e) bars disclosure.

The court remanded for further proceedings on four documents that lacked the Rule 6(e) label.

Key takeaways

1. Label documents clearly and consistently

Almost all of the six million documents Volkswagen produced were stamped “FOIA Confidential – Produced Pursuant to Rule 6(e),” and the Ninth Circuit relied heavily on that labeling to conclude they were grand jury materials. The labels created a clear record tying the documents to the subpoena, and the court emphasized that DOJ could not redact them because doing so would itself disclose the connection to the grand jury investigation. Without this labeling, the government would have faced a more difficult task of demonstrating the materials’ protected status. The court remanded only as to the four unlabeled documents.

2. The ‘independent source’ limitation

The central inquiry is whether the government possesses the documents only because of the grand jury subpoena. Here, DOJ had no independent source for the Volkswagen materials, so disclosure was barred. The court contrasted this with cases like United States v. Dynavac, where the government possessed the same materials through a separate administrative process; in such circumstances, disclosing them does not necessarily reveal anything about the grand jury’s work. If an independent source exists, Rule 6(e) protection may not apply.

3. Internal investigations don’t create an escape hatch

The requester argued that Volkswagen’s internal investigation materials should fall outside Rule 6(e) because they were created for purposes independent of the grand jury proceeding. The Ninth Circuit rejected that argument. The court noted that Volkswagen had commissioned the internal investigation because of DOJ’s criminal investigation, and the materials were funneled to the government solely through the grand jury subpoena process. When internal investigation documents flow to DOJ through a subpoena, that collection is treated as grand jury material regardless of the documents’ origins.

Bottom line

The Kalbers decision makes clear that Rule 6(e) provides robust protection when documents are in the government’s possession only through a grand jury subpoena and not from an independent source. Proper labeling creates a clear record that strengthens this protection and makes it easier for the government to demonstrate protected status. Ensuring that protection requires thoughtful document handling from the onset of dealing with the government in a criminal matter.

Just one day later, on January 9, the Supreme Court agreed to review a circuit split regarding the standard the SEC must meet when seeking an award of disgorgement in a civil action. The question before the Supreme Court is whether the SEC must show that investors suffered actual financial loss (pecuniary harm) to obtain disgorgement, or whether it is enough to show that the defendant profited from alleged violations of the securities laws. This will be the third time the Supreme Court will consider SEC disgorgement in the past decade, following Liu v. SEC in 2020 (which addressed whether the SEC could seek disgorgement through its power to award equitable relief) and Kokesh v. SEC in 2017 (which addressed the applicable statute of limitations). The Supreme Court’s decision should be consequential, as the SEC obtained $6.1 billion in disgorgement and prejudgment interest in fiscal year 2024.

Supreme Court to review circuit split on SEC disgorgement powers

Background

In Sripetch v. SEC, both the petitioner – a stock trader who was ordered to disgorge more than $3 million in profits and prejudgment interest – and the government asked the Supreme Court to grant review, recognizing a square split between the US Court of Appeals for the Second Circuit and the US Court of Appeals for the Ninth Circuit related to the scope of the SEC’s remedial authority. 

As the petitioner put it, the question is “whether the SEC may seek equitable disgorgement in civil-enforcement suits without showing investors suffered pecuniary harm.” In the petitioner’s case, the Ninth Circuit sided with the First Circuit in holding that the SEC does not need to show that investors suffered pecuniary harm. The Ninth Circuit acknowledged that its ruling diverged from the Second Circuit’s 2023 opinion in SEC v. Govil, which held that disgorgement in this context does require a finding that investors suffered pecuniary harm.

A key point of disagreement centers on a question left open from the Supreme Court’s 2020 opinion in Liu – the definition of “victim” in this context. In Govil, the Second Circuit determined that here, a victim is “one who suffers pecuniary harm from the securities fraud.” In doing so, it relied in part on language from Liu referencing “return[ing] the funds to victims,” which the Second Circuit found “presupposes pecuniary harm.” Among other things, the Second Circuit found support for the “centrality of pecuniary harm to victimhood” in other “profit-stripping remedies” discussed in Liu, including constructive trust and accounting. The court also drew comparison with private securities fraud actions under Section 10(b) of the Securities Exchange Act of 1934, which require that an investor suffer economic loss.

While the Ninth Circuit in Sripetch agreed with the Second Circuit that disgorgement requires a victim (or victims), it disagreed that “victim” is “narrowly defined as an individual or entity that has suffered pecuniary harm.” The Ninth Circuit reasoned that a pecuniary harm requirement is inconsistent with disgorgement at the common law, which only required showing interference with “the claimant’s legally protected interests,” not loss. The Ninth Circuit also disagreed with the Second Circuit’s reading of Liu and its reliance on private securities actions, which the Ninth Circuit observed are different “by design” from SEC civil enforcement actions, given that “Congress imposed an economic loss requirement” in private actions specifically “to address ‘abusive litigation by private parties’” (citation omitted) – a consideration that does not apply to SEC actions.

For its part, the government has taken the position that the Ninth Circuit “correctly resolved the question presented,” and that the applicable statutes “authorize[] a court to award disgorgement in an SEC suit without a finding of pecuniary harm to investors.”

Govil on remand: A broad reading of pecuniary harm

Just over a week after the Supreme Court granted review in Sripetch, the district court in Govil issued its opinion on remand from the Second Circuit. The district court’s January 20 decision reflected a broad reading of what can be considered “pecuniary harm” and who may be considered a “victim.” The upshot is that even if the Supreme Court ultimately determines that the SEC must demonstrate pecuniary harm to obtain disgorgement, expansive interpretations of such harm by lower courts may allow the SEC to still make that showing in many cases.

Having held that disgorgement requires a showing of pecuniary harm, the Second Circuit in Govil instructed the district court to determine whether, as a factual matter, the defendant’s conduct caused pecuniary harm. On remand, the district court considered testimony and expert reports offered by the SEC and found that both investors and the company itself experienced pecuniary harm due to the defendant’s fraud.

First, the court determined that investors suffered pecuniary harm on multiple fronts, including (1) artificially inflated stock prices and trading losses, and (2) capital raising activities (a secondary offering and a rights offering) that were needed due to the defendant’s misappropriation and that had a “dilutive effect” on existing shareholders.[1] Second, the court found that the company also qualified as a victim and suffered pecuniary harm when the defendant “misappropriated proceeds reserved for corporate use,” creating “a shortfall in funds available for operating expenses, financing, and investments.”

Takeaways

The Supreme Court’s decision in Sripetch may have significant implications for the SEC’s ability to seek ill-gotten gains from defendants and respondents in connection with enforcement actions. The scope of the SEC’s ability to seek disgorgement is significant, to say the least: In fiscal year 2024, disgorgement and prejudgment interest accounted for nearly 75% of the financial remedies for which the SEC obtained orders ($6.1 billion of $8.2 billion in total) and was the highest amount on record. If the Supreme Court rules that the SEC must show that investors suffered pecuniary harm as a precondition to obtaining disgorgement, it will certainly limit the SEC’s remedial reach. It will also impact how individuals and companies assess potential exposure and navigate SEC investigations and enforcement actions. At the same time, the effect of a “pecuniary harm” requirement will turn on how that term is defined – and as seen in the district court’s opinion in Govil on remand, courts may be inclined to read it broadly, thus allowing the SEC to make the showing in many cases.

How the Supreme Court will decide this case remains to be seen, but we expect it will be heard this term.    

District court rules that SEC can seek industry bans in administrative proceedings

Background

On January 8, the US District Court for the District of Columbia dismissed Sztrom v. SEC, a lawsuit brought by two investment advisors challenging the constitutionality of an SEC follow-on administrative proceeding. The advisors previously settled an SEC enforcement action brought in federal court. As part of that settlement, the advisors each paid $25,000 in civil penalties and consented to an entry of final judgment barring them from violating certain securities laws, without admitting liabilities. After the entry of final judgment, the SEC commenced a follow-on administrative proceeding seeking to ban the pair from the securities industry. The advisors alleged that the follow-on administrative proceeding was unlawful because it:

1. Violated due process by adjudicating charges that were prosecuted by the same agency.
2. Violated Article III because only federal courts have the power to adjudicate this type of matter.
3. Violated the Fifth and Seventh Amendments because the government cannot deprive the advisors of “their rights to pursue their chosen profession” except through a jury trial.
4. Denied the advisors their rights to a hearing under the Advisers Act and Administrative Procedure Act.

The district court’s analysis

The court first addressed the plaintiffs’ jury trial and statutory hearing rights claims. The court agreed with the SEC that Congress has impliedly removed district courts of subject matter jurisdiction over these claims. The Advisers Act explicitly provides that a party may seek review of an SEC administrative order in the US courts of appeals. The court further determined that meaningful judicial review remained available through the appellate process, and that the claims at issue were not “wholly collateral” to the statutory review scheme, nor outside the SEC’s expertise. As such, the district court lacked subject matter jurisdiction over these claims.

With respect to the due process claim, the court held that it was “squarely foreclosed by D.C. Circuit precedent” – namely, the 1988 case Blinder, Robinson & Co. v. SEC. In Blinder, the DC Circuit held that a regulator’s combination of prosecutorial and adjudicative functions through its in-house tribunal did not violate the Constitution. The court was unpersuaded that Jarkesy changes the outcome, reasoning that Jarkesy is limited to monetary penalties.

As to the advisors’ Article III claim, the court held that the SEC’s follow-on proceeding – which seeks remedial sanctions in the public interest – falls within the “public rights” exception and does not violate Article III.

Takeaways

This is the second time that the DC District Court upheld the viability of SEC follow-on administrative proceedings. Last year, in Lemelson v. SEC, another judge in the DC District Court considered similar arguments when an investment advisor – who was found liable for securities fraud by a jury – challenged the legality of a follow-on administrative proceeding that sought to ban him from the securities industry. The Lemelson court reached the same conclusions as the Sztrom court, and Lemelson appealed. While the appeal was pending, the SEC dismissed the administrative proceeding on the grounds that “further proceedings … would not be in the public interest,” because the district court that imposed the initial injunction thought that “it would be excessive” for the SEC to impose a lifetime ban on Lemelson in any follow-on proceeding.

Taken together, Lemelson and Sztrom indicate that the DC District Court is unlikely to expand Jarkesy beyond monetary penalties, and SEC follow-on administrative proceedings are – at least for now – here to stay.

[1] Under the Investment Advisers Act of 1940 (Advisers Act), the SEC can censure, suspend or ban a person associated with an investment adviser if it finds, “on the record after notice and opportunity for hearing,” that such penalty is “in the public interest,” and that the person “is enjoined” by a court from “engaging in or continuing” certain securities-related activities. Such proceedings are referred to as follow-on administrative proceedings. Follow-on administrative proceedings accounted for between 16% to 25% of all SEC enforcement actions during fiscal years 2019 to 2024. (The SEC has not released enforcement data for fiscal year 2025.)

[2] It remains to be seen whether other courts will adopt this interpretation. With respect to the finding that artificially inflated stock prices constitute pecuniary harm, for example, it is worth noting that in Sripetch, the Ninth Circuit observed that the SEC’s argument that paying artificially inflated prices alone causes pecuniary harm is “in tension” with the Supreme Court’s decision in Dura Pharamaceuticals v. Broudo. In Dura, the Supreme Court explained that “an initially inflated purchase price might mean a later loss” but “that is far from inevitably so.” (emphasis added)

With 2025 ending, it appears that Atkins followed through on his promise to realign the SEC’s enforcement priorities to return to the SEC’s core mission of pursuing clear-cut rule violations in an effort to bolster investor protection, with a focus on traditional fraud as opposed to technical violations, such as books-and-records infractions. This resulted in a sharp decline in public company enforcement. A recent Cornerstone report[1] showed that in FY 2025, the SEC initiated 56 actions against public companies and their subsidiaries, 52 of which were initiated prior to Chairman Gary Gensler’s departure on January 20. Only two enforcement actions were initiated after Atkins became chairman, and he recused himself with respect to one of the charging decisions.

In addition to a decrease in new public company enforcement actions, 2025 also saw the SEC retreating from Gensler-era initiatives in crypto and cybersecurity enforcement. Since January, the SEC has closed most of its crypto investigations and enforcement actions, which Atkins has characterized as “the previous administration’s regulation-by-enforcement crusade.” On November 20, the SEC terminated its long-running litigation against SolarWinds and its chief information security officer relating to SolarWinds’ cybersecurity disclosures.

Looking ahead to 2026, we expect the SEC to prioritize charging individuals responsible for misconduct rather than imposing corporate penalties. We also expect a continued focus on insider trading, especially in the biotech sector. Finally, as discussed in our October 28 blog post, foreign issuers listed on US stock exchanges will likely face continued close scrutiny, particularly where “pump and dump” schemes are suspected.

Sharp decline in public company enforcement actions in FY 2025 amid leadership change

The Cornerstone report compared the FY 2025 statistics to three prior fiscal years that also involved a change in SEC administration (FY 2013, FY 2017 and FY 2021). While enforcement actions in those three prior years were distributed fairly evenly between the periods before and after the departure of the incumbent chairman, FY 2025 saw a stark contrast between the incoming and outgoing administrations. As noted above, 52 of the 56 public company enforcement actions in FY 2025 happened prior to Gensler’s departure in January. In addition, the SEC initiated 29 public company actions in Q1 (which ran from October 2024 to December 2024) – the highest Q1 number in the SEED database, which goes back to FY 2010. By contrast, there was only one public company enforcement action in September 2025, compared to 35 in September 2024.

SolarWinds lawsuit dismissed

The SEC’s voluntary dismissal of the SolarWinds lawsuit marked the end of a two-year litigation that arose from the 2020 SUNBURST cyberattack. The SEC alleged that SolarWinds overstated its cybersecurity practices while understating its cybersecurity risks, and that SolarWinds minimized the scope and severity of the SUNBURST attack. (Read more about the SolarWinds litigation and an amicus brief Cooley submitted on behalf of 50+ cybersecurity leaders and organizations.)

In July 2024, Judge Paul A. Engelmayer of the US District Court for the Southern District of New York dismissed most of the SEC’s claims, except for a securities fraud claim based on a Security Statement on the company’s website, which was published a year before its initial public offering. The defendants moved for summary judgment in April 2025, arguing that the SEC had conceded in the parties’ joint statement of undisputed material facts that SolarWinds implemented each of the policies described in its Security Statement. The court never ruled on this motion, as the SEC chose to dismiss the case entirely.

The parties’ stipulation of dismissal stated that the SEC’s decision to dismiss this action “does not necessarily reflect the Commission’s position on any other case.” Indeed, the SEC is still focused on cybersecurity disclosures, as reflected by its creation of a Cyber and Emerging Technologies Unit, which – among other things – will “combat misconduct as it relates to … [p]ublic issuer fraudulent disclosure relating to cybersecurity,” as discussed in our February 25 blog post. Consistent with Atkins’ stated goal of focusing on “genuine harm,” we can expect the SEC to continue to police material cybersecurity misrepresentations and omissions that led to investor harm.

Individual accountability over corporate penalties

The relatively slow pace of SEC enforcement activity this year can be attributed to several factors. Atkins assumed his role in April, followed by Enforcement Director Meg Ryan in September. In October, the federal government commenced its longest shutdown in history, which only recently concluded. During this transitional period, the Division of Enforcement is likely working to align its priorities, case theories and remedies with the new SEC leadership. This alignment is critical for novel or “first-of-their-kind” matters, as the staff assesses the SEC’s position on new types of charges and relief before formally recommending action. Once the Division of Enforcement has clarity on the SEC’s direction, subsequent cases of a similar nature are expected to proceed more swiftly.

For public companies, the early signals suggest that the SEC will likely favor holding individuals responsible for misconduct, rather than pursuing large corporate settlements. As an example, on November 7 (during the government shutdown), the SEC charged the founder and CEO of a trade finance platform for engaging in a fraudulent scheme in connection with the company’s de-SPAC merger in 2020. The SEC alleged that the defendant overstated the amount of activity on the platform in order to induce the special purpose acquisition company (SPAC) investors to approve the merger, which generated $60 million for the defendant. Ultimately, the investors suffered “substantial losses” when the company’s stock price fell below $1 and all the public securities were acquired for $0.1 per share by a company owned and controlled by the defendant and the SPAC’s former CEO.

Insider trading – especially in biotech stock – has been a focus

Over the summer, the SEC charged a number of individuals for insider trading in biotech stock:

• In an August 7 complaint, the SEC alleged that an individual learned through his investment in a private biotech company that the private company was going to merge with a public biotech company. The individual purchased the public company’s stock in 15 accounts belonging to him and his family members. When the merger was announced, the price of the public company’s stock rose by 215%, resulting in approximately $160,000 in trading profits for the individual.
• In an August 18 complaint, the SEC alleged that two men traded in the stock of six public companies based on material nonpublic information (such as drug trial results and upcoming mergers) that their friend obtained as a consultant to pharmaceutical and biotech companies. The defendants made more than $500,000 through those trades.
• In an August 22 complaint, the SEC charged a former director of a biopharmaceutical company, along with his two family members and two friends, with insider trading ahead of a merger announcement. The defendants collectively made more than $500,000 in profit.

The price of biotech stock can fluctuate dramatically in response to clinical trial results, US Food and Drug Administration decisions and merger activities. This makes biotech companies particularly susceptible to insider trading. The SEC and the Financial Industry Regulatory Authority employ sophisticated surveillance tools to monitor trading patterns around significant corporate announcements, enabling regulators to detect suspicious trades. Given the SEC’s apparent focus on insider trading in the biotech sector, biotech companies should consider strengthening their insider trading compliance programs, including implementing appropriate blackout periods around major events.  

Foreign issuers will continue to face scrutiny

There is one notable exception to the SEC’s generally restrained approach to public company enforcement. Foreign issuers whose stock primarily trades on US stock exchanges will continue to be a focus of this SEC administration. As we explained in our October 28 blog post, the SEC has suspended securities trading of a number of Asia-based Nasdaq issuers due to suspected “pump and dump” schemes. The SEC appears to be closely coordinating with Nasdaq such that when the SEC suspension period expires, Nasdaq issues its own trading halt pending its request for information from these companies. In addition, as we discussed in our September 18 blog post, the SEC is expected to use its newly created Cross-Border Task Force to scrutinize foreign issuers and their disclosures to US investors. Therefore, foreign issuers should consider evaluating and enhancing their compliance programs, as well as ensuring the accuracy of their disclosures, to mitigate the heightened enforcement risks.

[1] The findings of the report are based on the Securities Enforcement Empirical Database (SEED), which tracks and records SEC enforcement actions against public companies and their subsidiaries based on data from the SEC’s website.

Atkins emphasized the SEC’s commitment to establishing a regulatory framework that promotes fairness, predictability and innovation while maintaining robust investor protections. The goal, he noted, is to move beyond ad hoc enforcement and offer a clear roadmap for market participants navigating the evolving crypto landscape.

From uncertainty to clarity

For the past decade, the SEC’s approach to crypto has focused on enforcement actions with only limited guidance or rulemaking, which has created a fog of uncertainty around the application of securities laws to crypto. 

The prior SEC administration’s focus on determining whether crypto assets themselves are investment contracts fundamentally misapplied the securities laws and US Supreme Court precedent, which focus on transactions and relationships between parties – not on an object. Yes, tokens can be sold as part of investment contract transactions. But investment contracts end – they don’t last forever just because a token is trading on a blockchain.

The flawed application of securities laws muddied the waters and ultimately hurt the US economy:

• Innovation flight: US projects relocating to friendlier jurisdictions offshore.
• Compliance chaos: Convoluted legal structures and pervasive litigation risk.
• Investor confusion: Uncertainty over what qualifies as a security.

Atkins made clear: That era is over. The objective now is to replace ambiguity with clarity, while continuing to pursue fraud and market manipulation aggressively.

Core principles of ‘Project Crypto’

Before outlining the details, Atkins introduced two guiding principles for the SEC’s crypto framework:

1. Form does not change substance: A stock remains a stock, whether represented on paper, through a DTCC entry or as a blockchain token.
2. Economic reality over labels: Calling something a “token” or a “non-fungible token (NFT)” does not exempt it from securities laws. Conversely, just because a token was part of a capital raise does not mean it is permanently a security.

Bottom line: Economic reality governs – labels do not.

Token taxonomy: Four buckets

Atkins previewed a classification framework for digital assets:

1. Digital commodities/network tokens: Decentralized, functional networks where value is not tied to managerial efforts – likely not securities.
2. Digital collectibles: NFTs and similar items purchased for enjoyment rather than profit, such as art, music, memes or in-game items – not securities.
3. Digital tools: Tokens providing access or credentials, such as membership passes or tickets. If sold for use rather than speculation, these are not securities.
4. Tokenized securities: Traditional financial instruments – such as stocks and bonds – issued on chain. These remain securities.

What’s next?

Atkins outlined the SEC’s roadmap:

1. Classification framework: Formal guidance on the four buckets, grounded in the Howey This will likely replace the Framework for Investment Contract Analysis, published in 2019.
2. Regulatory roadmap: Atkins outlined a vision for a regulatory framework that balances investor protection with innovation. In the coming months, and in alignment with legislation currently before Congress, the SEC is expected to consider a package of exemptions to create a tailored offering regime for crypto-assets that are part of or subject to an investment contract. The roadmap also emphasizes cross-agency coordination with the Commodity Futures Trading Commission (CFTC) and banking regulators, as well as alignment with congressional initiatives, to ensure a harmonized approach that supports innovation while maintaining market integrity.
3. Fraud enforcement: Atkins underscored that “fraud remains fraud,” and the SEC – alongside other regulatory bodies – will continue to take aggressive enforcement action against fraud, market manipulation and other illicit conduct. His warning was clear: “If you raise money by promising to build a network, and then take the proceeds and disappear, you will be hearing from us, and we will pursue you to the full extent of the law.” 

Why it matters

• Issuers: Begin mapping tokens to the new taxonomy.
• Trading platforms: Non-security tokens may gain a clear path to listing outside SEC-regulated venues.
• Investors: Expect greater transparency regarding what constitutes a security versus a collectible or utility token.

The big picture

Atkins’ remarks signal a pivotal shift in the SEC’s approach to digital assets – from “regulation by enforcement” to structured, predictable rules. For crypto innovators and investors, this represents a significant step toward clarity and stability in the US market.

Private companies are not immune from these risks. The anti-fraud provisions of federal securities laws apply to private companies, and the US Securities and Exchange Commission (SEC) has not shied away from pursuing private companies (as well as their officers and directors) for alleged fraud. The US Department of Justice (DOJ) also closely scrutinizes startups and their founders. And because of the relatively long statute of limitations for securities fraud (five years for SEC civil enforcement and six years for DOJ criminal prosecution), statements made to investors in a company’s early stages could trigger a government investigation years down the road. Moreover, the mere existence of an investigation – not to mention the company’s response and the investigation’s outcome – is highly relevant in due diligence when companies raise capital or pursue an exit. That means that officers and directors of startups should be mindful of what they say to investors and the public about their companies’ products and financial performance. Here are some ways to mitigate the risks of a government investigation for founders and private companies.

1. Use tenses carefully: Now versus later

Understandably, investors want to know what the company plans to achieve in the future. When communicating with investors, it is helpful to distinguish between what the company has and does today versus what it expects or aims to do tomorrow. Try to avoid ambiguous phrasing that implies current capabilities when you are describing roadmap items.

2. Double check the numbers in written materials

Make sure that any numbers you provide in pitch decks, press releases or other written materials are accurate and can be substantiated with supporting documents. If you include pro forma or illustrative figures, consider labeling them as such and keeping them separate from actual results. When announcing a financing round, be accurate about (i) the total round size targeted, (ii) the amount already closed and (iii) any remaining capacity for subsequent closings. Remember that statements about the company’s users, traffic or revenue are not just for marketing purposes – they could be treated as representations to investors, and any material inaccuracies could potentially lead to a securities fraud investigation.

3. Caveat forward-looking statements appropriately

When making forward-looking statements (such as those about expectations, goals and projections), it is best to clearly identify them as such and accompany them with appropriate cautionary language. For example, instead of saying, “We will reach $50 million in revenue next year,” consider, “We expect to reach $50 million in revenue next year, although risks and uncertainties could cause actual results to differ from our projection.” Better yet – identify the assumptions underlying your forward-looking statements and the risks that could lead to deviation from the goal.

4. Build projections in good faith

Financial projections should be prepared in good faith and grounded in defensible methodology and supporting data. Where feasible, consider offering investors access to the underlying model or a summary of key assumptions so they can understand the basis for the forecast. Apply the same discipline to any option-value estimates shared with prospective hires by using reasonable, supportable exit valuation ranges and other assumptions.

5. Provide accurate financial records to investors and the board

Consider engaging experienced accounting professionals early on to help maintain accurate records of the company’s financials. When communicating to investors about the company’s financials, make sure the information you provide aligns with the company’s stated accounting policies. If the provided financials are unaudited, you might consider noting that. Officers should provide regular updates to the board about the company’s financials. If material adjustments are required, explain them promptly to the board as well as to investors, who may otherwise rely on the inaccurate numbers.

6. Accurately describe third-party relationships

It is helpful to be precise when describing your relationships with customers, partners and other investors. Distinguish signed agreements from verbal interest, and avoid exaggerating the nature of the relationship. You may want to share a proposed description with the relevant third party for review. It is always a good idea to obtain consent from the third party before using its logos or attributing quotes.

7. Use raised funds as represented

While money is fungible, you may want to monitor what you tell investors about the use of proceeds and how the company actually spends them to help ensure accuracy. Where appropriate, consider informing investors of compensation paid to founders and high-level employees. Aim to maintain clear records tying expenditures to the stated purposes. If your plans change, document the rationale and update the board in a timely manner. Where appropriate, inform investors of the change of plan.

8. Where practicable, provide transparency into company performance

Consider setting a reasonable cadence for updates to investors, highlighting both progress and risks. It is helpful to provide visibility into key performance indicators and deviations from the plan (though avoid divulging proprietary or sensitive information about the business). Transparency strengthens credibility and instills investor confidence.

9. Enable effective board oversight

Having a well-functioning board is important to assure investors that your company is operating effectively. To help ensure the board can carry out its oversight role, officers should provide accurate and timely information to the board. In addition, consider sending important, time-sensitive updates to the board in real time, rather than waiting for the next board meeting.

10. Be careful with statements about the use of AI

It is important not to overstate the company’s use of cutting-edge technology, such as artificial intelligence (AI). Both the SEC and DOJ have pursued companies and their principals who allegedly misled investors about the use of AI technology (known as AI-washing). Consider reviewing your representations about your company’s AI capabilities, especially statements used in fundraising activities.

The task force is one of several recent SEC initiatives focused on foreign-based companies. Most recently, the SEC temporarily suspended trading in the securities of nine foreign-based issuers listed on Nasdaq suspected of market manipulation. Notably, as the SEC trading suspensions expire, Nasdaq has been announcing that the trading of these issuers’ securities continue to be halted “for additional information requested from the company.” In June, the SEC indicated it is considering tightening eligibility for accommodations available to foreign issuers. In August, the SEC announced a settled enforcement action against a British security-based swap dealer for failing to comply with U.S. securities laws, either directly or through substituted compliance. Taken together, these developments indicate that foreign companies participating in the U.S. capital markets should anticipate heightened SEC oversight and enforcement in the coming years.

Recent trading suspension orders against foreign-based issuers

A recent uptick in temporary trading suspensions reflects the SEC’s increased scrutiny of foreign-based issuers. Section 12(k) of the Securities Exchange Act of 1934 (Exchange Act) grants the SEC broad authority to suspend trading in any security for up to 10 business days if it believes doing so protects investors and serves the public interest. The SEC suspends trading when the staff identifies suspicious trading activity that poses an imminent risk to investors, such as during the “pump” phase of a suspected “pump and dump” scheme. After the suspension ends, exchange-listed securities can resume trading immediately.[1] However, SEC enforcement staff often continue to investigate the potential misconduct after the trading suspension is lifted, and after the investigation is completed may bring an action alleging violations of the securities laws against the individuals and/or entities involved.

Between September 26 and October 22, 2025, the SEC issued orders suspending the trading on Nasdaq of nine Asia-based companies due to suspected social-media-driven schemes to inflate price and volume. While the SEC’s authority to suspend trading is limited to 10 business days, Nasdaq is able to effectively extend that period of time by conducting its own investigation. Indeed, thus far, once the trading suspensions ordered by the SEC in this time period have expired, Nasdaq has announced that trading in the stock will “remain halted” until the issuer “has fully satisfied Nasdaq’s request for additional information.” This signals a coordinated and effective effort by the SEC and Nasdaq to keep the stock from trading in the U.S. pending the issuer’s ability to satisfy the concerns that led to the suspension. It is currently unclear if the issuers are engaging with Nasdaq and providing the requested information. Even if they are, they may not successfully satisfy Nasdaq to have the trading halts lifted. If the issuers do not satisfy Nasdaq’s requests, trading in the stock will remain halted long term and the stock could eventually be delisted. In the meantime, the SEC’s Enforcement Division is likely also investigating the suspected market manipulation that led to the trading suspensions, and enforcement actions could follow.

The uptick in trading suspensions is notable given their relative scarcity in the last few years: two in 2024, four in 2023 and two in 2022. Moreover, seven of the recent trading suspensions were issued during the government shutdown, when the SEC was operating with limited staffing. These circumstances underscore that this area is a top priority for the current administration.

SEC’s concept release on foreign private issuer eligibility

As discussed in this June 10 Cooley client alert, the SEC is considering amendments to the definition of a “foreign private issuer” (FPI). Under current rules, a non-government foreign issuer can qualify as an FPI if either (1) no more than 50% of its outstanding voting securities are held by U.S. persons, or (2) it lacks sufficient U.S. contact under a three-part test that considers the domicile of directors and officers, the location of assets and the principal place of business. FPIs benefit from accommodations not available to U.S. domestic issuers, including extended annual reporting deadlines, reduced current reporting, and exemptions from quarterly reporting and Section 16 reporting, among others.

The SEC established the foundation of the current FPI definition in 1983 and last amended it in 1999. At the time, FPIs were most commonly incorporated and headquartered in Canada and the UK. The SEC anticipated that such issuers would be subject to meaningful home-jurisdiction regulatory and disclosure regimes, and the FPI framework was designed to avoid the burdens of duplicative or conflicting requirements.

The population of FPIs has since changed markedly. As the SEC noted in its concept release, the most prominent changes are the jurisdictional makeup and primary trading market of the FPIs:

• While the FPIs in the early 2000s were concentrated in Canada and the UK, by 2023, the most common jurisdiction of incorporation for FPIs was the Cayman Islands, and the most common jurisdiction of headquarters was China.
• The proportion of FPIs with differing jurisdictions for incorporation and headquarters increased from 7% in 2003 to 48% in 2023, in part driven by China-based issuers incorporated in offshore jurisdictions.
• The proportion of FPIs with securities traded almost exclusively in the U.S. increased steadily, from less than 15% in 2004 to 55% in 2023.

The SEC observed that this population shift raises the concern that current FPIs are not “subject to meaningful disclosure requirements and oversight outside of the United States,” and the trend “may have resulted in less information” being made available to U.S. investors.

In his remarks at the Investor Advisory Committee meeting on September 18, SEC Chair Paul Atkins stated that the “current standard for extending special accommodations to foreign companies” no longer “make[s] sense” given the “significant changes to the population of foreign companies listed in the United States.” He emphasized that the SEC is not trying to “disincentivize” foreign companies from listing in the U.S.; rather, the SEC’s objective is to protect U.S. investors.  

The concept release outlined several potential amendments to the FPI definition, including revising the existing eligibility tests, imposing a foreign trading volume requirement, requiring FPIs to be listed on a “major foreign exchange,” incorporating an SEC assessment of foreign regulation applicable to the FPI, establishing a new mutual recognition system, or adding an international cooperation arrangement requirement. If the SEC narrows the FPI definition, a number of foreign-based companies would likely lose their FPI status and accommodations. Those companies would likely face more frequent and expansive disclosure obligations, potentially leading to higher noncompliance and enforcement risks.

Enforcement action against UK-based company for compliance failures

A recent enforcement action further underscores the SEC’s scrutiny of non-U.S. market participants, including those in jurisdictions with comparable regulatory regimes. On August 6, 2025, the SEC announced settled charges against MUFG Securities EMEA, a UK-based security-based swap dealer (SBSD). The SEC permits non-U.S. SBSDs to satisfy certain requirements under the Exchange Act by complying with comparable requirements in their home jurisdiction. The SEC alleged that when MUFG registered with the SEC as an SBSD in 2021, it elected for substituted compliance with UK rules for certain recordkeeping, financial reporting and compliance requirements. However, MUFG allegedly failed to comply with those requirements, including calculating and recording quarterly “net liquid assets,” making financial disclosures publicly available on its website and submitting an annual compliance report to the SEC.

As a result of its noncompliance with the comparable UK requirements, MUFG was obligated to comply directly with the Exchange Act, and it failed to do so. The SEC also alleged that MUFG failed to establish written compliance policies that would have prevented these failures or a robust risk management system adequate for managing its business. To settle the charges, MUFG agreed to pay $9.8 million and engage in undertakings related to a compliance consultant’s comprehensive review of its compliance program.

The case serves as a reminder that electing substituted compliance is not a substitute for compliance. A foreign SBSD that elects, but then fails, to comply with home-jurisdiction requirements must comply directly with U.S. securities laws – and the SEC has shown it will enforce that obligation.

Key takeaways

• The SEC has stepped up enforcement actions against non-U.S. market participants (including through the Cross-Border Task Force) and issued several trading suspensions of Asia-based issuers whose securities traded on Nasdaq.
• The SEC is considering narrowing the FPI definition, which could remove FPI accommodations for some foreign companies and subject them to more frequent and expansive U.S. disclosure obligations.
• These recent developments make clear that cross-border enforcement is a top priority of the SEC. As a result, foreign companies seeking access to U.S. capital markets should consider reassessing and enhancing their compliance programs and ensure the accuracy of their disclosures to address the increased risk of enforcement.

[1] For over-the-counter (OTC) securities, however, broker-dealers generally may not solicit transactions until they have satisfied certain regulatory requirements, including reviewing and confirming that current information about the company and its financials is publicly available.

This announcement – the first major enforcement initiative announced under Atkins – follows a similar action by the U.S. Department of Justice (DOJ), which recently announced the formation of a cross-agency Trade Fraud Task Force to “identify and combat trade fraud that threatens [U.S.] economic and national security interests,” discussed in our September 12 blog post. As noted in our April 7, May 8 and June 11 blog posts, cross-border fraud enforcement has become one of DOJ’s, and now the SEC’s, top priorities. Companies with global supply chains should consider strengthening their compliance programs to mitigate criminal and civil enforcement risks.

Task force continues SEC’s focus on China

In its press release, the SEC emphasized that the task force will focus on companies from foreign jurisdictions where “governmental control and other factors pose unique investor risks,” specifically mentioning China. This focus is in line with the May 12, 2025, memorandum issued by Acting Assistant Attorney General Matthew R. Galeotti, announcing that DOJ’s Criminal Division will focus on alleged fraud perpetrated by Chinese-affiliated companies listed on U.S. exchanges.

The task force announcement comes on the tail of recent SEC investigations and enforcement actions involving Chinese companies listed on U.S. markets. For example, Didi Chuxing, a Chinese ride-hailing company, was the subject of an SEC investigation following its initial public offering (IPO). Two days after the IPO, Chinese regulators announced a cybersecurity investigation into Didi, leading U.S. regulators to question Didi’s disclosures surrounding the IPO. In May 2022, Didi stated that it was cooperating with the SEC’s investigation and making plans to delist from the New York Stock Exchange (NYSE).

More recently, on February 6, 2024, the SEC announced it had settled accounting fraud charges against Cloopen Group Holding Limited, a China-based provider of cloud communications products and services whose American depositary shares formerly traded on the NYSE. After its external auditor identified potential accounting errors in the company’s year-end audit, Cloopen promptly conducted an internal investigation and determined that two senior managers had orchestrated a fraudulent scheme to prematurely recognize revenue on contracts for which Cloopen either had not completed or not started work. Cloopen self-reported its accounting issues within a few days of starting its internal investigation, cooperated “extensively” with the SEC’s investigation and took prompt remedial measures, and the SEC ultimately decided not to impose civil penalties.

These recent investigations and settlements emphasize the importance of fulsome and accurate disclosures, as well as robust internal compliance structures and processes to help companies detect and address misconduct. Our April 2024, August 2024 and October 2024 blog posts provide additional guidance on creating strong internal compliance controls.

Task force emphasizes auditors and underwriters

The task force also will focus on “gatekeepers,” including auditors and underwriters, who facilitate foreign companies’ access to U.S. capital markets. This again follows the SEC’s long-running focus on audit quality in foreign countries. On August 26, 2022, former SEC Chair Gary Gensler announced that the Public Company Accounting Oversight Board (PCAOB) had signed a Statement of Protocol with the China Securities Regulatory Commission and the Ministry of Finance of the People’s Republic of China “governing inspections and investigations of audit firms based in China and Hong Kong.” The agreement provided “standards against which to judge whether auditors of Chinese issuers have complied with the requirements of U.S. law, including PCAOB accounting standards.”

Given this continued emphasis on gatekeepers, U.S.-based auditors and underwriters doing business with foreign companies, as well as foreign companies seeking access to U.S. markets, should continue to ensure compliance with all relevant U.S. accounting standards.

Task force consolidates SEC investigative and enforcement resources

In announcing the task force, the SEC emphasized the collaboration of several divisions across the Commission, including the Division of Enforcement, Division of Corporate Finance, Division of Examinations, Division of Economic and Risk Analysis, Division of Trading and Markets, and Office of International Affairs, “to consider and recommend other actions that would better protect U.S. investors, including new disclosure guidance and any necessary rule changes.” Companies should expect further guidance and regulatory action resulting from this cross-agency cooperation.

Key takeaways

• The SEC has made cross-border fraud a top investigative and enforcement priority. Its new Cross-Border Task Force will consolidate SEC investigative efforts to combat transnational fraud.
• The task force is placing a strong emphasis on foreign-based companies, auditors and underwriters who facilitate foreign access to U.S. capital markets, and companies from foreign countries where “governmental control and other factors pose unique investor risks.”
• As such, foreign companies seeking access to U.S. capital markets, or U.S.-based companies facilitating that access, should consider evaluating and updating their compliance programs to mitigate the heightened government investigation and enforcement risk. In addition, companies should consider reviewing their internal reporting systems to ensure that whistleblower complaints will be heard and investigated.

As previously noted in our April 7, May 8 and June 11 blog posts, trade fraud enforcement has become one of DOJ’s top priorities. Companies with global supply chains should consider strengthening their compliance programs to mitigate criminal and civil enforcement risks.

Task force will pursue both civil and criminal penalties 

The new task force is positioned to pursue both civil and criminal enforcement against parties that engage in trade fraud. On the civil side, this may include actions under the FCA and the Tariff Act of 1930. As we noted previously, there are significant risks for liability under the FCA, which provides for a penalty of up to $28,619 for each false claim and allows the government to collect restitution of up to three times the amount of unpaid tariffs.

DOJ’s press release highlighted four civil settlements since March that involved allegations of improperly evaded customs duties. The settlement amounts totaled $32.2 million and involved a range of products, including multi-layered wood flooring, plastic resin, extruded aluminum products and quartz surface products.

In addition to civil enforcement, the task force will also pursue criminal prosecutions under Title 18’s trade fraud and conspiracy provisions. In July, DOJ officials stated that the Criminal Division’s major frauds unit was shifting resources to trade enforcement and was expected to add “significant personnel” from other DOJ divisions. The larger group would be renamed “the market, government, consumer fraud unit” and is expected to “focus on trade fraud and other white-collar crimes affecting investors and consumers.” As we noted previously, criminal prosecution of tariff evasion is not a speculative risk, and the risk is only expected to increase as DOJ intensifies its focus on trade enforcement.

DOJ encourages referrals from whistleblowers

In its press release, DOJ emphasized the importance of industry cooperation and whistleblower participation in identifying and addressing trade fraud schemes and made clear that the task force “welcomes” domestic companies to blow the whistle on their competitors’ unfair trade practices. As we previously discussed, DOJ’s Criminal Division revised its Whistleblower Awards Pilot Program in May to expand the program’s subject matter areas, which now include trade fraud.

The DOJ whistleblower program and the FCA’s qui tam provisions provide strong financial incentives for whistleblowers to report alleged tariff evasion. Indeed, three of the four settlements highlighted in the DOJ press release were qui tam actions brought by whistleblowers (two former employees and one competitor).

DOJ willing to reward self-disclosure and cooperation

Consistent with its long-standing policy of incentivizing self-disclosure, cooperation and remediation, DOJ has indicated a willingness to reduce penalties for companies that take steps to meet its leniency requirements. In one of the four FCA settlements highlighted in the DOJ press release, the company received credit for its “significant” efforts around self-disclosure, cooperation and remediation. Specifically, DOJ noted that the company made a “timely voluntary self-disclosure of the potential violations,” performed a “thorough and independent internal investigation,” preserved and disclosed “facts not known to the government but relevant to its investigation,” conducted “an analysis of potential damages” that it shared with the government, and undertook “remedial actions” that included “disciplining personnel and making improvements to compliance procedures.”

Key takeaways

• DOJ has made trade enforcement a top priority. Its new Trade Fraud Task Force will pursue both civil and criminal enforcement actions against individuals and companies that engage in tariff evasion.
• The task force is placing a strong emphasis on whistleblower participation, particularly from domestic companies that have allegedly been harmed by their competitors’ suspected trade fraud.
• As such, companies with global supply chains should consider evaluating and updating their compliance programs to mitigate the heightened government investigation and enforcement risk. In addition, companies should consider reviewing their internal reporting systems to ensure that whistleblower complaints will be heard and investigated.

Background

This case arose from a high-profile bribery scandal involving FirstEnergy and former Ohio House Speaker Larry Householder, who was eventually sentenced to 20 years in prison. In response to a Department of Justice subpoena – which was quickly followed by investigations by other state and federal regulators and eight lawsuits relating to the bribery allegations – FirstEnergy and its board hired two outside law firms to conduct internal investigations.

During discovery in a related securities class action, the plaintiffs moved to compel FirstEnergy to produce all materials related to the internal investigations, claiming that those materials were not entitled to attorney-client privilege or work-product protection because they were meant to serve “business purposes.” The district court – affirming a special master’s conclusions – granted the plaintiffs’ motion to compel, finding that FirstEnergy had not shown that the internal investigations were conducted in anticipation, or as a result, of litigation rather than for business or employment-related purposes.

FirstEnergy petitioned the Sixth Circuit to overturn the district court’s decision and to stay the discovery order pending the resolution of its mandamus petition. Thirty-nine leading law firms, 11 corporate and ethics scholars, and several legal and business groups filed amicus briefs in support of FirstEnergy.

Sixth Circuit granted discovery stay

In a significant victory for FirstEnergy, the Sixth Circuit granted the discovery stay pending a decision on the company’s mandamus petition, in a decision that is highly relevant for companies concerned about the disclosure of privileged materials. The Sixth Circuit held that FirstEnergy demonstrated that the internal investigation materials are likely privileged because FirstEnergy retained the two law firms in the wake of government investigations and civil lawsuits, and that FirstEnergy “sought and received its counsels’ advice through the investigations.” Accordingly, the court concluded that the law firms’ work “resulted in precisely the kinds of communications” that would be protected by attorney-client privilege under Upjohn v. United States. The Sixth Circuit agreed with FirstEnergy and the amici that the district court erred in focusing on FirstEnergy’s dual motivation for retaining the two law firms and the fact that the company “also used [counsels’] advice for business purposes.” Characterizing the district court’s reasoning as “backwards,” the Sixth Circuit held that, “[w]hat matters for attorney-client privilege is not what a company does with its legal advice, but simply whether a company seeks legal advice.” As the court pointed out, “a corporation could hardly justify expending resources on legal advice that wasn’t business-related.”

The Sixth Circuit likewise held that the internal investigations were likely protected by the work-product doctrine. The court rejected the district court’s reasoning that the internal investigations were not “performed in anticipation of litigation” and would have occurred in “substantially the same manner for business purposes,” pointing to the “onslaught of civil and criminal investigations” that prompted the company’s actions.

Key takeaways

• The Sixth Circuit’s order, though temporary pending resolution of the mandamus petition, suggests that the Sixth Circuit will continue to allow the attorney-client privilege and work-product protections to apply to documents and communications generated in the course of an internal investigation.
• The court clarified that the motivation for initiating an internal investigation is irrelevant to the determination of privilege – what matters is whether the company sought legal advice.
• The court also affirmed the application of the work-product doctrine to dual-purpose documents – i.e., those that were created in anticipation of litigation and also served business purposes.

The memo states that entities receiving federal funds – like all entities subject to antidiscrimination laws – must not discriminate on the basis of protected characteristics. Issued soon after the launch of the US Department of Justice (DOJ) Civil Rights Fraud Initiative, which aims to use the False Claims Act to pursue claims against federal fund recipients that violate federal antidiscrimination law, the memo details various practices that it considers unlawful and that could result in revocation of federal grant funding. According to the memo, federal funding recipients, such as educational institutions, local and state governments, and public employers, may also be held liable for discrimination if they “knowingly fund the unlawful practices of contractors, grantees, or other third parties.” The guidance also contains nonbinding best practices as “practical recommendations to minimize the risk of violations” of federal antidiscrimination laws and states that all entities subject to federal antidiscrimination laws, including private employers, should review programs to ensure compliance with the law.

The memo lists five ways programs and policies may result in unlawful discrimination:

1. Granting preferential treatment based on protected characteristics

The memo states that preferential treatment occurs when recipients of federal funds provide “opportunities, benefits, or advantages” to individuals or groups based on protected characteristics, thereby disadvantaging similarly qualified individuals. Such practices are generally unlawful unless they meet narrow exceptions.

Examples of preferential treatment in the memo include:

• Race-based scholarships or programs, internships, mentorship programs or leadership initiatives that reserve spots for specific racial groups (e.g., scholarship funding available only to students of a certain race).
• Hiring or promotion practices that prioritize “underrepresented groups” over equally qualified candidates, “where the preferred ‘underrepresented groups’ are determined on the basis of a protected characteristic like race.”
• Restricting access to facilities or resources based on race or ethnicity (e.g., designating “safe spaces” for a specific race or ethnic group).

2. Using ‘proxies’ for protected characteristics

The memo also addresses the use of “unlawful proxies,” which it defines as intentional use of “ostensibly neutral criteria that function as substitutes for explicit consideration of” protected characteristics like race or sex. According to the DOJ, these practices are deemed unlawful when facially neutral criteria are “selected because they correlate with, replicate, or are used as substitutes for protected characteristics” or are “implemented with the intent to advantage or disadvantage individuals based on protected characteristics.”

Examples provided in the memo include:

• Using “cultural competence” requirements, such as requiring applicants to demonstrate “lived experience” or “cross-cultural skills” in ways that, in effect, evaluate an applicant’s racial or ethnic backgrounds, rather than objective qualifications, or using selection criteria that advantage candidates who have experiences the employer associates with certain racial groups.
• Geographic or institutional targeting, such as recruitment strategies targeting specific geographic areas, institutions or organizations because of their racial or ethnic composition rather than other legitimate factors.
• Narratives or “diversity statements,” such as requiring applicants to describe obstacles they have overcome, when such statements are used as a proxy for providing advantages based on protected characteristics.

3. Segregation based on protected characteristics

Segregation based on protected characteristics occurs when organizations separate or restrict access to programs, activities or resources – like training sessions – by race, sex or other protected traits. The memo states that such practices will be viewed as violating federal law, even if they are intended to promote inclusion or address past inequities.

Examples of unlawful segregation include:

• Race-based training, such as when a DEI training session separates participants by race.
• Segregation in facilities or resources based on protected characteristics, even if done to create “safe spaces” (e.g., university study areas intended only for members of particular racial or ethnic communities).
• Programs that exclude qualified participants based on protected characteristics.

Although segregation is usually prohibited, the DOJ notes exceptions for sex-separated sports and intimate spaces, such as bathrooms, showers, locker rooms and dormitories. It notes that if federally funded institutions allow “males, including those who self-identify as ‘women,’ to access single-sex spaces designed for females,” it undermines the “privacy, safety, and equal opportunity of women and girls.” Federally funded organizations are advised to maintain “sex-based boundaries rooted in biological differences” to comply with federal law and safeguard rights. The memo cautions that failing to segregate in these instances risks creating a hostile work environment under Title VII or violating Title IX.

Organizations should note, however, that many state and city antidiscrimination laws require employers to permit employees to use multi-occupancy facilities, including bathrooms, that are consistent with their gender identity.

4. Using protected characteristics as candidate selection criteria

The memo also states that using protected characteristics, such as race or sex, to select candidates for employment, for awarding contracts or for program participation is unlawful. Significantly, this includes the following commonly used practices:

The memo also states that using protected characteristics, such as race or sex, to select candidates for employment, for awarding contracts or for program participation is unlawful. Significantly, this includes the following commonly used practices:

• “Diverse slate” requirements, including mandating a minimum number of candidates from specific racial groups, setting demographic benchmarks or requiring representation in candidate pools.
• Prioritizing contracts for women- or minority-owned businesses or using sex or race as a primary selection factor.
• Internships, scholarships, fellowships or leadership programs that use race, sex or other protected traits as selection criteria.

5. Training programs promoting discrimination or hostile work environments

The memo also discusses DEI training programs that “through their content, structure, or implementation” “stereotype, exclude, or disadvantage individuals based on protected characteristics or create a hostile work environment.”

For example, trainings that “single out, demean, or stereotype individuals based on protected characteristics” are unlawful, such as those that include statements such as “all white people are inherently privileged” or “toxic masculinity.” Likewise, trainings that impose penalties for dissent could result in discriminatory treatment and lead to hostile work environments.

On the flip side, the memo notes that federal law permits trainings that are focused on unlawful workplace discrimination and do not “single out particular groups as inherently racist or sexist.”

Best practices recommendations

The memo outlines the following recommendations on best practices and urges entities to review all programs and policies to ensure compliance with federal law:

• Inclusive access: Make all programs and resources available to qualified individuals, regardless of protected characteristics, and avoid titles that may be perceived as limiting access based on race or ethnicity. (The memorandum states, however, that some sex separation “is necessary where biological differences implicate privacy, safety or athletic opportunity.”)
• Skills-based selection: Base decisions on specific, role-related skills and qualifications. If criteria like socioeconomic status, first-generation status or geographic diversity are considered, ensure their use is justified on grounds unrelated to conferring an advantage based on a protected characteristic.
• Avoid demographic targets: Eliminate programs and selection criteria designed to achieve specific demographic representation.
• Document criteria rationale: If using selection criteria that may correlate with protected characteristics, clearly document the legitimate, nondiscriminatory reasons for using that criteria and apply those rationales consistently. For example, if applicants are asked to describe “obstacles they have overcome” or submit a “diversity statement,” institutions and employers should document that this information is used to assess neutral attributes such as resilience or perseverance.
• Review neutral criteria: Ensure that facially neutral criteria are not indirectly serving as proxies for protected characteristics. As an example, the memo states that “a program targeting ‘low-income students’ must be applied uniformly without targeting areas or populations to achieve racial or sex-based outcomes.”
• No diversity quotas: Remove any diversity quotas from programs or policies, including any requirements that a specific protected group be represented in candidate pools, hiring panels or final selections.
• Open trainings: Ensure all qualified individuals can participate in training programs. Avoid segregating groups or requiring agreement with particular beliefs based on protected characteristics.
• Nondiscrimination clauses: Include nondiscrimination clauses in all vendor and third-party contracts, monitor for ongoing compliance and terminate funding for noncompliant programs.
• Anti-retaliation measures: Establish anti-retaliation procedures and safe reporting mechanisms, including in employee handbooks and program guidelines. Provide confidential, accessible channels for individuals to report concerns about unlawful practices.

Next steps

The memo demonstrates the ever-increasing regulatory scrutiny from the DOJ toward recipients of federal funding, such as educational institutions, government contractors and other organizations. These entities should proactively review and audit all DEI policies, programs and initiatives, in conjunction with counsel, in light of the way the DOJ views antidiscrimination statutes.

While this memo highlights that grant recipients may jeopardize their federal funding by engaging in certain “unlawful” practices, it is important to note that this memo applies broadly to all entities subject to federal antidiscrimination laws and reflects the current administration’s approach to enforcing such laws. Further, notwithstanding the DOJ memo, there remains a body of case law and competing state laws related to DEI practices that may present challenges for companies seeking to comply with the federal guidance.

In connection with the takedown results, DOJ stressed the scope of the government’s commitment to this enforcement area, calling it a “whole-of-government approach to combating health care fraud.” And, in related remarks, Matthew Galeotti, head of DOJ’s Criminal Division, made clear that the industry should expect to be closely scrutinized going forward, stating, “This takedown represents the largest health care fraud takedown in American history. But it’s not the end – it’s the beginning of a new era of aggressive prosecution and data-driven prevention.”

At the same time, DOJ’s announcement about the working group also emphasized a tool from President Donald Trump’s first administration – “(c)(2)(A) dismissals.” This refers to the government’s authority to seek dismissal of a whistleblower complaint (a qui tamaction) based on various considerations, including whether the action is meritless or interferes with an agency’s policies. The working group’s mandate includes consideration of such dismissals, which may suggest an increased willingness to exercise DOJ’s authority to curb qui tamactions that “do not serve the interests of the United States.”

DOJ-HHS False Claims Act Working Group

On July 2, DOJ announced a DOJ-HHS False Claims Act Working Group focused on combating healthcare fraud. This effort reflects DOJ and HHS’s “long history of partnering” and “ongoing collaboration” on False Claims Act (FCA) cases related to healthcare fraud. Indeed, a working group between DOJ and HHS was formed at the end of Trump’s first administration, with the goal of targeting fraud related to funds HHS administered in connection with the COVID-19 pandemic. In contrast, the latest iteration of the working group is charged with “expedit[ing] ongoing investigations” and “identify[ing] new leads” in certain other priority areas related to healthcare.

The group also will focus on FCA priorities specified in a memo issued by DOJ on June 11, including “Combatting Discriminatory Practices and Policies” (targeting diversity, equity and inclusion programs) and “Protecting Women and Children” (targeting gender transition care).

DOJ’s announcement makes clear that the administration “is fully committed to supporting” the working group and notes that the group urges “whistleblowers to identify and report [FCA] violations” in priority enforcement areas. As part of the group’s work, HHS is charged with making referrals to DOJ of potential FCA violations related to priority areas and will use “enhanced data mining and assessment of HHS and HHS-OIG report findings” to identify leads.

The group also will discuss “whether HHS should implement a payment suspension pursuant to 42 C.F.R. § 405.370 et seq.” and “whether DOJ shall move to dismiss a qui tam complaint under 31 U.S.C. § 3730(c)(2)(A), consistent with Justice Manual Section 4-4.111,” which recognizes that some qui tam actions could be “meritless” or “parasitic.” Trump’s first administration saw a significant uptick in such dismissals. In early 2018, DOJ issued a memo that set forth certain considerations for moving to dismiss qui tamactions, which were later incorporated into the Justice Manual. Following the memo, the rate of government-initiated dismissals of FCA actions substantially increased: In the 30 years preceding the memo, the government moved to dismiss only about 45 cases, while in the two years following the memo, it moved to dismiss about 50. The working group’s involvement in considering dismissal decisions may suggest an increase in the government’s use of its authority to seek dismissal of qui tam complaints.

The working group will be co-led by the HHS General Counsel, Chief Counsel to the HHS Office of Inspector General (HHS-OIG) and the Deputy Assistant Attorney General of the Commercial Litigation Branch. Its membership will include leadership from the HHS Office of General Counsel, Centers for Medicare & Medicaid Services’ Center for Program Integrity, Office of Counsel to HHS-OIG and DOJ’s Civil Division, in addition to designees from US Attorneys’ Offices.

Largest-ever national healthcare fraud takedown

Just days before the new FCA working group was announced, DOJ released results from its 2025 National Health Care Fraud Takedown, which Galeotti described as “the largest coordinated health care fraud takedown in the history of the Department of Justice.” DOJ’s Health Care Fraud Unit coordinated the takedown, which was a cross-agency effort including US Attorneys’ Offices, HHS-OIG, Federal Bureau of Investigation (FBI) and Drug Enforcement Agency, among others.

As part of the takedown, 324 defendants were criminally charged for alleged participation in healthcare fraud schemes to the tune of more than $14.6 billion in intended loss. To demonstrate the “significant return on investment that results from health care fraud enforcement efforts,” DOJ also emphasized the related seizure of more than $245 million in “cash, luxury vehicles, cryptocurrency, and other assets.” An additional 20 defendants faced civil charges related to more than $14 million in alleged fraud, and another 106 defendants entered civil settlements of more than $34 million.

The types of fraud targeted by the takedown included the alleged submission of fraudulent claims to Medicare, Medicaid and private insurance companies, including claims related to alleged fraudulent wound care and telemedicine and genetic testing schemes, as well as the alleged illegal diversion of prescription opioids and other controlled substances.

In related remarks, Galeotti emphasized several key points about the sprawling takedown. Galeotti discussed the “disturbing trend of transnational criminal organizations” engaging in “sophisticated and complex” healthcare fraud schemes and reported that defendants from multiple foreign countries were charged as part of the takedown. He also noted that 74 of the defendants, some of whom were medical professionals, were charged in connection with opioid-related schemes.

Looking ahead, Galeotti announced the creation of a Health Care Fraud Data Fusion Center to “revolutionize how we detect, investigate, and prosecute health care fraud.” As DOJ explained, the center will “leverage cloud computing, artificial intelligence, and advanced analytics to identify emerging health care fraud schemes.” This coordinated effort will involve experts from DOJ’s Criminal Division, Fraud Section and Health Care Fraud Unit Data Analytics Team, as well as HHS-OIG, FBI and other agencies to “increase efficiency, detection, and rapid prosecution of emerging health care fraud schemes.”

Takeaways

Companies and individuals in the healthcare industry may expect to see aggressive and coordinated healthcare fraud enforcement, particularly in certain priority areas. In addition to government-initiated actions, given that whistleblowers have been expressly encouraged to come forward, companies should be mindful of the financial incentives available to whistleblowers (through both the FCA and DOJ’s Whistleblower Rewards Pilot Program) and consider evaluating and strengthening compliance programs and internal reporting structures. It is also worth noting that the new working group will consider DOJ’s authority to seek dismissal of qui tamsuits that do not serve the government’s interests – and based on the first Trump administration, we may see increased use of that authority.       

Referrals for criminal prosecution

While it is widely known that the CFPB administers and civilly enforces federal consumer financial laws, some regulations issued by the CFPB under these laws carry criminal penalties. The CFPB may refer alleged violations of criminal regulatory offenses to the DOJ for prosecution. The policy statement indicates that, in doing so, the CFPB will consider the following four factors – among others – when exercising discretion in referring criminal regulatory offenses to the DOJ:

• The harm or risk of harm caused by the alleged offense.
• The potential gain to the putative defendant that could result from the offense.
• Whether the putative defendant held specialized knowledge, expertise or an industry license related to the regulation at issue.
• Evidence of the putative defendant’s general awareness of the unlawfulness of its conduct as well as its knowledge of the regulation at issue.

By May 9, 2026, the CFPB will submit to the director of the Office of Management and Budget (OMB), in consultation with the attorney general, a report listing all criminal regulatory offenses enforceable by the CFPB or DOJ, along with the range of potential criminal penalties for a violation of each offense and the applicable mens rea standard for the offense.

When weighing whether to refer a criminal regulatory offense to the DOJ, the CFPB will consider whether the contemplated criminal offense is on the list. This report will be updated on at least an annual basis and made publicly available on the CFPB’s website.

Historically, the CFPB has referred cases to the DOJ for criminal prosecution when such cases involve egregious conduct. For example, in 2013, the DOJ charged the owner and employees of a debt relief company with conspiracy to commit mail and wire fraud – the “first-ever criminal charges based on [CFPB] referral.” In that case, the defendants orchestrated a multimillion-dollar fraud scheme that convinced more than 1,200 “debt-ridden individuals” to pay for debt settlement services, and the defendants “never paid a penny to the customers’ creditors.” Similarly, in 2017, a jury in the US District Court for the Southern District of New York convicted the principal of a payday lending enterprise of wire fraud, aggravated identity theft, and violations of the Racketeer Influenced Corrupt Organizations Act and the Truth in Lending Act, following a civil action brought by the CFPB. The defendant in that case “systematically evaded state usury laws in order to charge illegally high interest rates,” and issued payday loans to consumers who never sought them.

Evaluation of mens rea

EO 14294 calls for each federal agency to examine whether the agency’s statutory authorities allow it to adopt a “background” or default mens rea standard for criminal regulatory offenses. The CFPB will assess, in consultation with the attorney general, whether it can adopt a default mens rea standard. In addition, the CFPB will submit a report to the OMB director assessing whether the applicable mens rea standards for criminal regulatory offenses are appropriate. If necessary, the CFPB also will present a plan to change the applicable mens rea standards to a generally applicable standard and provide a justification for each criminal regulatory offense for which the CFPB plans to deviate from the default standard.

Future rules and notices of proposed rulemaking

Finally, the CFPB will coordinate with the DOJ to draft a statement to be included in all future notices of proposed rulemaking (NPRMs) and final rules that carry a criminal penalty. The statement will indicate that the proposed or final rule is a criminal regulatory offense and will cite the authorizing statute for that penalty. Additionally, all NPRMs and final rules will include the mens rea requirement for each element of the offense.

Looking ahead

While the CFPB has used its criminal referral authority in the past in more limited fashion, the rhetoric of the last administration – labeling companies “repeat offenders” for even minor missteps, emphasizing “illegal” conduct for technical regulatory violations and targeting individuals for enforcement actions – caused much anxiety about the subjectivity and discretion in the CFPB’s reach. While there are many reasons we expect to see a decrease in CFPB activity all around, because the EO’s stated policy is that strict liability offenses are “generally disfavored,” it is possible that this process may result in changes to enforcement of certain statutory violations. Moreover, because so many of the laws applicable to financial institutions were written without contemplation of evolving technology, consumer behavior and industry practices, providing clarity behind the analysis and decision-making process will provide companies with helpful context when evaluating their own risk.

The case serves as a reminder that violations of the CPSA could result in not only civil penalties, but also criminal prosecution of individual executives and employees. In light of these developments, companies should consider evaluating and enhancing their regulatory compliance and CPSA reporting programs, as well as training their employees and executives on CPSA reporting obligations.

Background

Section 15(b) of the CPSA imposes an affirmative reporting requirement on manufacturers, retailers, importers and distributors of consumer products. Companies must promptly notify the Consumer Product Safety Commission (CPSC) when they obtain information that reasonably supports the conclusion that a product contains a defect that could create a substantial product hazard or poses an unreasonable risk of serious injury or death. Failure to timely report the information can result in civil penalties (for “knowing” violations), as well as criminal penalties (for “willful” violations).

The defendants were part-owners and executives of Gree USA, which imported and sold residential dehumidifiers that were made by Gree Electric Appliances of Zhuhai. The defendants had received “multiple reports” that the dehumidifiers they imported were “defective, dangerous and could catch on fire.” Despite knowing that they had a reporting obligation under Section 15(b), the defendants failed to report the information to CPSC for at least six months, continuing to sell the hazardous products during that period. The defective dehumidifiers were later subject to multiple recalls, with more than 450 reported fires and millions of dollars in property damage attributed to the recalled units. Recent CPSC warnings also have linked at least four deaths to the recalled products.

In addition to the individual sentences, the Gree companies paid $91 million in total monetary penalties (including $15.45 million in civil penalties to CPSC). Gree USA also pleaded guilty to willfully failing to notify CPSC, and the other companies entered into a deferred prosecution agreement related to the same charge.

CPSC continues to focus on hazardous products that harm Americans

Regardless of recent political developments at CPSC – three Democratic commissioners were removed in May and then ordered reinstated on June 13 – the agency has remained committed to compliance and enforcement. According to a May 15 announcement, the agency issued 28 product safety recalls and warnings during the week of May 12 – “a new agency record and more than double the agency’s previous weekly high for safety warnings.” In its May 15 announcement, CPSC emphasized its focus on “foreign violators,” stating that “the Commission will not hesitate to warn Americans about dangerous products, particularly in cases involving foreign firms that are unreachable when problems arise.”

CPSC Acting Chairman Peter Feldman reiterated that message in his comments on the Gree executives’ sentencing, stating that, “[t]hese Chinese-made products were hazardous, and the defendants knew it. Today’s sentences are a clear message that the CPSC will take a hard line against executives who break American laws and endanger families.” Similarly, US Attorney for the Central District of California Bill Essayli emphasized that the Department of Justice (DOJ) will continue to enforce product safety laws, stating that, “[c]orporate executives who choose to ignore the law will be held accountable – especially when death and serious injuries result.”

Key takeaways

• DOJ and CPSC have demonstrated their willingness to pursue not only civil and criminal liability against corporate entities, but also criminal prosecution of individuals who fail to report product safety hazards under the CPSA. The risks are not hypothetical – individuals who are found to have willfully violated the CPSA could face up to five years in prison.
• Section 15(b) of the CPSA imposes reporting obligations not only on manufacturers, but also on retailers, importers and distributors. Therefore, American companies and executives should remain alert to civil and criminal liabilities for failing to report product safety issues of imported goods. 
• Companies should consider strengthening their Section 15(b) reporting and compliance programs, including regular training for employees on Section 15(b) obligations and internal reporting protocols. A robust internal reporting system that allows issues to be escalated quickly may help mitigate risks.
• An effective compliance program requires ongoing evaluation, including periodic audits focused on high-risk areas and real-time reviews of recent product safety incidents for lessons learned. A culture of compliance – driven by leadership and reinforced throughout the organization – can help ensure that compliance expectations are understood and met at every level.

The day after DOJ released the new guidelines, Matthew Galeotti, head of DOJ’s Criminal Division, spoke at the American Conference Institute’s Conference on Global Anti-Corruption, Ethics & Compliance. He explained that the “through-line” of the guidelines is the “vindication of US interests,” emphasized that DOJ will focus on conduct “that genuinely impacts the United States or the American people,” and observed that if conduct “does not implicate US interests,” it “should be left to our foreign counterparts or appropriate regulators.”

Galeotti went beyond the FCPA to discuss corporate criminal enforcement more broadly, stating that, under his leadership, the Criminal Division will “vigorously pursue” meritorious investigations and “move them expeditiously.” Galeotti also cautioned white-collar defense counsel not to “seek[] premature relief” by appealing the decisions of trial attorneys and assistant United States attorneys (AUSAs) to DOJ leadership, noting that such actions “will be counter-productive.” In addition, Galeotti reiterated the benefits of voluntary self-disclosure, noting that the updated Corporate Enforcement Policy (CEP) provides a guarantee of a declination – not just a “presumption” – for companies that voluntarily self-report, cooperate and remediate.

DOJ’s pause and review of FCPA enforcement

On February 5, 2025, Attorney General Pamela Bondi issued a memorandum that, among other things, directed the Criminal Division to focus on FCPA prosecutions related to cartels or TCOs and to “shift focus away from investigations and cases that do not involve such a connection.” Five days later, the president signed Executive Order 14209, which stated that the FCPA had been “stretched beyond proper bounds and abused in a manner that harms the interests of the United States.” The order also stated that FCPA enforcement “against American citizens and businesses … for routine business practices in other nations … harms American economic competitiveness and, therefore, national security.” DOJ was directed “to cease initiation of new FCPA investigations,” review existing investigations and issue updated guidelines or policies regarding FCPA enforcement.

New FCPA guidelines

Four months after the February 10 executive order, DOJ released its new guidelines for FCPA investigations. The guidelines direct prosecutors to consider the following factors, none of which, according to Galeotti, is “necessary or dispositive.” Under the guidelines, new FCPA investigations must be approved by senior DOJ officials and should “proceed as expeditiously as possible.”

1. Cartels or TCOs

Consistent with the February 5 Bondi memo, under the guidelines, one “primary consideration” in deciding whether to pursue an FCPA investigation is whether the alleged misconduct is associated with cartels or TCOs, relates to money laundering for cartels or TCOs, or is linked to “foreign officials” or “state-owned entities” that have received bribes from cartels or TCOs.

2. Opportunities for US companies

The guidelines note that “corrupt competitors skew markets and disadvantage law-abiding US companies” when they bribe foreign officials to “obtain lucrative contracts and illicit profits.” Therefore, another important consideration for new FCPA enforcement is whether the alleged misconduct “deprived specific and identifiable US entities of fair access to compete and/or resulted in economic injury to specific and identifiable American companies and individuals.” The guidelines state that DOJ prosecutors will not focus on individuals or entities based on their nationality, but also observe that “[t]he most blatant bribery schemes have historically been committed by foreign companies.”

3. National security

New FCPA enforcement will seek to advance US national security by focusing on corruption involving “key infrastructure or assets,” including in sectors such as defense, intelligence and critical infrastructure.

4. Serious misconduct

The guidelines direct prosecutors not to focus on “alleged misconduct involving routine business practices,” but rather on conduct that “bears strong indicia of corrupt intent tied to particular individuals, such as substantial bribe payments, proven and sophisticated efforts to conceal bribe payments, fraudulent conduct in furtherance of the bribery scheme, and efforts to obstruct justice.”

Galeotti emphasizes self-disclosure, speed of prosecution and cautions against appeals to DOJ leadership

In addition to addressing the new FCPA guidelines, Galeotti discussed corporate criminal enforcement more broadly. In doing so, he made clear that “[f]ighting white-collar and corporate crime is a critical component of the Criminal Division’s priorities,” and warned that DOJ “will move aggressively – yet fairly – to prosecute white-collar offenders whose crimes undermine US interests.” He then offered insight into several areas.   

First, Galeotti reiterated that the updated CEP guarantees a declination for companies that voluntarily self-report, cooperate and remediate. While recognizing that DOJ has “maintained our discretion to deviate where there are aggravating circumstances,” he insisted that “this is not a game of ‘gotcha,’” and stated that he would “closely scrutinize any [voluntary self-disclosure] that is not recommended for a CEP declination.” And in case there was any question regarding DOJ’s focus on self-reporting, Galeotti concluded his remarks by saying: “What do I want you to take away from today? This is the time for companies to self-report. It is the time to do the work, come in early, cooperate, and remediate.”

Second, Galeotti discussed the need for speed and efficiency, explaining that “we must move quickly to get criminals off the streets and bring clarity to those under investigation,” and “use our resources efficiently in service of all [DOJ’s] priorities.” To this end, he also urged efficiency from the defense side, noting that the swift production of documents and witnesses, among other things, “are just part of what we expect cooperating companies to do.” He likewise made clear that the government’s focus on efficiency cannot be used as a shield, stating, “when the delay is due to the conduct of a subject or target, arguments regarding a supposed lack of efficiency will not resonate.” 

Finally, Galeotti urged white-collar defense counsel to be “conscientious about what, when, and how you appeal the decisions of Trial Attorneys and AUSAs.” He cautioned against “seeking premature relief, mischaracterizing prosecutorial conduct, or otherwise failing to be an honest broker,” noting that such actions not only “undermine[] our system,” but “will be counter-productive to your appeals.”

Key takeaways

• The FCPA is back in business, so to speak, but DOJ’s focus going forward will be on “limiting undue burdens on American companies that operate abroad” and “targeting enforcement actions against conduct that directly undermines US national interests.”
• Recent updates to the CEP further incentivize self-reporting corporate misconduct. Companies and individuals also should be mindful of the timeliness of self-reporting. As Galeotti noted, “when one company reports misconduct, it typically leads to the discovery of similar misconduct at other companies, so you benefit from being first in the door.”
• DOJ’s “renewed efforts to combat white-collar crime” also will focus on quick action and efficiency, and the government expects similar responsiveness from subjects and targets.
• Additional guidance is likely to be issued soon. Galeotti referenced forthcoming announcements “in key priority areas, including corporate resolutions across the white-collar landscape.” 

In May, DOJ took two notable actions. First, it outlined 10 priorities for criminal enforcement, including prosecutions for trade and customs fraud, healthcare fraud, bribery and violations of the Federal Food, Drug, and Cosmetic Act (FDCA). Second, it announced revisions to the Whistleblower Awards Pilot Program (Whistleblower Program) and the Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) – expanding the benefits available for whistleblowers and giving companies an even greater incentive to self-report misconduct to the government.

These developments reinforce that DOJ is continuing to focus resources on corporate misconduct – and companies, accordingly, should evaluate and consider strengthening internal reporting systems and ensure diligence of third-party suppliers and manufacturers, specifically for compliance with trade laws.

DOJ announcement: 10 ‘high-impact’ areas of focus, including tariff evasion

On May 12, Matthew Galeotti, head of DOJ’s Criminal Division, sent a memorandum that reflects changes in DOJ’s enforcement priorities. Galeotti listed 10 “high-impact” areas of focus, which included “[t]rade and customs fraud, including tariff evasion.” He said, “[t]rade and customs fraudsters” were “undermin[ing] the Administration’s efforts to create jobs and increase investment in the United States.” He placed tariff evasion as a necessary focus for DOJ because it is a “threat[] to the U.S. economy, American competitiveness, and our national security.”

The nine other areas of focus are:

• Healthcare and procurement fraud.
• Violations of the Controlled Substances Act and FDCA.
• Fraud by variable interest entities, which Galeotti described as “typically Chinese-affiliated companies listed on U.S. exchanges that carry significant risks to the investing public.”
• “Fraud that victimizes U.S. investors,” including “Ponzi schemes, investment fraud, elder fraud, servicemember fraud” and consumer safety fraud.
• Conduct that threatens US national security, such as sanctions violations.
• Material support to foreign terrorist organizations.
• Complex money laundering.
• Bribery and associated money laundering.
• Crimes that involve digital assets.

We previously discussed several of these enforcement areas. In this April post, we wrote that DOJ, “in conjunction with the Department of Homeland Security (DHS), is expected to use criminal statutes – such as conspiracy, smuggling and wire fraud – to investigate and charge companies and individuals for alleged trade violations.” Additionally, we noted that, “DOJ has made clear that it also intends to aggressively pursue civil remedies against tariff evasions through the False Claims Act (FCA), which allows the government to recover money it is owed.”

In April, we also covered an FCA case against a uniform company that allegedly conspired to fraudulently withhold the correct amounts of duties owed on its uniforms by falsely underreporting their value to customs officials. The case began with a former employee who blew the whistle on the purported behavior. 

We also discussed other priorities mentioned in Galeotti’s memo, including healthcare fraud in this May post analyzing a recent FCA case predicated on violations of the Anti-Kickback Statute. Under the evolving case law, we recommended – and still recommend – that companies be prepared to present evidence of medical necessity and maintain accurate documentation.

Finally, we also analyzed current case law for convictions brought under the FDCA. Based on recent circuit court opinions, we “anticipate[d] that the government will, alongside its existing arsenal of healthcare fraud enforcement tools, wield criminal penalties under the FDCA against hospitals, private parties and medical providers.”

DOJ ‘turning a new page’ on white-collar enforcement to reward self-reporting

The same day the memorandum was issued, Galeotti spoke at a conference about money laundering and financial crimes. He announced that, “the Criminal Division is turning a new page on white-collar and corporate enforcement.” He went on to explain that, “specifically, we are making clearer the benefits for companies that self-report. Companies that are ready to take responsibility should not be overburdened by enforcement.” He also discussed revisions to the Whistleblower Program, discussed below, including the addition of tariff fraud to the list of violations covered. And Galeotti stated that companies that “self-disclose and meet other criteria will receive a declination, not just a presumption of declination.” On the other hand, he made clear that, “[w]here a company does not self-disclose, it will not receive these benefits.” 

Revisions to DOJ Whistleblower Program

Concurrent with Galeotti’s memo and speech, DOJ made several revisions to its Whistleblower Awards Pilot Program. Most significantly, DOJ expanded the subject matter areas that a whistleblower’s information must relate to. In addition to the preexisting list of violations like money laundering, bribes to domestic public officials, federal healthcare offenses and sanctions offenses, DOJ added the following:

• Violations related to “trade, tariff, and customs fraud.”
• Violations related to fraud in federally funded contracting (not involving healthcare or related kickbacks).
• Violations related to federal immigration law.
• Violations related to sanctions offenses, material support of terrorism and the Controlled Substances Act.

We previously observed that DOJ had established a whistleblower incentive program that “complement[ed] existing initiatives from the US Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC) and the US Department of Commerce.” When DOJ officially launched the program last year and likewise amended the CEP to expand benefits to companies that self-report, we wrote that the programs made “DOJ’s expectations to companies clear: ‘Call us before we call you’” – and that message seems to remain true today.

Updates to the CEP

Finally, DOJ revised the CEP to expand leniency for companies that self-disclose misconduct. Instead of a “presumption” of declination, the update provides companies a guarantee of declination if they meet the following factors:

• Voluntarily self-disclose misconduct to the Criminal Division.
• Fully cooperate with the Criminal Division’s investigation.
• Timely and appropriately remediate the misconduct.
• Have no aggravating circumstances related to the nature and seriousness of the offense.

For a “near miss” voluntary self-disclosure – i.e., where companies act in good faith by self-reporting but the self-report does not qualify as a voluntary self-disclosure, or where aggravating circumstances exist – the revised CEP provides favorable resolutions when companies fully cooperate and timely remediate. In such cases, the Criminal Division will provide a nonprosecution agreement with a term less than three years, will not require an independent compliance monitor and will provide a reduction of 75% off the low end of the US Sentencing Guidelines’ fine range.

Key takeaways

These developments in corporate criminal enforcement reinforce that companies should consider taking certain steps to minimize risk:

• For the newly announced tariffs, companies should consider more diligence of third-party suppliers and manufacturers. As we noted previously, companies should remain “alert to red flags – such as significant price differentials quoted by different suppliers,” especially for products that the company had “historically sourced from high-tariff countries.”
• Given the increased focus on investigations started by a whistleblower complaint, “companies should consider strengthening their internal reporting systems.” 
• Companies “should quickly and effectively investigate internal complaints, and should expect that if the complaint falls into the categories of offenses covered by [the Whistleblower Program], that the employee will, or may have already, gone to the DOJ in an effort to reap the financial rewards of the program.”
• Relatedly, we again remind companies that “often, whistleblowers who report to the government do so after attempting (and sometimes, failing) to raise concerns internally.” An effective compliance program could preempt or mitigate exposure.

In an opinion issued on May 22, 2025, in Kousisis v. United States, the Supreme Court held that the federal wire fraud statute does not require the government to prove the defendant caused or attempted to cause pecuniary loss to the victim of the fraud. Put another way, the Court made clear that a person may be criminally liable for fraud even though they did not intend to cause economic harm.

In so holding, the Court resolved a circuit split but did not signal a radical change in its approach to the reach of federal criminal fraud statutes. Nevertheless, the decision is somewhat at odds with other opinions from recent terms that have tightened the reins on federal fraud laws – such as Ciminelli v. United States, which held that the government’s theory of fraud was an overreach, and Snyder v. United States, which narrowed the reach of a federal bribery law.

Going forward, individuals and companies should be aware that federal wire fraud prosecutions may be instituted even if the victim does not pay or lose a penny more than they would have absent the misrepresentations at issue. We anticipate future litigation will focus on whether a misrepresentation satisfies the law’s materiality requirement.

Background

The petitioners here are Stamatios Kousisis and the company for which he worked as a project manager, Alpha Painting and Construction Co. The case revolves around government bids that Kousisis and Alpha submitted – and were awarded – for painting two major landmarks in Philadelphia (a bridge and a train station).

Federal grants from the US Department of Transportation (DOT) provided much of the funding for these restoration projects. Under those grants, the Pennsylvania Department of Transportation (PennDOT) was required to implement a disadvantaged-business program to ensure the participation of entities owned and controlled by “individuals who are both socially and economically disadvantaged.”[1] Such participation must serve a “commercially useful function” – simply passing funds through a disadvantaged business does not count.

To comply with these requirements, PennDOT mandated that bidders for the painting projects subcontract a certain percentage to disadvantaged businesses. In their bid, Alpha and Kousisis represented that Alpha would fulfill this requirement by sourcing its materials from a disadvantaged business. But, in reality, that business served as nothing more than a pass-through entity – merely “a paper pusher, funneling checks and invoices to and from Alpha’s actual suppliers.” This failed to satisfy DOT’s requirements that the disadvantaged business serve a “commercially useful function,” and contradicted the representations Kousisis made in the bid. Throughout the project, Kousisis continued to make false representations as he “falsely reported qualifying payments” to PennDOT. Alpha’s gross profit from the projects was more than $20 million.  

Following a jury trial, Kousisis and Alpha were convicted of wire fraud under 18 USC § 1343 and conspiracy to commit wire fraud under 18 USC § 1349. Section 1343 prohibits employing a scheme to “obtain[] money or property by means of false or fraudulent pretenses.” Kousisis and Alpha were prosecuted under a theory of fraudulent inducement, which is where defendants “use[] falsehoods to induce a victim to enter a transaction.” The Department of Justice took the position that this did not require it to prove that the defendants intended to cause economic loss.

In both the trial court and on appeal to the US Court of Appeals for the Third Circuit, Kousisis and Alpha did not contest that their misrepresentations were material. Instead, they argued that since PennDOT was satisfied with the actual work (the painting), it did not lose the benefit of its bargain by not having a disadvantaged business participate. Therefore, they said, there was no scheme to defraud PennDOT of “money or property” under Section 1343. Both courts rejected this argument on the grounds that Alpha and Kousisis had sought to obtain – and did obtain – millions of dollars that the government only handed over because it had been told that the supplies would be provided by a disadvantaged business.

The Supreme Court granted cert to resolve a circuit split over whether a federal fraud conviction can stand where the defendant “did not seek to cause the victim net pecuniary loss.”

SCOTUS opinion

The Supreme Court affirmed the Third Circuit’s ruling, rejecting the petitioners’ argument that economic loss is required for a federal wire fraud conviction.

Writing for the majority, Justice Amy Coney Barrett explained that, “[u]nder the fraudulent-inducement theory, a defendant commits federal fraud whenever he uses a material misstatement to trick a victim into a contract that requires handing over her money or property—regardless of whether the fraudster, who often provides something in return, seeks to cause the victim net pecuniary loss.” After examining the statutory text and prior case law, Justice Barrett concluded that, “[t]he fraudulent-inducement theory is consistent with both the text of the wire fraud statute and our precedent interpreting it.”[2]

The wire fraud statute does not mention economic loss

Justice Barrett observed that the petitioners’ argument “rests on the premise that a scheme cannot constitute wire fraud if, as here, the defendant provides something—be it money, property, or services—of equal value in return.” Tellingly, there is no mention of “loss” in the wire fraud statute. Rather, Justice Barrett explained, Section 1343 refers to “obtain[ing] money or property,” which means “to gain or attain possession” of it – and “[a] thing is no less ‘obtained’ simply because something else is simultaneously given in return.” As such, “a defendant violates § 1343 by scheming to ‘obtain’ the victim’s ‘money or property,’ regardless of whether he seeks to leave the victim economically worse off.” (Citations omitted.)

Economic loss not required at common law

The majority also rejected the petitioners’ arguments that economic loss was part of “fraud” at common law, such that the references to “fraud” in Section 1343 draw in a common law loss requirement. While recognizing that, “[w]hen Congress uses a term with origins in the common law, we generally presume that the term ‘brings the old soil with it,’” Justice Barrett emphasized that this principle only applies where the term at common law had a “settled meaning.” (Citation omitted.) After examining multiple variations of “fraud” at common law, the majority concluded that at common law there was no “generally applicable rule that all fraud plaintiffs must plead and prove economic loss.” As such, the majority declined to “read such a requirement into the wire fraud statute.”

Fraudulent inducement theory consistent with SCOTUS precedent

The majority similarly rejected a series of arguments where the petitioners insisted that the fraudulent inducement theory runs counter to other Supreme Court precedent. Among other things, Justice Barrett noted that the Court has “twice rejected the argument that a fraud conviction depends on economic loss,” namely in Carpenter v. United States, 484 U.S. 19 (1987) and Shaw v. United States, 580 U.S. 63 (2016).

The majority also reiterated that, “[n]o matter the underlying theory of fraud, § 1343 requires that ‘money or property’ have been an object of the fraudster’s scheme.” It distinguished other types of schemes invoked by the petitioners, such as those that seek to “alter the exercise of regulatory power” or those that “target[] some kind of intangible interest,” such as “a citizen’s interest in ‘impartial government.’” (Citations omitted.)

Limiting principles: Materiality, ‘particular species of fraud’

Finally, Justice Barrett acknowledged the petitioners’ concern that endorsing the fraudulent inducement theory could result in broad liability. According to Alpha and Kousisis, under that theory, “every intentional misrepresentation designed to induce someone to transact in property would constitute property fraud.” They urged that this would “threaten[] fair notice” and “encroach into States’ police powers.”

However, the majority was “not persuaded” for two reasons. First, the “materiality requirement substantially narrows the universe of actionable misrepresentations” – in other words, even an intentional misrepresentation must pass a materiality threshold to be within the reach of the federal fraud statutes. Second, the fraudulent inducement theory only “criminalizes a particular species of fraud: intentionally lying to induce a victim into a transaction that will cost him money or property.” As such, it is “not so imprecise as to risk encroachment on States’ authority or to ‘create traps’ for the ‘unwary.’” (Citation omitted.)

Justice Barrett concluded by observing that while the language of Section 1343 is broad, “Congress enacted the wire fraud statute, and it is up to Congress—if it so chooses—to change it.”    

Takeaways

The Kousisis decision holds that defendants may be criminally liable for wire fraud even if they do not seek to cause the victim to lose money.[3] Going forward, individuals and companies – including government contractors – should be mindful of this ruling. As Justice Sotomayor warned in her concurrence in the judgment: “When a defendant tricks a victim out of their money by promising one thing and delivering something materially different, it is no defense to say that the delivered items are of equal economic value.” We anticipate future fraud prosecutions will focus on the law’s materiality requirement, which the defendants did not contest in this case.

[1] A disadvantaged business enterprise is defined under the relevant federal law as a “for-profit small business” that is “at least 51 percent owned by one or more individuals who are both socially and economically disadvantaged,” and that is similarly “controlled by one or more of the socially and economically disadvantaged individuals who own it.”

[2] The opinion of the Court was joined by Chief Justice John Roberts and Justices Clarence Thomas, Samuel Alito, Elena Kagan, Brett Kavanaugh and Ketanji Brown Jackson. There was no dissent, though several justices wrote separately: Justice Thomas concurred, Justice Neil Gorsuch concurred in part and in the judgment, and Judge Sonia Sotomayor concurred in the judgment.

[3] Under the US Sentencing Guidelines, whether the victim suffered a monetary loss or the defendant intended a monetary loss remains a – if not the – critical factor in determining the sentence after a conviction. Kousisis does not impact the role of loss at sentencing.

Implications for compliance programs

While the First Circuit’s decision does not fundamentally alter how compliance programs should be structured, and compliance requirements under the AKS remain largely unchanged, the prevalence of the more robust “but-for” standard opens up potential defenses for individuals and companies facing AKS allegations. To bolster these defenses, it is essential that healthcare providers and companies review their compliance processes to ensure that evidence of medical necessity is well documented.  

1. Emphasize medical necessity

To avoid false claims liability under the “but-for” causation standard, companies should emphasize and be prepared to present evidence of medical necessity. This is crucial because where there is clear evidence that services or supplies were medically necessary, it is less likely that the government (or relator’s counsel) will be able to prove “but-for” causation – in other words, that those claims would not have been submitted absent an improper financial arrangement.

For pharmaceutical companies, it may also be wise to implement a formal monitoring program to review medical necessity of orders by healthcare professionals (HCPs) with whom the company has a separate financial relationship (e.g., through a speaker program). Additionally, for other companies, requiring certification that a test is medically necessary when ordering or processing it can significantly bolster a company’s defense against subsequent allegations of wrongdoing. This could involve a statement alongside the order affirming that the patient meets all conditions for the prescribed test.

2. Importance of recordkeeping

The First Circuit’s decision similarly reinforces the importance of maintaining clear, accurate documentation at all stages of interactions between pharmaceutical companies and HCPs. Whether it is the contractual language between the company and HCPs with whom they have financial arrangements or internal records surrounding specific arrangements, well-maintained records will be crucial in defending against false claims allegations if they arise. In addition, companies should consider implementing stronger provider attestation requirements, according to which HCPs with whom the company has separate financial relationships affirm that the services they ordered were medically necessary and not influenced by outside factors. These measures can help strengthen a company’s defense if faced with allegations of improper kickbacks or false claims.

3. Speaker program selection

The First Circuit’s decision also has potential implications for how companies structure their speaker programs and manage provider attestations. For example, while it may seem counterintuitive, when selecting potential speakers, it may now be beneficial to focus on doctors who have consistently prescribed or ordered services in the past. Their involvement could suggest that their prescribing behavior is independent of any financial incentives. In other words, there is evidence that these providers would still have prescribed “but for” their compensation as speakers. For speakers who have no experience with a drug, it is harder to establish that they are not ordering it because of their payment as a speaker.

This is no time to rest on compliance laurels 

The First Circuit’s decision is the latest in a series of rulings reshaping the legal landscape for healthcare compliance in the false claims space. While the decision may make the government’s job harder in some cases, it should not drastically alter compliance protocols, as it does not impact the underlying kickback analysis. At the same time, the “but-for” causation standard in FCA cases increases the emphasis on maintaining strong documentation and clear lines of evidence for medical necessity in case a defense is necessary.

As the circuit split deepens, healthcare companies should be prepared for potential future US Supreme Court review and should continue taking proactive steps to ensure their compliance programs pass muster. A robust compliance framework that emphasizes medical necessity, maintains thorough recordkeeping and scrutinizes relationships with healthcare providers will help minimize the risk of violating the AKS and FCA.

For more insights into how the First Circuit’s decision may impact your healthcare compliance practices, or for assistance in making them more robust, please contact any of the lawyers listed below.

These risks are not speculative, as demonstrated by an FCA complaint filed by DOJ last month. In US v. Barco Uniforms, et al., DOJ intervened in a whistleblower lawsuit against a uniform company and its top suppliers for underpaying customs duties on apparel imported from China. A former senior employee of the uniform company initiated the lawsuit in 2016. The case serves as a reminder that companies should consider evaluating their internal compliance programs – including strengthening their internal reporting systems for tariff compliance – to mitigate against whistleblower risks.

False Claims Act background

The FCA is the primary mechanism to recover federal funds from those who knowingly and falsely seek or receive payments through a government contract or federal program, or – as relevant here – knowingly and falsely make a statement material to an obligation to pay money to the government (such as customs duties). Under the FCA, the term “knowing” includes both “actual knowledge” and “deliberate ignorance” or “reckless disregard” of the truth or falsity of the claim. Since its amendment in 1986, the FCA provides that claims may be brought by DOJ or by individual whistleblowers (referred to as “relators”) on behalf of the government. As mentioned above, the FCA provides a strong incentive for whistleblowers to take action: A relator who brings a successful qui tam suit may be awarded 15% to 30% of the recovery.

Allegations against Barco Uniforms

According to the government’s complaint, Barco Uniforms is a US company that sells uniforms to large businesses, including restaurant chains and healthcare providers. Barco’s top suppliers included companies operated by father-son duo Kenny and David Chan. The Chans operated factories in China that produce the uniforms, which are subject to customs duties when imported to the US.

The government alleged that Barco and the Chans conspired to fraudulently withhold the correct amount of duties owed on the uniforms by falsely underreporting their value to customs officials. Barco and the Chans used a double-invoicing scheme involving one set of invoices presented to US Customs and Border Protection (CBP) that fraudulently undervalued the goods, and another set of invoices that reflected the actual prices. Barco benefited from the scheme by underbidding competitors, and the Chans benefited by securing Barco’s business and pocketing the money that was legally due to CBP for duties.

The government’s complaint focused on Barco’s knowledge and participation in the scheme. According to the government, the chairman of Barco’s board directed business to the Chans at a price lower than other competitive bids. The chairman allegedly told Barco employees that the negotiated price was possible by altering the duty cost. Further, after the government served a civil investigative demand on Barco in 2018, Barco engaged a third-party auditor to review its accounting records. The auditor found irregularities in customs duties, instructed Barco to double-check its duty calculations, and advised Barco regarding the legal ramifications of underpayment of duties. Despite this advice, Barco redesigned its cost sheets to improperly exclude “vendor profit” from the calculation of item value subject to customs duties in order to arrive at a lower amount of duties.

The whistleblower who initiated the FCA action served as Barco’s director of product commercialization. She alleged that she had brought up the underpayment issue with her supervisor and several other Barco executives in 2014, but they ignored her. She also claimed that Barco terminated her in March 2015.

Whistleblower risks and the importance of effective compliance programs

The Barco complaint follows a record year for FCA enforcement. DOJ reported that in fiscal year 2024, settlements and judgments under the FCA exceeded $2.9 billion – the highest amount since 2021. DOJ also reported a record-setting number of whistleblower-initiated actions: 979 qui tam actions were filed last year, up from the 713 filed in 2023. Actions filed under the FCA’s whistleblower provisions brought in a total of $2.4 billion in settlements and judgments in 2024, accounting for more than 80% of last year’s total take, with $400 million+ going to the whistleblowers. In comparison, DOJ-initiated actions brought in about $503 million in 2024 (up from $363 million in 2023). All told, the 2024 results reflect robust FCA enforcement.

In addition to the 2024 results, in February of this year, DOJ made clear that it intends to focus on FCA enforcement of tariffs to align with the president’s policy priorities, promising to “aggressively” pursue civil remedies for tariff evasion. In light of this statement and the Barco complaint, companies should consider evaluating their compliance programs, including implementing a functional internal reporting channel that would allow for the prompt investigation of whistleblower complaints. Often, whistleblowers who report to the government do so after attempting (and sometimes, failing) to raise concerns internally. As the saying goes, “An ounce of prevention is worth a pound of cure,” and an effective compliance program may preempt or mitigate civil and criminal exposure.

Key takeaways

• The new tariffs implemented by the Trump administration are expected to put significant pressure on the supply chain, and some participants in the supply chain may be tempted to undercut competitors by falsely underpaying the amount of tariffs owed on goods.
• US companies that import goods may be liable under the FCA if they knew (or were reckless in not knowing) about tariff underpayment by their supply chain partners.
• Companies should consider evaluating and strengthening their compliance programs in light of these heightened risks.

The new tariffs will no doubt put significant pressure on the supply chain, especially with respect to Asian countries that are significant exporters of manufactured goods to the US. As explained in this March 12 Cooley alert, the impact of the Trump administration’s tariffs will be felt by US companies across the board, and many will immediately encounter rising material costs and reduced profit margins. Companies will need to confront and address these business challenges.

At the same time, to enforce the new tariffs, the US Department of Justice (DOJ), in conjunction with the Department of Homeland Security (DHS), is expected to use traditional criminal statutes – such as conspiracy, smuggling and wire fraud – to investigate and charge companies and individuals for alleged trade violations. Moreover, DOJ has made clear that it also intends to “aggressively” pursue civil remedies against tariff evasions through the False Claims Act (FCA), which allows the government to recover money it is owed. As supply chain pressures increase, companies should consider conducting due diligence of their supply chain partners and strengthening compliance programs to mitigate criminal and civil enforcement risks.

Significant risk areas for tariff violations: country of origin, valuation and classification

Companies should be aware that participants in their supply chains – from sourcing agents, suppliers, third-party partners and customs brokers to the companies’ own procurement departments – may seek to mitigate the impact of tariffs by engaging in evasive practices. There are three areas that pose significant risks of trade violations:

1. Country of origin. The “country of origin” of imported goods is where the goods were manufactured, grown or underwent “substantial transformation” into the final product being imported. Because the new reciprocal tariffs impose different tariffs based on the country of origin of the imported goods, participants in the supply chain may be tempted to engage in “transshipment” – routing goods produced in a high-tariff country through a lower-tariff country before shipping to the US, and presenting the goods as originating from the lower-tariff country.

• Valuation. Tariffs are typically calculated as a percentage of the value of the imported goods. To minimize tariffs, some importers may be tempted to deliberately understate the value of the imported goods when declaring them to customs officers.

• Classification. The US customs tariff system – known as the Harmonized Tariff Schedule (HTS) – sets forth the tariffs on imported products based on categories for classification. One common tactic of tariff evasion involves misclassifying the imported goods by moving them from a higher tariff category to a lower or exempted tariff category.

Misrepresentation in any of these areas exposes companies and individuals to potential criminal and civil penalties, as discussed below.

Criminal exposure for tariff evasion

US Customs and Border Protection (CBP) has primary responsibility for tariff enforcement. CBP frequently refers suspected violations to DOJ for civil and criminal investigation and enforcement. With the administration’s focus on tariffs, companies should expect CBP and DOJ to place increased emphasis and resources on tariff enforcement to deter and penalize evasion and maximize the effect of administration policy priorities.

Recent cases illustrate that DOJ can and will pursue criminal charges for tariff evasion:

• In September 2024, DOJ charged an importer of truck tires with conspiracy to smuggle tires made in China (which were subject to a 73.99% tariff) by transshipping them through third countries, including Canada and Malaysia. DOJ alleged that the defendant filed documents with CBP that fraudulently represented the Chinese-origin tires as originating in countries other than China. The defendant also was alleged to have created two sets of invoices – one set that fraudulently undervalued the tires (which was presented to CBP) and another that reflected the actual value of the tires. The scheme resulted in a $1.9 million loss of revenue to the US. The defendant pleaded guilty to one count of conspiracy and cooperated in the government’s investigation. He was sentenced to time served followed by three years of supervised release and ordered to pay $1.9 million in restitution.

• In October 2023, a Florida couple pleaded guilty to conspiracy and smuggling charges, and both were subsequently sentenced to nearly five years in prison for evading more than $42 million in duties in connection with illegally importing plywood from China. According to DOJ, the defendants falsely declared the species, country of origin and country of harvest of the wood from which the plywood was made. The defendants’ scheme included sending containers of plywood from China to Malaysia or Sri Lanka, where the wood was taken out of the original containers and put into a second set of containers to conceal the origin of the wood. In addition to imprisonment, the defendants were ordered to pay $42 million in forfeiture, as well as $1.6 million in storage costs incurred by the government for maintaining the seized wood.

Civil exposure from DOJ as well as qui tam plaintiffs

In addition to criminal sanctions, DOJ can pursue civil penalties under the FCA against companies and individuals for “knowing” underpayment of custom duties (known as a “reverse false claim”). Under the FCA, the term “knowing” includes both “actual knowledge” and “deliberate ignorance” or “reckless disregard” of the truth or falsity of the claim. While innocent mistakes cannot form the basis of liability, a company could be liable for a reverse false claim if it learned of a tariff underpayment (or was reckless in not knowing about the underpayment) but took no action to rectify the issue – including an underpayment that resulted from the action of another party within the supply chain. Because the FCA imposes significant monetary penalties, the risk here is substantial. If found liable, a defendant can be ordered to pay three times the amount of underpaid tariffs, plus civil penalties of up to $28,619 per false claim. As such, the FCA exposure for tariff underpayment could far exceed the amount underpaid.

The FCA risk is particularly high because it is not just DOJ that can initiate these cases. Private plaintiffs often bring FCA claims through qui tam actions on behalf of the government. And the incentive to do so is likewise significant. Whistleblowers who bring a successful qui tam action receive a portion of the recovered funds – up to 25% if the government intervenes, and up to 30% if the government does not. In addition, whistleblowers can recover attorneys’ fees and expenses. Given these financial incentives, the pool of potential whistleblowers includes not only a company’s own employees and companies and individuals in its supply chain, but also competitors, who stand to gain financially both from the whistleblower incentive award and from eliminating unfair competition.

DOJ settled FCA cases relating to tariff underpayment under both the Biden administration and the first Trump administration, as illustrated below. These cases also demonstrate the risk of whistleblower suits, as each was initially brought as a qui tam action.

• In January 2023, DOJ settled an FCA case against a vitamin importer, alleging that the defendant misclassified more than 30 of its products under the HTS in order to avoid paying customs duties. In the settlement agreement, the defendant admitted to retaining a consultant to review its HTS classifications and learning that the correct codes carried higher duty rates than the HTS classifications it had been using. Despite obtaining this information, the defendant admitted that it did not implement the correct classification for more than nine months and never remitted duties that it had previously underpaid. Under the settlement, the defendant owed $22.8 million, of which $10.8 million constituted restitution.

• In September 2020, DOJ settled an FCA case against a German industrial engineering company for misrepresenting the nature, classification and value of imported merchandise. The company allegedly submitted CBP declarations describing Chinese stainless steel pipe products (which were subject to high tariff rates) as carbon-steel products (which were subject to lower tariffs) and avoided millions of dollars in duties. The settlement required the company to pay $22.2 million.

• In April 2020, DOJ settled an FCA case against a furniture importer and its executives, alleging that they falsely described wooden bedroom furniture imported from China as “metal” or “non-bedroom” furniture on documents submitted to CBP. The defendants allegedly manipulated images of their products in packing lists and invoices, and directed their Chinese manufacturers to ship furniture in mislabeled boxes and falsify invoices. The defendants agreed to pay $5.2 million, and the individual defendants separately pleaded guilty to criminal charges of conspiracy.

While using the FCA to enforce tariffs is not new, DOJ has made clear that it intends to focus on FCA enforcement of tariffs to align with Trump’s policy priorities. At the Federal Bar Association’s annual qui tam conference in Washington, DC, in February, Deputy Assistant Attorney General Michael Granston stated that DOJ “plans to continue to aggressively enforce the False Claims Act,” which he views as a “powerful tool” for fighting tariff evasion. Granston noted that enforcement against “illegal foreign trade practices” will be a focus of DOJ, and that DOJ plans to rely on data analysis to identify potential fraud.

Core insights

In light of DOJ’s focus on tariff evasion, companies should consider revisiting their compliance programs and taking reasonable measures to ensure compliance with trade laws. Particularly with regard to newly announced tariffs, companies should consider increasing diligence of third-party suppliers and manufacturers and remaining alert to red flags – such as significant price differentials quoted by different suppliers, especially with respect to products historically sourced from high-tariff countries.

Companies also should be aware that many sophisticated plaintiffs’ law firms specialize in FCA qui tam actions and have the resources to investigate tariff evasion. Companies should consider strengthening their internal reporting systems, which are important tools to mitigate against the risk of whistleblower suits, as they allow whistleblower complaints to be heard and acted upon so that concerns can be investigated and potential violations prevented or mitigated before the exposure becomes significant.

Final rule eliminates delegation of authority to director of the Division of Enforcement to issue formal orders of investigation

While the requirement that the Division of Enforcement seek Commission approval is not new, it is a change to a more than 15-year-old rule. In 2009, following the financial crisis, the SEC delegated certain authorities to the director of the Division of Enforcement for a one-year period. In 2010, the SEC extended the delegation for an indefinite period, “until the Commission orders otherwise.” One of the delegated authorities is “to order the making of private investigations” – in other words, to formally open an investigation, which would allow SEC staff to issue subpoenas for documents and witness testimony.

The final rule “delete[s] this delegation provision” in order to “align the Commission’s use of its investigative resources with Commission priorities.” This means that the director of the Division of Enforcement can no longer issue formal orders of investigation – that power is vested solely with the SEC Commissioners. The removal of delegation authority reverts the process to one that Paul Atkins, new SEC chair nominee, was familiar with from his time as an SEC Commissioner from 2002 to 2008.

The final rule does not affect the process for enforcement staff to make informal inquiries, such as issuing a voluntary request for information.  

SEC says it is not putting enforcement ‘on hold’ but will focus on core areas

In recent public remarks, Apps has made clear that the SEC will continue to focus on “core” areas. At the Securities Enforcement Forum in New York in January, Apps stated that there was “no blanket rule that things are on hold,” and that the Division of Enforcement was taking a case-by-case approach to existing investigations. She reiterated the message at the American Bar Association (ABA) White Collar Crime conference in Miami in March, stating that the SEC is “not walking away” from enforcement and will “move forward with the core enforcement agenda [it has] always moved forward with.” Those areas have traditionally included Ponzi schemes, accounting fraud, insider trading, deceptive market practices, disclosure issues and breaches of fiduciary duty.

At the same time, Apps acknowledged – both at the Securities Enforcement Forum and the ABA conference – that the SEC’s approach to crypto enforcement is evolving. The SEC launched a Crypto Task Force on January 21, 2025, and created a Cyber and Emerging Technologies Unit (CETU) on February 20, 2025. Check out our February 25 Securities Litigation + Enforcement blog post to learn more about the Crypto Task Force and the CETU.

New SEC administration likely will be more open to Wells meetings

Apps also suggested that under the new SEC, the leadership of the Division of Enforcement will be open to meetings during the “Wells process.” The Wells process allows individuals and entities under SEC investigation to make a written submission before the Division of Enforcement makes a recommendation as to whether the Commission should proceed with an enforcement action. Under the previous SEC administration, a meeting with the SEC during the Wells process was generally not available unless the action presented novel legal or factual issues.

But at the Securities Enforcement Forum, Apps noted that, going forward, the director or deputy director of the Division of Enforcement will “generally agree” to have a Wells meeting with counsel for a prospective defendant who requests it. She also noted that defense counsel sometimes engage in a “pre-Wells” process that involves a meeting with SEC enforcement leadership, but she cautioned that the SEC likely will not be receptive to having “two sets of Wells meetings.” While acknowledging that defense counsel are free to make informal submissions, she suggested that defense counsel and SEC staff should be clear up front about their views regarding submissions and in-person meetings.

Key takeaways

• Going forward, for SEC staff to open an investigation, they will have to persuade a majority of the SEC’s Commissioners – a bureaucratic hurdle that could slow down some investigations and force the SEC to prioritize investigations at the “core” of its mission. However, SEC staff can still use informal inquiries to request information from companies and individuals, and information obtained through those inquiries could form the basis for seeking Commission approval to open a formal investigation that includes the power to issue subpoenas.
• While the SEC’s enforcement priorities are evolving to align with the new administration’s priorities, the SEC says that it will continue to police fraud, insider trading and other traditional areas of securities enforcement.
• Individuals and companies going through the Wells process may have more opportunities to tell their side of the story prior to the commencement of an action.

On February 5, 2025, US Attorney General Pam Bondi issued a memorandum titled Ending Illegal DEI and DEIA Discrimination and Preferences (memo or directive). The memo came down as part of Bondi’s[KZ1]  14 “first-day” directives – one of two directives that expressly address diversity, equity, inclusion and accessibility (DEI or DEIA).[1] Both directives arise from two recent federal actions: the US Supreme Court decision in Students for Fair Admissions, Inc. v. President & Fellows of Harvard Coll., 600 US 181, 206 (2023), and President Donald Trump’s Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity, 90 Fed. Reg. 8633 (January 21, 2025).[2] Consistent with other Trump Administration orders and directives, the memo takes the position that federal law prohibits DEI and DEIA policies and makes clear that the Department of Justice (DOJ) will use both civil and criminal enforcement tools to proscribe a wide range of companies and universities from utilizing so-called exclusionary DEI or DEIA policies.

The memo has two sections. The first directs the DOJ to prepare a report containing recommendations to the private sector to “end illegal discrimination and preferences,” and the second provides guidance to federally funded institutions. The memo contains a single footnote, which states that its prohibitions are intended to encompass programs that are exclusionary in nature and not educational, cultural or historical observances, such as Black History Month, International Holocaust Remembrance Day or similar events, which “celebrate diversity, recognize historical contributions, and promote awareness without engaging in exclusion or discrimination.”

DOJ report on DEI/DEIA

Both EO 14173 and the memo direct the DOJ (Civil Rights Division and Office of Legal Policy, jointly) to prepare a report with enforcement recommendations and “other appropriate measures to encourage the private sector to end illegal discrimination and preferences.” The report should include:

• “Key sectors of concern” within the DOJ’s jurisdiction and “the most egregious and discriminatory DEI and DEIA practitioners” within each sector
• A deterrence plan, including proposals for criminal investigations, and as many as nine civil compliance investigations of several types of organizations, such as:
  • Publicly traded corporations
  • Institutions of higher education with endowments of more than $1 billion
  • Large nonprofit corporations or associations
  • Foundations with assets of $500 million or more
  • State and local bar and medical associations
• Other potential litigation activities, including:
  • Interventions in pending cases
  • Statement of interest submissions
  • Amicus brief submissions
  • Regulatory actions and sub-regulatory guidance
• “Other strategies” as needed to comply with federal law

Potential loss of federal funding for educational institutions

The memo cites the concurrence of Justice Neil Gorsuch in the Students for Fair Admissions case, as applied to educational agencies, colleges and universities that receive federal funds. The DOJ is instructed to work with the Department of Education to “issue directions,” while the DOJ’s Civil Rights Division “will pursue actions regarding the measures and practices required to comply with Students for Fair Admissions.”

Now what?

1. Assess your company’s or educational institution’s DEI policies, programs and initiatives. Take account of what policies, programs or initiatives do (or do not) exist at your organization as they relate to diversity, equity, inclusion, accessibility or related concepts and goals. Communicate with the appropriate people in your organization to identify relevant practices and analyze whether those policies, programs or initiatives may be susceptible to legal challenge.
   
2. Consider whether this directive implicates your company or educational institution. Review and understand whether the memo has the potential to apply to your organization and its policies. By its terms, the directive applies to many different entities and policies across several different industries and sectors; those most clearly at risk include any company, organization or institution receiving federal funds.

3. Consult counsel to discuss potential civil or criminal risk. This memo signals increased regulatory scrutiny and white-collar enforcement risk – particularly for entities like educational institutions and government contractors. If you have any questions about potential civil or criminal risk, or understanding the terms of this or any of the recent directives, consult outside counsel to discuss further and take appropriate next steps.

[1] The second memorandum is titled Eliminating Internal Discriminatory Practices.

[2] See also New Executive Order Would Terminate Race and Gender Affirmative Action Requirements for Federal Contractors, Cooley alert, January 23, 2025.

Congress passed the Administrative False Claims Act in late December as part of the National Defense Authorization Act. The new law significantly expands federal agencies’ ability to investigate fraud claims and provides new incentives for agencies to initiate, pursue, and settle investigations of false claims, which are when companies make materially false statements to secure reimbursement through a government contract or federal program.

The False Claims Act, enacted in 1863 in response to fraud by government contractors during the Civil War, has been the government’s primary civil enforcement tool to remedy this type of fraud. The task of enforcement and investigation largely has fallen to the Justice Department or private whistleblowers.

But the AFCA empowers and encourages agencies to undertake their own investigations against alleged fraud at lower-dollar thresholds—thus diversifying the enforcement authority for false claims.

Although the AFCA’s predecessor statute, the Program Fraud Civil Remedies Act of 1986, authorized agencies to investigate false claims through administrative channels, the AFCA removes obstacles associated with its predecessor and revamps agency false claims enforcement by:

• Authorizing recovery for double the amount of each false claim and raising the PFCRA’s maximum per-claim recovery cap from $150,000 to $1 million, with automatic adjustments for inflation
• Enabling agencies to recuperate costs associated with their AFCA investigations and enforcement actions
• Expanding the number of agency personnel authorized to adjudicate false claims cases
• Extending the statute of limitations from within six years to within 10 years of the date of the violation, under certain circumstances

The $1 million maximum recovery cap means agencies are more likely to pursue standalone false claims investigations. The higher cap, with the double damages provision, also increase agencies’ leverage to seek heightened recoveries during settlement negotiations and in enforcement actions. By redirecting lower-level fraud allegations to administrative channels, the AFCA also frees the Justice Department to pursue more significant false claims investigations, for which it touted over $78 billion in recoveries since 1986.

Because any AFCA recovery reimburses the agency that pursued the investigation, it creates a self-funding mechanism for investigations outside of general appropriations. This further encourages smaller-scale false claims probes—even at or below the previous $150,000 threshold—that might otherwise have gone unaddressed due to limited agency resources. The AFCA also reduces personnel constraints by expanding the categories of officers authorized to oversee these claims.

Compared with the False Claims Act, which only imposes liability where there is an underlying claim for government funds, the AFCA expands the scope of liability by authorizing recovery for false statements in the absence of any claim. This means that even if the company never got any government funding, it could still be liable for putting out false information.

And unlike the False Claims Act’s qui tam provisions, whereby whistleblowers can bring actions on behalf of the federal government and secure a portion of the recovery, the AFCA bars private enforcement of AFCA claims. This is unlikely to affect whistleblower conduct, however, since the False Claims Act’s private enforcement and recovery mechanisms remain intact.

As agencies prepare to flex their enhanced authority under the AFCA, contractors and other beneficiaries of government programs should be ready for greater scrutiny and enforcement.

Proactively addressing potential AFCA risks can mitigate exposure. Combined with the False Claims Act, the AFCA’s broadened reach and streamlined processes equips the government with sharp tools to probe potential false claims in the years ahead.

This content was originally published on Bloomberg. Copyright 2025 Bloomberg Industry Group, Published Online, www.bloombergindustry.com. Reproduced with permission.

Notably, Jackson is the second-ever federal appellate ruling – and the very first since the US Supreme Court’s landmark opinion in Loper Bright Enterprises v. Raimondo² last year – to endorse the government’s expansive reading of Section 301(k).³ That provision criminalizes “[t]he alteration, mutilation, destruction, obliteration, or [label] removal of … a food, drug, device, tobacco product, or cosmetic, if such act is done while such article is held for sale (whether or not the first sale) … and results in such article being adulterated or misbranded.”⁴ In addition, Jackson newly interpreted the term “legally marketed device” to exclude adulterated devices, which may inadvertently and severely undermine the “practice of medicine” defense dictated by Section 1006 of the FDCA, 21 USC § 396 (Section 1006). 

Jackson squarely rejected common defenses asserted by the physician, Dr. Anita Jackson, who argued that her decision to reuse the medical devices at issue:

1. Fell outside Section 301(k)’s criminal prohibition for holding adulterated medical devices for “resale,” since she had used the devices solely for bona fide surgeries and had never actually sold any devices to patients.⁵
2. Fit squarely within her expert medical judgment, which Congress expressly placed outside the reach of the FDCA, including Section 301(k).⁶

During the first Trump administration, the US Department of Justice (DOJ) brought record-breaking criminal charges and recoveries for healthcare fraud.⁷ Now, with newfound vigor in the wake of Jackson, we expect DOJ and the US Food and Drug Administration (FDA) under the second Trump administration to continue aggressively prosecuting fraud involving medical devices by supplementing long-standing enforcement mechanisms with additional charges under Section 301(k).

Key factual background

Jackson was an ear, nose and throat (ENT) surgeon specializing in balloon sinuplasty surgery to treat chronic sinus infections. Balloon sinuplasty surgery involves inserting a medical device – in Jackson’s case, the Entellus XprESS – into a patient’s nose and inflating a small balloon to widen the nasal cavity. Because it touches a patient’s hair and bodily fluid during surgery, FDA had approved marketing of the Entellus for one-time use only, with the expectation that each device would be discarded after a single patient’s surgery.

Jackson oversaw multiple offices that performed balloon sinuplasty with reused Entellus devices, and her staff aggressively solicited patients to receive the procedure.⁸ She would then bill Medicare and falsely claim reimbursement for the surgery and the full cost of a new Entellus. Through this fraud scheme, Jackson charged Medicare more than $46 million for balloon sinuplasty surgery; at one point, she was the nation’s leading Medicare biller for the procedure.⁹

Crucially, during these surgeries, Jackson and her staff would frequently reuse a single Entellus on multiple patients, cleaning the device each time between surgeries. However, the Entellus was approved by FDA only for one-time use, and so the medical industry had no established practices to adequately sanitize the device for reuse. Indeed, Jackson’s staff testified that reused Entellus devices could not be fully sterilized, and that the devices became rusty and difficult to operate over time.¹⁰

Following a federal grand jury indictment and trial, a jury in the US District Court for the Eastern District of North Carolina convicted Jackson on all 20 counts, including for holding adulterated Entellus devices for sale in violation of Section 301(k), and for making materially false statements in response to Medicare audits.¹¹ After the court sentenced her to 25 years in prison and more than $5.7 million in restitution, Jackson appealed the verdict.

The Fourth Circuit’s opinion in Jackson

Jackson focused her appeal on challenging her Section 301(k) conviction as beyond the scope of the FDCA, and further asserted that her conviction on that count prejudicially tainted the jury’s verdict on the remaining 19 counts. She raised two primary arguments against the government’s broad interpretation of its Section 301(k) prosecutorial authority. 

First, Jackson argued that, during her many balloon sinuplasty surgeries, no Entellus device was ever “held for sale (whether or not the first sale),” nor did she ever pass ownership or title of any devices to her patients. Under Jackson’s theory, the statute’s plain text requires an attempt to sell adulterated devices to sustain a Section 301(k) conviction. 

Despite Jackson’s failure to preserve this argument below, the Fourth Circuit largely reached the merits by holding that the trial court did not plainly err in determining that Jackson’s conduct – soliciting patients for, and profiting from, the procedure using the Entellus – equated to holding them for sale, such that her conduct fell within Section 301(k)’s prohibition.

For support, the Fourth Circuit favorably cited the US Court of Appeals for the Ninth Circuit in United States v. Kaplan.¹²Kaplan, the first-ever circuit case interpreting Section 301(k)’s held-for-sale requirement, held that Section 301(k)’s held-for-sale requirement is met when the medical device is used in any “commercial relationship between the doctor and the patient.”¹³  Even as Jackson did not need to tackle Kaplan’s interpretation of Section 301(k) head on, the Fourth Circuit acknowledged Kaplan’s “common-sense persuasiveness,” representing the very first time that another circuit has endorsed the Ninth Circuit’s broad reading and suggesting it may adopt Kaplan’s reading as its own in a future case.¹⁴

Second, Jackson argued that another section of the FDCA, Section 1006, precludes the government from prosecuting her for reusing Entellus devices for surgeries. Section 1006 exempts from liability actions falling within “the authority of a health care practitioner to prescribe or administer any legally marketed device to a patient for any condition or disease within a legitimate health care practitioner-patient relationship.” In Jackson’s estimation, reusing a medical device labeled for one-time use in legitimate surgeries merely reflected off-label usage within her discretion as a learned medical practitioner.

The Fourth Circuit disagreed. In its view, Jackson was conflating using a device off label, which may fall within the legitimate practice of medicine, with holding “adulterated” Entellus devices for sale, which is illegal for physicians and non-physicians alike.¹⁵ The jury found that she had failed to adequately sanitize the same Entellus device between different patient surgeries so as to render those devices “adulterated.” Moreover, her reuse of “adulterated” Entellus devices could not qualify for Section 1006’s exemption because that provision protects physicians only to the extent they prescribe or administer a “legally marketed device” – and FDA had never authorized the marketing or sale of the Entellus for multiple uses. If adopted, the court observed that her reading of the FDCA would “thwart congressional intent and create a huge loophole” that reflexively exempts physicians from otherwise unlawful conduct.

In so doing, Jackson appears to have severely undermined, if not eliminated, the “practice of medicine” provision under Section 1006. Specifically, the court’s use of the term “adulterated” could be read to mean the Entellus lacked adequate sanitation due to multiple uses on different patients.¹⁶ But “adulterated” also is a term of art under Section 501(f)(1)(B), which provides that a device is “adulterated” if it lacks FDA’s marketing authorization for a particular intended use (i.e., an “off-label use”), such as the multiple-use indication at issue in Jackson. If the second meaning were adopted, it would essentially gut Section 1006, and healthcare practitioners may not rely on that provision at all, as any “off-label use” would practically render the device “adulterated” and, therefore, prohibited under Section 301(k).

Healthcare fraud enforcement post-Jackson

The Jackson court’s determination that the Entellus was not a “legally marketed device” may embolden the government to reject the “practice of medicine” defense any time a healthcare practitioner uses an approved or cleared device for “off-label uses,” under the reasoning that any device that violates the FDCA is not “legally marketed.”

So while the Fourth Circuit did not officially adopt the Ninth Circuit’s holding in Kaplan – namely, that medical providers may be prosecuted pursuant to Section 301(k)’s bar on holding an adulterated medical device for sale whenever it is used to treat patients – it clearly resonated with that expansive reading in rejecting Jackson’s arguments to the contrary, including its interpretation of the Section 1006 “practice of medicine” defense.

With DOJ and FDA now armed with two circuit opinions (Kaplan and Jackson) that have taken an expansive approach to Section 301(k), we anticipate that the government will, alongside its existing arsenal of healthcare fraud enforcement tools, wield criminal penalties under the FDCA against hospitals, private practices and medical providers. As such, industry participants can expect close scrutiny by federal and state enforcers over the use of allegedly adulterated medical devices to perpetuate healthcare fraud.

The prospect of robust healthcare fraud enforcement is particularly salient given the new administration’s desire to draw attention to – and curb – alleged waste and abuse by recipients of federal funds. During President Donald Trump’s first term, DOJ eagerly pursued healthcare fraud prosecutions, including a nationwide takedown of 345 medical professionals for $6 billion in alleged fraud involving opioids,¹⁷ and the largest individual healthcare fraud scheme in DOJ history.¹⁸

Jackson presages renewed statutory authority for DOJ and FDA to situate Section 301(k) into future healthcare fraud enforcement efforts, and to test the outer boundaries of the FDCA’s criminal prohibitions, including Section 301(k), in the months and years ahead.

Notes

1. No. 23–4467, No. 23-4587, 2025 WL 249109, at *7–8 (4th Cir., January 21, 2025).
2. 603 US 369 (2024); see US Supreme Court’s October 2023 Term Administrative Law Trilogy – Holdings, Analyses and Implications of Jarkesy, Loper Bright and Corner Post, Cooley client alert, July 26, 2024.
3. FDCA § 301(k), 21 USC § 331(k). The first and only other circuit opinion interpreting Section 301(k) is United States v. Kaplan, 836 F.3d 1199, 1208 (9th Cir., 2016), as discussed below.
4. 21 USC § 331(k).
5. Id. at *7.
6. Id. at *7–8.
7. See, e.g., DOJ press release, National Health Care Fraud Takedown Results in Charges Against 601 Individuals Responsible for Over $2 Billion in Fraud Losses, June 28, 2018.
8. The Fourth Circuit explained that Jackson implemented quotas, incentives and other unorthodox methods to prescribe and administer the surgery. Her former employees testified that she instructed them to recruit patients in Walmart parking lots, churches, barbershops and doctors’ offices (Jackson, 2025 WL 249109, at *2). To increase the number of sinuplasty surgeries performed, she often skipped routine diagnostics to determine whether it was medically appropriate, and she misled patients into believing that the surgery was simply a “sinus spa” or “sinus rinse” (Id.). Then, to cover up her conduct, she submitted false, incomplete and altered records to the government, including some bearing fake notarizations and forged patient signatures (Id. at *3).
9. DOJ press release, Raleigh ENT Doctor Sentenced to 25 Years in Prison for Adulterating Surgical Devices, for Defrauding Medicare, and for Stealing Patient Identities, June 16, 2023.
10. Id.
11. See 21 USC § 331(k); 18 USC §§(a)(2); and DOJ press release, Raleigh ENT Doctor Sentenced to 25 Years in Prison for Adulterating Surgical Devices, for Defrauding Medicare, and for Stealing Patient Identities, June 16, 2023.
12. 836 F.3d 1199, 1208 (9th Cir., 2016).
13. Id.
14. 2025 WL 249109 at *6–*7.
15. 2025 WL 249109 at *18.
16. 2025 WL 249109 at *13 (discussing the term “adulterated” in the context of “unsanitary conditions”).
17. DOJ press release, National Health Care Fraud Takedown Results in Charges Against 601 Individuals Responsible for Over $2 Billion in Fraud Losses, June 28, 2018.
18. DOJ press release, South Florida Health Care Facility Owner Sentenced to 20 Years in Prison for Role in Largest Health Care Fraud Scheme Ever Charged by The Department of Justice, September 12, 2019.

Cooley is pleased to announce a three-part webinar series, Whistleblower Essentials for US Companies, hosted by Cooley partners Rebekah Donaleski and Daniel Grooms from our white collar defense and investigations practice. This series will cover DOJ, SEC, CFTC and other policies concerning individual and corporate self-disclosure and whistleblowing, how to identify key business risk areas, and ways to mitigate those risks while building a strong compliance program. All sessions last one hour.

February 4, 2025 | Session 1 – An Overview of the Government’s Approach to Whistleblowers and Corporate Cooperation

11:00 am PST // 12:00 pm MST // 1:00 pm CST // 2:00 pm EST

The DOJ Criminal Division’s Corporate Whistleblower Awards Pilot Program creates new dynamics for companies and their compliance structures, adding to a number of existing initiatives from the SEC, CFTC, and other regulators and prosecutors, as well as programs providing incentives for corporate cooperation. Join partners Daniel Grooms, Luke Cadigan, John Bostic and Melissa Gohlke for this first session as they dive into the specifics of each program, eligibility requirements and potential changes in the new administration.

Click here for more information and to register

February 11, 2025 | Session 2 – Key Areas That Generate Risk

11:00 am PST // 12:00 pm MST // 1:00 pm CST // 2:00 pm EST

Companies should stay proactive in navigating the new and evolving landscape of corporate accountability. Join partners Rebekah Donaleski, Shamis Beckley, Dee Bansal, Annie Froehlich and John Hemann for this second session, which will focus on identifying key risk areas, including anti-bribery and corruption, antitrust, export controls and sanctions, and the False Claims Act for government contractors and companies involved in the healthcare system.

Click here for more information and to register

February 18, 2025 | Session 3 – How to Remediate Risks and Minimize Compliance Exposure

11:00 am PST // 12:00 pm MST // 1:00 pm CST // 2:00 pm EST

Join partners Rebekah Donaleski, Russell Capone, Sonia Nath and Elizabeth Skey for this final session in the series, which will cover practical risk mitigation strategies to help companies strengthen compliance programs, manage internal whistleblower reports efficiently, and proactively address significant risk areas. Attendees will learn how to navigate expectations from prosecutors and regulators for corporate compliance programs, ensure swift response protocols, and minimize exposure under the evolving government approach to corporate enforcement.

Click here for more information and to register

For additional insights related to individual and corporate self-disclosure and whistleblowing, we invite you to explore these blog posts by the webinar panelists and others from our white collar defense and investigations practice:

• Expanded False Claims Law Puts Government Contractors on Notice by Andrew Goldstein, Shamis Beckley, Matt Nguyen and Jenny Portis (January 31, 2025)
• DOJ Focuses on AI, Emerging Tech in Newly Issued Guidance Updates for Evaluating Corporate Compliance Programs by Bobby Earles and Bingxin Wu (October 9, 2024)
• EDNY Launches New Whistleblower Non-Prosecution Pilot Program by Matthew Kutcher and Tara Levens (September 26, 2024)
• DOJ Launches New Incentive Program for Corporate Whistleblowers by Rebekah Donaleski and Keegan Trofatter (August 8, 2024)
• The Prisoner’s Dilemma Comes for Corporate Crime Rebekah Donaleski, Daniel Grooms and Priya Gambhir (April 23, 2024)
• Addressing Workplace Complaints: A Critical Step in Light of Whistleblower Incentives by Rebekah Donaleski and Miriam Petrillo (April 9, 2024)
• DOJ to Launch New Whistleblower Rewards Program by Rebekah Donaleski, Shamis Beckley and Madeleine McNally (March 12, 2024)
• DOJ Announces New Safe Harbor Policy for Voluntary Self-Disclosure in M&A by Bobby Earles, Daniel Grooms and Samantha Kirby (November 30, 2023)
• When the Whistle Blows, Listen Carefully – and Consider Self-Disclosure by Shamis Beckley and Samantha Kirby (March 1, 2023)

Continuing legal education (CLE) credits

Attendees may earn up to 1.0 CLE credit for participating in each session of this live webinar. Credit will not be granted for on-demand viewing.

FBI and CISA recommend using encrypted and ephemeral messaging

On a December 3, 2024 call with the press, FBI and CISA officials warned against unencrypted text and voice communications. Jeff Greene, CISA’s executive assistant director for cybersecurity, stated, “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible, if not really hard, for them to detect it.” The next day, the FBI, CISA, and several other US and foreign agencies released guidance for strengthening network devices against potential exploitation. Among other things, the guidance recommends network engineers to “ensure that traffic is end-to-end encrypted to the maximum extent possible.”

Two weeks later, on December 18, 2024, CISA published Mobile Communications Best Practice Guidance, which aims to “promote protections for mobile communications from exploitation” by cyberattacks. The guidance is directed at “highly targeted” senior government officials and senior politicians, though CISA notes that it is “applicable to all audiences.” CISA’s guidance makes general recommendations for devices and online accounts, as well as specific recommendations for iPhone and Android users.

Topping the list of CISA’s general recommendations is to “use only end-to-end encrypted communications.” CISA recommends individuals to “adopt a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar apps.” To ensure that messages between different operating systems (e.g., iPhones and Androids) remain secure, CISA also recommends using a messaging app that is compatible with both systems. CISA notes that such apps “may include features like disappearing messages and images, which can enhance privacy.”

Other general recommendations include:

• Enabling Fast Identity Online (FIDO) phishing-resistant authentication
• Migrating away from Short Message Service (SMS)-based multifactor authentication (due to the fact that SMS messages are not encrypted)
• Using a password manager
• Setting a Telco PIN (offered by most telecommunications providers)
• Regularly updating software
• Opting for the latest hardware version from the cell phone manufacturer
• Not using a personal virtual private network (VPN)

With respect to iPhone users, CISA recommends enabling Lockdown Mode, disabling certain settings to ensure that messages do not send as SMS if iMessage is unavailable, and using encrypted Domain Name System (DNS) services, among other things.

As for Android users, CISA recommends using phones from manufacturers with strong security track records, using only Rich Communication Services if end-to-end encryption is enabled, and using encrypted DNS services, among other things.

Regulators warn of noncompliance risks regarding encrypted and ephemeral messaging

As we reported in March 2024, over the past several years, US regulators have increasingly focused on corporate use of ephemeral and encrypted messaging due to the challenges of retrieving and reviewing such communications at a later date. DOJ officials have stated that when conducting an investigation, prosecutors will consider a company’s use of ephemeral and encrypted applications, whether the company preserved those communications and whether those messages are accessible for the investigation. Failure to produce such communications may adversely impact the offer that a company receives to resolve criminal liability.

The DOJ’s most recent version of Evaluation of Corporate Compliance Programs reinforces this stance, noting that prosecutors will consider a corporation’s policies and procedures governing the use of communications platforms, including ephemeral messaging applications. In a January 2024 joint press release with the Federal Trade Commission (FTC) regarding the agencies’ updated standard preservation letters and specifications for second requests, the agencies specifically called out the ephemeral messaging application Signal as one of the messaging platforms that allows “immediate and irretrievable destruction of communications and documents,” and warned companies that failure to preserve data from ephemeral messaging platforms will be treated as spoliation or even obstruction of justice.

In addition, as we reported in December 2024, since 2021, the SEC has conducted a broad sweep of financial institutions, focusing on whether employees communicated about business matters over text messages or other messaging apps. In particular, the SEC looks to whether a company’s employees use ephemeral and encrypted messages that make it difficult for the company to monitor and preserve communications. The SEC’s “off-channel communications” sweep has resulted in charges against more than 100 firms, with more than $2 billion in penalties levied, including $63.1 million in penalties against 12 firms from earlier this week. A similar sweep by the Commodity Futures Trading Commission (CFTC) resulted in more than $1.23 billion in civil monetary penalties imposed against 28 financial institutions.  

Both SEC Chair Gary Gensler and CFTC Chair Rostin Behnam have announced that they plan to depart on January 20, 2025. There is early indication that their successors (to be appointed by incoming President Donald Trump) may roll back the off-channel communications sweep. In September 2024, the Republican SEC commissioners issued a statement urging their colleagues to “reconsider [the SEC’s] current approach to the off-channel communications issue.” In the statement, Commissioner Hester Peirce and Commissioner Mark Uyeda noted that “it does not appear that firms have an achievable path to compliance,” and that the SEC’s current approach “equates reasonableness with perfection.” The commissioners recommended “work[ing] with the industry” and taking a more “privacy-respecting approach.”

The FBI’s and CISA’s recent advisories indicate the agencies’ recognition that companies have legitimate needs for using encryption and ephemeral messaging to protect sensitive business communications. CISA’s guidance specifically recommends using Signal because it “guarantees end-to-end encryption.” It remains to be seen whether these agencies’ view on encryption and ephemeral messaging signals a policy shift in the federal government that will be reflected in subsequent policy changes at the DOJ and SEC, or whether companies will be forced to choose between the necessity of secure communications for sensitive business discussions and the demand for regulatory compliance and cooperation in government investigations.

Read on for more highlights from this year’s enforcement results.

Record-breaking financial remedies, including from several sweeps

Setting aside the $4.5 billion Terraform settlement, the SEC obtained $3.7 billion in financial remedies in FY2024. As highlighted in the SEC’s report, a large proportion of that amount resulted from several industry-wide sweeps.

Off-channel communications

Since 2021, the SEC has undertaken a broad sweep focused on whether certain regulated entities (such as broker-dealers and investment advisers) have run afoul of recordkeeping rules that require such firms to preserve electronic communications related to their business. The SEC has specifically focused on whether employees communicated about business matters over text messages or other messaging apps, and whether those messages were preserved. In FY2024, the SEC obtained $600 million in civil penalties from actions against 70 firms for alleged violations of recordkeeping rules. Overall, this sweep has resulted in charges against more than 100 firms, with more than $2 billion in penalties imposed.

Whistleblower protection

Consistent with the SEC’s emphasis on encouraging whistleblowers to report potential securities violations, the SEC in FY2024 settled eight enforcement actions to address violations of the Dodd-Frank whistleblower protection rule, which prohibits market participants from taking any action to impede would-be whistleblowers from contacting the SEC. The SEC alleged that those firms either purported to limit customers’ ability to voluntarily contact the SEC or required their employees to waive the right to a possible whistleblower monetary award. Related settlements totaled $21 million.

Disclosure of holdings and transactions by insiders

Federal securities laws require certain insiders and market participants to disclose their securities holdings and transactions. In FY2024, the SEC levied more than $3.8 million in penalties against 23 entities and individuals for failures to timely report information about their holdings and transactions in public company stock or for contributing to filing failures by their officers and directors.

Focus on emerging technologies and emerging risks

In FY2024, the SEC pursued enforcement actions ranging from evergreen investor risks such as material misstatements, internal control deficiencies and major gatekeeping failures to emerging issues related to disclosures concerning artificial intelligence (AI), cybersecurity and crypto.  

AI

In FY2024, the SEC charged three firms for alleged false statements regarding their purported use of AI in their investment processes.

Cybersecurity

Consistent with the SEC’s recent focus on disclosing cybersecurity incidents (read more in this June 2024 blog post), the SEC settled charges with key market participants for failing to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity. The SEC also settled charges against one transfer agent for failure to ensure client securities and funds were protected against theft or misuse, and against one firm for disclosure and internal control failures relating to cybersecurity incidents.

Crypto

The SEC settled charges against one crypto firm for false and misleading disclosures about its compliance program, and against another crypto firm for failing to register its offer and sale of structured crypto-assets offered and sold as securities.

Reward for proactive compliance

SEC officials have continued to emphasize the importance of proactive compliance, including self-policing, self-reporting, remediation and taking other steps to meaningfully cooperate with the SEC’s investigations. According to Gurbir S. Grewal, former director of the Division of Enforcement at the SEC, effective cooperation may affect both the charges and the remedies that the SEC may impose:

“On the charging side, we may recommend bringing reduced charges or we may decline to recommend charges altogether. On the remedies side, we may recommend reduced or even zero civil penalties. And where there’s been real remediation that addresses the misconduct, that may impact whether we recommend undertakings and, if we do, their scope.”

The SEC’s report noted that a number of market participants – including public companies, investment advisers and broker-dealers – were credited with cooperation in FY2024. These matters involved a wide range of alleged violations, such as material misstatements, fraud, recordkeeping violations and control failures related to cybersecurity. The SEC noted that cooperation has led to reduced civil penalties or even no civil penalties – including in cases involving very large firms. For example, in the latest round of off-channel communications sweeps, the SEC credited one firm for taking substantial steps to comply, self-report and remediate, which led to the firm receiving a no-penalty resolution.

According to a recent report by Cornerstone Research, a top consulting and expert testimony firm, FY2024 saw the highest percentage of public company defendants being credited with cooperation since FY2019. In FY2024, 77 public company defendants (including individual defendants) were credited with cooperation, representing 75% of 103 public company defendants. This led to a shift in settlement outcomes, with 15% of all public company defendants settling with no monetary penalty – the highest percentage in more than a decade.

Looking ahead

The SEC’s annual reports generally provide helpful guidance for market participants regarding the SEC’s enforcement focus. With SEC Chair Gary Gensler stepping down on January 20, 2025, when the administration changes, however, it is unclear whether this past year’s enforcement activities shed light on what the next year will bring.

The offence

The ECCTA came into law  on 26 October 2023 as part of broad reforms to the UK’s current framework for addressing financial crime. Section 199 of the ECCTA, in particular, created the new criminal offence of failure to prevent fraud. Following publication of the guidance,[1] the offence will now come into force on 1 September 2025. We have written previously on the nature and scope of this new offence – in this April 2023 post and in this October 2023 post.

The guidance

A large organisation (as defined in the ECCTA) may have a defence to a failure to prevent fraud offence if it had reasonable prevention procedures in place at the time of the fraud offence,[2] designed to prevent persons associated with it from committing such offences.[3] The guidance sets outs six principles that businesses should use to inform the procedures they put in place to prevent fraud offences. The intention is that a nonprescriptive approach will enable a wide variety of businesses and circumstances to be addressed, and may be supplemented by more specific sectoral guidelines where appropriate.

1. Top-level commitment: The guidance indicates that individuals who are responsible for governance of a relevant company should lead the development and review of prevention procedures, either individually or by delegation to a relevant committee and senior managers should communicate and endorse the organization’s stance on preventing fraud, including mission statements.
2. Risk assessment: Any risk assessment should be well-documented and regularly reviewed, such that it continuously responds to business changes. The guidance suggests classifying any risks using the following structure and by reference to their likelihood and impact:
   • Opportunity Companies should identify who is in a position to commit a fraud offence, including departments which are particularly at risk (i.e., those with inadequate oversight or weak controls).
   • Motivation
     Companies should evaluate whether their reward systems (e.g., criteria for bonuses) may encourage fraud and, conversely, should assess whether there are any specific financial stresses that may encourage risky behaviour.
   • Rationalisation
     Companies should consider the culture at large to assess whether it is ‘quietly tolerant’ of fraud and whether any reporting lines in place (e.g., whistleblowing hotlines) are sufficient for employees to make their concerns known.
3. Robust but proportionate risk-based prevention procedures: The guidance suggests that each risk that has been recognised should be addressed by proportionate procedures. It acknowledges that some may be sufficiently addressed by sectoral regulations, such as those on tax evasion and audit requirements, but notes that this is not guaranteed.
4. Due diligence: Where services are performed on behalf of a company, the guidance states that it should carry out proportionate due diligence procedures in respect of those persons, either internally or by outsourced means. Notably, the guidance acknowledges that it may be proportionate not to implement procedures in respect of lower-level risks, but the reasons for this should be well-documented. Some procedures are mandated by law, such as anti-money laundering checks, but others may be necessitated by sector or circumstance. The guidance conveys an expectation on a company to review the effectiveness of its due diligence procedures and subsequently amend them as appropriate.
5. Communication (including training): The guidance notes that a company should seek to ensure that its prevention policies –including whistleblowing policies – and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication. Further, the guidance stipulates that this communication should be delivered, at least in part, through training programmes that are proportionate to the risk faced.
6. Monitoring and review: As risks can evolve over time as businesses change, preventative procedures will need to be updated accordingly. The guidance suggests that procedures should be reviewed periodically with reference to three key touchpoints: detection of fraud and attempted fraud, investigation of suspected fraud, and monitoring the effectiveness of fraud prevention measures.

The guidance states that what is ‘reasonable’ in any particular instance is for the courts to decide based on the facts and circumstances of the case (such as a company’s organisational structure and territorial reach).

Conclusion

Publication of the guidance commences a nine-month implementation period, throughout which large organisations will be expected to develop their ‘reasonable preventative procedures’. What is deemed ‘reasonable’ will be business-specific and will necessitate detailed risk assessments by each organisation to identify what is appropriate for its particular circumstances.

From 1 September 2025, a large organisation which fails to put appropriate and proportionate procedures in place may risk not having any defence to a criminal prosecution under the ECCTA. It is therefore essential that businesses have well-designed procedures in place to prevent this, and that these are regularly reviewed in line with regulatory and technological developments.

[1] Section 219(8) ECCTA.

[2] Section 199(4) ECCTA.

[3] Section 199(5) ECCTA.

In front of a live audience at the Society of Corporate Compliance and Ethics’ Annual Compliance & Ethics Institute, Principal Deputy Assistant Attorney General Nicole Argentieri delivered remarks regarding the latest changes to the ECCP – which is, in her words, “the roadmap Criminal Division prosecutors use to evaluate a company’s compliance program, including the questions prosecutors will ask as they assess a compliance program in determining how to resolve a criminal investigation.” Argentieri left no question about the message she hoped to convey to companies: “Now is the time to make the necessary compliance investments to help prevent, detect, and remediate misconduct.”

Background

The DOJ’s Criminal Division introduced the original ECCP in 2017 and has revised it four times, in April 2019, June 2020, March 2023 and September 2024. The ECCP helps prosecutors evaluate the effectiveness of corporate compliance programs – a factor prosecutors consider in making charging decisions, sentencing recommendations and determining the appropriate resolution in corporate criminal enforcement actions.

Instead of a rigid formula, the ECCP provides sample questions on 12 topics relevant to the evaluation of a corporate compliance program. The 12 topics are organized under three fundamental questions a prosecutor should ask:

• Is the corporation’s compliance program well-designed?
• Is the program being applied earnestly and in good faith?
• Does the corporation’s compliance program work in practice?

In Argentieri’s remarks regarding the latest changes to the ECCP, she highlighted key additions in three areas:

1. Emerging technologies (including AI)
2. Whistleblower incentives and protection
3. Whether a compliance program has appropriate access to data

AI and emerging technologies

While many companies view AI and related technologies as tools to help combat risk, the updated guidance explores technology as a source of risk. In particular, the updated ECCP instructs prosecutors to evaluate how companies manage the risks associated with the use of emerging technologies – both in their business and in their compliance programs. Prosecutors will consider:

• Whether and how the company assesses the potential impact of new technologies, including on the company’s ability to comply with criminal laws.
• Whether the company has controls to ensure that the technology is used only for its intended purposes and has taken steps to mitigate risks associated with the use of new technologies.
• Whether management of risks related to the use of AI and other new technologies is integrated into broader enterprise risk management (ERM) strategies.
• The company’s approach to governance regarding the use of new technologies.
• If the company uses AI for its compliance program, whether controls are in place to ensure the technology’s trustworthiness, reliability and compliance with law.
• The baseline of human decision-making used to assess AI.
• How accountability over use of AI is monitored and enforced.
• How the company trains its employees on the use of emerging technologies.

Whistleblower incentives and protection

The updated ECCP also highlights the DOJ’s continued commitment to whistleblower reward and protection, and includes additional questions to assess companies’ commitment to whistleblower protection and anti-retaliation, including:

• Whether the company incentivizes or disincentivizes its employees to speak up and report misconduct.
• Whether the company has an anti-retaliation policy.
• Whether the company trains its employees on its internal anti-retaliation policy as well as external whistleblower protection laws.
• To the extent the company disciplines employees involved in misconduct, whether the company treats those who reported internally differently from those who did not.

For more information on the DOJ’s incentive programs for corporate whistleblowers, check out our August 2024 and September 2024 blog posts.

Access to data

The updated ECCP also expands existing considerations regarding a compliance program’s access to data and resources. In addition to assessing whether compliance personnel have sufficient access to relevant sources of data, the ECCP now asks prosecutors to consider:

• Whether compliance personnel have access to relevant data sources in a timely manner.
• Whether the company leverages data analytics tools to increase efficiency of compliance.
• How the company manages the quality of its data sources and measures the accuracy of any data analytics tools.
• How the assets and resources available to compliance compare to those available elsewhere in the company, including whether there is an imbalance between the two.

Key takeaways

• The updated ECCP illustrates the dual nature of emerging technologies for corporate compliance. On the one hand, companies are expected to identify and manage risks related to new technologies in their business and compliance programs. On the other hand, companies are encouraged to leverage data analytics tools to improve their compliance programs.
• Companies should consider whether there is an imbalance in the technologies they use for their business and the technologies they use for compliance.
• In light of the DOJ’s continued focus on whistleblower incentives, companies should have appropriate whistleblower policies in place and train their employees on those policies, as well as on whistleblower protection laws.

This program is part of an ongoing effort by the Department of Justice (DOJ) and United States Attorney’s Offices across the country to encourage the voluntary disclosure of corporate criminal activity. In April 2024, DOJ launched a Pilot Program on Voluntary Self-Disclosures for Individuals, and in August 2024, it launched the Corporate Whistleblower Awards Pilot Program. (To learn more, check out our April 2024 and August 2024 posts about the announcements.) Most recently, in remarks made the same day as the EDNY Pilot Program announcement, Principal Deputy Assistant Attorney General Nicole M. Argentieri emphasized that these programs are “designed to encourage companies to invest in making their compliance programs effective,” and that they “create incentives for companies to step up and own up when misconduct occurs” before law enforcement learns of the conduct from other sources.

EDNY Pilot Program criteria

Under the EDNY Pilot Program, individuals who voluntarily disclose information about criminal conduct may be eligible for an NPA if they meet certain conditions.

The disclosure must involve one of the enumerated “covered crimes” – including fraud or corporate control failures; intellectual property theft and related violations; market integrity; bribery or fraud related to government funds; obstruction of justice, perjury, or false statements; healthcare fraud; or money laundering related to any of these crimes.

In addition:

• The disclosed misconduct must not have been made public and must not be known to DOJ.
• The disclosure must be voluntary, before there is an imminent threat of disclosure or government investigation, and not in response to a government inquiry or based on any obligation to report.
• The disclosing individual must cooperate fully with the investigation and prosecution, including by providing testimony and evidence.
• The information must be “complete, truthful, and accurate” and disclose “all criminal conduct in which the individual has participated and of which the individual is aware.”
• The disclosing individual must not be the highest-ranking person in the organization (i.e., the CEO) or someone who exercises “primary control” over the organization’s operations; the head of a public agency; an elected, or appointed and confirmed, federal, state, local or foreign official; or a federal law enforcement official.
• The disclosing individual must not have led or originated the illegal activity.
• The disclosing individual’s role in the conduct must not have involved violence, sex offenses or terrorism, and the individual must not have a prior felony conviction involving violence, sex offenses, terrorism, fraud or dishonesty.
• The disclosing individual must forfeit or disgorge any proceeds from the wrongdoing and pay restitution to any victims.

When the above conditions are not met, prosecutors nevertheless may consider exercising discretion to extend an NPA. In exercising that discretion, prosecutors can consider a set of factors, many of which overlap with the factors described above – including, for example, whether the conduct previously was made public or was known to EDNY and DOJ, whether the disclosure was made voluntarily, whether the individual is prepared to substantially assist the prosecution and investigation, and whether the individual fully and truthfully disclosed all criminal conduct they were aware of and participated in. Other considerations include:

• Whether the individual is outside the US and likely to remain there.
• Whether the information concerns a senior officer or board member of a publicly traded company, or a federal elected, or appointed and confirmed, official.
• Whether the individual is an official or in a leadership position or a position of public or private trust.
• The individual’s criminal history and the adequacy of noncriminal sanctions.

Takeaways

1. Understand who is eligible under the EDNY Pilot Program

Individuals and companies should understand the broad scope of potential reporters under this program. Employees ranging from entry-level workers to upper-level managers may be eligible. Notably, CEOs or other employees who exercise “primary control over the operations” of the organization are not eligible. But, in contrast with the Southern District of New York’s similar program, EDNY’s policy does not expressly deem chief financial officers (CFOs) ineligible.

The EDNY Pilot Program also diverges from the DOJ Corporate Whistleblower Award Pilot Program in an important respect: The DOJ program applies only to potential whistleblowers who were no more than “minimal participants” in the criminal activity, while the EDNY program remains open to those who played a larger role in the misconduct, provided they were not a leader or originator. Thus, while individuals who were more than minimally involved in misconduct may not be eligible for a financial award under DOJ’s Corporate Whistleblower Award Pilot Program, they still may be eligible for an NPA under either EDNY’s Pilot Program or DOJ’s Pilot Program on Voluntary Self-Disclosures.

2. Recognize incentives to employees for reporting and develop robust internal controls

The EDNY Pilot Program follows a series of disclosure initiatives announced by DOJ and US Attorney’s Offices across the country that incentivize employees to be the first to report corporate wrongdoing. Unlike the DOJ’s Corporate Whistleblower Award Pilot Program, EDNY’s Pilot Program does not account for whether an employee reported internally before approaching law enforcement. This emphasizes the need for companies to maintain strong controls to detect, investigate and respond to internal complaints before an individual is incentivized to report issues to prosecutors.

Moreover, the discretionary factors identified in the EDNY Pilot Program expressly note that even if the program criteria are not satisfied, an NPA still may be available if the information concerns “criminal conduct by a senior officer and/or a member of the board of directors of a publicly traded company.” Public companies therefore should be aware of the possible race to report that can emerge and should take steps internally to evaluate and address concerns when they arise. (To learn more, read our April 2024 blog post about how to address workplace complaints.)

3. Seek counsel in deciding whether to report

Because the conditions for receiving credit after making a report are complicated, both individuals and corporations should be mindful in deciding whether, when and where to report. Potential reporters should seek the advice of counsel in determining whether disclosure is appropriate based on the particular facts and circumstances of their situations.

The first case, Diaz, holds that expert testimony about the mental state of most people in a group collectively, rather than the defendant individually, does not violate the Federal Rules of Evidence. Although the decision was a win for the prosecution in that case, SCOTUS opened the door to a category of testimony that may benefit defendants in certain cases, as discussed below.

In the second case, Smith, the Supreme Court relied on the Sixth Amendment’s Confrontation Clause to hold that the prosecution may not introduce the findings of a forensic analyst at trial through the testimony of a surrogate analyst except in limited cases. This decision reaffirms the constitutional right of any defendant to test critical evidence at trial through cross-examination – a right equally essential in white collar matters.  

Expert testimony about mental state of ‘most people’ permissible under Federal Rules of Evidence

In Diaz v. United States, border patrol officers searched a car and discovered more than 50 pounds of methamphetamine within the vehicle. The driver, Diaz, was charged with importing methamphetamine in violation of federal law. Those charges required the government to prove that Diaz “knowingly” transported drugs. In her defense, Diaz insisted that she was unaware of the drugs in the car.

The parameters of satisfying this “knowing” burden ultimately percolated up to the Supreme Court. In the district court, the government gave notice that its expert witness would testify about the “common practices of Mexican drug-trafficking organizations.” This expert was expected to testify about drug traffickers’ general distrust of sending “large quantities of drugs to people who are unaware they are transporting them.” Diaz objected to the testimony under Federal Rule of Evidence 704(b), which provides that an expert witness in a criminal case cannot opine about “whether the defendant did or did not have a mental state […] that constitutes an element of the crime charged or of a defense.” The district court ultimately disallowed expert testimony about what all couriers know when transporting drugs – but permitted such testimony about what most couriers know when transporting drugs. The government’s expert went on to testify that, “in most circumstances, the driver knows they are hired […] to take the drugs from point A to point B.”

The jury convicted Diaz, and she received a prison sentence. On appeal, the US Court of Appeals for the Ninth Circuit affirmed the conviction, holding that only an “explicit opinion” on a defendant’s state of mind ran afoul of Rule 704(b). The expert testimony in question did not violate that rule.

The Supreme Court agreed, explaining that “[a]n expert’s conclusion that ‘most people’ in a group have a particular mental state is not an opinion about ‘the defendant’ and thus does not violate Rule 704(b).”

Situating its analysis, the Supreme Court chronicled the history of the “ultimate-issue” rule – a common law rule barring witnesses from infringing on the role of the jury by stating their conclusions on an issue – followed by the evolution of Rule 704. SCOTUS explained that when Rule 704 was adopted in 1975, it permitted all ultimate-issue opinions. Then, following the trial of John Hinckley Jr. (found not guilty by reason of insanity after his assassination attempt on then-President Ronald Reagan), Congress carved out an exception that a witness must not state an opinion about whether the defendant had the mental state aligning with an element of the crime or a defense.

In Diaz, the Supreme Court held that, because the government’s expert “did not express an opinion about whether Diaz herself knowingly transported methamphetamine,” the testimony did not violate Rule 704(b). In its analysis, SCOTUS also highlighted each party’s opportunity to present and cross-examine witnesses. Indeed, Diaz raised the unknowing courier defense before the jury, even presenting an expert who testified about the difficulty of suspecting or knowing about drugs hidden within a car. The Supreme Court reasoned that the jury, having heard both experts, was in the position to decide the ultimate issue of Diaz’s mental state:

[The government’s expert] asserted that Diaz was part of a group of persons that may or may not have a particular mental state. Of all drug couriers – a group that includes Diaz – he opined that the majority knowingly transport drugs. The jury was then left to decide: Is Diaz like the majority of couriers? Or, is Diaz one of the less-numerous-but-still-existent couriers who unwittingly transport drugs?

The Supreme Court confirmed the Rule 704(b) exception is a narrow one, given that Rule 704 “as a whole makes clear that an opinion is ‘about’ the ultimate issue of the defendant’s mental state only if it includes a conclusion on that precise topic, not merely if it concerns or refers to that topic.”

As seen in several Justices’ separate writings in Diaz, the effects of the majority opinion may be far-reaching – potentially affecting defense strategy in cases involving alleged corporate misconduct. Diaz applies to any crime that turns on a defendant’s state of mind. And as Justice Ketanji Brown Jackson’s concurrence makes clear, Rule 704(b) is “party agnostic” – meaning the government and defense counsel alike may use expert testimony “on the likelihood” of a defendant having a certain mental state. In a white collar criminal trial, the central dispute often focuses on the defendant’s mental state, i.e., their intent. In turn, the question of intent might depend on what a corporate executive defendant knew. In that case, Diaz allows the defendant to present expert testimony on what “most” people in their position would know. Even in a case where the government and defense both present expert testimony on this issue, competing expert opinions may reduce the risk of a unanimous guilty verdict. Thus, Diaz may prove an effective sword for defendants, while also providing a shield to prevent the prosecution from putting up an expert to testify about a particular defendant’s supposed state of mind.

Surrogate expert testimony may implicate Confrontation Clause.

Smith v. Arizona, too, began with drugs – but unlike in Diaz,the majority’s analysis turned on federal constitutional rights, not rules of evidence. In Smith, a large quantity of what appeared to be drugs and drug-related items were found during a search warrant execution. The defendant, Smith, was charged with drug offenses and pleaded not guilty.

In preparation for trial, seized items were sent to a government laboratory, where a lab analyst ran tests and generated notes and a signed report detailing her findings regarding the identities and quantities of drugs at issue. At trial, the prosecution made a last-minute decision to present this evidence through a different analyst—not the one who had performed the tests. (The Supreme Court stated that the original analyst had since stopped working at the lab “for unexplained reasons.”) The replacement testifying analyst relied on the original analyst’s records to come to the same conclusion regarding drug identities and quantities.

Smith was convicted and appealed. On appeal, he argued that the prosecution’s use of “substitute expert” testimony violated the Sixth Amendment’s Confrontation Clause, which “guarantees a criminal defendant the right to confront the witnesses against him,” and “bars the admission at trial of ‘testimonial statements’ of an absent witness unless [they are] ‘unavailable to testify, and the defendant ha[s] had a prior opportunity’ to cross-examine [them].’” The Arizona Court of Appeals disagreed and affirmed, reasoning that the underlying facts were used only to show the basis for the in-court witness’s opinion. The Arizona Supreme Court denied discretionary review of this decision.

The US Supreme Court took up the question of how the Confrontation Clause is implicated when an expert witness restates the factual assertions of an absent lab analyst to support their own opinion testimony. The Supreme Court held that “[w]hen an expert conveys an absent analyst’s statements in support of his opinion, and the statements provide that support only if true, then the statement come into evidence for their truth.” As such, if the statements are testimonial, the Confrontation Clause renders them inadmissible.

In arriving at this conclusion, SCOTUS first looked to whether the testifying lab analyst’s statements were hearsay (i.e.,used“for the truth”). The answer was yes. The Supreme Court explained that the truth and value of the original lab analyst’s statements were interrelated; only if the underlying basis of the expert’s testimony was true would it hold any value for the prosecutors.  Put differently, “those statements were conveyed to show [the original lab analyst] used certain standard procedures to run certain tests, which enabled identification of the seized items.”

With this holding, the Supreme Court foreclosed an “end run” around the Confrontation Clause and confirmed a defendant’s right to cross-examine forensic experts delivering testimonial lab reports – specifically the right to confront the expert with firsthand knowledge (not the one merely reading from another’s records). In doing so, SCOTUS explained that substitute experts could still testify to other topics drawing on personal knowledge, such as how the lab functioned and chain of custody, among others.

As with Diaz, criminal defense counsel should take note of the near-universal applicability of this expert testimony ruling. Counsel should be mindful that Smith applies broadly to any type of forensic testing – including the work of forensic accountants and others similarly situated – and may implicate any defendant’s rights under the Confrontation Clause. They also should take note of the potential downstream effects of Smith. If the Supreme Court is, in fact, moving away from a “mainstream conception” of hearsay – as outlined in Justice Samuel Alito’s dissent – and, in some cases, sidelining the Federal Rules of Evidence, that also may have considerable practical impacts for trial practice.

In March 2024, the DOJ announced that it would be undertaking a “90-day sprint” to develop this pilot program to create “new incentives” for individuals to report misconduct and to “drive companies to further invest in their own internal compliance and reporting systems.” (To learn more about the March announcement, check out our previous post.)

Now in effect, the Corporate Whistleblower Awards Pilot Program will serve as a new tool for the DOJ to identify potential misconduct that would otherwise go undetected. The program will last three years and cover corporate misconduct across specific subject matter areas, including financial fraud, foreign corruption and bribery, domestic bribery involving US, state, and local government, and healthcare fraud within private entities. Given this focus, companies operating in the healthcare sector or that do business with the government should pay particular attention to this new policy – and the increased scrutiny that may come from it – and ensure their internal reporting and compliance programs are ready to quickly detect and address any misconduct.

Along with this program, the DOJ amended its Corporate Enforcement and Voluntary Self-Disclosure Policy to expand benefits to companies that self-report misconduct before the DOJ contacts them.

Taken together, these programs make the DOJ’s expectations to companies clear: “Call us before we call you.”

Pilot program criteria

Whistleblowers aiming to recover a share of the money recovered by the government as a result of their cooperation must meet the criteria outlined by the DOJ for the pilot program.

Eligibility

A whistleblower must be an individual who was not a company officer or director, counsel, accountant, or hired to conduct internal compliance or audit processes.

A whistleblower also must not have “meaningfully participated” in the criminal activity they reported. Although “minimal participation” will not make an individual ineligible to participate in the pilot, it may serve as a factor to limit their award.

Information

The information provided to the DOJ under the pilot program must be nonpublic information not previously known to the DOJ, as well as original – meaning “derived from the individual’s independent knowledge or independent analysis.” It also must be voluntarily provided to the DOJ before any request or inquiry has been directed to them.

A whistleblower’s report must be truthful and complete, providing the DOJ with all information known to the whistleblower, including their role in the potential misconduct.

Reported misconduct also must fall into one of four subject matter areas to be considered under this pilot program, as listed below.

1. Financial institutions: Violations of financial regulatory laws and fraud against or noncompliance with financial institution regulators.
2. Foreign corruption: Violations involving foreign corruption and bribery, including violations of the Foreign Extortion Prevention Act, Foreign Corrupt Practices Act, and money laundering laws.
3. Domestic corruption: Payments of bribes or kickbacks to domestic government officials at any level.
4. Healthcare offenses: Violations related to federal healthcare offenses and related crimes involving private or other nonpublic healthcare benefit programs; fraud against patients, investors, and other nongovernmental entities in the healthcare industry; and any other federal violations involving healthcare not covered by the False Claims Act.

Award

To receive an award, the whistleblower must have provided information that led to the successful asset forfeiture of more than $1 million in net proceeds. Awards are determined at the DOJ’s discretion and will vary depending on the circumstances, but generally, an eligible whistleblower may receive:

• Up to 30% of the first $100 million in net proceeds forfeited.
• Up to 5% of any net proceeds forfeited between $100 million and $500 million.
• No award on net proceeds forfeited above $500 million.

Corporate self-disclosure

The amendment to the DOJ’s Corporate Enforcement and Voluntary Self-Disclosure Policy would provide a company that self-reports misconduct within 120 days of receiving an internal whistleblower complaint with highly favorable treatment by the DOJ – a “presumption of declination” – as long as the company fully cooperates and remediates.

Takeaways

Risk of race to report not eliminated

Through this new program, the DOJ is actively encouraging employees to report potential misconduct as quickly as possible – whether internally or directly to the DOJ – to be the first to come forth with original information. In Argentieri’s words: “We are telling employees […] now is the time to come forward to the Criminal Division.”

Although there is some incentive for an individual to report internally to their employer first, this is not required. Whether an employee reports internally to their employer (either before or at the same time as reporting to the DOJ) is one of three factors the DOJ considers in favor of increasing the amount of the individual’s award. But even if the employee decides to report internally, they also mustindependently and directly report the conduct to the DOJ within 120 days of their internal report in order to be eligible for an award.

Corporations should note that the internal reporting window does not necessarily delay the government’s investigation. Although employees are provided 120 days to report to the DOJ after reporting internally, if they decide to report sooner, it is unclear (but unlikely) that the DOJ will “wait” that same 120 days before beginning an investigation. Companies should quickly and effectively investigate internal complaints, and should expect that if the complaint falls into the categories of offenses covered by this program, that the employee will, or may have already, gone to the DOJ in an effort to reap the financial rewards of the program.

Increased incentives for companies to act quickly after receiving a complaint

In conjunction with this pilot program, the DOJ issued a temporary amendment to its corporate voluntary self-disclosure program that provides companies who receive a whistleblower’s report with 120 days to self-report to receive preferential treatment. However, according to the DOJ’s pilot program FAQ, companies can only get this benefit if they act before the government reaches out – even if the 120 days are not up.

This pilot program and the potential benefits to companies that self-report potential misconduct are further reason for companies to ensure that they not only have robust internal complaint management processes in place, but also that those processes are carried out with the DOJ’s time constraints in mind. This policy includes a 120-day period during which the DOJ expects a company to investigate a claim and make a decision about coming forward and self-reporting to the DOJ. In other words, companies should move quickly and efficiency upon receiving internal complaints. Companies also should seriously consider bringing in outside counsel early to investigate potential issues and evaluate the possibility of self-reporting.

Understand who’s eligible to participate in pilot program

It is important for companies to be conscious of which individuals are eligible to receive a benefit through this pilot program – although the pool is vast, the DOJ has placed specific limitations on program eligibility. An individual (or group of individuals) not eligible for an award through another US government or statutory whistleblower, qui tam, or similar program, may make a submission under this pilot program and potentially receive an award. Individuals who are elected or appointed public officials, company directors and officers, or those who were substantially involved in the alleged crime are not eligible to participate in the pilot program. Additionally, anyone whose job it is to facilitate the company’s compliance processes is ineligible, as well as company auditors, accountants and lawyers.

Notably, these eligibility criteria are more restrictive than those for the DOJ’s voluntary self-disclosure policy announced earlier this year, which offers non-prosecution agreements to individuals who voluntarily self-disclose information about certain corporate crimes. Nevertheless, even those who are “minimally” involved in the alleged criminal activity, whether they’re current or former employees, still stand to benefit from the new whistleblower program.

Heightened awareness for government contractors and healthcare companies

In addition to continuing to put pressure on crimes involving financial institutions and foreign corruption, this program demonstrates the DOJ’s focus on two more sectors: corrupt conduct involving US, state, and local government and healthcare fraud involving private entities such as insurers.

Companies whose work involves government contracts and companies operating in the healthcare sector should be aware of the DOJ’s new efforts to expand enforcement in these areas, starting with financial incentives for individual employees who step up and report.

Given the DOJ’s continued focus on corporate misconduct and compliance, all corporations – and particularly those potentially implicated by the subject matter of this program – should build out their compliance programs and internal reporting structures to both get ahead of any misconduct and be in position to timely address internal reports.

Dismissed claims

First, the court dismissed all claims about the company’s SEC filings prior to, during and after the SUNBURST cyberattack. The court found that the SEC’s allegations about SolarWinds’ disclosures in its annual and quarterly filings, as well as Form 8-K reports filed in response to SUNBURST, were not sufficient to support claims of security fraud or false filings.

Second, the court dismissed all claims that were based on press releases, blog posts, and podcasts by SolarWinds and its CISO regarding SolarWinds’ cybersecurity policies and practices. The court concluded that those statements were non-actionable puffery, and the SEC had failed to plead sufficient detail to state a viable securities claim.

Third, the court dismissed all claims that SolarWinds maintained insufficient internal accounting and disclosure controls for cybersecurity. The court categorically rejected the SEC’s theory that its authority to regulate internal accounting controls extends to a company’s cybersecurity controls. The court referred to this category of claims as “ill-pled” and held that the SEC’s statutory authority does not extend to regulating corporate cybersecurity.

The claims dismissed by Judge Engelmayer were noteworthy and novel in that they sought to:

1. Hold a CISO personally liable for a lack of detail in a company’s SEC filings.
2. Base liability on a company’s internal scoring against a nonbinding cybersecurity framework (the NIST Cybersecurity Framework).
3. Treat an issuer’s cybersecurity practices as internal accounting controls.

The court’s dismissal of these claims constitutes a significant victory for companies, their CISOs and cybersecurity. Earlier this year, Cooley filed an amicus brief on behalf of a coalition of more than 50 cybersecurity leaders and organizations. The brief highlighted fatal flaws in the SEC’s amended complaint and explained how the SEC’s novel and creative theories of liability (which the court rejected in its opinion) were “counterproductive given the real-world demands of cybersecurity, and risk harmful consequences, including elevating the frequency and harm of cyberattacks, impeding internal efforts to bolster cybersecurity, worsening the CISO hiring and retention crisis, and deterring CISOs from cooperating” with the government.

Other amici, including former law enforcement officials, raised similar arguments, and stressed that the SEC’s claims could make companies more reticent to voluntarily share information with law enforcement, hampering government efforts to combat cyber threats. Judge Engelmayer’s opinion echoed some of the concerns raised by Cooley and other amici. He noted, for example, that “spelling out a risk [in public filings] with maximal specificity may backfire in various ways, including by arming malevolent actors with information to exploit.”

Some claims allowed to proceed

The court permitted a narrow category of more traditional claims against SolarWinds and its CISO to proceed. The court held that the SEC’s allegations about SolarWinds’ “Security Statement,” and its CISO’s involvement with it, were sufficiently detailed to support claims that investors were materially misled about the company’s cybersecurity controls. The SEC alleged that the Security Statement – which SolarWinds published on its website in 2017 and maintained during the relevant period – contained misrepresentations about the company’s access controls, password protections, compliance with the NIST Cybersecurity Framework, network monitoring, and implementation of a secure software development life cycle. The court held that the SEC had successfully pleaded that two of these representations were materially misleading to investors – those concerning access controls and password protections. The court explained that the SEC “plausibly allege[d]” that SolarWinds and its CISO misrepresented “the adequacy of [the company’s] access controls,” and that “[g]iven the centrality of cybersecurity to SolarWinds’ business model as a company pitching sophisticated software products to customers for whom computer security was paramount, these misrepresentations were undeniably material.”

Key points for companies and cybersecurity professionals

Despite dismissing the bulk of the SEC’s complaint, the court’s order counsels caution for companies, CISOs, their cybersecurity teams, and even marketing personnel, as to how they describe their cybersecurity policies and controls to investors and the public.

Security statement inventory

While the court dismissed some of SolarWinds’ public statements as puffery, the “Security Statement” was still found actionable because it described SolarWinds’ cybersecurity practices in enough detail for a reasonable investor to rely on. That statement also was allegedly contradicted by internal representations and communications within SolarWinds (including Slack and email messages, security reports, and assessment and audit results).

Cooley has been working with clients to inventory their public-facing statements around security. Targets include security whitepapers, security summaries/statements, ESG (environmental, social and governance) filings, marketing materials and, of course, financial statements. We’ve found that organizations like to talk about their security a lot, usually as a selling point or to establish credibility for their service offering. In fact, establishing sound security practices is often a threshold issue for closing deals with customers. Companies should consider undertaking a global inventory of their public statements about their cybersecurity functions and controls and a review for accuracy and consistency.

Going forward, companies also should consider whether their statements on security may constitute information on which investors may rely and, if so, apply appropriate review and public disclosure control processes to such statements. This would include processes to ensure that security-related statements to be issued by the company accurately describe – and do not overstate – its cybersecurity function, controls, and policies. Companies should carefully consider whether any content of such statements could be considered false, incomplete, or misleading to investors and the public, and whether these statements are consistent across the mediums and channels through which the company communicates.

Collaboration and communication between security function and relevant business stakeholders

Companies should open lines of communication between CISOs and management to break down silos hampering risk assessment and mitigation. The court allowed the securities fraud claim against SolarWinds’ CISO to proceed, which, as noted in Cooley’s amicus brief, could give CISOs and cybersecurity professionals an incentive to prioritize avoiding potential personal liability rather than focus on their company’s cybersecurity. Companies can combat this potential by encouraging effective communications between cybersecurity professionals and the CISO, as well as between the CISO and senior management, the board of directors, and other nonsecurity stakeholders.

Security team training on internal security-related communications

The claims surviving the motion to dismiss are based in large part on alleged inconsistencies between the internal communications of SolarWinds’ CISO and security team, and the content of their security statement. While open and frank communications about security challenges are necessary, informal, sloppy, or inflammatory communications can be harmful (and ultimately ineffective). Now, more than ever, security professionals need to know how to appropriately communicate to achieve their objectives. This not only increases the effectiveness of security teams but also reduces the risk of liability (including personal liability of security professionals). Cooley has developed training specifically targeted at security professionals to foster clear, concise, and complete internal communications on cybersecurity vulnerabilities and priorities. It addresses communicating using informal channels, drafting appropriate security reports, understanding the regulatory and legal context where communications are scrutinized, and prioritizing accuracy and completeness to obtain positive outcomes for the security team and their organization.

If you have questions or concerns about the impact of this ruling on your business, contact one of the Cooley lawyers listed below.

Cooley counsels corporate and individual clients on all aspects of cybersecurity – including strategy, governance, risk management, disclosures, incident response, investigations, and enforcement actions.

In the event of a suspected data incident, members of Cooley’s 24/7 data incident and breach response team can be reached at any time using the contact information below.

Cooley Incident Response Hotline
cyber/data/privacy
incident.response@cooley.com
+1 844 476 1248
+ 1 415 693 2888

For additional resources, visit Cooley’s SEC Cybersecurity Disclosure Rules Resources page.

Although dubbed a pilot, this voluntary self-disclosure program effectively codifies an approach that the DOJ has taken for years, offering agreements to individuals that allow them to avoid prosecution in exchange for full cooperation. The fundamental change in the announced program is that reporting individuals are now entitled to NPAs shielding them from criminal prosecution for their own misconduct, rather than such agreements being subject to the DOJ’s discretion. Ultimately, this type of certainty is likely to be the defining feature of the program if it is to succeed in changing the calculus for individuals with potential criminal liability who are considering whether to come forward and self-report.

The DOJ has defined the criteria that a reporting individual must meet to be eligible for an NPA under this pilot program:

• An individual must voluntarily (prior to any DOJ request or investigation) self-disclose original – nonpublic and not previously known to the DOJ – information about criminal misconduct.
• The information must relate to one of six types of violations committed by financial institutions or public or private companies, including money laundering, the integrity of financial markets, foreign corruption and bribery, healthcare fraud and illegal kickbacks, fraud related to federally funded contracting, and the payment of bribes or kickbacks to public officials.
• The information must be “truthful and complete,” meaning it comprises everything the individual knows related to the misconduct, including the extent of that individual’s role in it.
• The individual must fully cooperate with the DOJ in its investigation and prosecution, including by providing testimony and evidence.
• The individual must forfeit or disgorge any profit from the misconduct and pay restitution or victim compensation.
• Certain individuals are ineligible for the pilot, including chief executive officers, chief financial officers and their equivalents.

Note: Separate from the pilot program, Criminal Division prosecutors may still, in their discretion, offer NPAs to individuals in circumstances where the pilot program criteria are not fully satisfied.

Takeaways

1. Be aware of the potential for a ‘race to report.’

This pilot follows on the heels of a series of other disclosure incentives the DOJ has introduced. For example, in March 2024, DOJ announced its own whistleblower rewards program to financially incentivize individuals to report illegal activity of which they have knowledge. And, in October 2023, DOJ launched a corporate safe harbor policy for voluntary self-disclosures made in connection with mergers and acquisitions.

With an increasing variety of incentives to report, individuals and corporations likely will find it necessary to consider the prisoner’s dilemma, effectively competing to be the first to provide the DOJ with valuable information about potential criminal activity in exchange for protection from prosecution. This is no accident. As US Deputy Attorney General Lisa Monaco put it in March 2024: “When everyone needs to be first in the door, no one wants to be second – regardless of whether they’re an innocent whistleblower, a potential defendant looking to minimize criminal exposure, or the audit committee of a company where the misconduct took place.” What this means in practice is that companies should assume that everyone in the reporting chain and with knowledge of potential criminal activity, including those who engaged in the misconduct, will be incentivized to self-report – and to do so quickly.

2. Understand who is – and is not – eligible under the pilot program.

Individuals and companies should be mindful that the pool of potential government cooperators is vast: Anyone from an entry-level employee to a board member would be eligible for this program. At the same time, the DOJ did make clear that certain individuals, specifically including company CEOs and CFOs (or the equivalent), are not eligible. Other ineligible individuals include the leaders or organizers of the crime; those who have engaged in criminal conduct involving violence or terrorism; certain government officials; and those with prior felony convictions or convictions for any crime involving fraud or dishonesty.

3. Act swiftly to resolve issues internally.

Given the potential for this pilot program to create a race to report, companies should focus on building robust compliance programs to detect and resolve issues internally and to be in position to investigate and report misconduct if necessary. Taking workplace complaints seriously and addressing them effectively and efficiently is a critical step in this process – particularly given that prosecutors and regulators continue to offer significant financial rewards to whistleblowers to come forward in an effort to spur corporate enforcement. (To learn more, read our April 2024 blog post about how to address workplace complaints.)

4. Be mindful in deciding whether to self-report.

The question of whether to self-report is highly fact-dependent, and corporations and individuals should seek the advice of counsel before moving forward. Corporations should, at a minimum, take whistleblower reports seriously, move to investigate potential misconduct swiftly, be decisive in how they proceed based on the facts and, where the decision is made to self-report, do so promptly.

The SEC’s continued pursuit of charges, notwithstanding the chorus of dissent by cybersecurity, business and government leaders, highlights the stakes of this bellwether case for cybersecurity policy nationwide. The SEC’s charges also provide a stark warning for companies, executives and cybersecurity professionals that the SEC remains committed to policing cybersecurity in the years to come.

Case background

In October 2023, the SEC charged SolarWinds and its CISO with alleged securities violations based on the company’s public statements and SEC disclosures before, during, and after a two-year-long Russian government-backed cyberattack campaign (dubbed “SUNBURST”) against SolarWinds. This was the first time that a CISO faced charges for alleged cybersecurity misrepresentations in a company’s SEC filings.

SolarWinds and Brown moved to dismiss the SEC’s complaint in late January. In addition, in a rare showing of support at the motion to dismiss stage, four groups of interested parties filed amicus briefs in early February raising significant policy concerns with the SEC’s charges. A coalition of CISOs, cybersecurity professionals and cybersecurity organizations, represented by Cooley (including the authors of this post) and Freshfields Bruckhaus Deringer US, argued that the SEC’s theories of liability were “counterproductive given the real-world demands of cybersecurity, and risk harmful consequences, including elevating the frequency and harm of cyberattacks, impeding internal efforts to bolster cybersecurity, worsening the CISO hiring and retention crisis, and deterring CISOs from cooperating” with the government. BSA The Software Alliance, an industry group, filed a brief making similar arguments from the perspective of software companies.

In another amicus brief, former law enforcement officials stressed that the SEC’s theories could make companies more reticent to voluntarily share information with law enforcement, hampering government efforts to combat cyberthreats. And the US Chamber of Commerce and Business Roundtable argued that the Securities Exchange Act of 1934, which governs corporate financial controls and is central to the SEC’s charges, was never intended to reach cybersecurity practices.

Latest developments

On February 16, 2024, the SEC withdrew its original allegations and filed an amended complaint containing more detailed factual allegations against Brown and responding to some of the arguments made by amici. For example, amici argued that the SEC’s charges against SolarWinds and Brown were, in effect, an effort to impose new requirements on CISOs just as other government organizations were highlighting the importance of flexibility in the CISO role. But in the second paragraph of its amended complaint, the SEC insists: “This is not a case about isolated failures, attempts at compliance that were good but less than perfect, or the SEC seeking to impose its own set of specific cybersecurity protocols on SolarWinds or all public companies.”

SolarWinds and Brown filed a renewed motion to dismiss on March 22. According to their motion, the SEC’s amended allegations are “an attempt to find some theory to hold its case together” and are “contradicted by the very documents on which the [a]mended [c]omplaint relies.”

The latest filings by amici on March 29 echoed the concerns raised in their original briefs supporting dismissal filed before the SEC amended its complaint. Notably, the cybersecurity coalition filed a renewed amicus brief signed by 50+ cybersecurity heads, including more than 20 new individuals who joined after the earlier filing. Other amici groups rested on their previous filings. As BSA explained in a letter to the court, the amended complaint “advance[d] the same core theory of liability set forth in [the] original complaint … which will have the same troubling implications for cybersecurity described in BSA’s brief.” Below is summary of several of the main areas of dispute – all of which highlight the challenges for companies and CISOs raised by the SEC’s claims.

Amici’s concerns with amended complaint

First, in an apparent effort to justify claims based on statements about security, the SEC’s amended complaint adds comments from investors, including a large pension fund and securities analysts, stating that SolarWinds’s representations about cybersecurity were material in their investment decisions and recommendations. The amended complaint also relies heavily on statements made by SolarWinds outside the company’s SEC filings, citing its website, customer questionnaires, contracts, emails, letters, podcasts, blog posts, speeches, webinars and other publicity. Relying heavily on nonfinancial public statements highlights the Chamber of Commerce’s concern that “the SEC has attempted to position itself as a super-enforcer of corporate behavior well beyond the bounds of federal securities laws.”

Second, the SEC’s amended complaint alleges additional allegations of noncompliance with SolarWinds’ cybersecurity policies (e.g., access controls, password rules, employee trainings, incident response plans) and/or certain frameworks (e.g., National Institute of Standards and Technology frameworks).[1] But as amici noted in their initial briefs, basing liability on failure to adhere to an internal security policy or flexible cybersecurity frameworks may discourage companies and CISOs from adopting such policies and conducting self-assessments to improve their practices. Amici stressed that adopting corporate cybersecurity policies – and using those policies to identify and correct noncompliance – is essential to good cybersecurity hygiene.

Third, the SEC’s amended complaint adds detail about SolarWinds’ internal communications concerning cybersecurity risks, including discussions among cybersecurity employees,[2] presentations and warnings from cybersecurity professionals to corporate leadership,[3] and even incident response communications with customers affected by a cyberattack.[4] These details, the SEC maintains, belie the company’s external statements to customers and the public. But, just as software industry and former law enforcement official amici raised in their initial briefs, using internal discussions enforcing cybersecurity compliance as a basis for liability could chill both “candid internal deliberations” and “voluntary disclosure by companies or CISOs, who may become more cautious when considering how their communications … might increase future liability.” As the renewed CISO brief put it, “[c]ybersecurity professionals should not have to consult lawyers before sending an email.”

Fourth, the SEC’s amended complaint continues to assert that SolarWinds’s internal identification of cybersecurity gaps – such as through risk reviews or other self-assessments – could have been a basis for liability even if SUNBURST had never happened.[5] But as the renewed CISO brief pointed out, CISOs and their teams triage countless cybersecurity risks under “dynamic situations with incomplete information and no guarantee of perfect security” and identify hundreds of new risks as part of their day-to-day job functions. Amici warned that diverting scarce resources away from addressing gaps that CISOs find most critical and toward disclosing all newly identified risks can be counterproductive to cybersecurity.

Fifth, the SEC’s amended complaint asserts that SolarWinds should have disclosed any cybersecurity gaps and incidents “at [a] roughly comparable level of technical detail” as the company’s other cybersecurity statements, apparently in response to amici’s concerns that the original complaint could lead companies to disclose too much security information in a way that could benefit threat actors.[6] The difficulty, as the renewed CISO brief warned, is that this kind of public disclosure of identified cybersecurity risks could “provide a trove of useful intelligence to threat actors interested in exploiting those vulnerabilities.”

Moving forward

In short, the SEC’s amended complaint suffers from many of the same critiques raised in the amicus briefs about the SEC’s original complaint. Indeed, whether the SEC’s case against SolarWinds and Brown proceeds past the motion to dismiss stage, the amended complaint offers a strong warning that the SEC is committed to expanding its enforcement agenda to encompass corporate cybersecurity.

As a result, companies and cybersecurity professionals should be cautious about any statements they make concerning cybersecurity. And as they go about their jobs identifying cybersecurity risks, assessing vulnerabilities and responding to cyber incidents, they should actively consider how their internal and external communications may be interpreted by the SEC, customers, investors, and the public.

[1] AC, ¶ 72

[2] AC, ¶ 244

[3] AC, ¶ 45

[4] AC, ¶ 313

[5] AC, ¶ 12

[6] AC, ¶ 245

The facts alleged in a recent whistleblower retaliation case – which survived a motion to dismiss – exemplify the pathway from internal complainant to whistleblower. On March 18, 2024, the US District Court for the Southern District of New York denied a motion to dismiss a whistleblower retaliation claim against HSBC after finding that the plaintiff met the “relatively low bar” for pleading that his internal complaints contributed to his termination.

Steven Callahan, a former trader for HSBC Securities, alleged that he was terminated because he reported illegal “front-running” by traders at HSBC both internally and to a regulator. Judge J. Paul Oetken found that HSBC’s termination of Callahan and its filing of a negative post-termination Form U5 qualified as adverse employment actions under the Sarbanes Oxley Act of 2002 (SOX). Further, Judge Oetken determined that Callahan had adequately pleaded that his protected activity was a contributing factor to these adverse actions based on the temporal proximity between his reports and the actions, “indications of pretext” in the company’s explanation for his termination, and the company’s “inconsistent application of policies and its differential treatment of Callahan compared with that of other employees.” The court also sustained certain promotion, suspension and bonus claims that were effectively time-barred under SOX but still viable under state law.

Before reporting observations of front-running to the US Commodity Futures Trading Commission (CFTC), Callahan allegedly reported his concerns directly to company managers and supervisors on multiple occasions over the course of six months – which the company allegedly ignored. That is to say, Callahan did not become a whistleblower overnight. Ignored complaints to management combined with financial incentives from the Department of Justice (DOJ) and other federal regulators – including the CFTC – create the perfect conditions for a concerned and disgruntled employee to make the jump to federal whistleblower.

Effectively managing employee complaints

Investigations by the DOJ, the Securities and Exchange Commission and other federal agencies sparked by whistleblower complaints are an ever-present threat to employers that appear to be on the rise. Employers must pay close attention to their protocols for managing internal complaints to minimize the risk that such complaints will escalate into government investigations. Proactive measures for receiving and responding to complaints of workplace misconduct are crucial for minimizing and curtailing potential whistleblower complaints.

Companies can help protect themselves – and their business interests – by following best practices for receiving and responding to complaints of workplace misconduct.

1. Adopt whistleblower complaint policies.

Companies should establish complaint management policies that provide secure and efficient channels for employees to submit workplace complaints, including whistleblower-related concerns. These policies should establish confidential and anonymous channels for employees to bring their concerns to their employers’ attention. The instructions given to employees who wish to avail themselves of these channels should be clear and accessible. Processes for managing complaints after initial reporting should be fair and transparent as to the company’s procedure for evaluating claims and providing timely responses. Concerned employees also should receive assurances that they will be protected against retaliation for raising concerns.

Beyond formal complaint management policies, nurturing a company culture that emphasizes “open-door policies” can help prevent escalation of workplace complaints. Providing employees informal, trusted and accessible outlets to raise workplace concerns will not only help employees feel supported, but also will often facilitate earlier identification of potential employee-related concerns. Regardless of approach, it is critical to have a system in place that facilitates appropriate intake and resolutions to complaints of workplace misconduct.

2. Train personnel to respond appropriately.

Managers and supervisors should be adequately trained to recognize whistleblower complaints and to appropriately escalate and respond to those complaints. Without such training, complaints of workplace misconduct might not be treated or even viewed as “whistleblower complaints.” 

To that end, companies should train managers on the relevant company policies and give them the tools to field complaints with professionalism – and without skepticism. Employees will be more likely to participate in the company’s internal investigation if their complaint is received by well-trained individuals who take them seriously and help them effectively navigate the complaint management processes, while providing assurance that such complaints will be promptly addressed and retaliation will not be tolerated. These middle-managers will often be the ones interfacing most with whistleblowers – and their preparedness could mean the difference between an effective internal response and a full-blown federal investigation.

3. Engage outside counsel.

Although the procedures described herein are intended to encourage internal resolutions for complaints of workplace misconduct and harassment, there are times when outside counsel can provide an important “gut check” on whether a complaint merits deeper investigation.

If a company decides to investigate a whistleblower complaint internally, reliance on outside counsel can ensure that the investigation is sound and appropriately thorough. Alternatively, an investigation of a complaint that implicates the company at a higher level – for example, allegations of misconduct by officers or board members – will almost always be better addressed through an independent investigation by external counsel. Of course, not every workplace complaint will require a full investigation, but engaging outside counsel early to evaluate the severity of a claim can help an employer craft the appropriate investigative procedures in order to protect against, or at least minimize, scrutiny from regulators.  

4. Conduct thoughtful investigations.

A workplace investigation should be conducted when there exists a credible allegation of workplace misconduct or breach of ethical practices.

Any investigation should be structured to effectively address the issues identified while still being mindful of business imperatives. A thoughtful internal investigation that detects misconduct, ensures compliance with applicable laws and regulations, and identifies areas of improvement in the company’s internal operations will always aid in the protection of the interests of the company and its shareholders.

5. Implement remedial efforts as appropriate.

At the conclusion of an internal investigation, it may be appropriate to implement policy or personnel changes to address the underlying causes of misconduct or prevent future instances of wrongdoing. Additionally, a company that uncovers potential wrongdoing during an internal investigation should consult outside counsel to determine whether and when to self-report to the relevant regulatory body.

Even where no remedial steps are deemed necessary, employers must be thoughtful about their communications with the complainant, including “closing the loop” on the result of the investigation. Employees should be thanked for raising issues of potential workplace misconduct and encouraged to come forward if they become aware of misconduct in the future. And, of course, it should be emphasized that retaliatory actions against the complaining employee will not be tolerated and should be reported to the company immediately.

Following well-conceived policies and procedures for workplace complaints may often be enough for a whistleblower to feel heard and to ensure that any misconduct is addressed and remediated – minimizing the risk that whistleblowers will escalate their allegations to the government.

To mitigate risks, companies should implement clear policies on ephemeral messaging, offer alternative means to send company-related texts, and develop training programs for employees.

Regulatory Focus

Government regulators see text messages, including those sent over ephemeral messaging platforms, as vital evidence. While the DOJ’s guidance is easy to understand, it could be difficult to follow in practice. Prosecutors would no longer accept “at face value” a company’s failure to turn over ephemeral communications and noted that “[a] company’s answers—or lack of answers [concerning ephemeral messages]—may very well affect the offer it receives to resolve criminal liability.”

The widely understood implication was that the DOJ expected companies to play an active role in guiding and monitoring employees’ use of messaging applications for company business. Yet it was unclear how the policy would work in practice or if the DOJ’s focus would wane.

Regulators’ focus on ephemeral messaging didn’t turn out to be a passing fad, and the DOJ has continued to broadcast how important it believes this type of evidence can be. In January, the DOJ antitrust division and Federal Trade Commission announced that they are changing language in their standard preservation letters, grand jury subpoenas, and compulsory legal processes to specifically address increased use of ephemeral messaging platforms.

These changes ensure that companies can no longer “feign ignorance” when it comes to their need to monitor and preserve ephemeral messaging. The DOJ even warned that, under this new guidance, the failure to produce such documents can result in criminal charges for the company, including obstruction of justice charges.

Companies with clear policies concerning ephemeral messaging have been rewarded. For example, DOJ officials have consistently praised Corsa Coal Corp. for making voluntary disclosures to the DOJ that resulted in two former executives of the company being charged with offenses related to the Foreign Corrupt Practices Act. 

In declining to prosecute the company, the DOJ cited Corsa Coal’s significant cooperation as one of the factors leading to the decision not to prosecute. It also identified the case as an example of “the need for companies to develop policies concerning these messaging applications and, where appropriate, retrieve and then produce such communications.”

On the other hand, failure to adequately preserve messages can create additional risks for a company and its employees. Issues concerning ephemeral messaging were front and center in the criminal trial of FTX Trading Ltd. co-founder Sam Bankman-Friedin the Southern District of New York. There, the jury heard evidence concerning the involvement of FTX lawyers in creation and implementation of document retention policies.

This included testimony that company policies allowed for certain communication applications to be set to auto-delete, as well as testimony that Bankman-Fried had discussed with counsel the fact that certain messaging applications were so configured. Bankman-Fried was convicted of all charges and is awaiting sentencing.

Mitigating Risks

The past year has shown ephemeral messaging remains a source of significant peril for companies, particularly because regulators are unlikely to excuse companies’ inaction when their employees use these platforms. 

In certain regulated industries, an employee’s use of ephemeral messaging can trigger an enforcement action for failure to abide with recordkeeping requirements. For example, the Securities and Exchange Commission in September 2023 charged several broker-dealers and investment advisers with recordkeeping violations in connection with failure to preserve off-channel communications. 

There are actionable steps companies can take to mitigate these risks.

Have a policy. Implement a clear policy that bans the use of ephemeral messaging applications for company communications. This policy should be harmonized with the company’s acceptable use policies for technology. Company policies should also clarify that, should an employee use ephemeral (or any non-sanctioned) messaging communications, the company has a right to collect relevant data from the employee’s phone and make any disclosures to law enforcement as necessary.

Offer an alternative. In place of ephemeral messaging applications, companies should offer employees alternate messaging applications that are company-controlled and accessible for review, with practical retention policies that comply with applicable rules and regulations. Companies should also design and use functional mobile device policies and software to manage applications on devices used for business purposes, including personal devices.

Use training to understand the risks. Companies should develop training programs aimed at educating and empowering employees to understand their role in helping the company manage risks, including by using company-approved messaging applications.

Reproduced with permission. Published March 13, 2024. Copyright 2024 Bloomberg Industry Group 800-372-1033. For further use please visit https://www.bloombergindustry.com/copyright-and-usage-guidelines-copyright/.

According to Monaco, the DOJ’s whistleblower program aims to fill gaps in the existing enforcement framework, incentivize individuals to report misconduct, and encourage companies to invest in their internal reporting and compliance programs. While the mechanics of the program remain to be seen, with the recent uptick in whistleblower tips in other federal programs, corporate leadership and compliance officers should take note that this program may result in increased whistleblower activity, and they should carefully evaluate any internal whistleblower and employment complaints.

A new tool for corporate enforcement

Though current law authorizes the US attorney general to reward individuals who share information that leads to civil or criminal forfeiture of assets, this authority historically has been exercised on an ad hoc basis. By establishing this new program, the DOJ aims to systemically expand its use of this authority to target alleged corporate misconduct.

Put plainly, if a whistleblower shares information that assists in the discovery of “significant corporate or financial misconduct” that is “otherwise unknown” to the DOJ, that individual could be entitled to receive some portion of the resulting forfeiture. Although further details about the program are in the works, Monaco shared initial parameters.

First, any victims must be compensated before the whistleblower. Second, the whistleblower must not be personally involved in the alleged misconduct. Third, the program only applies in cases without other financial disclosure incentives (e.g., existing federal whistleblower programs or qui tam actions under the False Claims Act). Fourth, and critically, the whistleblower must report truthful information relating to misconduct that is unknown to the DOJ. In related remarks on March 8, 2024, Acting Assistant Attorney General Nicole Argentieri further explained that such information must be “provided voluntarily and not in response to any government inquiry, preexisting reporting obligation, or imminent threat of disclosure.” Argentieri also noted that there likely would be a monetary threshold of some kind (similar to other federal whistleblower programs, which limit rewards to cases where sanctions are at least $1 million).

Monaco stressed the importance of the requirement that whistleblowers provide information otherwise unknown to the DOJ, noting it as a common feature of all whistleblower programs and, critically, the DOJ’s voluntary self-disclosure programs. According to the DOJ, the requirement of being “first in the door” helps incentivize individuals and companies to share information about misconduct as soon as it’s known, creating a “multiplier effect.” As Monaco put it: “When everyone needs to be first in the door, no one wants to be second.”

So, what sort of information will pique the DOJ’s interest? Monaco made clear that the DOJ welcomes information related to violations of any federal law, but is particularly interested in criminal abuses of US financial systems, domestic corruption, and foreign corruption outside of Securities and Exchange Commission (SEC) jurisdiction – such as violations of the Foreign Corrupt Practices Act or the new Foreign Extortion Prevention Act.

Filling enforcement gaps

According to Monaco, this DOJ-run program will help fill enforcement gaps by incentivizing whistleblowers to share information about wide-ranging misconduct that falls outside the scope of existing federal whistleblower programs. Unlike other programs that are limited to the jurisdictional scope of individual agencies, the DOJ’s program will cover “the full range of corporate and financial misconduct that the [DOJ] prosecutes.”

The DOJ’s program will join those run by the SEC and the Commodity Futures Trading Commission, which have received “thousands of tips, paid out many hundreds of millions of dollars, and disgorged billions in ill-gotten gains” since their inception. Indeed, in fiscal year 2023, the SEC received 18,000 whistleblower tips and issued whistleblower awards of almost $600 million – both of which were all-time highs. Other existing programs include those overseen by the Internal Revenue Service and Financial Crimes Enforcement Network, as well as qui tam actions under the False Claims Act. The DOJ collected approximately $2.7 billion through False Claims Act settlements and judgments in fiscal year 2023 alone.

Other DOJ priorities

In addition to the new whistleblower program, Monaco highlighted other DOJ priorities, including pursuing individual accountability, penalizing corporate recidivism, promoting voluntary self-disclosure and monitoring disruptive technologies, particularly artificial intelligence (AI).

Individual accountability

The DOJ’s “first priority” continues to be pursuing individual accountability. Monaco cautioned that the DOJ recently has been taking more cases to trial, in part because it is “bringing serious charges, with significant penalties, against senior executives.”

Corporate recidivism

Monaco also warned that the DOJ will be “demanding stiffer penalties” for repeat corporate offenders, reaffirming that “penalties exist, in part, to deter future misconduct.” Monaco cautioned that companies with a history of misconduct should invest in compliance programs to mitigate the risk of new or repeat claims that threaten to bring increased penalties.

Voluntary self-disclosure

In addition, Monaco highlighted the DOJ’s efforts to incentivize corporations to voluntarily self-disclose misconduct, emphasizing that “no matter how good a company’s cooperation, a resolution will always be more favorable with voluntary self-disclosure. ”The DOJ announced multiple new voluntary self-disclosure programs last year, including a safe harbor specific to corporate mergers & acquisitions and a directive to US Attorney’s Offices nationwide to implement voluntary self-disclosure policies. The US Attorney’s Offices for the Southern District of New York and the Northern District of California have launched pilot initiatives that Monaco described as “in essence, voluntary self-disclosure programs for individuals” – offering non-prosecution agreements to qualifying individuals who self-disclose misconduct and cooperate with investigations into “more culpable targets.”

AI

Finally, Monaco revisited a topic she addressed in February 2024 in remarks at Oxford University – AI and its “supercharged” promise and risks. Monaco again emphasized that though AI is “the ultimate disruptive technology,” the underlying criminal conduct committed via AI is remains the same and will be prosecuted accordingly – in other words, “[f]raud using AI is still fraud.” Further, stiffer sentences will be sought for white collar crimes made substantially more serious through the deliberate misuse of AI. Monaco also announced that going forward, “prosecutors will assess a company’s ability to manage AI-related risks as part of its overall compliance efforts.” To that end, she has directed the DOJ’s Criminal Division to include the assessment of disruptive technologies (including AI) in its guidance on Evaluation of Corporate Compliance Programs.

In September 2023, the US Court of Appeals for the Ninth Circuit upheld a felony conviction for selling misbranded drugs, holding that the version of the offense that applies to repeat offenders does not require proof that the defendant knew the drugs were misbranded.[i] And in December 2023, the US Court of Appeals for the First Circuit upheld multiple misdemeanor convictions related to an adulterated and misbranded medical device.[ii] Perhaps most importantly, the First Circuit held that the convictions did not violate the First Amendment, even though the defendants asserted that the government relied on promotional speech to prove its case.

The upshot of these cases is that companies and executives should be vigilant about compliance with the FDCA – and mindful that criminal enforcement may follow any failure to voluntarily comply.

Federal Food, Drug and Cosmetic Act

The FDCA was enacted in 1938, and amended numerous times since then, to protect the public health. Key provisions of the FDCA include:

• Section 331(a), which prohibits the introduction of any adulterated or misbranded device or drug (among others) into interstate commerce.
• Section 333(a)(1), which provides that any person who violates Section 331 may be imprisoned for up to one year and/or fined.[iii]
• Section 333(a)(2), which provides that any person who violates Section 331 with the intent to defraud or mislead or who repeatedly violates Section 331 (both of which are felonies) may be imprisoned up to three years and/or fined.

Executives also should take note that under the Responsible Corporate Officer Doctrine (also known as the “RCO Doctrine” or “Park Doctrine”),[iv] individual corporate officers may be held liable for violations of federal laws, even without the officer’s intent, knowledge or direct participation in the wrongdoing, as long as the officer had the power and authority to prevent or correct the violation. This “strict liability” theory applies to cases against executives operating in US Food and Drug Administration-regulated industries – including against executives at food, pharmaceutical and medical device companies – for FDCA violations that occur on their watch.[v] The potential consequences include, but are not limited to, monetary penalties, probation, and imprisonment.[vi]

Ninth Circuit holds scienter not required for felony misbranding convictions

In US v. Marschall, the defendant – a naturopathic doctor previously convicted in 2017 for selling misbranded drugs – claimed that two products (the “Dynamic Duo”) could treat a myriad of bacterial, viral, fungal and parasitic infections, including COVID-19. Neither one of the “Dynamic Duo” was listed with the FDA or had been approved by the FDA, nor were the drugs exempted from receiving approval as new drugs. The indictment alleged that the labels were false or misleading because the defendant misrepresented himself as a naturopathic doctor on the labels, but in fact his ND license had been suspended after his 2017 conviction.[vii] The indictment further alleged that the drugs were misbranded because they were “not included in any list of drugs manufactured, prepared, propagated, compounded, and processed in a registered establishment” per the drug producer registration requirements of the FDCA.[viii] The defendant was indicted on the charge of introducing misbranded drugs into interstate commerce after a prior conviction under Section 333(a)(2). After a jury trial, he was found guilty and sentenced to eight months in prison and one year of supervised release.

On appeal, the defendant argued that the indictment was defective because it failed to allege that he intentionally and knowingly introduced misbranded drugs into interstate commerce (i.e., that he acted with scienter). The Ninth Circuit rejected this argument, holding that the aggravated version of the offense that applies to recidivists under Section 333(a)(2) does not require proof of scienter, even though it is a felony.  

No language imposing scienter requirement in underlying prohibition or penalties provision

The court first closely examined the language of various related provisions, including Section 331, and found that none contained a scienter requirement. The court noted that the relevant definition of “drug” “arguably could be understood” to refer to the defendant’s state of mind, because it referenced the “intended” use of the article. However, the court determined that this was in fact an objective inquiry into the article’s likely use, given its features and labeling, rather than a subjective scienter requirement. Similarly, the court found that the relevant penalties provision – Section 333(a)(2) – contained no reference to scienter.

No scienter required for public welfare offense

In perhaps the most notable aspect of the Ninth Circuit’s ruling, the court applied the framework established in US v. Dotterweich, the seminal case in which the US Supreme Court held that the defendant’s conviction involving misbranded and adulterated drugs did not require evidence of wrongdoing or even knowledge of such wrongdoing for executives operating in FDA-regulated industries, given the potential harm to the public health. In essence, the Supreme Court acknowledged a limited category of strict liability “public welfare offenses” involving items that could harm or injure the public (who otherwise would be helpless to defend against such danger). While Dotterweich had been confined to a limited scope – with the presumption of scienter being used only for public welfare cases with “minor penalties” – Marschall is significant in applying the presumption to a felony charge. The Ninth Circuit extended Dotterweich in this way partially because the recidivist provision applies only to those who have a previous conviction under Section 333 and thus are “personally aware” of the FDCA’s requirements. As the court explained, “a prior criminal conviction under § 333 effectively serves as a functional substitute for a scienter requirement.”

First Circuit rejects First Amendment, due process challenges to misbranding convictions

Misbranding also was at issue in US v. Facteau. In that case, two former executives of medical device manufacturer Acclarent were found guilty of multiple misdemeanor violations for commercially distributing an adulterated and misbranded medical device. Under the FDCA, a device is adulterated or misbranded if it is marketed for an “intended use” (determined “objectively by the seller’s statements and conduct”) that is different from the use authorized by the FDA. Here, the FDA initially cleared Acclarent’s device, referred to as “Stratus,” for the purpose of dispensing saline solution to the ethmoid sinuses and preserving an opening created by sinus surgery. In contrast, the government presented evidence at trial that Acclarent designed – and later marketed – Stratus for use with the steroid drug Kenalog to treat ethmoid sinusitis by reducing sinus inflammation, an “off-label” (or unapproved) use. The FDA previously had denied Acclarent’s request to expand the device’s existing cleared intended use to accommodate this new intended use, directing the company to obtain a new, separate clearance before marketing the device for this different intended use.

According to the First Circuit, the record reflected “a scheme that from the beginning was aimed at marketing Stratus to deliver Kenalog rather than saline.” With respect to design, the evidence reflected that the size of Stratus’s pores had been calibrated to accommodate Kenalog’s specific viscosity – meaning that Stratus did not even work to deliver saline, which is much less viscous and would rapidly seep out. With respect to sales, the government introduced evidence that Stratus “was promoted with a sales strategy devised to get physicians to associate Stratus with Kenalog and consider using it for drug delivery.” For example, sales trainees were not taught or given marketing materials for Stratus describing benefits of use with saline, and instead focused on the off-label uses related to Kenalog.

After a jury trial, Acclarent’s former CEO and former vice president of sales were convicted of 10 misdemeanor counts for distributing an adulterated and misbranded device by failing to submit a required premarket notification under 21 U.S.C. §§ 331(a), 333(a)(1), 351(f) and 352(o). The defendants challenged their convictions on appeal, arguing (among other things) that the convictions violated the First and Fifth Amendments.

First Amendment does not preclude use of speech as evidence of intended use

The defendants challenged the government’s use of their promotional speech as evidence to support a misbranding violation, arguing that such use effectively criminalizes the speech itself in violation of the First Amendment.

In 1993, the Supreme Court ruled in Wisconsin v. Mitchell that the First Amendment does not generally apply to the “evidentiary use of speech to establish the elements of a crime or to prove motive or intent.” However, the Facteau defendants relied on a 2012 Second Circuit ruling (US v. Caronia), where the court held that a misbranding conviction violated the First Amendment. In that case, “the prosecution repeatedly argued that [the defendant] engaged in criminal conduct by promoting and marketing the off-label use of an FDA-approved drug.” In other words, the defendant’s “speech was itself the proscribed conduct” (emphasis added).

In the wake of Caronia, many questioned whether and how the government could use a defendant’s statements about the intended use of a drug or device as evidence of misbranding. But in Facteau, the First Circuit distinguished Caronia and relied on the Supreme Court’s seminal holding that the evidentiary use of speech does not violate the First Amendment. The First Circuit held that the facts of Caronia were “meaningfully different” from Facteau, including that, unlike in Caronia, the government relied on “a wide array of evidence,” not just the promotional speech. As the court explained, the government’s evidence included “not only promotional speech about off-label uses but also internal communications regarding regulatory and marketing strategy and the product’s physical design.”

Additionally, in Facteau, the government’s argument and court’s instructions made clear that the defendants’ speech itself was not the target, but was only being used to “shed light” on how the defendants intended Stratus to be used. In contrast, in Caronia, “the government set out to punish appellants for what they said about the product.” The court also observed that the theory of misbranding adopted by the jury – that Stratus lacked the appropriate regulatory clearance – was not “intertwined” with the defendants’ speech. Finally, the court noted that unlike Caronia (who was a sales representative), the two defendants in Facteau were “high-level executives” who were “responsible not just for what was said about Stratus publicly but also for internal decisions on product design and regulatory strategy (in the case of Facteau), as well as sales strategy (in the case of both executives),” implicitly raising the RCO Doctrine.[ix]

Having identified the ways in which the facts of Facteau differed “meaningfully” from Caronia, the court held that there was “no basis to depart from the rule in Mitchell that the evidentiary use of speech does to violate the First Amendment.” The court further noted that its holding aligned with rulings from other federal courts of appeal (including the Second, Seventh, and DC Circuits), which similarly held that “using speech merely as evidence of a misbranding offense under the FDCA does not raise First Amendment concerns.”

‘Intended use’ not unconstitutionally vague

The defendants also argued that their convictions violated the Fifth Amendment’s due process clause, claiming that the phrase “intended use” is unconstitutionally vague because it may take into account “all circumstances from any relevant source relating to the device.” This, too, was rejected by the First Circuit, which held that the provision gives fair notice of what is forbidden. As the court explained, the provision is not unconstitutionally vague simply because it casts a “wide net” as to the “broad range of conduct that may reasonably reflect a device’s intended use.”

The court also rejected a related due process challenge, which the court characterized as a “fair warning” claim. In short, one defendant argued that after Caronia was decided, the government expanded its definition of intended use to go beyond promotional statements, given that Caronia may have made it more difficult to “carry a conviction based on promotional statements alone.” However, the defendant argued that he lacked notice of this “novel and more expansive interpretation” at the time of his conduct, which took place before Caronia. In response, the First Circuit explained that before Caronia, neither the government nor the courts were limited to proving or determining intended use only through promotional speech, and thus there was no broadening after Caronia – in other words, before and after Caronia, the authorities reflect that “relevant evidence of intended use can come from many sources,” not just promotional statements. Additionally, the court observed that the defendants received actual notice of their legal obligations when the FDA responded to Acclarent’s supplemental submission to the company’s 510(k) file notifying the company that it needed to receive additional clearance to market Stratus for the new and different use. As the First Circuit explained, “[h]aving been notified of the government’s view, [the defendants’] complaint of unfair surprise at being prosecuted for marketing Stratus to deliver Kenalog despite Acclarent’s failure to obtain such approval rings hollow.”

Takeaways

Taken together, these cases reaffirm that companies and executives should be vigilant about voluntary compliance with the FDCA. If compliance is not achieved, the government may very well pursue criminal prosecution – which, under the RCO Doctrine, may include liability for individual corporate officers, even when those officers were not directly involved in the wrongdoing.

Going forward, individuals and companies should be aware of the risk of felony charges without criminal intent. Under Marschall, the aggravated version of a misbranding offense that applies to recidivists under Section 333(a)(2) does not require proof of scienter, even though it is a felony with severe penalties. As the Supreme Court explained in Dotterweich – and as the Ninth Circuit wholeheartedly agreed – though “[h]ardship there doubtless may be under a statute which thus penalizes the transaction though consciousness of wrongdoing be totally wanting,” the onus to comply with the FDCA falls on those companies and individuals who have the opportunity to protect consumers, “rather than to throw the hazard on the innocent public who are wholly helpless.”

Likewise, Facteau clarifies that the government can use truthful, non-misleading speech as evidence of an unapproved intended use without violating the First Amendment, and intended use can be determined from “any relevant source” of evidence. With this ruling in the First Circuit, life sciences companies located in Maine, Massachusetts, New Hampshire, Puerto Rico and Rhode Island, where this ruling is controlling, should pay particular attention to their compliance practices, including training for their sales forces, given that sales force activity may be introduced as evidence of intended use for a company’s FDA-regulated medical products.

[i] United States v. Marschall, No. 22-30048 (9th Cir. Sept. 20, 2023).

[ii] United States v. Facteau, No. 21-1080 (1st Cir. Dec. 14, 2023).

[iii] 21 U.S.C. § 333(a)(1).  Fines under Section 333 follow the Alternative Fines Act.  See18 U.S.C. § 3571(d).

[iv] United States v. Park, 421 U.S. 658 (1975).

[v] See Plea Agmts., United States v. The Purdue Frederick Co. et al., No. 07-00029 (W.D. Va. May 10, 2007).

[vi] This doctrine has been applied in cases such as US v. Quality Egg, where two food executives were sentenced to three months in prison and fined $100,000 each.

[vii] 21 U.S.C. § 352(a)(1).

[viii] 21 U.S.C. § 352(o).

[ix] The court expressly invoked the RCO Doctrine when analyzing a separate sufficiency of the evidence claim brought by Facteau defendant Patrick Fabian. The court held that the record was “replete” with the relevant evidence, then further explained that “even in the absence of evidence specifically tying Fabian to the strategy of marketing Stratus to deliver Kenalog,” the jury verdict would stand under Park because as vice president of sales, Fabian was “well-situated to prevent or correct the marketing of adulterated and misbranded Stratus.”

Monaco’s comments are the latest confirmation that government regulators are laser-focused on both the promise and risks associated with AI, and that innovators and companies utilizing AI should be diligent in establishing their own effective guardrails with this technology. 

DOJ’s double-edged sword: AI as a source of peril and promise

AI remains a top enforcement priority for the Department of Justice (DOJ), and Monaco’s remarks confirmed that government regulators continue to view AI as a double-edged sword – with the ability to fuel criminal activity on the one hand and strengthen the government’s enforcement efforts on the other. With respect to AI’s peril, given the potential for AI to “enhance the danger of a crime,” Monaco warned that prosecutors would seek enhanced sentences for crimes aggravated by the misuse of AI.

On the flip side of the AI coin, Monaco recognized AI’s “promise” in supporting and strengthening DOJ’s work. For example, Monaco noted that DOJ has already implemented AI to help trace the source of drugs, triage the more than one million public tips submitted to the FBI and synthesize large volumes of evidence in high-impact cases. At the same time, Monaco emphasized that DOJ is committed to ensuring that it “applies effective guardrails for AI uses that impact rights and safety.” To that end, Monaco announced the creation of Justice AI, an initiative that will convene individuals from civil society, academia, science and industry to “understand and prepare for how AI will affect [DOJ’s] mission and how to ensure we accelerate AI’s potential for good while guarding against its risks.” Justice AI will eventually inform a report to President Joe Biden on the effective use of AI in the criminal justice system. Additionally, a new Emerging Technology Board, headed by Jonathan Mayer, DOJ’s first chief AI officer, will advise DOJ on the “responsible and ethical” use of AI to investigate and prosecute crime. These initiatives follow Biden’s October 2023 executive order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, which – among other provisions – charged the DOJ to “anticipate the impact of AI on our criminal justice system.”

Current enforcement trends involving AI

Monaco’s remarks are far from theoretical – DOJ has already been zeroing in on the use and misuse of AI. For example, in January 2024 DOJ subpoenaed multiple pharmaceutical and digital health companies to inquire about the algorithms they use to synthesize patient data and develop treatment recommendations in order to “learn more about generative technology’s role in facilitating anti-kickback and false claims violations.” Also in January 2024, the US Attorney’s Office for the Southern District of New York charged two men in an ongoing conspiracy to hack the accounts of a fantasy sports and betting website and resell the users’ credit card and other sensitive information on the dark web. The defendants allegedly used AI-generated images to advertise their services.

State attorneys general offices are likewise focused on the misuse of AI. In February 2024, the New Hampshire Attorney General’s Office issued a cease and desist order against a company that deployed AI-generated robocalls impersonating Biden’s voice to discourage recipients from voting in the January New Hampshire presidential primary election. In a statement about the case, New Hampshire Attorney General John Formella stated that, “AI-generated recordings used to deceive voters have the potential to have devastating effects on the democratic election process. … The [cross-agency] partnership and fast action in this matter sends a clear message that law enforcement, regulatory agencies, and industry are staying vigilant and are working closely together to monitor and investigate any signs of AI being used maliciously to threaten our democratic process.” The New Hampshire Attorney General’s Office also worked closely with the Federal Communications Commission’s Enforcement Bureau, which itself issued a cease and desist letter to a separate entity that allegedly originated the robocall traffic.

AI enforcement trends across federal agencies: SEC and FTC

DOJ is not the only government agency that has recently signaled a growing focus on AI. For instance, on February 13, 2024, Securities and Exchange Commission (SEC) Chair Gary Gensler delivered remarks at Yale Law School and similarly recognized that AI “opens up tremendous opportunities for humanity” but also presents challenges. Gensler explained that the SEC’s role entails “both allowing for issuers and investors to benefit from the great potential of AI while also ensuring that we guard against the inherent risks.”

Gensler observed that, “fraud is fraud, and bad actors have a new tool, AI, to exploit the public.” He went on to describe two types of harm the SEC considers when AI is used to perpetrate fraud. The first is programmable harm, which analyzes whether an algorithm was optimized to manipulate or defraud the public. The second is predictable harm, which considers whether an actor had a reckless or knowing disregard of the foreseeable risks of deploying a particular AI model. Gensler stressed that “[i]nvestor protection requires the humans who deploy a model to put in place appropriate guardrails.”

Additionally, Gensler cautioned SEC registrants to carefully consider their claims and disclosures about AI. Specifically, Gensler warned against “AI washing,” noting that companies and financial intermediaries “should not mislead the public by saying they are using an AI model when they are not, nor say they are using an AI model in a particular way but not do so. Such AI washing … may violate the securities laws.”

In the competition space, the Federal Trade Commission (FTC) recently issued an inquiry into generative AI investments by tech companies, which FTC Chair Lina Khan noted “will shed light on whether investments and partnerships [involving generative AI] pursued by dominant companies risk distorting innovation and undermining fair competition.”

Takeaways

In light of the increased enforcement focus on AI, companies and innovators must wield this double-edged technological sword carefully. As DOJ continues to adapt its enforcement policy to respond to the risks associated with AI, companies should be diligent in establishing their own effective guardrails. Such safety measures may include strengthening internal protocols to detect and manage AI risks, training employees on the responsible use of AI applications, and frequently testing AI systems to ensure they are fair, accurate and safe.

This groundbreaking prosecution against corporate officers reflects the Consumer Product Safety Commission’s (CPSC) and the US Department of Justice’s increasingly aggressive approach to enforcing the CPSA and holding corporate executives accountable for misconduct. While the CPSC has not historically pursued criminal enforcement for violations of the CPSA, signs point to this being the leading edge of a potential sea change at the commission. Companies making or selling products subject to the CPSA should be mindful of the increased enforcement focus and potential for corporate and individual criminal exposure that, regardless of administration, appears poised to continue.

Read this article (originally published in Law360) for more about increased criminal enforcement under the CPSA and what it means for companies and corporate executives.

Authors

However, the full implementation of the OSA will not be immediate. Ofcom, the UK’s communications regulator, has set out a phased implementation plan that is expected to span about three years, allowing in-scope providers time to adjust to and comply with their new obligations. Ofcom’s first consultation with affected services, regarding ‘illegal harms’, has already opened and will close on 23 February 2024. Its second consultation, on child safety, is due to open before the end of 2023.

Ofcom is responsible for enforcing the regime and is in the process of publishing guidance and codes of practice. The OSA provides several enforcement mechanisms and powers against companies, including (but not limited to):

• Fines, which may be up to £18 million or 10% of worldwide revenue (whichever is higher).
• Service restriction orders. Ofcom may apply to the court for a service restriction order requiring ancillary services (e.g., payments providers) to withdraw their services.
• Powers of entry, inspection and audit. Ofcom will have powers of entry and inspection, including without a warrant in certain circumstances (but with seven days’ notice).
• Notices to deal with terrorism or CSEA content (or both). Ofcom may require services to use accredited technology to identify and swiftly take down CSEA content and/or identify and swiftly secure terrorism content. Ofcom also may require services to use their ‘best endeavours’ to develop or source technology to satisfy such a notice.

Under certain circumstances, senior managers could also face criminal prosecution.

Our November 2023 Cooley client alert tackled the OSA in more depth, including the following topics:

1. The types of services that are subject to the OSA.
2. The law’s impact on in-scope services, including obligations and duties of care.
3. Key practical implications for in-scope services.
4. Enforcement by Ofcom, including fines and service restriction orders.
5. Compliance tips.

For further information, or to assess how the OSA will affect your business, please contact Cooley lawyers James Maton, Guadalupe Sampedro, Daniel Millard, Morgan McCormack, Joanne Elieli, Edward Turtle, Corina Demeter-Olive, Carol Holley or Carolina Ljungwaldh.

Parallel enforcement: considerations and dynamics

Life sciences companies frequently must determine what information to communicate to investors about key developments in clinical trials or the FDA’s regulatory review process. Although the details of a company’s interactions with the FDA during its approval process are not public, the valuation of a life sciences company often depends on its ability to bring a drug or device to market – making information about the likelihood of FDA approval critical to investors.

Deciding what to disclose is further complicated when a company has incomplete information. For example, a publicly traded pharmaceutical company may have only partial results from a pivotal clinical trial. When deciding what to say in such circumstances, the company must be mindful that its disclosures will be scrutinized by a separate regulatory agency – the SEC. Should the SEC conclude that the company’s disclosures were inaccurate or misleading, the consequences of enforcement may be severe, including prohibiting individuals from serving as directors or officers of publicly traded companies, substantial financial sanctions and, in extreme cases, referral to the Department of Justice (DOJ) for criminal prosecution.

The article provides an in-depth analysis on the interplay between the SEC and the FDA regulatory regimes concerning life sciences companies, including:

• The FDA’s enforcement powers.
• The SEC’s regulatory framework and enforcement actions that may specifically target FDA-regulated companies.
• The circumstances in which the SEC and the FDA act in conjunction to enforce their various statutes and regulations.
• Examples of companies that have experienced parallel enforcement.

Key takeaways for life sciences companies

Stay vigilant about compliance

Life sciences companies must remain vigilant to ensure compliance with the laws and regulations of other agencies, specifically the SEC. The FDA and the SEC have a formal policy concerning interagency cooperation, under which the FDA may inform the SEC of potential securities violations by FDA-regulated companies and share nonpublic information with the SEC.

Understand what’s important to regulators

Companies that are facing parallel enforcement should take care to understand the statutory mandates and key issues that will be important to each set of regulators, as well as the potential exposure presented by the allegations under the various statutes.

• For example, both the SEC and the DOJ are likely to be interested in evidence showing the necessary intent for various potential charges.
• However, the FDA, including its Office of Criminal Investigations, is likely to also be focused on public health risks and the elements required to prove violations (both civil and criminal) of the Federal Food, Drug, and Cosmetic Act (FDCA), such as the number of shipments that crossed state lines to support the interstate commerce elements required for most charges.
• Additionally, criminal investigations involving FDA-regulated products are likely to include other federal crimes, such as healthcare fraud, smuggling, and mail and/or wire fraud.

Anticipate enforcement strategies and timing

Being able to anticipate the government’s enforcement strategies and the timing of parallel investigations is crucial for companies and their C-suites as they navigate responses to government enforcement actions.

In November 2023, a jury convicted two corporate executives of conspiracy and failure to report information about defective residential dehumidifiers, as required by the Consumer Product Safety Act.[1]

The jury verdict in U.S. v. Chu is groundbreaking because it is the first-ever criminal conviction of corporate executives for failure to report under the CPSA.

The judge’s decision on sentencing for the two defendants will likely put an end to the yearslong series of civil and criminal enforcement actions involving multiple Gree companies relating to the recalled dehumidifiers.

The numerous actions over prior years were related to the companies’ recalls of multiple dehumidifiers linked to over “450 reported fires and millions of dollars in property damage.”[2]

Under Section 15(b) of the CPSA, manufacturers, importers and distributors of consumer products are required to immediately report information that “reasonably supports the conclusion that the product contains a defect which could create a substantial product hazard” or “creates an unreasonable risk of serious injury or death.”[3]

Though companies are required to immediately report to the U.S. Consumer Product Safety Commission when Section 15(b) reporting thresholds are met, the government alleged that the Gree companies were aware of numerous incidents and significant property damage, but chose not to submit a Section 15(b) report to the CPSC.

The government alleged that the information in Gree’s possession should have given rise to a reporting obligation sooner than when the company eventually reported.[4]

In 2016, following a recall, the Gree companies agreed to pay a nearly $15.5 million civil penalty to settle CPSC staff charges of knowingly violating the CPSA’s reporting requirement, using a false UL product certification mark and making material misrepresentations to the federal government.[5]

But that did not end the saga for the Gree companies. In 2021, Gree USA Inc. agreed to plead guilty to a felony[6] — knowingly and willfully failing to report to the CPSC — and the other companies entered into a deferred prosecution agreement related to the same charge.[7]

The companies’ criminal resolution included a $91 million penalty and represented the first corporate criminal enforcement actions ever brought for failure to report a product safety issue as required by the CPSA.[8]

At the same time the corporate prosecution was pending, the U.S. Department of Justice also individually indicted Gree USA’s former chief administrative officer, Simon Chu, and former CEO, Charley Loh.

The March 2019 indictment,[9] which was sought and filed during the Trump administration, alleged that the two executives had “received multiple reports that [the dehumidifiers] were defective, dangerous and could catch fire,” but failed to disclose these hazards to the CPSC for at least six months while they continued to sell the defective products — all while allegedly knowing that they were required to report this information.[10]

Following a six-day trial in November 2023, a jury in the U.S. District Court for the Central District of California found both executives guilty of conspiracy and failure to immediately report required information under the CPSA.

This first-of-its-kind prosecution and guilty verdict against corporate officers reflects the CPSC’s and the DOJ’s increasingly aggressive approach to enforcing the CPSA and holding corporate executives accountable for misconduct.

Companies making or selling products subject to the CPSA should be mindful of the increased enforcement focus and potential for corporate and individual criminal exposure that, regardless of administration, appears poised to continue.

Read on for more about criminal enforcement under the CPSA.

Reporting Requirement Under the CPSA

The CPSA was enacted in 1972 to protect the public from unreasonable risks of injury from consumer products.[11] It imposes an affirmative reporting requirement on manufacturers, importers and distributors of consumer products, which also applies to the directors, officers and agents of those companies.

Information must be reported when it “reasonably supports the conclusion that the product contains a defect which could create a substantial product hazard” or “creates an unreasonable risk of serious injury or death.” In practice, the CPSC advises, “when in doubt, report.”[12]

Given the interplay with consumer product safety, Congress purposefully set a tight deadline for this reporting obligation in the CPSA. Such information must be reported “immediately” — meaning “within 24 hours of obtaining reportable information,” though CPSC’s implementing regulations also allow companies time to conduct a reasonable investigation, not to exceed 10 working days.[13]

Failure to timely report the information required under the CPSA can result in civil penalties, which are currently capped at $120,000 per violation and about $17 million “for any related series of violations.”[14]

With respect to civil penalties, companies may be subject to monetary penalties if they knowingly violate the law, which is not a particularly high bar because “knowledge” includes information that a reasonable company should have had while exercising due care.[15]

The CPSA also provides for criminal penalties — and imprisonment of up to five years — for not only knowing, but also willful, violations, i.e., where a company knew of its legal obligation to report but voluntarily and intentionally chose not to do so.[16]

For individual officers or directors of a company, the CPSA provides for criminal penalties for knowing and willful authorization of the violation of law.[17]

This provision of the CPSA had never been utilized by the DOJ for the CPSA’s Section 15(b) reporting violations before — until now.

The Road Ahead: Increased Focus on Criminal Enforcement

While the CPSC has not historically pursued criminal enforcement for violations of the CPSA, signs point to this being the leading edge of a potential sea change at the commission.

For example, the CPSC’s fiscal year 2023 operating plan reflected an intention to review “all civil penalty cases for potential criminal referral to the Department of Justice”[18] — a sentiment repeated within the fiscal year 2024 operating plan.[19]

And a unanimous and bipartisan contingent of current CPSC commissioners have strongly voiced their intention to place more emphasis on the role of criminal penalties.

Chair Alex Hoehn-Saric, for example, noted that “[f]ailure to report in a timely fashion will result in an investigation and CPSC will pursue significant civil and potentially criminal penalties.”[20]

Commissioner Richard Trumka also made clear that “this Commission is serious about deterring corporate misconduct using every tool at our disposal, including the appropriate use of civil penalties and, where warranted, criminal referrals.”[21]

Commissioner Peter Feldman similarly noted in the wake of Chu and Loh’s convictions that “CPSC and its federal partners will use all available tools to keep consumers safe.”[22]

And finally, Commissioner Mary Boyle stated that “[c]ivil — and potentially criminal — penalties are essential to ensure that the interests of consumers are given their due.”[23]

While Gree is the first case involving corporate and individual criminal exposure for a violation of the CPSA, it assuredly will not be the last. The DOJ Consumer Protection Branch, working alongside the U.S. attorney’s offices, appears to have the appetite to pursue additional criminal investigations and prosecutions under the CPSA.

In fact, Generac Power Systems Inc. recently disclosed that in July 2023 it received a grand jury subpoena related to its failure to timely submit a report about defective portable generators.[24]

This criminal investigation follows Generac’s May 2023 settlement with the CPSC, under which it agreed to pay a civil fine of $15.8 million and implement and maintain a compliance program and certain internal controls to ensure compliance with the CPSA.[25]

As Hoehn-Saric cautioned last year, “companies should be on notice that the agency will be even more aggressive in the future.”[26]

And, in the words of Deputy Assistant Attorney General for the DOJ’s Consumer Protection Branch Arun Rao, “holding corporations and those who act on their behalf (such as managers who attempt to conceal potentially dangerous problems from customers … ) responsible for criminal wrongdoing has been, and remains, an important priority of the department.”[27]

The writing appears to be on the wall that, where there are indications of a willful violation, CPSC already is, and will continue, closely scrutinizing a company’s behavior through both a lens of civil penalty enforcement and referral to the DOJ for criminal prosecution.

What This Means for Companies

Given the CPSC’s increased focus on criminal referrals, companies should assess criminal exposure risk as part of regulatory investigations related to potential violations of the CPSA.

Corporate executives should also have it in the back of their mind when acting on recommendations of whether a product safety issue warrants a Section 15(b) report to the CPSC.

A realistic scenario in which a corporate executive should strongly consider the risk of potential criminal investigation is when an internal recommendation has been made to submit a Section 15(b) report, but the executive or a group of senior leaders chooses not to submit a report and instead takes other action.

In this situation, or in any situation in which a decision is made to forego a Section 15(b) report, strong consideration should be given to creating a contemporaneous record that documents the reasonable and good faith basis for choosing not to report at that time based on the factors outlined in CPSC’s reporting regulations.

To ensure recommendations on product safety issues are timely identified and escalated to senior managers, companies should take proactive steps to enhance their regulatory compliance and Section 15(b) reporting programs.

This includes establishing clear policies and procedures for handling sources of potential product safety issues, regardless of whether those originate from customer service calls, online reviews, warranty claims, safety-related design changes, concerns raised within the company or other sources.

Companies should also train responsible employees on Section 15(b) reporting obligations and the appropriate identification and internal handling of product safety-related information.

Beyond the regulatory compliance and Section 15(b) reporting components, companies should have robust internal compliance mechanisms that focus on both risk mitigation and accountability.

As only one example, to promote robust compliance and accountability for employees at every level, companies should have policies in place governing employee communications.

Companies should also ensure those communications are appropriately preserved and maintained in accordance with internal document retention policies.

In the context of a government investigation or litigation, these communications will be produced and form the basis for reconstructing what happened during the time period being investigated.

This includes managing the usage of ephemeral messaging tools that might not be captured by company systems and having policies regarding the appropriate use of personal devices, such as mobile phones.

Compliance is an ongoing process. Effective compliance programs should be tested and modified over time. Periodic audits should focus on areas of greatest compliance risk and look for opportunities to improve on existing policies and procedures.

Compliance also should be evaluated in real time, including immediate review of significant product safety issues that have recently concluded for any lessons learned prior to memories fading or key personnel departing.

Finally, compliance is a cultural issue. Companies should establish a culture that expects compliance, and reinforce that expectation through the tone from the top and through all levels of the organization.

[1] https://www.justice.gov/opa/pr/two-corporate-executives-convicted-first-ever-criminal-prosecution-failure-report-under.

[2] https://www.justice.gov/opa/pr/two-corporate-executives-convicted-first-ever-criminal-prosecution-failure-report-under.

[3] https://www.ecfr.gov/current/title-16/chapter-II/subchapter-B/part-1115.

[4] https://www.cpsc.gov/Newsroom/News-Releases/2016/Gree-Agrees-to-Pay-Record-1545-Million-Civil-Penalty-Improve-Internal-Compliance-for-Failure-to-Report-Defective-Dehumidifiers; https://www.cpsc.gov/Recalls/2013/gree-recalls-12-brands-of-dehumidifiers.

[5] https://www.cpsc.gov/Newsroom/News-Releases/2016/Gree-Agrees-to-Pay-Record-1545-Million-Civil-Penalty-Improve-Internal-Compliance-for-Failure-to-Report-Defective-Dehumidifiers.

[6] https://www.justice.gov/opa/pr/gree-appliance-companies-charged-failure-report-dangerous-dehumidifiers-and-agree-91-million.

[7] https://www.justice.gov/opa/press-release/file/1445401/download.

[8] https://www.justice.gov/opa/pr/two-corporate-executives-convicted-first-ever-criminal-prosecution-failure-report-under.

[9] https://www.law360.com/articles/1144506/attachments/0.

[10] https://www.justice.gov/opa/pr/two-corporate-executives-convicted-first-ever-criminal-prosecution-failure-report-under.

[11] https://www.cpsc.gov/s3fs-public/pdfs/blk_media_cpsa.pdf?epslanguage=en.

[12] https://www.cpsc.gov/Business–Manufacturing/Recall-Guidance/Duty-to-Report-to-the-CPSC-Your-Rights-and-Responsibilities.

[13] https://www.cpsc.gov/Business–Manufacturing/Recall-Guidance/Duty-to-Report-to-the-CPSC-Your-Rights-and-Responsibilities.

[14] https://www.federalregister.gov/documents/2021/12/01/2021-26082/civil-penalties-notice-of-adjusted-maximum-amounts.

[15] https://www.ecfr.gov/current/title-16/chapter-II/subchapter-B/part-1115.

[16] https://www.govinfo.gov/content/pkg/USCODE-2022-title15/pdf/USCODE-2022-title15-chap47-sec2070.pdf.

[17] https://www.govinfo.gov/content/pkg/USCODE-2022-title15/pdf/USCODE-2022-title15-chap47-sec2070.pdf.

[18] https://www.cpsc.gov/s3fs-public/FY2023CPSCOperatingPlan.pdf?VersionId=Z.vZzSezwTIX224uG66J5fHTkFcIvL.G.

[19] https://www.cpsc.gov/s3fs-public/FY2024OperatingPlan.pdf?VersionId=N46Kg9oFJtn_Slys4cdzuQYza29oFynS.

[20] https://www.cpsc.gov/About-CPSC/Chairman/Alexander-Hoehn-Saric/Statement/Statement-of-Chair-Alex-Hoehn-Saric-Regarding-Vote-to-Approve-75M-Settlement-Agreement-with-Vornado-Air-LLC.

[21] https://www.cpsc.gov/About-CPSC/Commissioner/Richard-Trumka/Statement/CPSC-Secures-19065-Million-Penalty-Against-Peloton-for-Corporate-Misconduct-Surrounding-Lethal-Defect.

[22] https://www.cpsc.gov/About-CPSC/Commissioner/Peter-A-Feldman/Statement/Statement-of-Commissioner-Peter-A-Feldman-on-Guilty-Verdicts-Against-Gree-Executives.

[23] https://www.cpsc.gov/About-CPSC/Commissioner/Mary-T-Boyle/Statement/Commissioner-Mary-T-Boyle-Statement-on-Peloton%E2%80%99s-Agreement-to-Pay-Major-Civil-Penalty.

[24] https://investors.generac.com/static-files/081b832b-5ec2-43e1-959a-64d64fb43a9d.

[25] https://www.cpsc.gov/Newsroom/News-Releases/2023/Generac-Agrees-to-Pay-15-8-Million-Civil-Penalty-for-Failure-to-Immediately-Report-Portable-Generators-Posing-Finger-Amputation-and-Crushing-Hazards.

[26] https://www.cpsc.gov/About-CPSC/Chairman/Alexander-Hoehn-Saric/Statement/Statement-of-Chair-Alex-Hoehn-Saric-Regarding-Vote-to-Approve-75M-Settlement-Agreement-with-Vornado-Air-LLC.

[27] https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-arun-g-rao-delivers-keynote-address-food-and-drug-law.

Record-breaking year for whistleblowers

The SEC continues to encourage whistleblowers to report potential securities violations.  According to the enforcement results, the SEC received 18,000 whistleblower tips in FY23 – an all-time high and approximately 50% more than were received last year. In total, the SEC received more than 40,000 tips, complaints and referrals (a 13% increase from FY22). The SEC issued whistleblower awards of almost $600 million, the highest amount ever awarded in one year. These awards included a record $279 million award that went to one whistleblower. 

Rewards for meaningful cooperation and self-disclosure

The SEC continues to reward meaningful cooperation “to efficiently promote compliance” across the industry. According to the enforcement results, “[r]ewarding parties that cooperate encourages other firms to proactively self-police, self-report, and remediate potential securities law violations and to provide meaningful cooperation with the Division’s investigations.” To that end, in FY23, the SEC rewarded cooperation in cases against public issuers, private companies and advisory firms in matters involving a wide range of violations – including material misstatements, recordkeeping violations, undisclosed perquisites and violations of whistleblower protection rules.

The enforcement results highlighted several actions in which companies promptly self-reported conduct to the SEC, undertook affirmative remedial measures and provided substantial cooperation. Such cooperation included the provision of “detailed financial analyses and explanations and summaries of factual issues” during the investigation, “proactively identifying key documents and witnesses,” and responding to several SEC requests without the need for a subpoena. As a result, in those matters no civil penalties were ordered, or the penalties ordered were significantly lower than are typical for the violations at issue.

Individual accountability – focus on executives and insiders  

As in prior years, the SEC reiterated that “[i]ndividual accountability remains a pillar of the SEC’s enforcement program.” Approximately two-thirds of the SEC’s cases in FY23 involved charges against one or more individuals, and, as mentioned above, the SEC obtained orders barring 133 individuals from serving as officers and directors of public companies. The enforcement results highlighted several fraud-related cases in which officer and director bars were imposed (among other remedies) – including cases against a former Wells Fargo executive, who was charged with fraud for misleading investors about “the success of Wells Fargo’s core business,” and the former CEO of McDonald’s, who was charged with making false and misleading statements about “the circumstances leading to his termination from McDonald’s.”  

Continued focus on ESG, crypto and other disclosures

Consistent with SEC Director Gurbir Grewal’s recent statements at the 2023 Berkeley Fall Forum on Corporate Governance, the enforcement results emphasize the increased importance of environmental, social and governance (ESG) issues to investors, resulting in an increased focus on related public company disclosures. In FY23, the SEC brought several enforcement actions addressing ESG issues, including charges against companies for making materially misleading statements about ESG-related controls and failure to maintain disclosure controls and procedures regarding employee complaints about workplace misconduct.

The SEC also continued its focus on crypto assets and expanded into non-fungible tokens (NFTs), filing its first actions against issuers of NFTs. The enforcement results highlighted charges alleging “massive crypto frauds” brought against multiple high-profile companies. The SEC also flagged multiple cases where “influencers” allegedly unlawfully “touted” crypto assets without disclosing that they were compensated to do so.

Read more about the SEC’s FY23 enforcement activity – including actions related to cybersecurity risks and incidents and charges against public companies related to alleged fraud, accounting misstatements, and deficient controls.

Authors

Luke Cadigan

Elizabeth Skey

Janelle Fernandes

According to the declination letter, the DOJ found evidence that bribes were paid both before and after Lifecore’s acquisition of the subsidiary, but the DOJ declined to bring charges against Lifecore because, among other things, the company timely and voluntarily self-disclosed the misconduct. What did “timely” mean here? While an officer of the subsidiary affirmatively concealed the bribes during Lifecore’s pre-acquisition due diligence, Lifecore learned about the misconduct during post-acquisition integration, then launched an internal investigation. The DOJ stressed that within three months of first discovering the possibility of wrongdoing – and just hours after the internal investigation confirmed that it had occurred – Lifecore voluntarily reported it to the DOJ. The declination letter also outlines other factors that went into the DOJ’s decision not to prosecute Lifecore, including the company’s “full and proactive cooperation,” the nature and seriousness of the offense, Lifecore’s disgorgement of the financial benefit fairly attributable to the misconduct, and its timely remediation – including terminating the officer engaged in the misconduct, withholding that officer’s compensation and improving the company’s compliance program.

Underscoring the DOJ’s focus on this type of voluntary self-disclosure, in October 2023, Deputy Attorney General Lisa Monaco announced a new Safe Harbor Policy for voluntary self-disclosures made in connection with mergers & acquisitions. A “safe harbor period” is generally defined as a time period where certain conduct won’t trigger a regulatory violation. The purpose of the new policy is to incentivize acquiring companies to timely disclose misconduct uncovered at acquired entities during the M&A process. In short, acquiring companies will receive the presumption of a declination (i.e., the government will not pursue a criminal prosecution) when they “promptly and voluntarily disclose criminal misconduct within the Safe Harbor period,” “cooperate with the ensuing investigation,” and “engage in requisite, timely and appropriate remediation, restitution, and disgorgement.”

After describing certain conditions required for the Safe Harbor to apply, Monaco identified two key takeaways for boards and deal teams. First, she made clear that the DOJ is “placing an enhanced premium on timely compliance-related due diligence and integration.” And second, she cautioned that going forward, “[c]ompliance must have a prominent seat at the deal table if an acquiring company wishes to effectively de-risk a transaction.” Read more about the new M&A Safe Harbor Policy below.

Requirements for M&A Safe Harbor

The new Safe Harbor Policy will be applied Department-wide, with each part of the DOJ applying the policy in ways that are tailored to fit its “specific enforcement regime.” The policy applies only to criminal conduct uncovered in “bona fide, arms-length M&A transactions,” and does not apply if the misconduct was: (i) otherwise required to be disclosed, (ii) already public, or (iii) known to DOJ. The Safe Harbor will have no impact on civil merger enforcement.

Timing

In an effort to provide greater predictability, the DOJ has included two baseline timing requirements in the policy. First, to qualify for the Safe Harbor, companies must disclose the misconduct at the acquired entity within six months of the deal closing date, regardless of whether the misconduct was discovered before or after the acquisition. Second, companies must fully remediate the misconduct within one year of the closing date. However, both baseline deadlines are subject to a reasonableness analysis, and prosecutors may extend them depending on the “specific facts, circumstances, and complexity of a particular transaction.” On the other hand, Monaco noted that “companies that detect misconduct threatening national security or involving ongoing or imminent harm can’t wait for a deadline to self-disclose.”

Aggravating factors

The acquiring company’s ability to receive a declination will not be impacted by the presence of aggravating factors – such as if the misconduct was egregious or pervasive, or if an executive was involved, or if the company profited significantly from it – at the acquired company. And if aggravating factors do not exist at the acquired company, that entity also may qualify for applicable voluntary self-disclosure benefits (including a possible declination).

Recidivist analysis

Misconduct disclosed under the new policy will not be factored into recidivist analysis for the acquiring company, either at the time of the disclosure or in the future. In other words, the acquiring company will not itself be considered a repeat offender based on misconduct at the acquired company – even if the acquiring company had a prior conviction when it disclosed the acquired company’s misconduct or if the acquiring company is subject to enforcement for unrelated misconduct in the future.

To put the benefits of this policy into perspective, but also drive home the importance of compliance, Monaco reminded companies that if they “do[] not perform effective due diligence or self-disclose misconduct at an acquired entity, [they] will be subject to full successor liability for that misconduct under the law.”

‘Era of expansion and innovation’ in corporate enforcement

Monaco plainly stated that “[c]orporate enforcement is in an era of expansion and innovation.” Indeed, the DOJ’s announcement of this Safe Harbor Policy builds on Monaco’s September 2022 memo outlining revisions to the DOJ’s corporate criminal enforcement policies, as well as the DOJ’s February 2023 announcement of a new voluntary self-disclosure policy for corporate criminal enforcement in US attorney’s offices nationwide, which offered incentives including significant discounts on fines and not guilty plea resolutions for corporations that meet the criteria for a voluntary self-disclosure of misconduct.

In addition to the M&A Safe Harbor Policy, Monaco’s remarks touched on other developments in corporate criminal enforcement, including those outlined below.

Expansion of corporate criminal enforcement related to national security

The number of “major national security corporate resolutions” has already doubled in 2023 as compared to 2022, and the DOJ is powering up the National Security Division by adding more than two dozen new corporate crime prosecutors and the Division’s first chief counsel for corporate enforcement.

New tools to penalize and deter corporate misconduct

This year saw the first criminal resolutions that include divestiture of entire business lines and specific performance as part of restitution and remediation.

Pilot program related to executive compensation

Under a new pilot program, all DOJ criminal resolutions will require companies to “add compliance-promoting criteria to their compensation systems.” Additionally, companies that claw back or withhold incentive compensation from executives responsible for misconduct receive a “clawback credit” (a deduction from the otherwise-applicable penalty).

What’s next?

The DOJ continues to focus on corporate and individual accountability for wrongdoing while incentivizing compliance and timely self-disclosure of wrongdoing. As for the new M&A Safe Harbor, the full written policy has not yet been released. For now, boards and deal teams – and their advisers – should take care to design diligence and compliance programs that strive to detect and remediate potential wrongdoing within the presumptive baseline timelines. For example, companies entering an acquisition should conduct aggressive diligence to identify potential issues prior to a transaction, but also should consider the diligence process as continuing after the acquisition in order to reap the benefits of the six-month Safe Harbor disclosure window. Conversely, companies that anticipate being the target of a merger or acquisition should expect more robust diligence focused on legal compliance. Those companies are advised to identify, investigate and address potential wrongdoing in advance of a transaction so that unaddressed issues emerging in the context of the acquisition do not disrupt the timeline or completion of the transaction.

By way of background, ENRC alleges that employees of the SFO improperly leaked sensitive information acquired in the course of the SFO’s investigation to journalists and other third parties. These allegations were internally investigated by the SFO. Its findings were contained in a document termed the Byrne Report, which concluded certain employees suspected of leaking information about ENRC – and other targets of SFO investigations – had a ‘case to answer’. The Byrne Report was disclosed by the SFO during proceedings with redactions made to it on the basis of three distinct grounds:

• Public interest immunity (PII), as certified by the director of the SFO.
• Privilege.
• Irrelevance and confidentiality.

ENRC made an application to challenge the redactions made by the SFO, and each category of redaction was considered in turn.

Public interest immunity

The High Court affirmed that the test for whether PII can legitimately be asserted in respect of a document remains the three-stage test set out in R v. Chief Constable of West Midlands Police, ex parte Wiley:[2]

1. Is the information in question relevant and material to an issue in the proceedings?

2. If it is relevant and material, is there a real risk that disclosure of the information in question will cause ‘substantial harm’ to a public interest?

3. Even where a real risk of substantial harm can legitimately be said to arise, is the public interest in withholding inspection nonetheless outweighed by the public interest in the fair administration of justice?

The SFO argued that the PII redactions concerned the identities of human sources that provided information to it for the purposes of compiling the Byrne Report. The High Court was satisfied that there was a public interest in protecting the identities of these confidential sources, and that the potential harm to the public interest (primarily, of dissuading any other individuals from coming forward) outweighed the interest in the fair administration of justice. The High Court therefore dismissed ENRC’s application on this ground.

Privilege

There were two substantive applications regarding the redactions made on the basis of privilege. ENRC argued that either the High Court should inspect the redacted material to determine whether privilege had been properly claimed, or the SFO should be ordered to provide an additional explanation for the basis on which it asserted the privilege claimed above the explanation it had already provided, in accordance with Practice Direction 57A.

The High Court considered each limb in turn:

1. Inspection

It was common ground that the High Court had the power to inspect documents before it, including, but not limited to, inspecting allegedly privileged documents to determine if privilege had been rightly claimed, but it was held that such a power must be exercised cautiously. The SFO relied on National Westminster Bank PLC v. Rabobank Nederland[3]andAtos v. Avis[4] to argue that the court should not inspect documents in the face of a claim to privilege unless there is credible evidence that the lawyers responsible for the redactions have misunderstood their duty, that their assessment is not to be trusted, or where there is no reasonably practical alternative.

The High Court held that although the Byrne Report is a single document and the number of challenged redactions on the grounds of privilege were limited, this was not itself sufficient to conclude that inspection of the document was the only practical route forward. The High Court also was of the view that it would not have the necessary factual context to reach an informed decision on privilege in any event, even should inspection be granted, and that meant it was not desirable for the High Court to make such an order. Finally, the High Court also highlighted that it must be particularly cautious about looking at documents out of context at the interlocutory stage. Therefore, the High Court dismissed ENRC’s application for inspection.

2. Additional explanation

It was common ground that in certain circumstances a party claiming privilege may be required to provide a relatively detailed explanation of the basis on which privilege has been claimed (particularly when the grounds for claiming that privilege are not self-evident).[5] However, in this case, the High Court held that an order requiring further detail be added to the explanation already provided by the SFO would ‘in all likelihood require the SFO in effect to disclose the substance of the communication’ and defeat its very claim to privilege. The High Court dismissed ENRC’s application for an additional explanation, as it considered that it went beyond what was required of the SFO by the authorities and the relevant Practice Direction.

Irrelevance and confidentiality

It was common ground that in order to redact on this basis the information must be both irrelevant and confidential. ENRC argued that nothing in the Byrne Report should be considered irrelevant.

The SFO sought to present what it considered a ‘principled dividing line’ between preserving the confidentiality of its internal operations while disclosing information relevant to the list of issues agreed between the parties. The High Court considered that this was too narrow of an approach, and that information must be considered relevant – and therefore be disclosed – if it relates to any point at issue between the parties, whether or not it has been included on the list of issues.

For the reasons discussed above, the High Court remained of the view that inspection was a poor method to consider which – if any – of the redactions should be unmade. Instead, the High Court directed the SFO to undertake a further review of the redactions made on the basis of irrelevance and confidentiality in light of its judgment.

Takeaways

The judgment in this matter is a helpful case study on the law surrounding the use of redactions in disclosed material. While PII will arise in relatively limited contexts, primarily when dealing with regulatory authorities, parties engaged in a redaction exercise would be well served to consider the guidance given in this case and be prepared to defend any redactions made in accordance with it.

[1] Eurasian Natural Resources Corporation Limited v.The Director of the Serious Fraud Office and Others [2023] EWHC 2488.

[2] [1995] 1 AC 274.

[3] [2006] EWHC 2332 (Comm) at [60].

[4] [2007] EWHC 323 (TCC) at [37].

[5] ENRC v. Dechert LLP, Gerrard and the Director of the SFO [2020] EWHC 1002.

Although the act is now the law of the land, the specific offence of failure to prevent fraud – which has generated the most heated commentary – will not come into force until the Secretary of State has published guidance on the procedure that relevant bodies can put in place to prevent persons associated with them from committing fraud offences. While there is no firm date on which that guidance is due to be published, companies should treat this interim period as an opportunity to revisit and improve their compliance procedures. This will not be an easy task, as the potential behaviour that now has to be monitored by companies will take a multitude of forms.

The impact that the act will have remains to be seen, and opinion is split as to whether it will help clean up an endemic of fraud or only serve to make business more difficult to conduct. Whichever way the fallout blows, it is certain that there are going to be significant consequences, and we can expect that the authorities will be very interested in flexing their newfound powers.

To read more of our thoughts on this developing area, please refer to our Failing to Prepare Is Preparing to Fail blog post from earlier this year.

We published a Cooley client alert summarising the regime in March 2023.

The FCA has now published a ‘final warning’ reminding companies promoting cryptoassets to UK consumers that they must get ready for the regime. The letter notes that the FCA has had constructive and productive conversations with some firms about how they can meet the requirements of the regime, but also mentions poor engagement from many unregistered, overseas cryptoasset firms with UK customers. 

Notably, this ‘final warning’ is not only directed at cryptoasset firms. The FCA specifically highlights that it expects social media companies, search engines and app stores to play their part in ensuring that illegal financial promotions are not communicated to UK consumers by unregistered cryptoasset firms and stresses that these intermediaries will be at risk of committing money laundering offences under the Proceeds of Crime Act 2002 (POCA) if they support unregistered cryptoasset firms by, for example, communicating their ads. In the same vein, the FCA reminds these companies that illegal cryptoasset promotions will be considered ‘illegal content’ under the new Online Safety Bill – and that the FCA and Ofcom are working closely together on this topic.

The FCA’s letter warns that illegally promoting cryptoassets to UK consumers will breach the Financial Services and Markets Act 2000 and could lead to the FCA taking steps to remove or block websites, social media accounts and apps, and/or civil or criminal enforcement actions. Contracts resulting from unlawful promotions also may be unenforceable against UK consumers.

Companies marketing to customers in the US can expect to face a different regulatory regime, which continues to evolve.

• The US Supreme Court held that for the scienter element of the False Claims Act (FCA), what matters is the defendant’s “knowledge and subjective beliefs” – not objective reasonableness
• In practice, defendants may no longer be able to achieve early dismissal of FCA cases based on objective scienter arguments – and may instead face burdensome discovery into their own knowledge and beliefs
• The Supreme Court’s opinion leaves consequential questions open for lower courts to address, including whether a defendant faced with an ambiguous regulation was aware of a “substantial and unjustifiable risk” that the claims submitted were false
• Defendants who can demonstrate good faith in their decision-making process may still be able to have success at summary judgment

In a much-anticipated opinion released on June 1, 2023, the US Supreme Court held that the scienter element of the False Claims Act (FCA) turns on the defendant’s “knowledge and subjective beliefs” – not on “what an objectively reasonable person may have known or believed.”

The unanimous decision in the consolidated cases, United States ex rel. Schutte v. Supervalu Inc. and United States ex rel. Proctor v. Safeway Inc., held that “what matters for an FCA case is whether the defendant knew the claim was false.” The Supreme Court’s application of this subjective standard appears to preclude scienter defenses based in objective reasonableness – a key argument FCA defendants had frequently relied on to seek early dismissal of cases.  Going forward, defendants may expect to face discovery probing their knowledge and state of mind before a court may deem dismissal is warranted.      

Background

FCA liability arises where a person “knowingly presents … a false or fraudulent claim for payment or approval.” To establish an FCA violation, a plaintiff – the government or qui tam relator – must prove both that the claim was false and that the defendant knew it was false (scienter). 

Here, the petitioners claimed that the two supermarket chains defrauded Medicaid and Medicare when seeking reimbursements that were limited by regulation or contract to the pharmacies’ “usual and customary” prices. According to the petitioners, the pharmacies offered discounted prices to their customers but reported higher retail prices when submitting reimbursement claims to the federal benefits programs. The petitioners presented evidence that ostensibly demonstrated the pharmacies believed their claims to be inaccurate, but still submitted them.

At summary judgment, the district court ruled that the pharmacies’ discounted prices were their “usual and customary” prices, and so their claims reporting the retail prices were false.  However, the district court held that the pharmacies could not have acted “knowingly,” because their position was objectively reasonable at the time. As a result, the district court granted summary judgment in favor of the pharmacies. 

The Seventh Circuit affirmed, relying in large part on a prior Supreme Court case interpreting the term “willfully” in the context of a different federal statute. The Seventh Circuit reasoned that the defendants’ actual knowledge was irrelevant if their actions were consistent with “any objectively reasonable interpretation of the relevant law,” and that the defendants’ subjective belief should only be considered if their acts were objectively unreasonable. The Seventh Circuit affirmed the grant of summary judgment for the pharmacies on the grounds that their acts were consistent with an objectively reasonable interpretation of “usual and customary,” which could have referred to the retail price, rather than the discounted price.

The Supreme Court’s decision

The Supreme Court granted certiorari to address the question of whether the pharmacies could have the scienter required by the FCA if they correctly understood the relevant standard and believed their claims were inaccurate – regardless of what an “objectively reasonable” person would believe. Relying on the text of the FCA and its “common-law roots,” the Supreme Court answered that question in the affirmative. The Supreme Court held that “[w]hat matters for an FCA case is whether the defendant knew the claim was false” – not “what an objectively reasonable person may have known or believed” (emphasis added). The opinion also made clear that FCA defendants cannot rely on after-the-fact interpretations that “might have rendered their claims accurate” – the crucial question is what the defendant knew when submitting the claim.   

Of course, discerning what a defendant knew at a moment in time is not necessarily straightforward. Justice Clarence Thomas, writing for the Supreme Court, stated that scienter under the FCA captures defendants who were “conscious of a substantial and unjustifiable risk that their claims are false, but submit the claims anyway.” Yet the Supreme Court declined to provide guidance on what constitutes a “substantial and unjustifiable risk,” or how a defendant would identify that type of risk when confronted with an ambiguous regulation.

Relatedly, though the Supreme Court acknowledged that the phrase “usual and customary” is not clear on its face, it rejected all of the pharmacies’ arguments urging it to adopt the Seventh Circuit’s reasoning that “because otherpeople might make an honest mistake, defendants’ subjective beliefs become irrelevant.” Instead, the Supreme Court concluded that, “it does not matter whether some other, objectively reasonable interpretation of ‘usual and customary’ would point to [the pharmacies’] higher prices. For scienter, it is enough if [they] believed that their claims were not accurate.”

Significance

In practice, the Supreme Court’s command to focus on subjective belief may stymie early dismissal of FCA cases, which had often been based on scienter arguments related to objective reasonableness. FCA defendants may instead be exposed to expansive and costly discovery exploring the defendant’s state of mind at the time claims were submitted. Litigants may also see protracted disputes as lower courts begin to address questions left unanswered – including whether a defendant faced with an ambiguous regulation was aware of a “substantial and unjustifiable risk” that the claims submitted were false. 

As this new landscape unfolds, companies will have to consider whether and how to create contemporaneous records documenting their interpretations of ambiguous regulations at the time claims are submitted. Defendants who can demonstrate good faith in their decision-making process may still be able to have success at summary judgment.

The Sixth Circuit opinion is also one of the first to consider the contours of the term “remuneration” under the Anti-Kickback Statute (AKS). In Martin, the court narrowly interpreted the term remuneration to include only payments and other transfers of value – rejecting the broad “anything of value” interpretation.

While the appellants claim that en banc review is warranted based on the circuit split and questions of exceptional importance, the appellees have urged the Sixth Circuit to deny rehearing. If the panel decision stands, it provides a powerful argument for defendants moving forward against an increasingly aggressive relators’ bar, and marks an important step in curbing government overreach in FCA litigation. By establishing a higher standard of causality and narrowing what constitutes remuneration under the AKS, this well-reasoned decision sets limits (at least within the Sixth Circuit) on the potential scope of FCA liability based on the plain language of the statute – a welcome development for FCA defendants.

Background

The FCA is the government’s primary mechanism to combat fraud and abuse in federal funding, particularly in the healthcare industry. In 2022, healthcare fraud was the leading source of FCA settlements and judgments, frequently resulting in staggering monetary penalties for FCA defendants.

The rise in FCA claims against providers and companies in the health care industry is due, at least in some part, to the enactment of the Affordable Care Act (ACA) in 2010, which amended and expanded liability under the FCA by providing that claims “resulting from” a violation of the AKS constitute false or fraudulent claims.

Before the Sixth Circuit decision, the Third and Eighth Circuits each considered the meaning of the phrase “resulting from” and reached very different conclusions. In 2018, the Third Circuit held in Greenfield v. Medco Health Solutions, Inc. that while “there must be some connection between a kickback and a subsequent reimbursement claim,” plaintiffs need not prove “but-for” causation.[1] The Third Circuit relied on legislative history of the ACA’s 2010 amendment to the FCA in reaching that conclusion.[2] By contrast, in 2022, the Eighth Circuit in Cairns v. D.S. Medical LLC rejected the Third Circuit’s approach. The Eighth Circuit held that under the plain language of the statute, when FCA plaintiffs seek to establish falsity or fraud through the 2010 amendment, they “must prove that a defendant would not have included particular ‘items or services’ but for the illegal kickbacks.”[3]

Sixth Circuit opinion

Causation

On March 28, 2023, the Sixth Circuit joined the Eighth Circuit by holding that the phrase “resulting from” should be interpreted as requiring but-for causation. The court first reasoned that “the ordinary meaning of ‘resulting from’ is but-for causation,” and that there was no “‘textual or contextual indication’ to indicate a ‘contrary’ meaning.’”[4] The court then observed that Congress added the phrase “resulting from” “against the backdrop of a handful of cases that observed similar language as requiring but-for causation.”

Invoking the Eighth Circuit’s analysis in Cairns, the Sixth Circuit pointed out that had Congress intended an alternative causation standard, it would have used other language, such as “[t]ainted by” or “provided in violation of.”[5] Instead, Congress chose the phrase “resulting from” – an “‘unambiguously causal’ standard.” Like the Eighth Circuit, the Sixth Circuit rejected the Third Circuit’s contrary conclusion, which relied on legislative history rather than the plain meaning of the statute.[6] Ultimately, the court found that the plaintiffs in Martin failed to allege but-for causation because “the alleged scheme did not change anything.”[7]

In Martin, the plaintiffs alleged that a hospital’s decision not to hire an internal ophthalmologist (Dr. Martin) in return for a general commitment of continued surgery referrals from another ophthalmologist (Dr. Hathaway) violated the AKS. The court dismissed the case, in part because the plaintiffs failed to identify a single claim for reimbursement that would otherwise not have occurred:

Indeed, the plaintiffs only identified one surgery performed by Dr. Hathaway for which the hospital sought reimbursement, and that procedure took place seven months after the hospital decided not to hire Dr. Martin. The court reasoned that “[t]emporal proximity by itself does not show causation, and seven months would create few inferences of cause and effect anyway.”[9] And in response to the plaintiffs’ identification of claims that Dr. Hathaway’s practice submitted for reimbursement after the hospital decided not to hire Dr. Martin, the court observed that the hiring decision was made by the hospital’s board – not its physicians, who make patient referrals. Because the plaintiffs failed to allege the hospital could “control or direct the referral decisions of its physicians,” the independent decision-making of the physicians “doom[ed] the chain of causation.”[10]

Remuneration

The Sixth Circuit separately rejected the overly expansive “anything of value” definition of remuneration and found that the problem with such a broad definition is that it “lacks a coherent end point.”[11] Instead, the court held that remuneration should only cover payments and other transfers of value – not “any act that may be valuable to another.”

The AKS establishes criminal and civil liability for knowingly and willfully offering or paying any remuneration (including any kickback, bribe or rebate) to induce or reward referrals for items or services that are reimbursable under a federal health care program.[12] At issue in this case was whether a hospital’s decision not to hire an ophthalmologist – in return for another local ophthalmologist’s general commitment to continue to refer patients to its surgery center –counted as “remuneration” under the AKS. The Sixth Circuit held that it did not.

Relying on other statutory uses of the word “remuneration” (including those from around 1977, when Congress first penalized the offer of “remuneration” in return for patient referrals), the court found that Congress clearly intended prohibited remuneration to have a “payment quality.”[13] Further, the court reasoned that while other appellate courts had not addressed this exact issue, they generally define remuneration in the same way: “one that entails a payment or transfer.”[14] The court also applied the rule of lenity applicable to statutory language that gives rise to both civil and criminal liability, which further supported the narrower reading. As such, the court concluded that “remuneration” must be interpreted as a payment or transfer of value, and did not include something as “non-concrete” and “vague” as the alleged kickback scheme in this case.[15]

The court further cautioned that “reading causation too loosely or remuneration too broadly appear as opposite sides of the same problem,” given that “[m]uch of the workaday practice of medicine might fall within an expansive interpretation of the Anti-Kickback Statute.”[16] 

What’s next?

The US Supreme Court recently heard a pair of consolidated cases addressing the FCA’s “knowledge” standard. Many predict that the Sixth Circuit’s decision – and corresponding circuit split – will similarly make its way before the Court, which may ultimately decide the requisite standard for causation in FCA cases based on violations of the AKS. It is uncertain whether other circuits, such as the First and Ninth Circuits, with their active FCA dockets, will face this question and deepen the split in the meantime.

If the reasoning of the Sixth and Eighth Circuits ultimately prevails, but-for causation would be a significant barrier to proving damages in FCA cases that rely on the “resulting from” standard in the 2010 amendment – and may motivate plaintiffs to explore alternative theories of proof for alleged AKS violations.

[1] US ex rel. Greenfield v. Medco Health Solutions, Inc., et al., No. 17-1152 (3d Cir. Jan. 19, 2018) at 22.

[2] Id. at 14-15.

[3] Cairns, et al. v. D.S. Medical LLC, et al., No. 20-2445 (8th Cir. July 26, 2022) at 14.

[4] US ex rel. Martin, et al. v. Hathaway, et al., No. 22-1463 (6th Cir. Mar. 28, 2023) at 12.

[5] Id. at 13.

[6] Id. at 15.

[7] Id. at 13.

[8] Id. at 13.

[9] Id. at 14.

[10] Id. at 14.

[11] Id. at 9.

[12] See 42 U.S.C. § 1320a-7b.

[13] Martin, No. 22-1463 at 6-7.

[14] Id. at 7.

[15] Id. at 10.

[16] Id. at 15.

The UK government has now introduced amendments to the bill intended to reform corporate criminal liability. The proposals are summarised in a ‘factsheet’ issued by the government. The stated aim is ‘to hold organisations to account if they profit from fraud committed by their employees’. This follows exhaustive debate for many years concerning the most desirable route forward, most recently reflected in the Law Commission’s 10 June 2022 options paper, which presented various guiding principles and options for reform.

There is an existing framework of specific ‘failure to prevent’ offences in the UK – the failure to prevent bribery (contrary to the Bribery Act 2010) and the failure to prevent the facilitation of tax evasion (contrary to the Criminal Finances Act 2017). The number of actual convictions and prosecutions for these offences is low by comparison to the expectation that surrounded their introduction. While there have been some bribery-related convictions, it is particularly striking that there have been zero prosecutions for failing to prevent the facilitation of tax evasion since the introduction of the offence. However, the introduction of these offences has undoubtedly materially altered the UK’s compliance landscape and improved industry standard corporate controls, procedures and training.

The proposals will introduce a new corporate offence of failure to prevent fraud. The proposed draft text in its current form reads:

‘Failure to prevent fraud

(1) A relevant body which is a large organisation is guilty of an offence if, in a financial year of the body (“the year of the fraud offence”), a person who is associated with the body (“the associate”) commits a fraud offence intending to benefit (whether directly or indirectly)

• (a) the relevant body, or
• (b) any person to whom, or to whose subsidiary, the associate provides services on behalf of the relevant body.

(2) But the relevant body is not guilty of an offence under subsection (1)(b) if the body itself was, or was intended to be, a victim of the fraud offence.

(3) It is a defence for the relevant body to prove that, at the time the fraud offence was committed –

• (a) the body had in place such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place, or
• (b) it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place.

(4) In subsection (3) “prevention procedures” means procedures designed to prevent persons associated with the body from committing fraud offences as mentioned in subsection (1). […]’

The new offence will cover a wide range of matters, including fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, obtaining services dishonestly, participating in a fraudulent business, false statements by company directors, false accounting, fraudulent trading and cheating the public revenue. The wide scope of the new offence may make it challenging for companies to implement reasonable procedures that can effectively prevent fraud, given that the fraudulent behaviour in question could take a multitude of forms.

The proposed offence will apply to companies, partnerships and charities. However, only ‘large organisations’, defined as those meeting two out of three of the following criteria, will be in scope:

1. More than 250 employees.
2. More than £36 million turnover.
3. More than £18 million in assets.[2] 

It also will have extraterritorial effect: Foreign companies can be prosecuted if they (and their fraudulent employees) commit fraud under UK law or target UK victims.

Fines for committing this new offence will be unlimited and will fall to be assessed by reference to the specific facts of the case before the court.

What next?

This new wider offence is another step change in the UK’s compliance landscape and will require a renewed focus on internal procedures intended to prevent fraud. We will wait to see if it also will bring more prosecutions and deferred prosecution agreements; however, Serious Fraud Office Director Lisa Osofsky has said, ‘This new offence would be a game changer for law enforcement – bringing the law on fraud in line with bribery. As the UK’s top economic crime prosecutors, this would help us crack down on fraudulent enterprises, compensate their victims and ultimately protect the integrity of our economy’.

The new offence certainly will make it easier to secure convictions against companies for fraud committed by employees for the benefit of their employer, as it will be unnecessary to prove knowledge of the fraudulent activities by the ‘directing mind’ of the company, which the UK authorities view as a significant barrier to prosecution of large companies. In conclusion, any corporate entity that currently does business within the UK, or which is seeking to enter the market for the first time, will need to give careful consideration to its future compliance programme to ensure that it is fit for purpose – and that it does not inadvertently ‘fail to prevent’ a broad range of economic crimes.

[1] This is the complementary legislation to the Economic Crime (Transparency and Enforcement) Act 2022, which we have posted about previously.

[2] Section 465 of the Companies Act 2006.

Authors

Tom Epps

James Maton

Ben Sharrock

As early as 2017, the DOJ’s Foreign Corrupt Practices Act (FCPA) enforcement division had published guidance that organizations being investigated for FCPA violations could obtain a cooperation credit only if they disallowed the use of ephemeral messaging by employees. However, noting that many organizations use ephemeral messaging for legitimate business reasons, it later softened its stance, instead requiring organizations using ephemeral apps to have safeguards to ensure information is retained pursuant to retention policies and legal requirements.

What is ephemeral messaging?

Ephemeral messaging apps are communication platforms that automatically erase the conversation between parties immediately or after a short amount of time. Automatic deletion can be the application’s default or a feature that users or administrators can turn on and off. While ephemeral messaging has several real-world benefits, including privacy and security, it can be problematic for businesses that need to preserve information for regulatory, compliance, litigation or legal holds, or other reasons. Similar communication mediums such as text messages, in-application chat features and direct messages in social media accounts can prove equally problematic due to their decentralized nature, with the messages often residing on users’ devices or accounts beyond the reach of company controls. Other issues can arise when messaging apps are used to further illegal or disfavored activities by way of eliminating incriminating conversations or evidence of wrongdoing. Courts and regulatory agencies such as the DOJ have taken notice, cautioning organizations on the potential hazards of using messaging apps for business activities without sufficient policies and procedures in place to monitor compliance and preserve communications when necessary.

Actions against broker-dealers and investment advisers

In September 2022, the Securities and Exchange Commission and the Commodity Futures Trading Commission (CFTC) reached a combined $1.8 billion settlement with 15 broker-dealers and an investment adviser related to a failure to preserve electronic communications. Regulators focused on the widespread use of what the SEC called “off-channel” messaging communications, in particular text messages and messaging apps, that were not preserved as required of broker-dealers and investment advisers by SEC and CFTC record-keeping regulations. In December 2021, the SEC announced a $125 million fine against a large financial institution related to failures to preserve staff communications on personal mobile devices and messaging applications.

The SEC highlighted concerns related to ephemeral messaging in a Risk Alert issued in December 2018 reminding registered investment advisers of their retention obligations pursuant to SEC rules.¹ Noting an increase in the use of text messaging or chat apps to communicate, the SEC recommended that advisers review their policies and processes related to electronic messaging to ensure compliance with retention rules. In October 2021, SEC Division of Enforcement Director Gurbir Grewal indicated that companies “need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps.”

Litigation pitfalls

Ephemeral apps and text messages also have proven to pose issues for judges and parties in litigation, particularly in the context of preservation obligations in discovery. In Herzig v. Arkansas Foundation for Medical Care, Inc.,² the defendant alleged that the plaintiffs decided to install and use the ephemeral messaging application Signal to intentionally destroy discoverable evidence, despite the fact that they were subject to legal holds. The court found that the Signal communications were most likely responsive and that the plaintiffs’ decision to use Signal was done in bad faith.

Organizations that do not have controls or effective legal hold policies in place also run the risk of increased costs as the focus of the case shifts away from the merits to expensive discovery disputes that could result in case-ending sanctions.

Minimizing legal and compliance risks

It is imperative that companies have enforceable policies and controls in place to minimize legal and compliance risks from employee use of ephemeral messaging apps. Below, we’ve summarized actions companies can take.

Retention program and information policies

Create and implement practical retention policies for electronic messaging apps that are authorized by the company, and ensure compliance with applicable rules and regulations. This includes monitoring compliance and addressing noncompliant use of prohibited applications for business purposes. These policies also need to harmonize with the organization’s acceptable use policies for technology – and clearly define business communications and messaging guidelines.

Mobile devices and applications

Design functional mobile device policies and administer mobile device management software to manage apps on devices used for business purposes, including personal devices.

Legal holds

Establish proactive legal hold response procedures to prepare for potential litigation or regulatory activity.

Training and oversight

Develop training programs to educate employees regarding company policies and permissible communication applications, as well as apps prohibited for business purposes. Empower employees to understand their role in helping the company manage risk.

Next steps

Cooley can assist you in creating practical and effective information, device, and electronic messaging policies, and we can guide you through the implementation, administration and oversight process. We also can help your company design and implement defensible legal hold processes and procedures to navigate the complexities of the eDiscovery process. For more information, please reach out to one of the lawyers listed below.

Notes

1. Advisers Act Rule 204-2, which is also known as the “Books and Records Rule,” requires advisers to make and keep certain books and records relating to their investment advisory business, including typical accounting and other business records as required by the SEC.
2. No. 2:18-CV-02101, 2019 WL 2870106 (W.D. Ark., July 3, 2019).

Authors

Matthew Krengel

Ruth Hauswirth

Michelle Galloway

Luke Cadigan

Andrew D. Goldstein

Whistleblowers and voluntary self-disclosure

In a recent American Bar Association Corporate Counsel Seminar session on whistleblower reports (held prior to the DOJ’s policy announcement), a panel of in-house and outside counsel discussed the many difficulties companies face in deciding whether and when to self-disclose potential wrongdoing. These decisions often implicate a variety of complex considerations, including:

• The potential for cooperation credit, including reduced fines.
• The need to weigh the economic impact of a penalty against possible reputational damage to the business.
• The risk of collateral consequences, such as disqualifications under the federal securities laws (particularly since SEC settlements can no longer be conditioned on a waiver of disqualification).
• Whether the issue is company-specific or industry-wide.
• Whether a whistleblower has raised an internal complaint.

Regarding whistleblower complaints specifically, the panelists noted the practical reality that the presence of an internal whistleblower often weighs in favor of self-disclosure, given the likelihood that the whistleblower will (or already has) made a similar report to the relevant regulatory agency or brought a qui tam action. Indeed, as we previously observed in a November 2021 post on whistleblower complaints, financial incentives to blowing the whistle to regulators have grown exponentially in recent years.

False Claims Act

The False Claims Act’s strong whistleblowing incentives (including up to 30% of the recovery plus attorney’s fees and expenses) continued to generate considerable activity last year. In fiscal year 2022, qui tam relators filed 652 lawsuits – an average of 12 per week – and the DOJ obtained $1.9 billion in settlements and judgments from whistleblower lawsuits. Currently pending legal cases and potential legislative activity may result in even more protections for FCA whistleblowers, including limiting the burden to show that an allegedly violated regulation was material to the government and limiting the government’s ability to dismiss claims brought by whistleblowers.

Securities and Exchange Commission

Fiscal year 2022 was another record-setting year for the SEC whistleblower program. In FY 2022, the SEC received over 12,300 whistleblower tips (the largest number received in a fiscal year) and awarded $229 million to 103 individuals – the second-highest year in terms of dollar amounts and number of awards. Fiscal year 2023 has already seen significant whistleblower activity, with the SEC reporting seven awards totaling more than $138 million in recent months. 

Of particular interest, on December 19, 2022, the SEC announced an award of more than $37 million to a single whistleblower who not only blew the whistle to the SEC (and to another agency), but also was the initial source of the company’s internal investigation. The SEC noted that the company self-reported the alleged conduct, but that the whistleblower received credit for the investigation because they “provided the same information to the SEC within 120 days of providing it internally.” This illustrates both the very real risk that an internal whistleblower will also report potential misconduct to regulators, and the importance of considering whistleblower reports when deciding whether to self-disclose. 

Key takeaways

• In light of the government’s increased focus on voluntary self-disclosure of potential misconduct and the proliferation of whistleblower reports to regulators, companies must be prepared to investigate allegations from internal whistleblowers promptly, diligently and efficiently. 
• Companies should review their whistleblowing procedures and consider these best practices, including:
  • Take whistleblower allegations seriously.
  • Know when to hire outside counsel and when to raise issues with auditors, the audit committee and/or the board.
  • Treat whistleblowers thoughtfully and respectfully, and stay in contact where possible.
  • Don’t do anything that could be construed as retaliation or limiting communications between the whistleblower and regulators.
  • Keep the whistleblower’s identity confidential to the extent practicable.
  • Consider whether – and when – to self-report whistleblower allegations.
• In considering whether and when to self-report, do not assume that cooperating with later government inquiries will be treated as favorably as voluntary self-disclosure. As a senior DOJ official explained in connection with the recent policy announcement: “Even outstanding cooperation on the back end is not going to make up for a lack of voluntary self-disclosure on the front end.”

Authors

Shamis Beckley

Samantha Kirby

• With the creation of the new Disruptive Technologies Strike Force, the US Departments of Justice and Commerce are committing new resources and increasing their emphasis on pursuing export enforcement involving sensitive and emerging technologies
  

The federal government sent another big signal that it’s stepping up efforts to keep cutting-edge, dual-use and military technologies out of the hands of adversarial foreign governments when it announced the launch of the Disruptive Technology Strike Force (DIS-TECH) on February 16, 2023. The strike force, led by the Department of Justice and Department of Commerce, will focus on “investigating and prosecuting criminal violations of export laws” and leveraging international partnerships to protect American technology in fields such as biosciences, artificial intelligence, semiconductor technologies, supercomputing and quantum computing. 

“Our goal is simple but essential – to strike back against adversaries trying to siphon our best technology,” said Deputy Attorney General Lisa O. Monaco.

Emerging technologies companies should be alert to the government’s focus on export law violations.   

“Illegally exporting sensitive technology is not an abstract economic concern – it is a crime with a direct impact on the safety of the American people,” said FBI Deputy Director Paul Abbate in the announcement, adding that export crimes also have a negative effect on American businesses.

DIS-TECH will operate in 12 cities across the US and work with the FBI, Department of Homeland Security and multiple US attorney’s offices, according to the announcement. The strike force will use data analytics, intelligence gathering and private-sector partnerships to identify illicit activity, according to the announcement.       

The federal government had been signaling plans to step up enforcement efforts in this area.  Last year, the Commerce Department announced it was revamping its own enforcement program by imposing significantly higher penalties for export violations, increasing incentives for companies to voluntarily self-report and eliminating “no admit, no deny” settlements. 

Authors

Daniel Grooms

Kevin King

Tina Jensen

In fall 2022, the US Department of Justice clearly signaled that it is cracking down on workplace use of personal devices and third-party messaging applications. On September 15, DOJ Deputy Attorney General Lisa Monaco issued a memo detailing revisions to the DOJ’s corporate criminal enforcement policies. Among other things, the memo focuses on corporate compliance programs and, notably, companies’ ability to monitor employee use of personal devices and third-party apps:

The ubiquity of personal smartphones, tablets, laptops, and other devices poses significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover data from them during a subsequent investigation.  The rise in use of third-party messaging platforms, including the use of ephemeral and encrypted messaging applications, poses a similar challenge.

The memo makes clear that in evaluating the effectiveness of a corporate compliance program and in assessing a corporation’s cooperation in an investigation, the DOJ will consider a corporation’s policies and procedures governing the use of personal devices and messaging platforms for business communications. The memo also previewed that additional guidance on best practices would be forthcoming.

In mid-October 2022, the DOJ announced a $778 million plea deal by Lafarge, a French industrial company and the world’s largest cement manufacturer, for conspiring to support terrorist organizations. Referencing the September 2022 policy memo, Monaco addressed the role that off-channel electronic communications played in the investigation:

We also emphasize that companies should have policies to enable retention and production of communications over third- party messaging systems.  Lafarge did not.  Nonetheless, thanks to the efforts and ingenuity of our agents and prosecutors, we were able to locate the inculpatory emails that Lafarge executives tried to hide off-system.

For financial services firms that are registered with the Securities and Exchange Commission and thus subject to the SEC’s record-keeping rules, the stakes can be even higher. For example, in September 2022, the SEC announced a more than $1.1 billion resolution of an investigation involving 15 broker-dealers and one affiliated investment adviser and failures to maintain and preserve electronic communications in violation of certain record-keeping provisions in the federal securities laws. As part of the investigation, SEC staff collected communications from the personal devices of a sampling of various firm personnel, including senior executives. The SEC found that the use of “off-channel communications” at each of the firms was “pervasive” at all seniority levels, noting that it had found thousands or tens of thousands of off-channel messages about business matters at each of the firms. In the September 2022 announcement of charges against multiple firms, SEC Chair Gary Gensler explained the need to communicate “about business matters within only official channels,” and he promised that the SEC would “continue to ensure compliance with these laws” in its investigations and enforcement work. Indeed, in early November, Gensler announced that the agency was continuing to investigate the use of platforms such as WhatsApp by firms subject to SEC oversight. And in their latest quarterly filings, at least three private equity firms disclosed that they had received inquiries from the SEC about their employees’ use of third-party text messaging applications.

The government’s focus on this area extends far beyond these high-profile matters. Indeed, it has become routine in any investigation for the government to insist that companies forensically image their employees’ personal devices, and that any document collection and production include data from third-party messaging apps. Claims that employees do not text or message about work will be met with skepticism; the government knows how common it is for employees to use these channels. Yet when a company seeks to comply with such a request from the government, it can expect serious resistance from its employees, who understandably seek to shield their personal data from scrutiny.

In navigating these competing interests, companies should also be mindful of local, state, federal, and foreign privacy and labor laws that apply to employee data.  For example, some laws grant employees rights over their data, including deletion rights, which could impair a company’s ability to archive or share certain employee data. Similarly, companies that monitor the communications of their employees, including through mobile device management software, should ensure that they comply with applicable laws such as those on surveillance. Companies should keep in mind that laws governing employee data may apply irrespective of any DOJ, SEC, or other regulatory investigations or enforcement actions.     

What can companies do now to address these issues?

• Implement or strengthen policies and procedures governing the use of personal devices and third-party messaging platforms.
  • Limit work-related communications to specific platforms and apps with settings prohibiting the permanent deletion of data (i.e., no work-related communications on “ephemeral and encrypted messaging applications” like WhatsApp, Signal, etc.)
  • Notify employees that data on their personal devices can and will be preserved, collected, and produced if the devices are used for business purposes
  • Conduct ongoing assessments to ensure that data on personal devices is preserved and can be collected if needed
  • Include and enforce clear consequences for violating policies and practices

• Provide training on policies and procedures. It is not enough that the policies and procedures exist; companies must be able to demonstrate awareness, compliance and enforcement.

• Survey employees to understand use of personal devices and third-party messaging apps for work purposes. Survey responses will help companies better tailor their policies and procedures, as well as any related training.

• Consider the impact of privacy and labor laws that may apply to employee data and the company’s related activities.

In addition, Monaco instructed the DOJ’s Criminal Division to investigate and include corporate best practices on the use of personal devices and messaging apps in the next edition of its Evaluation of Corporate Compliance Programs, so be on the lookout for this publication, and update any policies and procedures as needed.

Authors

Randall R. Lee

Alexandra Mayhugh

Christian Lee

Bloomberg had published two reports about a US-based executive who was the subject of a criminal investigation in the UK. One of the reports described a confidential letter of request for mutual legal assistance to foreign authorities, including details of the theory of suspected fraud. The executive successfully sued Bloomberg for the misuse of private information. Bloomberg appealed, arguing that individuals under investigation do not have a reasonable expectation of privacy, and that the general public is cognisant of the presumption of innocence.

Last month, the UK Supreme Court dismissed Bloomberg’s appeal, explaining:

‘[A]s a legitimate starting point, a person under criminal investigation has, prior to being charged, a reasonable expectation of privacy in respect of information relating to that investigation and that in all the circumstances this is a case in which that applies and there is such an expectation’ (emphasis added)

The Supreme Court emphasised that while each individual case must be assessed according to the particular facts in play, it is a broad matter of public policy that individuals are not identified by enforcement authorities prior to charge because there is a significant risk to causing irreversible damage to an individual’s reputation by publishing such a fact. The Supreme Court’s view was that there was scant justification to allow media organisations to bypass this principle.

What this means for businesses and individuals

Media organisations in the UK must be cautious when reporting about individuals who are under criminal investigation but not yet charged. Individuals can take some comfort in knowing that they will have recourse if their identity, or details relating to their involvement in a criminal investigation, are made public before a charging decision. We note, however, that these cases generally turn on their facts. We recommend that businesses and individuals under investigation take steps to prevent the identities of suspects under investigation prior to charge, and the facts under investigation, from being disclosed, particularly now that the Supreme Court has re-emphasised the right of suspects to privacy in the UK.

Contributors: Tom Epps, Andrew Goldstein, Benjamin Sharrock

We have previously written about the risks of government enforcement for companies that received CARES Act funds. Companies and their executives may face civil and criminal liability under federal law, including under the False Claims Act, for their actions related to participation in the pandemic relief program. To date, the DOJ has brought criminal charges against 1,000+ defendants with alleged losses exceeding $1.1 billion, and more than 240 civil investigations into 1,800+ individuals and entities for misconduct in connection with a total of more than $6 billion in pandemic relief loans. While the majority of those prosecutions and investigations have involved clear fraud schemes, the DOJ has signaled aggressive scrutiny of a broader range of activity, including by entities that processed fraudulent loans. As we explained previously, while government enforcement may be slow at first in the wake of a crisis, it often increases, rather than decreases, as the crisis wanes.

White House and DOJ plan significant increase in pandemic fraud investigations

President Joe Biden first previewed the DOJ’s plans to appoint a Director for COVID-19 Fraud Enforcement in his State of the Union Address on March 1. In a fact sheet released that same day, the White House explained that the director would lead teams of specialized prosecutors and agents focused on major targets of pandemic fraud, such as those “committing large-scale identity theft, including foreign-based actors.” The teams, which the White House called “strike force teams,” will also use “state-of-the-art data analytics tools” to identify complex fraud schemes, signaling that investigations could be initiated by data analytics tools alone. This focus on the use of data analytics continues a trend that has been predominant in other areas of fraud investigations, particularly healthcare fraud enforcement.

Further exemplifying the commitment by Biden and the DOJ to uncover pandemic fraud, Attorney General Merrick Garland announced during a speech on March 3 that the DOJ will hire 120 additional attorneys to bolster efforts to combat pandemic-related fraud. Garland also promised continued focus on white collar crime more broadly, and noted that in 2021, US attorney’s offices throughout the country charged 5,521 individuals with white collar crimes, representing a 10% increase over the previous year. Garland touted this increase as due in part to “a major crackdown on all forms of pandemic-related fraud, particularly as related to CARES Act programs like the Paycheck Protection Program and the Provider Relief Fund.”

Dealing with a government investigation

The DOJ has been conducting COVID-related investigations into companies and individuals since soon after the CARES Act was enacted, but the DOJ’s increased commitment to pursuing pandemic-related fraud with the appointment of a Director for COVID-19 Fraud Enforcement and additional attorneys likely will result in a greater number and broader range of investigations and enforcement actions over the next few years. Additionally, the DOJ’s use of data analytics tools to identify what it deems to be outlier or questionable loans could result in companies receiving a subpoena or civil investigative demand (CID) based on nothing more than statistics. Of course, analytical data is rarely definitive proof of misconduct. A company that is prepared to promptly respond to a subpoena or CID with documents and information supporting eligibility and compliance with program requirements may be able to resolve or significantly narrow an investigation.

That is why we recommend that companies get ahead of any potential investigation by verifying that appropriate documentation exists – and will continue to be preserved – to support initial loan certifications, compliance with loan terms, and any subsequent certifications and/or claims made to the government. This becomes particularly important as time passes, and especially if employee turnover has occurred since this documentation was originally created. The same is true for nonrecipient entities, such as lenders and other financial institutions, who may begin receiving an increased number of inquiries.

As we have previously written, while most inquiries to lenders will still target potentially fraudulent borrowers, lenders could expose themselves to greater scrutiny if they are unable to produce the documents and information they were required to collect from borrowers under certain CARES Act programs, or if regulators notice a pattern of fraudulent borrowing tied to a single institution. Further, companies – both borrowers and lenders – can minimize exposure by ensuring that internal allegations are taken seriously, addressed and resolved in a timely fashion, as whistleblowers often report claims of fraud internally before going to the government. Finally, a parallel internal investigation or review in the face of a government investigation is often critical to identifying helpful and potentially problematic information to best protect and advocate on behalf of the company.

Contributors: Daniel Grooms, Andrew Goldstein, Shamis Beckley, Michelle Rogers, Alexandra Eber, Allegra Flamm

Speaking on a panel at the American Bar Association’s National Institute on White Collar Crime, Powers was asked whether the DOJ was committed to prosecuting monopolization cases, and whether this meant the Antitrust Division was prepared to bring criminal charges under Section 2 of the Sherman Act. Powers responded that he was not “making any announcements,” but that the short answer was “yes, absolutely.”

Powers further explained that “Congress made violations of the Sherman Act, both Section 1 and Section 2, a crime … and Section 2 is a felony just like Section 1, and that’s been true since the 1970s.” He said that Section 2 charges were historically brought alongside Section 1 charges, “when companies and executives committed flagrant offenses intended to monopolize markets.” Powers further stressed that “[m]arket concentration and consolidation is not only a civil antitrust issue; consolidated industries tend to harbor price-fixing conspiracies and other forms of collusion or anticompetitive conduct.”

Powers’ comments came after Assistant Attorney General Jonathan Kanter’s January 2022 remarks in which he expressed concerns about “a dearth of Section 2 case law addressing modern markets.”

Section 2 of the Sherman Act makes it a felony punishable by up to ten years of imprisonment for any person to “monopolize, or attempt to monopolize, or combine or conspire with any other person or persons, to monopolize any part of the trade or commerce among the several States, or with foreign nations … .”
 
But even though attempts to monopolize commerce are a felony under the statute, the DOJ has not brought criminal charges against companies or individuals under Section 2 for decades.

What to know

Undoubtedly, Powers’ comments came as a surprise – not only because the DOJ has not criminally prosecuted Section 2 violations in more than 40 years, but because Powers did not provide concrete guidance as to how the Antitrust Division intends to implement this significant policy shift. Without further guidance, it is difficult for companies to understand what they should be doing to avoid DOJ scrutiny and how to best stay clear of potential criminal exposure.

Powers noted that criminal prosecutions would be directed to those who have committed the most obvious and “flagrant offenses intended to monopolize the market.” But it is unclear how this new approach will work in practice. Being a monopolist is not, in and of itself, unlawful under Section 2 of the Sherman Act. That is because sometimes monopolists or attempted monopolists have gained market power through better products or services, not through illegal means. In an attempt to not penalize companies who have succeeded on their merits, or suppress modernization, the antitrust laws are designed to only punish actors who are gaining monopoly power in an exclusionary way that harms competition. An analysis of what is exclusionary conduct that’s actionable under Section 2 requires an intensive market and economic analysis under the “rule of reason” – which provides that “antitrust law needs to be applied only to the unreasonable restraints of trade” – and can be complicated in the new economy, particularly for tech and pharma companies. To criminally prosecute some of these actors may result in overcorrection and a stifling of innovation.

In addition, Powers hinted that criminal Section 2 prosecutions could accompany charges under Section 1 of the Sherman Act, as “consolidated industries tend to harbor price-fixing conspiracies and other forms of collusion or anticompetitive conduct.” However, the Antitrust Division already has the ability to criminally prosecute Section 1 agreements, so it is unclear why the DOJ needs this additional tool in its arsenal.

The Antitrust Division declared a similarly drastic policy shift in 2016, announcing that it would be criminally prosecuting certain labor agreements, such as naked no poach or wage-fixing arrangements, which had previously been treated civilly. In that instance, the Antitrust Division and the Federal Trade Commission issued a joint publication titled “Antitrust Guidance for Human Resource Professionals,” which provided guidance on the types of conduct that may be a criminal violation. In the future, the Antitrust Division may issue more concrete guidance on the criminalization of Section 2.

A significant policy shift

In the meantime, companies should be on notice that criminal charges under Section 2 may be on the horizon. This is a significant policy shift and an aggressive expansion of the DOJ’s antitrust enforcement efforts, but it very much reflects the Biden administration’s strong emphasis on antitrust enforcement. Last year, in enacting a sweeping executive order focused on antitrust reform, President Joe Biden said, “[w]e are now 40 years into the experiment of letting giant corporations accumulate more and more power, and what have we gotten from it? Less growth, weakened investment, fewer small businesses. … I believe the experiment failed.”

As a result, as a first step, we encourage clients to invest in their antitrust compliance programs. The Antitrust Division has made clear that in evaluating charging decisions in criminal antitrust investigations, it will evaluate the effectiveness and robustness of a company’s pre-existing antitrust compliance program. This may prove critical in the face of criminal Section 2 charges.

Contributors: Beatriz Mejia, Dee Bansal, Andrew Goldstein, Howard Morse, Jacqueline Grise, Megan Browdie, Tanisha James, Alexandra Eber, Wazhma Sadat

Background

ZXC v. Bloomberg LP

In May 2020, the English Court of Appeal handed down its judgment in Bloomberg, a case concerning a US executive under investigation by an unspecified UK law enforcement body for allegations of corporate corruption. Having identified the subject in an initial report, Bloomberg published a second report describing a letter of request for mutual legal assistance from the investigator to foreign authorities, including details of the theory of suspected fraud. Of note:

• The letter was marked confidential.
• The investigation was in its early stages.
• The individual had not been arrested.

The individual successfully obtained an award of damages for violation of their Article 8 privacy rights, and Bloomberg appealed.

The Court of Appeal affirmed the ruling, relying on the two-stage balancing exercise customarily used by UK courts:

1. Does the claimant have a reasonable expectation of privacy in the relevant information?
2. If yes, is this expectation outweighed by a countervailing interest in the right to freedom of expression?

The Court of Appeal found that the balance tipped in favour of privacy, even though the investigation related to the business dealings of a large international company and included matters of ‘high public interest’.¹ A key reason why the suspect’s Article 8 rights prevailed was the potential damage to the suspect’s reputation and the risk that the public would overlook the fundamental legal principle that those accused of an offence are deemed innocent until proven guilty.²

Bloomberg appealed to the Supreme Court. Counsel for Bloomberg argued that the Court of Appeal applied an incorrect approach, and that individuals under investigation do not have a reasonable expectation of privacy, even in the absence of charges. If the Supreme Court were to adopt Bloomberg’s argument, it would constitute a marked shift in how UK courts have treated these cases. The Supreme Court’s judgment is expected imminently.

Amec Foster Wheeler Energy Limited deferred prosecution agreement

Relatedly, the English High Court recently addressed the privacy rights of individuals under investigation by the UK Serious Fraud Office (SFO) in the course of its approving a deferred prosecution agreement (DPA) between the SFO and Amec Foster Wheeler Energy Limited (AFW) that brought allegations of bribery and corruption against AFW.

In its consideration of the DPA, the High Court noted that the individuals allegedly involved in the misconduct had neither testified nor agreed to the DPA’s version of the facts. As such, the High Court ordered the postponement of publication of the statement of facts and the indictment containing those individuals’ names in order to avoid substantial risk of prejudice to the administration of justice. The High Court also added a third-party disclaimer to the DPA clarifying that only AFW had been found culpable – not any particular individual.

The High Court intended to consider whether the statement of facts and indictment should be published once individual charging decisions had been made, but the SFO has since declined to prosecute any individuals. On 4 February 2022, the High Court approved an agreement between the SFO and the relevant individuals that only an anonymised statement of facts be published, thus balancing the SFO’s goal of transparency and those individuals’ right to privacy.

Looking ahead

The Supreme Court’s judgment in ZXC v. Bloomberg LP will provide much-needed clarity on the scope of the right to privacy of individuals in criminal investigations. The impact of the judgment will be significant, and may curb the privacy rights of individuals identified as under investigation, especially in cases where charges may not be brought, and thus no evidence would be tested through a trial process.

While the High Court in the AFW case erred on the side of protecting the privacy of the individuals under investigation, courts will likely revisit these issues as future DPAs arise. It is also worth noting that the SFO’s current guidance on DPAs states that consideration must be given to the necessity and impact of publication of the identities of third parties, and whether it is compliant with data protection law and the ECHR.

In the meantime, on a practical note, companies and individuals who are weighing the impact of reporting possible misconduct to the authorities may wish to consider the potential effect of individuals’ identities being revealed to the public – and seek to mitigate such risk through careful negotiation with the authorities if a report to the authorities is made.

Contributors: Tom Epps, Benjamin Sharrock

Notes

1. See the judgment at https://www.bailii.org/ew/cases/EWCA/Civ/2020/611.html, para. 126.
2. See the judgment at https://www.bailii.org/ew/cases/EWCA/Civ/2020/611.html, para. 82.

Rao supervises the DOJ’s Consumer Protection Branch (CPB), which brings criminal and civil actions to enforce health and safety-related laws. The CPB works closely with the Food and Drug Administration to enforce the Food, Drug and Cosmetic Act (FDCA), the operative statute outlining the FDA’s mandate to protect the public health. The FDCA includes civil and criminal penalties, and these cases often begin with a referral from the FDA to the DOJ outlining the legal violations. The CPB has expanded significantly in recent years, and now has more than 90 prosecutors and more than 100 support personnel equipped to bring FDCA enforcement actions. Rao highlighted recent prosecutions against companies and individuals who falsified clinical trial data – and promised that more enforcement actions are on the way.

Here’s what you need to know.

Why the DOJ is focused on clinical trial fraud

According to Rao, clinical trial fraud has been and will continue to be a point of emphasis for the CPB, with a particular focus on cases in which companies have allegedly falsified clinical data. The CPB is devoting substantial attention to these cases both because they can pose immediate dangers to consumers and because fake studies can cause broader damage to “confidence in the healthcare industry as a whole.” These comments echoed recent remarks from CPB Director Gustav Eyler. In late 2020, Eyler called clinical trial fraud a “key area of drug and device related enforcement,” and warned that “bad research” can “do great harm – both to patients and to trust in the system.” Eyler also discussed these topics at this month’s FDLI conference.

The CPB’s priorities dovetail with the FDA’s focus on clinical trial data. Of note, Dr. Robert Califf, Biden’s nominee for FDA commissioner who led the agency in 2016, has been deeply involved in data initiatives related to FDA applications. He will likely continue to focus on clinical trials and data issues if confirmed to head the FDA. In his prepared remarks at a Senate confirmation hearing last week, Califf rated patient and consumer protection among his top priorities and identified the need for a “systematic approach to evidence generation” to improve patient safety.

Enforcement in the clinical trial space helps maintain the public’s trust in the FDA to determine the safety and efficacy of medical products. With heightened importance of the FDA’s processes during the COVID-19 pandemic, clinical trial fraud has, and will continue to be, top of mind for government regulators.

Recent prosecutions

Rao highlighted two recent examples of the CPB’s enforcement in the area of clinical trial fraud. First, he discussed a trial fraud scheme based at a facility called Unlimited Medical Research in Miami. According to the CPB, five individuals purported to conduct an asthma medication trial, reporting pediatric subjects’ visits, trials and payments. But according to Rao, “none of these things happened.” CPB has already secured multiple guilty pleas and significant prison terms – one doctor was sentenced to 63 months in prison – with at least one defendant awaiting trial.

Second, Rao discussed a clinical trial fraud scheme based at Tellus Clinical Research, also in Miami. In this case, eight individuals purported to perform trials intended to evaluate a number of medical conditions, including opioid dependency and diabetic nephropathy. CPB alleges that these conspirators wholly “invented” the information they submitted to the FDA, including trial data, medical records and the subjects themselves. This case is ongoing.

Potential penalties

Companies and individuals alleged to have committed clinical trial fraud face a range of civil and criminal penalties and remedies, depending on which charges prosecutors bring. In addition to possible FDCA felony violations, which can carry prison sentences of up to three years, prosecutors frequently bring wire and mail fraud charges where the penalties can escalate to up to 20 years of prison. FDCA and Title 18 charges – such as making false statements to the FDA – also carry heavy criminal fines.

Considering the DOJ’s stated emphasis on clinical trial fraud, we urge companies to stay vigilant with their compliance efforts.

Contributors: Andrew Goldstein, Daniel Grooms, Zach Hafer, Natasha Leskovsek, Sonia Nath and Vince Sampson

Since the onset of the COVID-19 pandemic, the number of whistleblower complaints received by regulators has exploded on both sides of the Atlantic. On November 15, 2021, the US Securities and Exchange Commission (SEC) reported that it paid out more in whistleblower awards in fiscal year 2021 than in all prior years combined since the whistleblower program began in 2011.[1] The agency announced that it paid out approximately $564 million to 108 individuals based on over 12,200 whistleblower tips – an approximately 76% increase in tips from fiscal year 2020. This comes after the agency reported a historic increase in the number of tips received in fiscal year 2020, including 6,900 whistleblower tips, which was the most it had ever received in a single fiscal year until that time.[2] The trend is similar in Europe, with two notable whistleblower protection charities (Protect[3] and WhistleB[4]) reporting an increase of up to 40% in the number of whistleblowing complaints in 2020-21 when compared to previous years.

COVID-19 itself is a major contributor to these growing whistleblower numbers. With many employees working from home, they may feel less connected to their employers and colleagues and more inclined to reach out to the authorities without first raising allegations to their employer (for example, by way of the confidential whistleblowing hotline maintained by the Financial Conduct Authority in the UK). In addition, whistleblowers may also find it easier to anonymously collect information relevant to their complaints when they have access to these materials from home.

Another factor is the exponentially growing size of financial incentives to blowing the whistle. In the past two years, for example, the SEC paid a $114 million award to a single whistleblower in October 2020 and a $110 million award to a whistleblower in September 2021, as well as two $50 million awards paid out since the onset of the pandemic.[5] With these awards, the program has now awarded more than $1.1 billion to whistleblowers since it began in 2011.[6]

Expectations are that this trend will only accelerate in light of the new harmonized protection environment for whistleblowers in the European Union (see the EU Whistleblowing Directive[7] due to be fully implemented by December 17, 2021). The legislation introduces new, broader protections to whistleblowers, not only during their working relationship with their employer, but also before they begin working and after they have left. While the UK is under no obligation to implement this new legislation, it is facing internal political pressure to pass legislation that broadly mirrors the rights and obligations contained within the directive.

In this environment of increased whistleblower complaints, it is vital that companies do two things well:

1. Be on the alert for whistleblowers and make sure they have an internal outlet for their complaints.
2. Have in place sound corporate governance policies and practices for handling complaints when they do arise.

Whistleblower hotlines

Well-designed whistleblower hotlines are critical for two reasons: Regulators in the US and the UK focus on them, and they encourage employees to report issues internally first, before reporting to a regulator. And the US Department of Justice (DOJ) corporate compliance program guidelines, the UK Bribery Act 2010 and the EU Whistleblowing Directive all make clear that regulators now expect companies to have strong whistleblower policies in place (with potentially serious inferences being drawn during an investigation in the absence of such policies). As such, effective whistleblower hotlines not only encourage internal reporting first – but may also help protect a company’s position vis-à-vis regulators in the long run.

In evaluating a company’s corporate governance framework, the DOJ considers an “efficient and trusted” whistleblower channel to be a “hallmark of a well-designed compliance program.”[8] In assessing the adequacy of a company’s whistleblower channel, the first thing the agency asks is whether the company has an anonymous reporting mechanism such as a whistleblower hotline that is publicized to employees and which they feel comfortable using.[9] Similarly, in the UK, the Department for Business, Energy & Industrial Strategy maintains a Code of Practice on whistleblowing, which notes that it is “good practice” for employers to “create an open, transparent and safe working environment where workers feel able to speak up” with “a facility for anonymous reporting.”[10] This is particularly important in the context of the Bribery Act 2010, under which it is a defense to an allegation of a failure to prevent bribery for an organization to demonstrate that it had “adequate procedures” in place designed to prevent such conduct.[11] The UK Ministry of Justice’s guidance makes it clear that whistleblowing policies and practice will be key elements to be assessed when determining whether a company has such “adequate procedures.”[12]

These days, the term “hotline” should be understood to refer to multiple avenues for submitting whistleblower complaints, including phone, email, text, mail and/or through a website, often managed by independent third-party providers. While there is no one-size-fits-all model for whistleblowing hotlines, a whistleblowing hotline should have several key features in order to promote good corporate governance. Among other things, a whistleblowing hotline should be:

• Toll-free, well publicized and accessible 24/7.
• Available with multilanguage support (as applicable).
• Anonymous, confidential and secure.
• Capable of escalating urgent matters to the executive level quickly (to the extent necessary).

Strategies for managing companies and other best practices

In addition to establishing and publicizing an anonymous whistleblower hotline, there are other best practices (outlined below) that companies should follow to handle whistleblower complaints to investigate properly, mitigate fall-out and be prepared for regulator inquiries.

Take whistleblower allegations seriously

All allegations should be appropriately investigated in order to determine what (if any) further action is required to correct the alleged misconduct. Resist the instinct to immediately question the veracity of the report or the motive of the whistleblower, and instead focus on the substance and seriousness of the complaint. Whistleblowers who are not taken seriously are more likely to report the allegations to regulators first without taking part in a company’s internal investigation. In addition, while there are of course instances in which whistleblower complaints are ill-informed or conceived from bad motives, many are not. And an investigation that is compromised by skepticism about the whistleblower may not be objective and may compromise the company’s ability to effectively respond, both internally and to regulators. To ensure that the allegations are viewed without skepticism, it will often be best practice for compliance, human resources or similarly situated departments – as opposed to the business chain of command – to bear principal responsibility for the investigation.

Know when to hire outside counsel and when to raise issues with auditors, the audit committee and/or board

Consulting with outside counsel early can ensure that the design of your whistleblower complaint investigation is sound, and the investigation is appropriately thorough. Depending on the significance of the matter, regulators may expect a thorough investigation conducted by external counsel, and may not view an internal investigation as independent. For example, complaints that rise to the level of misconduct by executives within the company, or relate to a company’s financial reporting, may require external counsel and are best escalated quickly. Of course, retaining outside counsel can be particularly helpful when allegations relate to fraud or bribery. Not all whistleblower complaints will require the assistance of outside counsel, but an early assessment and consultation with counsel typically should be conducted.

Treat whistleblowers thoughtfully and respectfully, and stay in contact where possible

Treating whistleblowers with respect is not only key to a corporate culture that fosters openness and encourages those with complaints to report internally first, but it is also sound practice from an investigative standpoint, as it will encourage whistleblowers to remain communicative and provide as much detail and information about the allegation as possible.

Don’t do anything that could be construed as retaliation or limiting communications between the whistleblower and regulators

In the US, the UK and the EU, whistleblower protections prohibit retaliation of any kind against a whistleblower. This includes explicit retaliation such as firing or demoting a whistleblower, as well as less-explicit retaliation such as changing a whistleblower’s hours, excluding a whistleblower from training meetings that affect prospects for promotion, or even isolating or ostracizing the whistleblower.[13]

Keep the whistleblower’s identity confidential to the extent practicable

Knowing that confidentiality will be maintained to the maximum extent will encourage whistleblower use of a company’s hotline and help avoid reporting outside of the company before first raising concerns internally. In addition, the fewer company officials and employees who know the whistleblower’s identity or even the existence of the whistleblower’s complaint, the fewer opportunities for retaliation. Of course, there will be times that investigations require counsel and key company contacts to know the identity of the whistleblower in order to conduct an effective investigation.

Stay in contact with the whistleblower

If the whistleblower hasn’t obtained outside counsel who won’t allow such contact, interview and speak with the whistleblower as much as possible – and maintain ongoing contact throughout the investigation. This should include setting expectations with the whistleblower regarding how long an investigation might take, so that the time it takes to make a thorough inquiry isn’t perceived as inattention to the complaint. While it won’t be possible to share certain information with the whistleblower, keeping the whistleblower as informed as possible may prevent the whistleblower from reporting to the government out of a sense that the company is not taking the allegations seriously. This will better position the company to self-report if and when the time is right.

Consider whether – and when – to self-report whistleblower allegations

If the company uncovers potential wrongdoing while investigating a whistleblower allegation, it should consider with its attorneys whether and when to self-report the allegations to the relevant regulatory agency. Self-reporting – particularly if done early – may result in reduced penalties for wrongdoing. In many instances, if the above steps are followed, a whistleblower may feel heard and not inclined to report the alleged misconduct to the authorities at all.

Conclusion

In this environment of increased whistleblower complaints and scrutiny from regulators, all companies – even those that have not yet received whistleblower complaints – would benefit from conducting an internal review of their whistleblowing procedures and internal investigation capabilities to ensure they are appropriate for the size of the company and in line with current standards set by regulators. This will help the company be ready to respond appropriately if and when whistleblower complaints arise.

Contributors: Shamis Beckley, Luke Cadigan, Russell Capone, Alexandra Eber, Tom Epps, Andrew Goldstein, Daniel Grooms, Randall Lee, Benjamin Sharrock

[1] US Securities and Exchange Commission, “2021 Annual Report to Congress: Whistleblower Program,” available at https://www.sec.gov/files/owb-2021-annual-report.pdf.

[2] US Securities and Exchange Commission, “2020 Annual Report to Congress: Whistleblower Program,” available at https://www.sec.gov/files/2020%20Annual%20Report_0.pdf.

[3] Protect. “Our 2020 Impact Report – Record Number of Whistleblowers Supported,” available at https://protect-advice.org.uk/our-2020-impact-report-record-number-of-whistleblowers-supported.

[4] WhistleB. “Sharp Increase in Whistleblowers During Corona,” available at https://whistleb.com/blog-news/sharp-increase-in-number-of-whistleblowers-during-corona.

[5] US Securities and Exchange Commission, “Whistleblower Awards,” available at https://www.sec.gov/page/whistleblower-100million.

[6] US Securities and Exchange Commission, “2021 Annual Report to Congress: Whistleblower Program.”

[7] Directive (EU) 2019/1937. European Union, EUR-LEX, available at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32019L1937

[8] US Department of Justice (Criminal Division), “Evaluation of Corporate Compliance Programs”(updated June 2020), available at https://www.justice.gov/criminal-fraud/page/file/937501/download.

[9] Id.

[10] Department for Business, Energy & Industrial Strategy, “Whistleblowing: Guidance for Employers and Code of Practice,” available at https://www.gov.uk/government/publications/whistleblowing-guidance-and-code-of-practice-for-employers.

[11] See https://www.legislation.gov.uk/ukpga/2010/23/crossheading/failure-of-commercial-organisations-to-prevent-bribery.

[12] Ministry of Justice, “The Bribery Act 2010 Guidance,” available at https://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf.

[13] See US Department of Labor, “Whistleblower Laws Enforced by OSHA,” available at https://www.whistleblowers.gov; and the Employment Rights Act 1966 (as amended by the Public Interest Disclosure Act 1998), available at https://www.legislation.gov.uk/ukpga/1996/18/contents and https://www.legislation.gov.uk/ukpga/1998/23/contents.

Last week, the #2 official at the Department of Justice announced significant new measures intended to strengthen the DOJ’s response to criminal corporate misconduct. In an address to the ABA’s National Institute on White Collar Crime in Miami, Deputy Attorney General Lisa Monaco announced three policy changes and identified future focus areas for corporate criminal enforcement, while stressing the importance of corporate compliance programs designed to prevent misconduct.

Three key policy changes

First, Monaco announced that the DOJ will restore 2015 guidance that required companies seeking cooperation credit in an investigation to provide the government with “all non-privileged information about individuals involved in or responsible for” potential misconduct “regardless of their position, status, or seniority.” To be eligible for such credit, companies will now be required to provide information about all relevant individuals, and not just those who are “substantially involved” in potential misconduct.

Second, the DOJ plans to evaluate the full universe of a company’s prior misconduct when making enforcement decisions, regardless of “whether or not that misconduct is similar to the conduct at issue in a particular investigation.” The DOJ’s amended “Principles of Federal Prosecution of Business Organizations” will direct prosecutors to “consider the full criminal, civil and regulatory record” of a company to reach an appropriate resolution.

Finally, Monaco reversed prior DOJ guidance disfavoring corporate monitors. Instead, she indicated that the DOJ may “require the imposition of independent monitors whenever it is appropriate to do so” in order to ensure “that a company is living up to its compliance and disclosure obligations” under deferred prosecution or non-prosecution agreements with the DOJ. Monaco also said that monitorships would no longer be considered an exception to the rule.

Monaco characterized these three shifts as “first steps,” but discussed additional areas where the DOJ is considering further action. For example, its newly formed Corporate Crime Advisory Group is considering whether deferred prosecution or non-prosecution agreements are appropriate for recidivist companies after a recent review found that between 10% and 20% of all significant corporate criminal resolutions involve companies that have previously entered into a resolution with the DOJ. Monaco cautioned that the DOJ has “no tolerance for companies that take advantage of pre-trial diversion by going on to continue to commit crimes.”

Monaco summarized the DOJ’s new approach as follows:

• Companies should actively review their compliance programs to ensure they are adequately monitoring for and remediating misconduct.
• For companies facing investigations, effective immediately, the DOJ will review their entire criminal, civil and regulatory record.
• Companies cooperating with the government will now need to identify all individuals potentially involved in the misconduct – not just those substantially involved – and produce all non-privileged information about those individuals’ involvement.
• For companies negotiating resolutions, there is no longer a default presumption against corporate monitors.
• These policy shifts represent the beginning, and not the end, of this administration’s actions to toughen its approach to corporate crime.

Key takeaways

As we previewed last year, the new DOJ policies continue to emphasize the crucial role that an effective compliance program will play in resolving corporate investigations. Each of these policy announcements makes clear the DOJ’s expectation that companies will make robust efforts to identify and prevent misconduct at the corporate and individual levels, and that expectation will be taken into account when determining the potential outcome of any enforcement action against the company being investigated.

To that end, companies should ensure their compliance programs reflect sincere efforts to identify and address the principal risks they face, and they should engage in a regular process of assessment and improvement of their compliance programs. Companies also should be prepared for more extensive proactive cooperation with the DOJ in criminal investigations, including measures to identify and provide information on all individuals involved in the conduct under investigation. Such updated policies and proactive remediation may also help prevent the perceived need for corporate monitors, which promise to make a comeback.

Monaco’s comments make clear that the DOJ will take a more holistic and aggressive approach to determining the appropriate outcome of its corporate criminal investigations, particularly for companies with a repeated history of misconduct. Such companies should expect their full record of past conduct to be a factor in any enforcement determination by the DOJ and should expect the DOJ to be less willing in repeat-offender situations to offer DPA and NPA resolutions.

Contributors: Russell Capone, Melissa Gohlke, Danny Grooms, Andrew Goldstein, Zach Hafer, Sonia Nath, and Wazhma Sadat

Using the False Claims Act (FCA) and other civil enforcement tools, the DOJ Fraud Section plans to target companies that provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations in their government contracts and elsewhere to monitor or report cybersecurity incidents and breaches. In her announcement, Monaco also noted that the FCA includes a unique whistleblower provision that awards individuals who report fraudulent conduct, incentivizing insiders and others to report cybersecurity incidents to the DOJ. The FCA also allows for triple damages, which means that the government can recover three times the amount of payment on a government contract that involves cyberfraud.

Monaco’s announcement is the latest in a series of efforts by the government to combat cybersecurity threats, which have become increasingly prevalent in recent months. Colonial Pipeline became a household name earlier this year when the company suffered a ransomware attack that shut down its operations, affecting gas supplies along the East Coast. Colonial reported the incident to the FBI, and the government later recovered part of the ransom Colonial paid to the hackers. In announcing the recovery in June by the DOJ’s Ransomware and Digital Extortion Task Force, Monaco emphasized the US will “spare no effort” in response to ransomware attacks targeting critical infrastructure.

In May, President Joe Biden issued an executive order outlining a range of initiatives to enhance cybersecurity and improve coordination and information-sharing with the private sector. Those initiatives include enhanced requirements on certain companies to collect and share data related to cybersecurity with federal government agencies and a requirement that IT service providers work with federal authorities to investigate cyber incidents.

Several bills are pending in Congress that would impose stricter reporting requirements on companies and give more power to the Cybersecurity and Infrastructure Security Agency (CISA) to investigate and regulate responses to cyberattacks. The Senate’s Sanction and Stop Ransomware Act would require critical infrastructure providers to report within 24 hours after discovering a ransomware attack, even if it is only “reasonably likely” to compromise the performance of a crucial function. Other proposals in the Senate and House would permit a 72-hour reporting window and give CISA subpoena power to investigate noncompliance. Proposed updates to the Federal Information Security Modernization Act would ensure that CISA, which operates under the Department of Homeland Security, is the primary organization regulating and responding to cyberattacks.

In addition, the SEC’s 4-year-old Cyber Unit has focused on targeting cyber-related misconduct, including charging companies for allegedly misleading investors by failing to disclose data breaches. As reported in a previous Cooley blog post, the SEC brought enforcement actions against two companies this summer for alleged failures to maintain adequate disclosure controls and procedures in connection with disclosing cybersecurity incidents at the companies.

What does this mean for businesses?

Preventing and rapidly responding to cyberattacks will remain a key priority for the DOJ for the foreseeable future. The recent expansion of the tools available to DOJ means that companies can expect to see increased scrutiny on their cybersecurity products and programs, their internal controls, and their assessment and reporting of potential threats and breaches. Companies may also see an increase in parallel civil and criminal investigations or multi-agency investigations (including by the FBI, SEC and CISA) relating to company cybersecurity programs and policies. Companies that do business with or receive government funding must ensure that their products are sufficient to prevent cyberattacks, and that they are fulfilling their obligations in their government contracts to safeguard data and maintain sufficient data security.

Other businesses should also expect increased scrutiny regarding their cybersecurity measures. The recent SEC settlements for disclosure controls violations involved a financial services company and educational services company, unrelated to government contracts. All companies should therefore proactively evaluate the strength of their cybersecurity infrastructure, including their internal monitoring and reporting processes, to identify and address potential issues before they become the subject of a government investigation.

Contributors: Russell Capone, Tiana Demas, Andrew Goldstein, Danny Grooms, John Hemann, Matt Kutcher, Julie Landsvik,

Enforcement scrutiny of SPACs

Over the past year, US securities markets have experienced an exponential rise in the use of special purpose acquisition companies (SPACs) as an alternative to traditional initial public offerings and direct listings. SEC staff members have published a stream of investor alerts, bulletins and other warnings, which are summarized here, about potential disclosure issues surrounding SPACs. Although the number of SPAC registrants has recently slowed, Chairman Gensler and SEC staff have continued to voice concerns about the SPAC boom.

During his congressional testimony in May 2021, for example, Chairman Gensler stated that the surge of SPACs raises several questions: “First and foremost, are SPAC investors being appropriately protected? Are retail investors getting the appropriate and accurate information they need at each stage – the first blank-check IPO stage and the second target IPO stage?” Chairman Gensler also expressed concern that the interests of SPAC sponsors, advisers and private investment in public equity (PIPE) investors may not be completely aligned with the interests of other investors. Chairman Gensler reported that the SEC is considering additional rules and guidance, and that multiple SEC divisions are closely monitoring SPACs to ensure the protection of investors.

There was little doubt that the Enforcement Division would also be focused on SPACs. On July 13, 2021, the SEC announced settled charges against a SPAC named Stable Road Acquisition Company, the SPAC’s CEO, and its proposed merger target Momentus Inc., an early-stage space transportation company, as well as litigated charges against Momentus’s CEO. The SEC alleged that Momentus and its CEO violated federal antifraud provisions by, among other things, falsely claiming that its propulsion system had been “successfully tested” in space. The SEC brought non-scienter claims against Stable Road and its CEO, alleging that Stable Road repeated the target’s misleading statements in public filings and failed to conduct adequate due diligence on the company. In a press release announcing the charges, Chairman Gensler pointedly observed: “The fact that Momentus lied to Stable Road does not absolve Stable Road of its failure to undertake adequate due diligence to protect shareholders.” 

Momentus, Stable Road and Stable Road’s CEO agreed to pay civil penalties of $7 million, $1 million, and $40,000, respectively. Momentus and Stable Road also agreed to provide PIPE investors with the right to terminate their subscription agreements prior to the shareholder vote to approve the merger, while Momentus agreed to create an independent board committee and to retain an independent compliance consultant to review the company’s ethics and compliance programs.

The Momentus action makes clear that, as expected, the SEC will be taking an aggressive approach to enforcement in the SPAC arena, with a focus not only on individuals and entities that mislead investors but also on those that it claims were negligent in failing to conduct adequate due diligence to ensure that statements appearing in public filings are accurate and not misleading. The speed with which the SEC brought this action is particularly noteworthy – the registration statement and amendments at issue were filed in late 2020 and March 2021, signaling a rapid investigation. And the fact that Chairman Gensler took the unusual step of commenting on these actions in the SEC’s press release reflects a clear intent to send a strong public message.

Highly active whistleblower program

Chairman Gensler has also emphasized his support for strengthening the SEC’s whistleblower program, pledging in written responses to questions by US Sen. Chuck Grassley that he is committed to reducing “processing times in SEC whistleblower award determinations” and agreeing “that awards should be granted in a timely manner, as whistleblowers often have to incur significant expenses and withstand significant uncertainty and distress when waiting for the SEC’s determination.” Recent trends indicate that he intends to follow through on these promises.

In fiscal year 2020, the SEC authorized whistleblower awards of roughly $175 million to 39 individuals – three times the number of individuals receiving awards as in the next-highest fiscal years. The pace and amount of SEC whistleblower awards have continued to increase at a rapid rate in Chairman Gensler’s first 100 days. Since issuing its first award under Chairman Gensler on April 23, 2021, the SEC issued awards to 35 individuals, totaling approximately $130 million.¹ These awards represent approximately 13% of the total awarded to all whistleblowers since the program’s inception in 2011, and more than 160% of the total awarded over the same time period in 2020.

On June 2, 2021, the SEC awarded approximately $23 million to two whistleblowers whose assistance led to successful SEC and related actions. One of the whistleblowers filed the application for the award 18 days after the 90-day deadline, typically a fatal procedural defect. Nevertheless, the SEC invoked its rarely used discretionary authority under Section 36(a) of the Exchange Act to waive the procedural defect and grant the whistleblower award. In doing so, the SEC noted that “[s]trict application of the deadline would result in undue hardship to [the claimant], particularly in light of [the claimant’s] significant contributions to the successful enforcement of the Covered Action and certain unique obstacles faced by” the whistleblower. Given that the waiver of the deadline has been denied in the past, this decision to invoke its discretionary authority demonstrates the value that the SEC’s current leadership places on whistleblower tips they deem meritorious.

Recent whistleblower awards also suggest that the SEC intends to interpret provisions of the federal securities laws in a manner designed to encourage whistleblowers to come forward. On May 19, 2021, the SEC announced an award of $28 million, one of largest ever issued under the program, even though the SEC determined there was “not a strong nexus between the Claimant’s information” and the underlying charges. In the final order, the SEC noted that although the “charges involved misconduct in geographical regions that were not the subject of the Claimant’s information,” an award would nonetheless be granted that “appropriately recognizes Claimant’s level of contribution to the Covered Action and Related Action.”

The pace of recent activity suggests that the SEC may soon surpass total whistleblower awards of $1 billion since issuing its first award in 2012. Moreover, the SEC’s recent decision not to require compliance with the application deadline signals the SEC’s emphasis on encouraging others to take advantage of the whistleblower program by reporting potential violations of the federal securities laws. In light of the increased activity of the SEC’s whistleblower program, companies should maintain robust compliance programs to identify and address potential issues proactively and through appropriate internal processes.

Continued focus on cybersecurity disclosures

The SEC has been scrutinizing public company disclosures surrounding cybersecurity risks for several years. In 2017, former Chairman Jay Clayton created a dedicated Cyber Unit within the Enforcement Division. This unit was responsible for the investigation that led to 2018 charges against Yahoo for allegedly misleading investors by failing to disclose a large data breach. And, in 2018, the SEC issued a public statement and new interpretive guidance on public company cybersecurity disclosures. Yet, despite the SEC’s professed focus on the space, charges against public companies for alleged cybersecurity disclosure failures have been rare. Indeed, past enforcement leadership was careful to message that the agency would not second-guess “good faith exercises of judgment about cyber-incident disclosure.”

In June 2021, however, the SEC announced settled charges against title insurer First American Financial Corporation arising out of the company’s disclosures regarding past cybersecurity incidents. According to the SEC, First American publicly disclosed in a June 2019 press statement and Form 8-K a cybersecurity vulnerability that had exposed more than 800 million images from title and escrow documents dating back to 2003, including images containing sensitive personal data such as Social Security numbers and financial information. In the 2019 press statement, First American claimed that it “took immediate action to address the situation and shut down external access to the application.”

The SEC found that at the time of the June 2019 disclosures, First American’s “information security personnel had been aware of the vulnerability for months and the company’s information technology personnel did not remediate it, leaving millions of document images exposed to potential unauthorized access for months.” According to the SEC, the senior executives responsible for the company’s public disclosures were not informed that information security personnel had flagged the vulnerability months earlier but didn’t remedy the issue. The SEC alleged that “[t]hese senior executives thus lacked certain information to fully evaluate the company’s cybersecurity responsiveness and the magnitude of the risk from the … vulnerability at the time they approved the company’s disclosures.” 

In the SEC’s announcement of the matter, Kristina Littman, chief of the Cyber Unit, stated: “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.” First American agreed to an order charging it with failing to maintain adequate cybersecurity disclosure controls and requiring it to pay a $487,616 penalty.

The First American case is notable because it is one of the first instances in which the SEC has brought charges in the absence of an actual data breach or intrusion by a third party. The focus was solely on whether the issuer’s policies, procedures and controls were adequate to ensure that senior management is made aware of significant cybersecurity vulnerabilities and incidents so that they can assess their materiality and disclosure implications.

In addition, in mid-June 2021, the SEC requested information from what appears to have been hundreds of public companies that it had reason to believe had been affected by the SolarWinds cyberattack. The SEC requested that these companies voluntarily provide information about when they learned they might have been affected, what if any impact it had had, and what, if anything, they had done to remediate the matter. In return, the SEC indicated it would not take enforcement action on those who voluntarily provided the requested information. To get the benefits of this offer, however, companies also had to disclose information about other cyber incidents (e.g., hacks, data breaches or ransomware attacks) since October 1, 2019, where third parties gained unauthorized access for more than 24 hours, regardless of materiality. With respect to this information about other compromises, the SEC said it would not promise no enforcement action but would instead evaluate each incident on a case-by-case basis.

The SEC’s request was notable for several reasons. It was signed by Melissa Hodgman, then acting director of the Division of Enforcement. Given that such requests typically come from line-level staff attorneys, and directors rarely if ever make such requests themselves, the SEC was clearly signaling the importance of this inquiry and the heightened importance of cyber investigations more generally. The breadth and scope of the request – sent to hundreds of public companies and requesting information about not only SolarWinds but also other incidents – was no doubt calculated to send a message to public companies as to the seriousness of the SEC’s focus on cybersecurity disclosures. Even though the majority of companies that received these requests are unlikely to have had incidents that should have been disclosed, the SEC’s actions have caused public companies to scrutinize their policies, procedures, and controls with respect to cyber incidents, their remediation and their disclosure. Indeed, with this voluntary request, the SEC has likely had more of an impact on the conduct of public companies than it could have with any single enforcement action.

Renewed emphasis on insider trading and Rule 10b5-1

Although insider trading has always been an Enforcement Division priority, the early days of Chairman Gensler’s term suggest a renewed focus on insider trading violations. In recent months, the SEC has brought multiple cases highlighting the agency’s ability to police difficult-to-detect insider trading schemes. For example, in June 2021, the SEC filed a case against a six-person Silicon Valley insider trading ring, and in July, it announced an enforcement action against a Greek national for selling insider trading tips on the dark web. In announcing the actions, the SEC emphasized the “sophisticated data analysis” employed by the SEC’s Market Abuse Unit and its commitment “to target misconduct wherever it occurs and regardless of perpetrators’ efforts to hide their tracks.” We expect the Enforcement Division to continue to devote considerable resources to insider trading investigations under Chairman Gensler’s leadership. 

Relatedly, in sweeps and various other investigations, the SEC has been requesting information focused on Rule 10b5-1 trading plans, including their implementation and execution. Since taking the helm, Chairman Gensler also has expressed concern about potential abuses of Rule 10b5-1 trading plans. Rule 10b5-1 was adopted by the SEC in 2000 to create an affirmative defense for companies and insiders who transact in company stock pursuant to a preestablished trading plan. The SEC’s updated rulemaking agenda suggests that the staff may soon recommend amendments to the rule.

Chairman Gensler has highlighted five potential gaps in the coverage of Rule 10b5-1: 

1. He has suggested that it may be appropriate to impose a mandatory multi-month delay between adoption of a plan and the first trade to mitigate the potential for misuse of material nonpublic information
2. He has asked the staff to consider limitations on when and how plans may be canceled
3. He has asked staff to consider requiring that companies, directors and officers disclose the adoption and terms of their plans
4. He has expressed concern that there is currently no limit on companies or insiders adopting multiple 10b5-1 plans or choosing among multiple plans one that is most favorable for a particular transaction
5. He has requested that staff consider amendments to address the relationship between 10b5-1 plans and corporate stock buybacks

The coming months will demonstrate whether the SEC truly intends to make sweeping amendments to Rule 10b5-1. In the meantime, companies should reevaluate their 10b5-1 policies. Companies that have already adopted some of these best practices, such as prohibiting cancelation of plans, adopting a plan during an issuer’s open trading window (usually shortly after announcing quarterly or annual results) and disclosing use of such plans in a company’s public filings, will be best positioned to adapt to future amendments to the rule and to avoid unwanted Division of Enforcement scrutiny.

ESG Task Force

Chairman Gensler’s SEC also appears poised to bring enforcement actions against companies that fail adequately to disclose environment, social and governance (ESG) risks. On March 4, 2021, the SEC announced the creation of a Climate and ESG Task Force within the Division of Enforcement. According to the SEC, the task force, consisting of 22 members drawn from throughout the Enforcement Division, will use “sophisticated data analysis” and focus initially on identifying material gaps or misstatements in issuers’ disclosures regarding climate risks. The task force will also analyze disclosure and compliance issues surrounding ESG strategies employed by investment advisers.

Since the creation of the task force, Chairman Gensler has reemphasized the SEC’s focus on ESG disclosures. In a statement on June 23, 2021, he announced that the SEC may adopt proposed rules to require enhanced ESG disclosures in areas including human capital management, diversity and climate change. In keeping with the agencywide focus on ESG disclosures, the Division of Examinations recently announced that an “Enhanced Focus on Climate-Related Risks” will be a key priority for 2021 exams of SEC registrants; these exams may in turn yield referrals to the Enforcement Division.

As Commissioner Hester Peirce has observed, the SEC has always pursued violations of its antifraud provisions, and the ESG task force’s enforcement actions will presumably “not be based on any new standard.” But with dedicated staff focused on scrutinizing potentially false or misleading ESG-related statements, the task force is sure to bring enforcement actions in this space. Public companies and registered entities should carefully consider their unique ESG and climate risk profile and the adequacy of existing disclosures to investors.

Conclusion

The SEC’s fiscal year ends on September 30, 2021. Typically, as the fiscal year end approaches, the SEC brings enforcement actions at an increased rate. The last months of the fiscal year also often include particularly significant and impactful cases. As the year progresses, we will continue to monitor emerging enforcement trends under Chairman Gensler and Director Grewal.

Contributors: Luke Cadigan, Patrick Gibbs, Randall Lee, Julianne Landsvik and Michael Welsh

Notes

1. Compare Press Release, SEC Awards Over $50 Million to Joint Whistleblowers, Release No. 2021-62 (Apr. 15, 2021) (noting approximately $812 million awarded to 151 individuals since 2012), available at https://www.sec.gov/news/press-release/2021-62, with Press Release, SEC Awards Nearly $3 Million to Whistleblower, Release No. 2021-134 (Jul. 21, 2021) (noting approximately $942 million awarded to 186 individuals since 2012), available at https://www.sec.gov/news/press-release/2021-134.

In a 6-3 opinion authored by Justice Amy Coney Barrett, the Court ruled against the government and for the criminal defendant, holding that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders or databases – that are off limits to him.” The court rejected the Justice Department’s argument that a person may “exceed authorized access” by accessing information on a computer for an “improper purpose” beyond the scope of authorized access (whether by contract, terms of service or other private agreement).

The Court’s decision emphasizes that the CFAA is focused on computer hacking, as opposed to “attach[ing] criminal penalties to a breathtaking amount of commonplace computer activity.”

Subsequently, on June 14, the Supreme Court vacated the Ninth Circuit’s judgment in another significant CFAA case, LinkedIn Corp. v. hiQ Labs, Inc., and remanded it for further consideration in light of Van Buren.

United States v. Van Buren

Nathan Van Buren was a state police sergeant authorized to use a database of license plate records for law enforcement purposes. In a sting operation, an FBI informant paid Van Buren to access the license database for personal reasons, which was a violation of departmental policy. Van Buren was convicted of violating the CFAA and sentenced to 18 months in prison. The US Court of Appeals for the Eleventh Circuit affirmed the conviction.

The Supreme Court – which had not ruled on the meaning of the CFAA since its enactment in 1986 – took the case to resolve a circuit split about whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) if they access the same information for an improper purpose. The case turned on the meaning of “exceeds authorized access.” Van Buren advocated for a narrow reading that would cover only where an authorized individual exceeds the scope of authorization by accessing an area of the computer that is prohibited. This interpretation, Van Buren argued, would align with the CFAA’s purpose to prevent hacking and ensure that otherwise authorized persons would not face federal criminal penalties for violating workplace computer-use policies or website terms of service. In contrast, the Justice Department contended that the statute’s plain text and historical background indicate Congress’s intent to broadly cover improper computer access, including circumstances in which an authorized individual accessed a computer with an improper purpose, as Van Buren indisputably had.

In reversing Van Buren’s conviction, the Court conclusively rejected the government’s position, holding that the “exceeds authorized access” prohibition only “covers those who obtain information from particular areas in the computer – such as files, folders or databases – to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.” The Court rejected the government’s argument that the “exceeds authorized access” clause “incorporate[s] purpose-based limits contained in contracts and workplace policies.” The Court characterized its ruling as a “gates-up-or-down” approach: “[O]ne either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” If a person “can” access the system or certain areas within it, that person does not violate Section 1030(a)(2) by doing so for an improper purpose.

The Court underscored that adopting the government’s interpretation of the statute “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” It would, for example, criminalize the conduct of an employee who uses a work computer to send a personal email and “everything from embellishing an online-dating profile to using a pseudonym on Facebook.” The Court rejected such a sweeping interpretation.

Impact on civil cases brought under the CFAA

The same provisions of the CFAA that provide for criminal liability allow, in certain circumstances, civil remedies for “[a]ny person who suffers damage or loss by reason of a violation of this section,” 18 U.S.C. § 1030(g). The Court’s reasoning in Van Buren concerning the meaning of “exceeds authorized access” also indicates its inclination to limit civil remedies under the CFAA to “hacking” cases in which the plaintiff suffers “technological harms” to computer systems or data.

Specifically, in rejecting the government’s position that the CFAA “incorporate[s] purpose-based limits contained in contracts and workplace policies,” the Court identified a “structural problem” related to the statute’s civil remedies. Justice Barrett explained that the defined terms “damage” and “loss,” which are a prerequisite to a CFAA civil action, “focus on technological harms – such as the corruption of files – of the type unauthorized users cause to computer systems and data.” Limiting the terms to technological harms “makes sense in a scheme ‘aimed at preventing the typical consequences of hacking.’” “Damage” and “loss” as defined by the CFAA, however, are “ill fitted … to remediating ‘misuse’ of sensitive information that employees may permissibly access using their computers.”

Impact on LinkedIn v. hiQ

Since September 2020, the Supreme Court had been holding the fully briefed petition for certiorari in another CFAA case, LinkedIn, presumably pending the resolution of Van Buren. LinkedIn presents additional interpretative issues about the CFAA’s “without authorization” bar. On June 14, 2021, the Court declined LinkedIn’s request to keep and decide the case itself, and instead remanded the case back to the Ninth Circuit for further consideration in light of Van Buren.

Analytics firm hiQ provides business intelligence based on publicly available user data it scrapes from LinkedIn. After receiving LinkedIn’s cease-and-desist letter that alleged it was violating the CFAA, hiQ sued for a preliminary injunction and a declaration that its conduct did not violate the CFAA. The district court granted the preliminary injunction forbidding LinkedIn from denying hiQ access to publicly available LinkedIn member profiles. The US Court of Appeals for the Ninth Circuit affirmed, holding that “when a computer network generally permits public access to its data,” automated data collection is not “without authorization.” In other words, it held that the CFAA does not prohibit scraping of material that is publicly available on the internet.

LinkedIn’s certiorari petition urged the Supreme Court to grant review to address whether companies deploying automated bots to scrape personal data from public websites – even after the website owner has expressly denied permission to access the data – violates the CFAA. Although Van Buren focused on the “exceeds authorized access” CFAA prong, whereas LinkedIn is focused on “without authorization,” the Court’s reasoning in Van Buren arguably is pertinent to several aspects of the dispute in LinkedIn. The remand presents the Ninth Circuit with its first opportunity to interpret Van Buren, including analyzing whether code-based measures to prevent scraping and sending a cease-and-desist letter constitute “gates” under the Court’s “gates-up-or-down” inquiry and thereby renders hiQ’s scraping “without authorization.” 

Implications for cybersecurity researchers

The Van Buren decision appears particularly favorable to cybersecurity researchers, whose work often involves accessing computer systems in ways that violate terms of service or other policies. For instance, a researcher might send automated requests to a website or computer network for the purpose of detecting security vulnerabilities. Many websites publish terms of service that forbid all types of automated requests, even if those requests are limited to public URLs and cause no damage on their own. Many white-hat researchers have thus been deterred by the threat of criminal prosecution under the CFAA for exceeding authorized access.

Van Buren mitigates this threat by rejecting the view that the CFAA allows criminal penalties for violating “circumstance-based access restrictions,” such as terms-of-service prohibitions on automated access to public systems. Rather, the criminal prohibitions are limited to someone who “accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders or databases – that are off limits to him.” In footnote 8, the Court expressly did not resolve the issue of whether an enforceable access restriction must be a technological restriction or it could also be contained in a policy or contract. Nonetheless, Van Buren is clear that the prohibition on “exceeding authorized access” is limited to areas of a computer that are off limits.

Contributors: Tiana Demas, Kathleen Hartnett, John Hemann, Travis LeBlanc, Joseph Mornin and Darina Shtrakhman

In a recent client alert, we discussed the dramatic rise in offerings of special purpose acquisition companies (SPACs) and some of the attendant litigation and enforcement risks. A raft of recent public statements and actions by Securities and Exchange Commission (SEC) staff reflect the agency’s enhanced scrutiny of these transactions and suggest that enforcement investigations (and ultimately actions) cannot be far behind.

In late March 2021, it was reported that the SEC’s Division of Enforcement had requested information from Wall Street banks regarding SPAC transactions. According to the reports, Enforcement staff requested information on topics including SPAC deal fees, compliance, reporting and internal controls. Enforcement’s areas of focus may include potential deficiencies in the due diligence SPACs perform before acquiring assets, and whether payouts to sponsors are sufficiently disclosed to investors.

Then, on March 31, 2021, Paul Munter, the SEC’s acting chief accountant in the Office of the Chief Accountant (OCA), issued a public statement titled, “Financial Reporting and Auditing Considerations of Companies Merging with SPACs.” In the statement, Munter observed that the “merger of a SPAC and target company often raises complex financial reporting and governance issues” and identified several areas of potential risk. Among other things, the statement highlighted the risk that “private companies that were not contemplating an IPO or were otherwise earlier in their preparations” may be unprepared for the rigorous financial reporting and internal control requirements expected of public companies and asked stakeholders to give “careful consideration [to] whether the target company has a clear, comprehensive plan to be prepared to be a public company.”

Next, on April 8, 2021, John Coates, the acting director of the SEC’s Division of Corporation Finance (Corp Fin) issued a public statement titled, “SPACs, IPOs and Liability Risk under the Securities Laws.” According to the statement, the SEC staff “are continuing to look carefully at filings and disclosures by SPACs and their private targets.” The statement specifically identified a range of potential federal securities law violations that may arise in the context of SPAC transactions. Notably, Coates questioned whether de-SPAC transactions are covered by the protections of the Private Securities Litigation Reform Act (PSLRA) and observed that, in any event, the PSLRA does not apply to actions brought by the SEC. Correspondingly, he cautioned on the risks of using forward-looking information, which he noted can be “untested, speculative, misleading or even fraudulent.” This was the second time in five months that Corp Fin had addressed the issue.

Most recently, on April 12, 2021, Munter and Coates issued a joint statement on accounting and reporting considerations for SPAC warrants. Walking through two “fact patterns” related to SPAC warrants, the Corp Fin and OCA staff indicated that under the circumstances presented, the warrants should have been classified as liabilities. In the first fact pattern, the staff opined that warrant provisions providing for potential changes to the settlement amounts based on the characteristics of the holder would preclude the warrants from being indexed to the entity’s stock, and thus the warrants should be classified as a liability. In the second fact pattern, the staff stated that warrants should be classified as liabilities if, in the event of a tender offer, all warrant holders would be entitled to cash, while only certain of the holders of the underlying shares of common stock would be entitled to cash. The staff concluded by advising SPAC registrants to consider the impact of the guidance on previously issued financial statements and to assess potential restatements.

Why it matters

These statements (along with two recent investor alerts) make clear that the SEC is heavily focused on the burgeoning SPAC market, that it is seeing issues that concern it, and that it is warning SPAC participants to attend to these issues. While statements from the SEC staff may come from different divisions and offices, they are clearly and carefully coordinated to meet certain goals. As a primary matter, these statements are designed to put parties, as well as their attorneys, accountants, and other advisers, on notice that the SEC is watching. As a secondary matter, such statements by staff in other divisions and offices should be viewed as harbingers of future Enforcement activity. Particularly in recent years, the SEC staff has become adept at issuing statements by the likes of Corp Fin and the Office of Compliance Inspections and Examinations and then following up with Enforcement activity on the same issues. The staff statements make it more difficult for parties to say to Enforcement that they did not realize they were engaged in violations.

Enforcement’s focus on SPACs is likely to be bolstered by the arrival of its new chair. Gary Gensler, who took an aggressive enforcement approach as head of the Commodity Futures Trading Commission, was sworn in on April 17, 2021. Gensler is expected to bring a more aggressive approach to enforcement than his predecessor, Jay Clayton, and he has already stated that at the top of his enforcement agenda, he intends to bring a heightened scrutiny to SPACs.

The recent public statements provide some insight into potential subjects of SPAC-related enforcement activity. Based on the statements by Corp Fin and OCA, one can expect Enforcement will initiate more investigations into SPAC disclosures in SEC filings. Ominously, in his April 8 statement, Munter made a point of reminding SPAC participants that material misstatements or omissions in de-SPAC proxy solicitations are subject to negligence-based liability under Exchange Act Section 14(a) and Rule 14a-9 thereunder, suggesting that the SEC may be willing to pursue a wider scope of conduct beyond outright fraud.

The most significant SPAC enforcement risks arise from disclosures during the IPO and in proxy and registration statements. The sponsor is expected to provide full and fair disclosures around potential risks, conflicts of interest, and other material facts related to each proposed transaction, including:

• Sponsors’ obligations and allegiance to parties other than the SPAC, i.e. relationships between the SPAC and target company and relationships between SPAC management and target management or any private investors;
• The control that the SPAC’s sponsors, directors, officers and their affiliates have over approval of a merger and their economic interest therein;
• The degree to which additional funding may dilute shareholders’ interest in the combined company; and
• The economic terms of the securities held by a SPAC’s sponsors, directors, officers and affiliates.

Enforcement (with the help of Corp Fin and OCA) will closely scrutinize disclosures around these issues. 

SPAC transactions and targets are primarily valued by the sponsor through the use of fairness opinions, due diligence, valuation assessments, financial projections and statements about the target’s future prospects (i.e. projections), rather than the market-based valuation that accompanies a traditional IPO process. (The valuation tends to be validated by the PIPE investors who often accompany transactions.) Enforcement will examine these forward-looking statements, particularly where high valuations have been assigned to early stage companies based on projected future performance.  Enforcement will also scrutinize whether risks of nonperformance have been adequately identified. Where a target’s expected future performance turns on assumptions such as business pipelines, for example, the SEC staff will likely pay particular attention to whether those assumptions have been vetted and whether the risks have been adequately described. And, as the SEC staff has recently reminded market participants, whatever the applicability of the PSLRA safe harbor to private litigation over SPACs, it provides no protection against government enforcement actions. We expect that the SEC staff will also focus on the post-merger combined public company. Post-merger public companies must abide by a myriad of financial reporting rules and regulations. Accordingly, like other public companies, they must maintain sufficient personnel, processes and controls to meet disclosure obligations and comply with financial reporting standards. A failure to scale these functions adequately creates a high risk of unwanted SEC scrutiny. In light of its recent inquiries to Wall Street, the SEC appears to be examining the role of gatekeepers—particularly underwriters and auditors—in the SPAC market with a critical eye. Finally, SPACs present multiple insider trading and selective disclosure concerns, particularly given the number of participants who may not be familiar with these issues and how they apply to SPACs. While the SEC has yet to issue any statements on this topic, we fully expect that Enforcement will be looking at these issues as well.

Conclusion

For questions about the litigation and enforcement risks related to SPACs or more information on SEC enforcement matters, please contact a member of Cooley’s white collar defense and investigations and securities litigation groups. For more content on SPACs and the public securities arena generally, please visit Cooley’s SPACtivity page and Cooley’s PubCo blog.

Contributors: Luke Cadigan, Shannon Eagan, Koji Fukumura, Patrick Gibbs, Andrew Goldstein, John Hemann, Randall Lee, Jessica Valenzuela Santamaria, Elizabeth Skey and Walker Newell

The SEC recently brought charges against AT&T and three mid-level executives for selectively providing information to Wall Street analysts in alleged violation of Regulation Fair Disclosure (Reg FD). According to the complaint filed in the Southern District of New York, AT&T learned in March 2016 that a “steeper-than-expected” decline in its first quarter smartphone sales would lead the company to fall an estimated $1 billion short of analysts’ quarterly earnings estimates.

According to the SEC’s allegations, AT&T decided to make a public disclosure “to manage market expectations.” At a scheduled investor conference on March 9, 2016, AT&T’s CFO noted that its previous earnings release had included comments about the company’s decline in wireless equipment revenue and stated that he “would not be surprised” if that trend continued. 

Per the SEC’s complaint, the CFO then instructed an investor relations executive to make sure that his team was “working the analysts that still have equipment revenue too high” to get them to lower estimates in light of the decline. Three mid-level investor relations executives allegedly disclosed that data selectively, during private one-on-one calls, to approximately 20 analysts. The SEC alleges that these mid-level executives knew that the sales data was “material” to investors and therefore should have been widely disseminated.

Rather than settling the case as is typical in these matters, AT&T has pledged to fight the lawsuit and has characterized the SEC’s complaint as “a significant departure from the SEC’s own long-standing Regulation FD enforcement policy and … inconsistent with the testimony of all who participated in these conversations.” According to AT&T, the SEC did not “cite to a single witness involved in any of the analyst calls who believes that the investor relations executives conveyed material nonpublic information.” AT&T also contends that the conversations “concerned the widely reported, industry-wide phase-out of subsidy programs for new smartphone purchases and the impact of this trend on smartphone upgrade rates and equipment revenue,” which had already been discussed publicly. AT&T’s statement standing by its employees and attacking the SEC’s evidence and the basis for its action as “meritless” constitutes a remarkable public challenge to the SEC.

The case is notable for a few reasons. While the rule was promulgated more than 20 years ago, Reg FD enforcement cases are quite uncommon. Indeed, this is only the second time in the last five years that the SEC has brought Reg FD charges. Litigated Reg FD cases, particularly ones where individuals are charged, are even more uncommon; only a few such cases have been filed since Reg FD’s adoption in 2000. It is even more unusual given AT&T’s stature.

Typically, public companies, particularly those of AT&T’s size, would opt to settle – even when they believe the charges are not warranted – rather than take on the cost, exposure, and potential reputational harm that can attend litigation against the SEC. Clearly AT&T must have believed that the SEC was demanding too much in settlement. By the same token, the SEC’s willingness to litigate the case (including its claims against the employees) rather than settle the matter may suggest that the SEC’s current leadership is taking an even more aggressive view of public company enforcement, if not individual liability. The litigation will offer a rare chance for a court to clarify the parameters of this important rule governing selective disclosure.

Why it matters

The SEC’s charges signify that, although Reg FD enforcement actions have been rare, the SEC remains committed to pursuing Reg FD violations where it believes such action is warranted. Accordingly, public company legal, finance, and investor relations teams should pay close attention to the AT&T case. One-on-one meetings with analysts are nothing new, but public companies should tread lightly. Such have long been viewed as a vehicle for disproportionate disclosure, and this case may indicate a more active SEC focus on potential Reg FD violations. Public companies can mitigate this risk by:

• Adopting and enforcing a compliance policy, an earnings guidance policy and comprehensive disclosure controls designed to promote Reg FD compliance and to detect violations
• Ensuring that at least two company representatives are present for any discussion with analysts
• Providing regular Reg FD compliance training
• Maintaining all public statements in one repository (SEC filings, press releases, transcripts of conference calls, etc.)
• Establishing a protocol for unintentional selective disclosures (public companies must publicly disclose material nonpublic information following an unintentional selective disclosure before the later of 24 hours or the beginning of the next day’s trading on the New York Stock Exchange)
• Designating a corporate officer to be responsible for deciding whether information is material, determining whether it already has been disclosed to the public and answering questions regarding Reg FD compliance
• Identifying a team responsible for working with that corporate officer on any Reg FD disclosures.  That team should include representatives from legal, investor relations and finance

For questions about mitigating Reg FD enforcement risks or more information on SEC enforcement matters generally, please contact a member of Cooley’s white collar defense and investigations and securities litigation groups. For more information and content on corporate disclosures and the public securities arena generally, please visit Cooley’s PubCo blog.

Contributors: Luke Cadigan, Shannon Eagan, Koji Fukumura, Patrick Gibbs, Andrew Goldstein, John Hemann, Randall Lee, Jessica Valenzuela Santamaria, Elizabeth Skey and Walker Newell

This first civil settlement confirms that the government will actively and aggressively pursue borrowers and individuals involved in alleged PPP loan fraud.

The government’s allegations

The settlement agreement sets out a lengthy recitation of facts, for which SlideBelts and Taylor “admit, acknowledge[d], and accept[ed] responsibility.” Specifically, the settlement agreement states that, on April 3, 8 and 14, SlideBelts submitted three applications for PPP loans to three different federally insured banks, ranging from $300,000 to $350,000, and falsely stated, in response to Question 1 on each loan application, that SlideBelts was not “presently involved in any bankruptcy,” although at the time SlideBelts was in fact a debtor in bankruptcy proceedings.

The settlement agreement states that, on April 10, the first lender rejected SlideBelts’ application and advised Taylor that he had answered Question 1 incorrectly because the lender knew SlideBelts was presently in bankruptcy. According to the settlement agreement, “Taylor responded that his answer was an ‘[o]versight,’ but nonetheless argued that the question regarding bankruptcy in the application was ‘an overreach’” by the US Small Business Administration. On April 14, Taylor again reached out to the first lender and stated that the term bankruptcy should not be included in Question 1 of the PPP loan application and asked the lender to approve the loan. But the lender again rejected the request, repeating that SlideBelts was definitively not eligible for a PPP loan because it was in bankruptcy. Three hours later, SlideBelts submitted a third application to a different lender, making the same false statement.

The second lender ultimately approved SlideBelts’ application before the third lender and extended a $350,000 PPP loan. According to the settlement agreement, “Taylor signed the loan note with [the second lender] and stated falsely that SlideBelts was not in bankruptcy to influence [the second lender] to execute the note and disburse the loan proceeds to SlideBelts.” The settlement agreement also states that “Taylor’s and SlideBelts’ false statements caused [the second lender] to submit a false claim to the SBA for $17,500 in loan processing fees, which the SBA paid to” the second lender.

On April 22, the day after the second lender disbursed the loan to SlideBelts, Taylor emailed the second lender “explaining that SlideBelts had ‘just realized that we may not have answered [Question 1] correctly since we filled out the application quickly and wanted to bring it to your attention[.]’” SlideBelts did not return the loan; instead, eight days later, SlideBelts filed a motion in bankruptcy court seeking retroactive approval of the PPP loan. According to the settlement agreement, SlideBelts’ motion “did not disclose to the [bankruptcy] [c]ourt that it had obtained the loan by making a false statement to [the second lender] concerning its status in bankruptcy.”

On June 16, the SBA opposed SlideBelts’ motion and requested that the court order SlideBelts to return the loan. The second lender joined the SBA’s opposition. However, SlideBelts did not return the loan and instead asked the bankruptcy court to dismiss the case so that it could refile for bankruptcy later and “apply for [PPP] funds while the case is dismissed.” The bankruptcy court granted SlideBelts’ motion to dismiss its bankruptcy case and, on July 8, SlideBelts returned the $350,000 loan to the second lender.

Notably, the government does not appear to allege that SlideBelts would not have qualified for a PPP loan had it not been in bankruptcy proceedings or that SlideBelts had misspent the loan funds before it returned them.

The government contends that SlideBelts and Taylor (i) violated the FIRREA for having made false statements on its loan applications and having committed bank and wire fraud, and (ii) violated the FCA for having made false statements and having caused the lender to submit a false claim for processing fees, and, as a result, that they “are liable to the United States for damages and penalties totaling $4,196,992.”

Lessons learned

The government’s civil settlement with SlideBelts and Taylor sends several notable messages to the PPP borrower community:

• Individuals will be held responsible: The settlement with Taylor is consistent with the DOJ’s continued pursuit of individuals in FCA cases. Indeed, the settlement agreement specifically calls out Taylor as having answered the questions on the PPP loan application and for having made allegedly false statements to lenders. The settlement, which was done on an “inability to pay” basis, also considered Taylor’s financial disclosures and provides that $17,500 of the $100,000 settlement amount (likely attributable to the $17,500 in loan processing fees) “constitutes restitution from Taylor”

• The DOJ and SBA will not shy away from smaller civil settlements: SlideBelts received a $350,000 PPP loan, which is far less than the loan amounts at issue even in some of the DOJ’s recent criminal prosecutions. That the DOJ would announce a comparatively small loan as its first civil settlement signals that the DOJ will not shy away from pursuing borrowers of smaller PPP loans that it suspects of wrongdoing

• Expect to hear more about FIRREA: FIRREA imposes large civil penalties for violations of 14 specified criminal statutes, such as bank and mail/wire fraud statutes “affecting a federally insured financial institution.” Little was said of FIRREA following its enactment in 1989, but it received new life following the 2008 financial crisis. FIRREA’s prominence in the settlement with SlideBelts and Taylor indicates that the government will not hesitate to use this potent tool in future civil settlements. Likewise, although the government opted to settle these claims under FIRREA, with its less demanding burden of proof, the settlement serves as a reminder that borrowers, and particularly individuals, may be subject to criminal liability for PPP loan fraud

• Inability to pay settlements may get a shot in the arm: The DOJ has long been willing to consider an entity’s assertion that it is unable to pay the amount the DOJ demands because it lacks sufficient assets to pay the government and meet its ordinary and necessary expenses. In policy guidance recently issued in September, the DOJ clarified this policy around a defendant’s “inability to pay,” perhaps in anticipation of PPP settlements. Considering the economic factors driving PPP loan applications, the DOJ’s settlement with SlideBelts and Taylor – which was done on an inability to pay basis with an upfront partial payment and payments over time, with interest – may signal that the DOJ will be willing to settle other civil PPP cases on similar terms

• The DOJ and SBA are staying true to their word: The SBA has consistently reminded borrowers that it retains the ability to review any PPP loan at any time for any reason and included clear language in the application documents regarding the applicability of civil and criminal statutes and penalties for intentional misstatements. This settlement confirms the SBA is serious

Conclusion

With more than $525 billion in PPP funds disbursed for more than five million loans through the end of the original program last August, and more on the way as first-draw PPP loans were reauthorized and second-draw PPP loan applications are now being accepted, this long-awaited first civil settlement under the PPP is likely the first of many more to come. Indeed, over the next few months, it is likely that civil qui tam cases are likely to come to light, making this case just the tip of the iceberg.

Contributors: Daniel Grooms, Erin Estevez and Michael McMahon

President Joe Biden announced that he would nominate Gary Gensler to serve as the next chairman of the US Securities and Exchange Commission. Gensler formerly served as head of the Commodity Futures Trading Commission, where he developed a reputation as a tough regulator in the wake of the financial crisis. This change in leadership at the SEC will likely herald an increased focus on enforcement matters.

Corporate disclosure and financial reporting investigations have always been a key feature of the SEC’s mission. Under the leadership of former Chairman Jay Clayton, the SEC was criticized by some policymakers as not being tough enough. Given the profile of new leadership, recently passed legislation that expands the SEC’s authority and increases its budget and the likely priorities of a Democratic-controlled government, corporations should be prepared for a better resourced and more aggressive SEC Division of Enforcement, with a renewed focus on investigating perceived misconduct at both publicly traded and emerging companies.

Why it matters for public companies

The SEC has traditionally considered public company disclosure cases an area of focus, and this focus should intensify under the new administration. With more resources, the Division of Enforcement will open more investigations into public companies.

One likely area of increased scrutiny will be the conduct and culpability of senior executives. Under the outgoing leadership, CEOs were charged in about one-third of the SEC’s public company cases and CFOs were charged at a similar rate. New leadership will likely empower the Division of Enforcement staff to pursue more cases against senior executives, using creative legal tools in the agency’s toolbox to charge those individuals even when there is no evidence of fraud, rather than charging only the company.

More broadly, to prove the agency’s renewed commitment to policing public companies, new leadership will likely rely on lesser charges and creative factual theories to bring more cases. The SEC has long had the ability to bring negligence-based fraud charges against public companies and executives where, presumably, the evidence did not support knowing or reckless fraud. It has traditionally threatened companies with intentional fraud charges as a means of getting them to settle ultimately to negligence-based fraud charges. Cases that result in negligence-based fraud charges are no less expensive to defend, and like intentional fraud cases, they also cause reputational damage and often include significant monetary penalties. For example, the SEC’s settled actions against General Electric ($200 million penalty), Yahoo ($35 million penalty), Walgreens ($34.5 million penalty), Mylan ($30 million penalty) and Super Micro Computer ($17.5 million penalty) were all negligence-only matters. As the SEC’s new leadership seeks to prove it is more aggressive than its predecessor, we are likely to see the agency willing to pursue more marginal cases and ultimately seek more settlements and/or bring more litigated actions charging only negligence. Finally, even in the absence of negligence, the agency will likely bring more strict liability charges against public companies, including reporting, books and records and internal controls violations.

In addition, US Congress recently passed the National Defense Authorization Act, which authorizes the SEC to seek disgorgement and extends its statute of limitations period from five to 10 years. After a series of US Supreme Court decisions seen as limiting the SEC’s authority, these changes dramatically expand the potential relief the SEC can seek and will expand the scope and cost of its investigations. At the same time, one can expect that, as under prior administrations, the SEC will push for higher penalties from corporations.

We expect that under the new administration, the SEC will use its expanded authority and resources to more aggressively pursue securities violations at public companies. In the near term, we expect particular scrutiny of high-visibility tech companies, life sciences companies under the microscope in the age of COVID-19 and post-IPO companies experiencing rapid growth.

Why it matters for private companies

Under the last Democratic administration, the SEC announced its Silicon Valley Initiative, which included a focus on the accuracy of disclosures made by pre-IPO unicorns. This focus bore some fruit under the outgoing SEC leadership, as the agency brought several enforcement actions against prominent venture-backed companies and funds in the last few years. To date, the SEC has brought fraud charges against multiple founders, deployed Rule 701 to penalize a company for failing to provide employees with financial statements in connection with stock options grants and charged various individuals (including venture fund principals) in connection with pre-IPO investment management and advice.

Enforcement activity in this space will likely increase under new SEC leadership. High-visibility pre-IPO tech companies continue to attract sizeable investments and make frequent media headlines. Also, an ever-growing pool of investors – including retail investors – have exposure to these companies’ securities. To show that it is keeping this area safe for investors, the SEC is likely to bring more actions. All of this adds up to an increased risk of costly SEC enforcement investigations, which can create significant headwinds for emerging companies scaling quickly. 

Conclusion

For questions or more information on SEC enforcement matters, please contact a member of Cooley’s white collar defense and investigations and securities litigation groups. For more content on the public securities arena, please visit Cooley PubCo.

Contributors: Luke Cadigan, Shannon Eagan, Koji Fukumura, John H. Hemann, Randall R. Lee, Walker Newell, Jessica Valenzuela Santamaria and Elizabeth Skey

We have previously discussed what borrowers need to know if they accepted coronavirus relief funds and the many ways CARES Act funding can provide critical sources of money for both small and large businesses. We also have described the oversight bodies created by the CARES Act to police the use of disbursed funds, some of which are discussed below.

The CARES Act called on lenders to act with unprecedented speed to implement critical portions of the largest economic relief package in American history. In exchange, the government provided lenders with key liability protections, but those protections were not unlimited, and it appears at least some of those limits may begin to be tested. Here are answers to some of the top questions that may be on lenders’ minds during this uncertain time.

What do we know about regulator inquires of lenders so far?

In the past week, Reuters reported that federal regulators including the Department of Justice (DOJ), the Pandemic Response Accountability Committee (PRAC) and the Small Business Administration (SBA) Inspector General, have begun investigating whether lenders broke PPP program rules or other lending regulations. A source told Reuters that lenders are “looking for signs that lenders did not follow procedures, such as failing to properly vet borrowers’ payroll expense calculations; whether staff knowingly helped ineligible borrowers get loans; if lenders favored or discriminated against a borrower or group of borrowers; or had inconsistent lending processes or policies.” Reuters also reported that the Federal Deposit Insurance Corporation (FDIC), the New York Department of Financial Services (NYDFS), DOJ’s Civil Rights Division, and the Consumer Financial Protection Bureau (CFPB) all have expressed interest in assessing fair lending and anti-discrimination compliance in PPP lending practices.

On October 16, 2020, the House Select Subcommittee on the Coronavirus Crisis released a report finding that many large PPP lenders “failed to prioritize small businesses in underserved markets, including minority and women-owned businesses.” As part of its investigation, which began in June, the Select Subcommittee sent letters to several major investment banks and two banking industry associations. The report found that three of them processed PPP loans for larger commercial clients at more than twice the speed of smaller loans, contrary to what Congress intended for the program.

At least some targeted inquiries began while the PPP was still underway. On May 5, 2020, one large financial institution – whose participation in the PPP program initially was limited by the growth cap imposed by the Federal Reserve after the bank’s fake-account scandal – disclosed in a securities filing that it had received “formal and informal inquiries from federal and state governmental agencies regarding its offering of PPP loans.” On May 27, 2020, a regional bank based in Georgia, received a civil investigative demand from the DOJ pertaining to its PPP loan approvals and payment of agent fees.

What are the limits on lender protections?

Potential liability for PPP lenders has been limited in key ways. Most importantly, lenders were permitted to rely on borrowers’ certifications and supporting documentation in order to determine loan eligibility, including certifications regarding the necessity of the loan request, affiliate entities, employee headcount, payroll costs, and that the signer of the application was an authorized representative of the applicant. Lenders also are not required to externally verify the documentation a borrower submits in support of loan forgiveness.

Lenders were required, however, to perform a good faith review of PPP applicants’ payroll calculations and make an independent determination as to whether an applicant’s employees’ principal places of residence are in the United States. In addition, lenders were not relieved of their Know Your Customer and Bank Secrecy Act obligations and were required to comply with fair lending rules, which prohibit discrimination in lending.

Should lenders be worried if they receive document requests from regulators or oversight entities?

The overwhelming majority of inquiries that lenders receive from regulators still will target potentially fraudulent borrowers. In those instances, lenders risk losing the fees associated with loans for which borrowers are determined to be ineligible. Lenders could expose themselves to greater scrutiny, however, if they are unable to produce the documents and information they were required to collect from borrowers.

Lenders that do receive inquiries from state or federal regulators or from Congress that request documents or information probing their broader lending practices should take the outreach seriously. Lenders that have met their obligations should not expect to face liability where they relied in good faith on borrower representations that turned out to be fraudulent. In contrast, lenders that fell short of their obligations may face liability or reputational harm from these inquiries. Lenders that originated a significant number of ultimately fraudulent loans need to ensure these were not a result of employee complicity or failures of internal controls. Finally, particularly with the change in administrations, it is reasonable to expect regulators to scrutinize more closely any lending practices that may have disproportionately impacted minority and other underserved communities or that otherwise implicated fair lending rules.

What can lenders do now to limit their exposure?

Many lenders have already begun conducting post-lending reviews to make sure their compliance procedures were sound and that employees followed program rules.  Those that have not should consider whether such a review may pay dividends in later inquiries.  In addition, lenders should continue to preserve relevant documents pertaining to their PPP lending activity, including documentation of their own internal policies and practices for review and approval of PPP loan applications.

Contributors: Andrew Goldstein, Daniel Grooms, Alexandra Eber and Erin Estevez

1. Background

In February 2017, the DOJ’s Criminal Division released a document titled “Evaluation of Corporate Compliance Programs,” which was the first formal guidance issued by the DOJ dedicated to corporate compliance matters. The effectiveness of a corporate compliance program is a factor that prosecutors consider in making charging decisions, sentencing recommendations and determining the appropriate resolution in corporate criminal enforcement actions. The DOJ updated the guidance in April 2019 and again on June 1 this year.

Instead of a rigid formula, the guidance provides sample questions on 12 topics relevant to the evaluation of a corporate compliance program. The 12 topics are organized under three fundamental questions a prosecutor should ask:

• “Is the corporation’s compliance program well designed?”
• “Is the program being applied earnestly and in good faith?”
• “Does the corporation’s compliance program work” in practice?

2. June 2020 update

In the updated guidance, the DOJ provided additional questions on nine of the 12 topics while leaving the substance of the guidance unchanged. The key revisions, discussed below, reflect the DOJ’s evolved thinking in two areas.

An effective compliance program is tailored to the company’s specific needs and circumstances. While the previous version of the guidance recognized that companies have different risk profiles and solutions to reduce their risks, the updated guidance emphasizes that prosecutors should make a “reasonable, individualized determination,” and should consider factors such as “the company’s size, industry, geographic footprint, [and] regulatory landscape.” The updated guidance also instructs prosecutors to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”

A compliance programs is only considered effective if the company continually assesses and updates it. The updated guidance instructs prosecutors to evaluate the company’s performance on the 12 topics “both at the time of the offense and at the time of the charging decision and resolution.” Prosecutors are asked to consider whether the company’s risk assessment is subject to periodic review and whether the periodic review is “limited to a snapshot in time or based upon continuous access to operational data and information across functions.” The updated guidance places emphasis on whether a company’s compliance and control personnel have access to the relevant data to effectively monitor and test internal compliance. Prosecutors also are instructed to consider whether a company updates its risk assessment and compliance policies based on lessons learned from its own misconduct and that of companies with similar risk profiles. In addition, the updated guidance asks whether a company periodically tests the effectiveness of the reporting hotline and employees’ comfort in using it.

3. Key takeaways

In providing the updated guidance, the DOJ makes clear that an effective compliance program is one that is designed to meet the particular risk profile and needs of the company and then evolves with the company over time. A company should consider how it would explain the intentional design and implementation of its compliance program. It then needs to be proactive in testing the effectiveness of the program and making adjustments over time to address evolving needs and risks. A company should analyze the data it collects through its compliance program and perform periodic testing to identify compliance gaps and close them. Even a well-designed compliance program may become ineffective if the company’s risk profile changes and the company does not take necessary steps to update the program. In short, the DOJ will not consider a compliance program to be effective unless it works in practice, not only in theory.

Contributor: Bingxin Wu

You might recall that, under the PPP, to be eligible for a loan, a borrower had to certify that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant.” FAQs from the SBA indicated that borrowers were required to make this certification in good faith, taking into account their current business activity and their ability to access other sources of liquidity sufficient to support their ongoing operations in a manner that was not significantly detrimental to the business. However, the FAQs also made clear that public companies that applied for PPP loans would be under special scrutiny. For example, according to the FAQs, “it is unlikely that a public company with substantial market value and access to capital markets will be able to make the required certification in good faith, and such a company should be prepared to demonstrate to SBA, upon request, the basis for its certification.” The FAQs ultimately provided safe harbors for loans that were repaid in full by May 18, as well as loans under $2 million. Loans over that amount would be subject to SBA review and evaluated “based on their individual circumstances in light of the language of the certification and SBA guidance.” According to the FAQs, if the SBA determines “that a borrower lacked an adequate basis for the required certification concerning the necessity of the loan request, SBA will seek repayment of the outstanding PPP loan balance and will inform the lender that the borrower is not eligible for loan forgiveness. If the borrower repays the loan after receiving notification from SBA, SBA will not pursue administrative enforcement or referrals to other agencies based on its determination with respect to the certification concerning necessity of the loan request. SBA’s determination concerning the certification regarding the necessity of the loan request will not affect SBA’s loan guarantee.” (See “SBA Provides “Safe Harbor” for PPP Loans Under $2 Million.“)

SideBar

Early Justice Department actions appear to have focused primarily on potential fraud in obtaining PPP loans. Treasury Secretary Steven Mnuchin has warned that companies that received PPP loans “could be subject to investigation” if it turns out they could not make their certifications of necessity in good faith, even suggesting, as reported in the Washington Post, that “I want to be very clear it’s the borrowers who have criminal liability if they made this certification and it’s not true…We will make sure that what was the intent for taxpayers is fulfilled here.” In early May, as reported in the WSJ, the DOJ charged two men with fraudulently attempting to obtain over $500,000 in PPP loans, after they claimed “to have dozens of employees…when in fact they had no workers,” and a number of their entities were not even open prior to the pandemic. According to the WSJ, the investigation was part of a broad search for fraud in the program, using data analytics to look for “red flags in loan applications and other documents submitted” to governmental agencies. A government affidavit submitted in the case noted that the investigation was aided when a complaining witness brought information about the case to the local police. The DOJ has made enforcement of fraud in connection with the CARES Act a priority. (See “What You Need to Know About Potential Exposure if You’ve Gotten a CARES Act Loan.“) And Reuters is reporting that the DOJ has sent grand jury subpoenas to several banks seeking records as part of a broader investigation into potential abuse of the PPP by borrowers.

SEC’s Division of Enforcement, with its mission emphasizing the investigation of potential violations of the federal securities laws, appears to be looking at the representations in the certifications, as well as analyses, projections and other information, for a different purpose – the adequacy of companies’ prior disclosures. Its inquiry is seeking information about companies’ qualifications for PPP loans, their demonstrations of necessity for PPP loans to support their ongoing operations, the timing and extent of any going-concern assessments and the financial effect of COVID-19 and related remedial measures on the companies’ business operations and obligations. The SEC is also interested in any considerations of return of PPP loans. Presumably, SEC’s Division of Enforcement is examining whether, in light of representations made in the PPP certifications and any underlying analyses performed to demonstrate the validity of those representations, companies were timely and complete in their disclosures to the public regarding their financial condition. While the SEC investigation is framed as a voluntary request pursuant to an “informal” inquiry, it’s worth keeping in mind that the SEC routinely shares information with the Justice Department when it believes a criminal investigation may be warranted.

SideBar

A House oversight subcommittee has announced that it has sent letters to public companies that met certain criteria demanding that they return the PPP funds. (See “House Select Subcommittee Announces First Public Investigations Involving CARES Act.“) In many cases, the letters also highlighted statements in each company’s own SEC filings, press releases or other communications touting its leadership position in the industry, implicitly raising the question of whether there might be inconsistencies between the company’s public statements and its certification that the PPP loan funds were necessary. (See “House Subcommittee Insists Certain Public Companies Return PPP Loans.“)

Key contacts: Luke Cadigan, Andrew Goldstein and Randall Lee

What is the House Select Subcommittee?

The subcommittee is a recent addition to the oversight bodies created by the CARES Act that we described in March. The House of Representatives established the subcommittee on April 23 and authorized it “to conduct a full and complete investigation” of the “efficiency, effectiveness, equity and transparency of the use of taxpayer funds and relief programs to address the coronavirus crisis.” Speaker Nancy Pelosi compared its mandate to the Truman Committee during World War II, which investigated waste and fraud in defense spending. While the Truman Committee had an initial budget of $15,000, the subcommittee’s budget for 2020 is $2 million.

The subcommittee’s seven Democratic members were named on April 29 and include Majority Whip James Clyburn and the chairs of the Financial Services, Small Business and Oversight and Reform Committees. The five Republican members include Minority Whip Steve Scalise and the ranking members of the Judiciary and Oversight and Reform Committees.

What did the subcommittee demand?

Barely two weeks after its creation, the subcommittee sent, and publicly released, letters to five public companies demanding that they return their PPP loans and threatening investigations if they refuse. The letters, which were signed by all seven Democratic members and none of the Republicans, stated that Congress “did not intend for these funds to be used by large corporations that have a substantial investor base and access to capital markets,” and gave the companies three days to commit to returning their loans. The letters go on to state that if the company “choose[s] not to return some or all of these funds,” the subcommittee will request the production of documents about the company’s loan application and communications with the Small Business Administration. The subcommittee’s language about access to capital echoes guidance provided by the SBA in its April 23 FAQ, which stated, “It is unlikely that a public company with substantial market value and access to capital markets will be able to make the required certification in good faith.”

Why these companies, and who is next?

According to the subcommittee, it targeted these companies because they are publicly traded, have more than 600 employees, have market capitalizations of greater than $25 million and received loans of at least $10 million. On May 11, the first of the five companies announced it was returning its full $10 million loan. The subcommittee promptly announced, “Our actions have already resulted in the return of $10 million in taxpayer funds – five times our entire budget for the year – which is exactly why we were created in the model of the Truman Committee during World War II.”

This initial result is likely to spur further investigative activity, by both the subcommittee and other oversight bodies. Indeed, while the subcommittee’s actions are public, investigative steps by the Inspectors General and the Department of Justice often occur over months or years before being disclosed, typically in connection with an enforcement action or agreed resolution. One would expect additional investigations moving down the list of companies that received CARES Act loans, particularly among public companies that have relatively higher market capitalization. The SBA has stated that it will review all loans – regardless of whether a company is public or private – in excess of $2 million following submission of the borrower’s application for loan forgiveness under the PPP. And even companies whose loan amounts fall below that threshold face the risk of government scrutiny, as federal and state prosecutors and investigative agencies pore over data about companies that received federal money and look for ripe investigative targets.

What can your business do?

As this is the first time many of the businesses that received PPP loans have applied for and received federal funds, companies should take extra care to ensure that all applications and required certifications are accurate and consistent with other public and internal company statements and that they have documented their process and reasons for seeking, and keeping, PPP loans.

If a business believes that its certifications may not be accurate or that it otherwise may be ineligible for funds it received, the SBA has extended the safe harbor date to return PPP funds until May 18. The SBA also issued FAQ 46, which provides limited safe harbors related to the necessity certification.

Finally, businesses should take steps to ensure they continue to follow their internal compliance and fraud detection processes carefully. While the current focus is on PPP loan funds, companies that face scrutiny on this front cannot afford to have other misconduct come to light through this process.

Additional information about CARES Act enforcement issues:

Paycheck Protection Program Loans and Risk of Government Investigation: Advice From Former Federal Prosecutors

What You Need to Know About Potential Exposure if You’ve Gotten a CARES Act Loan

Contributors: Andrew Goldstein, Daniel Grooms, Chris Waidelich and Vince Sampson

For a small minority, the risks may be too great and may ultimately deter them from accepting a CARES Act loan; but for many businesses, a CARES Act loan may be the life raft they need to make ends meet during these difficult times. Because the government’s fraud recovery efforts will undoubtedly increase in coming years, businesses that accept CARES Act loans should be mindful of the potential liability that comes from accepting government funding.

What happens if the government later decides our company was not eligible to receive the funds?

The lack of clarity in eligibility requirements and evolving guidance by the Small Business Administration has caused considerable concern among borrowers, raising questions about whether companies should return funds already received. For example, among other requirements, applicants for the Paycheck Protection Program, which the CARES Act established for eligible small businesses, must certify that the “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant.”

Guidance issued by the SBA on April 23, 2020 explained that “[b]orrowers must make this certification in good faith, taking into account their current business activity and their ability to access other sources of liquidity sufficient to support their ongoing operations in a manner that is not significantly detrimental to the business.” The SBA opined that “it is unlikely that a public company with substantial market value and access to capital markets will be able to make the required certification in good faith, and such a company should be prepared to demonstrate to SBA, upon request, the basis for its certification.” In its interim final rule issued on April 24, 2020, the SBA further addressed whether the SBA’s affiliation rules prohibit a portfolio company of a private equity fund from being eligible for a PPP loan. The SBA confirmed that “[t]he affiliation rules apply to private equity-owned businesses in the same manner as any other business subject to outside ownership or control.” The SBA concluded by reiterating prior guidance that “all borrowers should carefully review the required certification” concerning the necessity of the loan, which would include an assessment of their ability to access other sources of liquidity.

While confirming that “[b]orrowers and lenders may rely on the laws, rules, and guidance available at the time of the relevant application,” the SBA guidance also notes that “borrowers whose previously submitted loan applications have not yet been processed may revise their applications based on clarifications reflected in” the recent guidance. And for borrowers that already submitted a PPP application, but now believe they may not be eligible, the SBA also clarified that the borrower may repay the loan in full by May 7, 2020, and any prior certifications will be deemed to have been made in good faith.

Other borrowers, including those who acted in good faith when applying for funds and certifying their eligibility, and those who may be unable to take advantage of the PPP safe harbor, may need to move quickly once they know or should know that they received money for which they were not eligible. In other contexts involving federal funds, such as entities that receive Medicare or Medicaid payments, failure to timely report or return an overpayment may result in a violation of the federal False Claims Act, 31 U.S.C. § 3729 et seq., which carries the steep fines and penalties described below. From the government’s perspective, borrowers are expected to take care to assess and, to the extent possible, confirm their eligibility before applying for any CARES Act loan, and if it later becomes clear they were ineligible, they should take steps to mitigate their exposure, including potentially by returning any funds received.

What happens if the government decides we submitted false paperwork?

The FCA creates civil liability for any person who knowingly presents or causes to be presented a false claim for payment to the government. The FCA also proscribes knowingly making, using or causing to be made a false record or statement material to a false or fraudulent claim. For FCA purposes, “knowingly” can mean having actual knowledge, or acting in deliberate ignorance or reckless disregard of the truth or falsity of the information.

The potential for FCA liability stems in large part from the fact that the CARES Act requires prospective borrowers to make a variety of certifications that they meet loan requirements; this ensures that the FCA will be central to the government’s fraud enforcement and recovery efforts. In many cases, borrowers’ CARES Act certifications are being made on an expedited basis and without ready access to books, records and personnel, increasing the risk that misrepresentations will be made, particularly by borrowers largely foreign to accepting government funds and the documentation and recordkeeping requirements government loans entail. Nonetheless, the SBA’s April 23, 2020 guidance confirms that it is the borrower’s obligation to ensure its own eligibility for CARES Act loans and to provide appropriate and accurate certifications as to its eligibility.

FCA fines and penalties can be steep, as the FCA allows the government to recover up to three times the amount of its actual damages – with damages in this context likely viewed by the government as the full amount of the loan – plus penalties for each false claim of $11,665 to $23,331.

One reason the FCA has become such a powerful tool in the federal government’s fraud deterrence arsenal is its whistleblower provisions, which empower private individuals – often company employees – to bring suit on behalf of the government in exchange for a share of the government’s ultimate recovery.

What certifications do I need to be particularly careful about?

Nearly all of the loan programs set up by the CARES Act require some form of certification in order to receive funds and/or to retain them. Some of these certifications are objective and not likely to lead to FCA litigation, such as a certification that the borrower is domiciled in the United States. But others are ripe for FCA scrutiny. For example, the PPP promises to forgive a substantial portion of the loan principal, but loan forgiveness is subject to reduction if staffing and salary levels are reduced and not restored. Borrowers will necessarily present various certifications to the government regarding their initial eligibility for the loan, and subsequent certifications will require representations about, among other things, ongoing staff and salary levels. Both the initial and subsequent certifications will be subject to scrutiny and could prompt FCA liability if ultimately found to be untrue or misleading.

The CARES Act also authorizes funding for loans targeted at mid-sized eligible businesses and non-profits with between 500 and 10,000 employees, and requires that borrowers certify they intend to restore not less than 90% of the borrower’s workforce that existed as of February 1, 2020, and to restore all compensation and benefits to workers no later than four months after the declared termination of the COVID-19 public health emergency. There is no shortage of FCA pitfalls in these certifications; indeed, the government could make much of the borrower’s subjective mindset at the time it applied for the loan, or the applicant’s efforts, or lack thereof, to restore its workforce, compensation and benefits thereafter.

Can a company’s executives or owners be held personally liable?

Yes. The Department of Justice has been aggressively pursuing individuals in FCA cases. DOJ guidance issued in recent years requires that DOJ attorneys explore individual culpability in conducting their investigations; it also requires that, when deciding whether to award cooperation credit to corporations, DOJ attorneys consider the extent to which the corporation affirmatively identified the individual(s) responsible for the misconduct. In the case of a CARES Act loan, these individuals would include, but would not be limited to, the authorized representative of the company who signed the application.

Liability can extend to others in the business to include executives, owners and board members who participate in the decisions concerning the application and certifications. As a possible bellwether case, DOJ recently pursued a pharmacy’s private equity fund owner for allegations that it had engaged in a kickback scheme resulting in the submission of false claims. The private equity owner, two executives and the pharmacy at issue reached a $21 million settlement with DOJ in September 2019.

Can a company’s executives or owners face criminal exposure?

Yes, if they knowingly made false statements. In the wake of the 2008 financial crisis, for example, numerous executives faced harsh criminal penalties for fraud committed on federal loan programs, such as the Troubled Asset Relief Program (TARP). The Special Inspector General for TARP (SIGTARP), the independent watchdog set up to police TARP funds, reports that, as of December 31, 2019, it criminally charged 438 individuals, of which 300 were sentenced to prison time, including 92 bank borrowers and 76 bankers.

The potential for criminal liability stems from, among other things, strict federal statutes prohibiting the making of false statements in connection with loan applications (which includes CARES Act loans), i.e., 18 U.S.C. § 1014, and with making false statements to the government, i.e., 18 U.S.C. § 1001. Liability under either statute carries significant monetary penalties and potential jail time, and can stem from both “knowing” and “willful” misstatements. These are often unforgiving standards, and the government need only show that the defendant conducted a deliberate act, like submitting a loan application, with knowledge that its contents were false. And in certain circumstances, the government need not even prove that the defendant knew the statement was false; it must prove only that a defendant made a material false statement and acted with a conscious purpose to avoid learning the truth.

What can I do now to limit my exposure?

As we have previously reported, government enforcement often ramps up after national emergencies, and in these unprecedented times it is already well underway. On March 20, 2020, the DOJ announced that “Attorney General Barr [had] directed all U.S. Attorneys to prioritize the investigation and prosecution of Coronavirus-related fraud schemes.” Media and congressional scrutiny of CARES Act funding recipients will only serve to focus public and DOJ scrutiny.

Accordingly, now is not the time to skip important compliance safeguards. Any business applying for government assistance should exercise care to ensure:

• the accuracy of required certifications, and to know exactly what they are certifying;
• appropriate documentation exists to support the borrower’s initial certifications, compliance with the loan terms and any subsequent certifications and/or claims made to the government;
• public and internal statements by company representatives, including in SEC filings and to existing and prospective investors, for example, are consistent with representations made to the government;
• continued compliance with any follow-on requirements for retaining the loan, obtaining loan forgiveness or submitting subsequent certifications;
• internal compliance mechanisms (i.e., hotlines, auditing, etc.) are appropriately administered, funded, structured, staffed and maintained; and
• complaints or allegations of fraud are taken seriously and appropriately investigated – indeed, whistleblowers often report fraud internally before going to the government.

Contributors: Erin Estevez and Michael McMahon

In October 2019, the UK home secretary and US attorney general signed one such reciprocal agreement, the US-UK Bilateral Data Access Agreement[1] (the Agreement), which is due to take effect this year. Announcing the Agreement, Home Secretary Priti Patel stated: “This historic agreement will dramatically speed up investigations, allowing our law enforcement agencies to protect the public.” The announcement explains that “under the current MLA process, requests for data can often take anywhere from 6 months to 2 years. Once in place, the agreement will see the process reduced to a matter of weeks or even days.”[2]

Once the Agreement takes effect, US communications service providers should expect to begin receiving overseas production orders (OPOs) directly from the UK on behalf of UK enforcement agencies, including the Serious Fraud Office, National Crime Agency, Financial Conduct Authority and police, to obtain evidence. Likewise, UK-based providers should expect to begin receiving orders directly from US authorities.

Recipients of an OPO issued by the UK will have, as a default[3], seven days to produce the data stipulated to the UK authorities. Failure to comply with the order may render the recipient in contempt of court. A person cannot be extradited for such a contempt, so in theory it could be difficult for the UK to force compliance with an OPO. However, in reality, being found in contempt of court and the associated publicity and reputational damage is likely to be an unattractive prospect for most companies. An additional important consideration to bear in mind is that a director or officer of the recipient company can in certain circumstances be held personally liable for a contempt of court and could be arrested if they were located within or traveled to the UK. The penalties for contempt of court are imprisonment or an unlimited fine.

Although the aim of OPOs is to significantly speed up the process for UK law enforcement to gather evidence, it also represents a radical change in process, which we expect will generate a raft of legal challenges to OPOs in order to protect the recipient’s interests and rights and produce a number of practical challenges for companies.

The old system

Previously, if UK enforcement agencies wanted to obtain data from a US communications service provider, in the main they were reliant on the mutual legal assistance process (MLA).[4] MLA involves the UK authorities formally requesting assistance from an executing authority in the country to which the request is made. Where the provision of evidence requires a coercive measure, it is sanctioned by the judicial authorities in the overseas jurisdiction. MLA requests from the US to the US for data held in the US are therefore subject to the scrutiny of the US courts and can be challenged in the US, subject to US law and procedure.

The new system

The COPOA allows UK authorities to bypass the MLA process and apply to the UK courts directly to compel a US communications service provider to provide data under an OPO.

The COPOA is a significant departure from the MLA process in that US companies wishing to challenge an OPO will now be forced to do so principally in the UK, under English law and procedure, rather than in the US.

The COPOA provides for an “appropriate officer” from an enforcement agency to make an application to the Crown Court for an OPO. A judge may make an OPO against a US communications service provider where there are reasonable grounds for believing:

• that the recipient is based in or operates in a country or territory outside the UK which is a party to an arrangement such as the Agreement;
• that there is an ongoing investigation or proceedings in respect of any indictable offence;
• the recipient has possession or control of all or part of the electronic data specified;
• that all or part of the electronic data is likely to be of substantial value to the proceedings or investigation;
• that all or part of the electronic data is likely to be relevant[5] evidence in respect of the offence;[6] and
• that it is in the public interest for all or part of the electronic data to be produced or accessed, having regard to
  • the benefit likely to accrue, if the data is obtained, to the proceedings or investigation; and
  • the circumstances under which the recipient has possession or control of any of the data.

Once an OPO is issued by the court, it will be served directly on the recipient by the UK secretary of state. Importantly, the OPO does not require the production of “excepted material,” which includes items subject to legal privilege and confidential personal records.

Neither the COPOA nor the Agreement prohibit companies from encrypting data and impose no obligation to de-encrypt data.

Challenging an OPO

The new legislation is widely anticipated to be a game changer in terms of the substantial volume of data that will most likely be obtained on both sides of the Atlantic and the anticipated speed of response by recipients of the OPOs. However, there are a number of important areas that may merit challenge at least in the short term, whilst a workable process is established.

Recipients of OPOs will want to ensure they are in a position to comply lawfully with OPOs, whilst avoiding handing over data in circumstances where they may breach other legal duties to their customers and the attendant risk of potential follow-on litigation.

One of the first actions taken on receiving notice of an OPO application may well be to request further time to comply. It is anticipated that such requests will be granted so that many of the novel issues and challenges arising from the COPOA and Agreement can be given due consideration.

US recipients of an English OPO will be able to apply to vary or discharge an OPO in the English crown courts and may be able to challenge them by way of judicial review in the High Court. As with other domestic search warrants and production orders, a vast number of potential challenges could be made to an OPO depending on the facts of each particular case. By way of example, there may be arguments that a request is too broad, that the recipient is not in possession or control of the data, that it is not in the public interest for all or part of the electronic data to be produced or accessed, or that other conditions that must be met in order to grant an OPO are not satisfied.

Data protection issues will need careful consideration, particularly when data is held in a country outside the UK or US. While the COPOA does not require a recipient to do anything that would breach the UK data protection legislation, the data protection law of other jurisdictions, such as France, may prevent the disclosure of the data in the absence of an international treaty like the Agreement being entered into by that country.

Preventing the disclosure of privileged material is also likely to present important legal issues for the recipient, which will give rise to potential challenges. For instance, while the COPOA makes plain items subject to legal privilege fall outside of the proper scope of an OPO – and privilege is defined with reference to English law – it remains to be firmly established whether there is scope for arguing against compliance on the basis that the requested material is privileged under US law. Existing English case law suggests that even where it is accepted that documents are protected by privilege under US law, if the documents are not protected by privilege under English law they will be disclosable in English proceedings.[7] However, further judicial clarity regarding the position may well be sought once OPOs are brought into force either by way of an application to the Crown Court in the first instance or subsequently by judicial review.

Judicial guidance may also need to be sought to clarify the methodology that should be applied to determine the extent of privileged material given that in most instances the recipient of the OPO will not be the privilege holder, and a non-disclosure order may prohibit the recipient from disclosing the existence of the order to anyone.

In addition, each OPO must be reviewed by the secretary of state and can only be served on the recipient if the secretary of state certifies in writing that they consider doing so would be in accordance with the Agreement. Separately to the Crown Court process, the Agreement specifically provides another mechanism for challenge, under which recipients of an OPO who believe the Agreement may not be properly invoked may raise objections in the first instance to the issuing party’s designated authority. The Agreement and COPOA contain some separate provisions that mean this mechanism will have to be invoked where the COPOA has not imported requirements contained within the Agreement. By way of example, an OPO cannot intentionally target certain categories of individuals or entities (such as a citizen or national of the US, to give one example) under the Agreement, but the COPOA does not contain these exclusions.

The UK’s designated authority must respond to the objections, and if they are not resolved, the recipient may raise the objections to their own country’s designated authority. The two countries’ designated authorities may then confer in an effort to resolve the objections.

It seems likely that challenges to the new powers may also be made in the US courts on the basis that OPOs issued in the UK violate fundamental or constitutional rights under US law. You can read more about potential challenges in our recently posted article on the topic.

The future landscape

The US is reportedly in negotiations with the European Commission and Australia to negotiate equivalent data sharing agreements. Other countries likely to follow suit are New Zealand and Canada.

Many OPOs will be served on companies that otherwise have no involvement in an investigation and that would previously have been regarded by enforcement agencies as out of reach on a practical basis.

Any parties served with an OPO are best served to seek legal advice as soon as possible to ensure suitable steps are taken to challenge the order, if necessary, and ultimately to assist in successful compliance with the order and balance the various competing interests whenever possible.

Companies that are likely to receive multiple OPOs would be especially well advised to consider designing a suitable system for handling OPOs and become familiar with the types of issues that may give rise to challenges, some of which are touched on above.

The COPOA and the Cloud Act Agreement seem likely to bring a torrent of litigation and we shall see if the process is in fact speedier as a result of their implementation.

If you have any questions or would like to find out more about this topic, please contact Tom Epps, Sascha Grimm, William Schwartz, Andrew Goldstein, Daniel Grooms, Marie Kavanagh or Oliver McGlashan.

Notes

[1] Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, 3 October 2019

[2] https://www.gov.uk/government/news/uk-and-us-sign-landmark-data-access-agreement

[3] The judge approving the OPO may grant a longer or shorter period as appropriate

[4] The SFO can also, under certain circumstances compel the production of documents held overseas by a company with no presence in the UK under section 2(3) of the Criminal Justice Act 1987, following the decision in R (on the application of KBR Inc) v The Director of the Serious Fraud Office [2018] EWHC 2012 (Admin) The SFO’s assertion that section 2(3) had extraterritorial effect in that case was challenged on jurisdictional grounds but the High Court held that in the circumstances of that case, there was a ‘sufficient connection’ between KBR Inc. and the UK KBR Inc. is appealing the decision to the Supreme Court and the decision has been widely criticized by legal commentators

[5] Under Section 4(11) of the COPOA “relevant evidence,” in relation to an offence, means anything that would be admissible in evidence in proceedings in respect of the offence

[6] This requirement does not apply where the data in respect of which the OPO is sought, is for the purposes of a terrorist investigation

[7] The RBS Rights Issue Litigation [2016] EWHC 3161 (Ch)

The CARES Act creates three new oversight bodies

1. The Pandemic Response Accountability Committee: The Pandemic Response Accountability Committee has an $80 million appropriation and the broadest oversight and enforcement powers of the three oversight bodies established by the CARES Act. The committee members will be selected from among existing inspectors general, and the committee is tasked with conducting, coordinating and supporting inspectors general in the oversight of covered funds in order to “detect and prevent fraud, waste, abuse, and mismanagement; and mitigate major risks that cut across programs and agency boundaries.” The committee has auditing, reviewing and reporting responsibilities and the ability to refer matters to the Department of Justice for criminal or civil investigation. Most significantly, the committee has the authority to conduct independent investigations with the power to hold public hearings and issue subpoenas for both documents and testimony to private entities and individuals.
2. Special Inspector General for Pandemic Recovery: The Special Inspector General for Pandemic Recovery is established within the Treasury Department and is responsible for conducting, supervising and coordinating “audits and investigations of the making, purchase, management and sale of loans, loan guarantees, and other investments” by the secretary of the Treasury under any program established under the CARES Act. The special inspector general will have authority to conduct investigations and issue reports, and will also be able to refer matters to the DOJ for criminal or civil investigation. The special inspector general’s office has a $25 million appropriation and will operate for the next five years.
3. The Congressional Oversight Commission: The Congressional Oversight Commission will consist of five members selected by majority and minority leadership from both the House and Senate and have authority to conduct oversight of the implementation of the stimulus package by the Treasury and the Federal Reserve. The oversight commission will have the authority to hold hearings, take testimony, receive evidence and issue reports. The oversight commission will operate until September 30, 2025.

In addition to these three oversight bodies, the CARES Act allocates substantial funds to the Government Accountability Office and provides a mandate for the GAO to issue reports on all expenditures of funds under the act. The act also directs millions of dollars to existing inspectors general and directs them to increase their investigative and enforcement activities of programs tied to CARES Act funds.

The additional oversight authorities built into the CARES Act are reminiscent of the creation of the Office of the Special Inspector General for the Troubled Asset Relief Program (SIGTARP) following the 2008 financial crisis. For perspective on the impact these new entities may have, consider that, more than a decade after the last financial crisis, SIGTARP remains quite active. To date, its investigations have resulted in the collection of more than $11 billion ($900M in 2019 alone), including multibillion-dollar penalties across the financial industry, as well as 381 criminal convictions.

And TARP pales in comparison to the CARES Act in terms of the amount of money to be distributed to the private sector. The CARES Act will be the largest expenditure of money in a single piece of legislation in US history. Companies should expect oversight and enforcement to be aggressive and last for years after the current pandemic crisis has ended. The multiple enforcement bodies established by the CARES Act, along with a public eager to deter and prosecute the kinds of fraud and self-dealing that came out of the 2008 stimulus package, mean that any recipient of funds under the CARES Act should be prepared for scrutiny in the months and years to come.

Contributors: Caitlin Munley and Vince Sampson

An ounce of prevention is worth a pound of cure

Neglecting the warning signs or putting off dealing with problematic behavior can have long-term costs – even well after the immediate crisis has been weathered. Corporate penalties regularly involve disgorgement of all gains plus substantial fines, and executives and employees can face criminal exposure. As such, ignoring fraud now is like creating an account payable, but payable on demand at a future date outside your control.

In these times, strict adherence to and enforcement of policies on compliance, anti-bribery, sound accounting practices and internal controls should be top of mind. Organizations facing internal and external pressures should remain vigilant by immediately and thoroughly investigating and addressing any signs of misconduct or fraud.

For organizations involved in acquisitions and other due diligence processes, crisis times can present additional difficulties. Documents may be harder to obtain, and the ability to scrutinize transactions and other aspects of the deal through face-to-face interaction may be limited or altogether impossible. Organizations should give critical thought to how to approach due diligence under these circumstances, considering not only logistical concerns, but also how to assess the target’s ongoing compliance functions while maintaining their own.

Government enforcement often ramps up after national emergencies

Believing the government is too busy or preoccupied to pursue fraud during a crisis is a mistake. While its focus may be elsewhere in the near term, the government’s memory is long (and so are statutes of limitations). Taxpayers also demand accountability in the wake of government stimulus efforts. Here are a few notable recent enforcement examples in the US and UK, with lessons for today:

• Special Inspector General for TARP: The 2008 financial crisis led to the US government’s establishment of the Troubled Asset Relief Program, and fraud committed against the TARP inevitably spawned an entirely new investigative and enforcement agency: SIGTARP. A decade later, SIGTARP remains active, having collected over $11 billion ($900M in 2019 alone) and 381 criminal convictions, including multibillion-dollar penalties across the financial industry. Many enforcement actions related to trading in residential mortgage backed securities. One case resulted in the 2013 conviction of the former CEO of The Bank of the Commonwealth for bank fraud and other crimes related to concealment of lending losses and the $28 million in TARP funds sought by the bank. Following a 10-week jury trial, the CEO was sentenced to 23 years in prison and ordered to pay $333,569,732 in restitution to the Federal Deposit Insurance Corporation.
• Hurricane Katrina Fraud Task Force: Within just two years of its establishment, the task force had brought federal charges against over 700 individuals for various hurricane fraud-related crimes, such as emergency benefit fraud, identity theft, procurement fraud and public corruption. Private whistleblowers also aided the government’s post-Katrina fraud detection efforts by bringing a slew of cases under the federal False Claims Act, including one such action by two claims adjusters who alleged that State Farm Fire and Casualty Company ordered its claims adjusters to misclassify wind damage as flood damage to shift liability away from company-issued general homeowners’ policies to government-backed flood insurance policies. The lawsuit resulted in an award for the whistleblowers of $758,250, which included treble damages and a civil penalty. Later, the task force became part of the National Center for Disaster Fraud, which focuses on detecting, preventing, investigating and prosecuting fraud relating to all types of disasters, including many such frauds perpetrated at an organizational level and not simply by opportunistic individual scammers.
• UK Serious Fraud Office and Financial Conduct Authority investigations: Following the economic crisis of 2008 the UK Serious Fraud Office and the Financial Conduct Authority opened numerous high-profile investigations into alleged fraud and misconduct by major financial institutions around the time of the crisis. Some of these investigations have only recently concluded and some remain ongoing even now. For instance, the FCA is currently investigating the actions of senior management at HBOS in relation to the near-collapse of the bank during the financial crisis, before it was rescued by a government bailout. This follows public criticism of the FCA for its failure to take action immediately after the collapse.

Experience shows us that there is a large increase in investigations activity by international enforcement agencies following crises and often intense political pressure for such agencies to investigate and take action. That events occurred during a time of crisis is not a defense. To the contrary, enforcement agencies will often use company action during difficult economic times to suggest that economic imperatives drove alleged misconduct and illegal activity.

Now is the time to act

Now is the time to be vigilant. Existing resources devoted to fraud detection should be leveraged, emphasized, highlighted and enforced, not relaxed. Transactions should be scrutinized with no less rigor than in good economic times, and internal complaints should be investigated, addressed and resolved. Failing to do so places organizations at greater risk tomorrow even if they successfully get through today.

Contributors: Tom Epps, John Hemann, James Maton, William Schwartz and Michael McMahon

Key points

• COPOA came into force on 12 February 2019 – it gives UK law enforcement agencies the means to apply for a UK court order to compel production of stored electronic data directly from a company or person based outside the UK.
• It overhauls the system previously known as Mutual Legal Assistance (MLA).
• To date, the only cooperation agreement (which is currently still in draft) is between the UK and USA so COPOA will only apply to requests between these countries…BUTit is expected that other countries will sign up to similar reciprocal arrangements (based on these terms) in the near future.
• The power to apply for an Overseas Production Order (OPO) is available to all major investigating agencies, including the Serious Fraud Office, National Crime Agency, police, HMRC and FCA.
• The recipient of an OPO has, as a default, just seven daysto produce the data stipulated in the order, but can apply to the English court to vary or set aside the order.
• There are carve-outs for legal privilege and data protection considerations.

Under the old regime, if a UK law enforcement agency wanted to obtain electronic documents or data from a party based outside the UK, it would make an MLA request to the relevant law enforcement agency in the country where the recipient of the request was based, which would then need to be sanctioned by the judicial authorities in that jurisdiction. This process takes on average 10 months to complete.

The introduction of COPOA is a significant departure from this process. It gives UK law enforcement the right to apply to the English court for an OPO. If this is granted, the UK law enforcement agency can serve the OPO directly on a party based in another jurisdiction and order them to produce data, provided that the host country has signed an international agreement. At the moment, the only country with an advanced agreement is the US, but a similar EU instrument is planned.

The are several criteria which must be satisfied before the Court will make the order including that the data is likely to be of value to the proceedings or investigation by law enforcement and that the OPO is in the public interest. Importantly, COPOA also contains carve outs for legally privileged information and confidential personal information (which would result in a breach of data protection legislation, such as the GDPR).

Practical implications

The introduction of COPOA has attracted significant criticism due to the potential access it grants to individuals’ emails and social media messages, given much of this communication is stored on overseas servers, for example in the USA. It is expected those most likely to receive OPOs will be communications providers. It is a concern that these companies (often with no “skin in the game” as the data is not theirs) will be the ones determining whether the request is appropriate and whether legal privilege applies.

If a company or individual is served with an OPO, they have seven days in which to produce the data stipulated in it; alternatively they may apply to a judge in the English court to vary or revoke it. Failure to comply with an OPO renders the recipient in contempt of court. While this is not an offence for which an individual/director could be extradited, it may lead to significant reputational damage for not doing the ‘right thing’ and could mean the relevant individual is arrested if they travelled to the UK. Some critics have suggested this is the principal shortcoming of the COPOA, as it lacks teeth in enforcement.

Overall, this legislation provides a powerful tool to UK investigating agencies in their efforts to gather data from abroad. While at present its scope is limited by a lack of reciprocal agreements, it is expected that this will change over years to come. Any parties served with an OPO should seek legal advice as soon as possible.

For more information please contact Sascha Grimm or Ollie McGlashan.

Since the Bribery Act came into force there has only been one other prosecution under S7, that of Sweett Group in 2015[1] which pleaded guilty.

The Facts

It was alleged that SIL agreed to pay a fee to a senior project manager at a company (DTZ) in order to ensure that SIL won the tenders for two office refurbishment contracts in London worth approximately £6m. This was achieved through the project manager passing confidential information to SIL, giving it an advantage over other tenderers.

The payment was to be made in three stages: two payments totaling £10,000 followed by a third payment of £29,000. The third payment was never paid after SIL’s newly appointed CEO became concerned by the legitimacy of this arrangement. He launched an internal investigation and implemented a new anti-bribery policy. SIL did not previously have an anti-bribery policy. It was a small company with only thirty employees. Despite agreeing to comply with the new anti-bribery policy, the Managing Director tried to make the third payment of £29,000. The payment was stopped and he was dismissed. SIL then submitted a suspicious activity report to the National Crime Agency and self-reported the matter to the City of London Police.

During the criminal investigation, it was not disputed that SIL cooperated fully and even voluntarily providing confidential and legally privileged documents to the City of London Police.

SIL became dormant in 2014 whilst the investigation was ongoing.

The Section 7 Offence

Section 7 of the Bribery Act imposes liability on a company for failing to prevent bribery and has a statutory defence of “adequate procedures”.

The Ministry of Justice Guidance on this offence (which mirrors the general CPS guidance on prosecution) states that: “whether to prosecute an offence under the Act is a matter for the prosecuting authorities. In deciding whether to proceed, prosecutors must first decide if there is a sufficiency of evidence and, if so, whether a prosecution is in the public interest… The more serious the offence, the more likely it is that a prosecution will be required in the public interest.”

Self-Reporting and Deferred Prosecution Agreements (“DPAs”)

The narrative from the SFO in various speeches and public statements of policy has been that whilst a DPA will not automatically follow self-reporting, co-operation is strongly encouraged in order to maximise chances of receiving such an agreement.

The outgoing SFO director, David Green, giving a speech in January 2018, said “Companies feel they need certainty and now they have certainty. They know that if they cooperate with us, and I mean fully cooperate, then odds on they are heading for a DPA. If they do not they will be prosecuted.” [2]

It has been reported that the SFO justified the decision not to offer SIL a DPA because, as a dormant company, SIL did not have the assets or resources to pay any fine that a DPA would carry.

The decision to prosecute

The judge, at an abuse of process hearing, queried why SIL had been prosecuted given its status as a dormant company and willingness to cooperate. It was said that a successful conviction would send a message to other small and medium-sized companies that bribery needs to be taken seriously, and appropriate procedures must be put in place regardless of the number of employees.

SIL was convicted of breaching s7 of the Bribery Act because the jury was not persuaded that the company had adequate procedures in place to prevent bribery. However, owing to its status as a dormant company and lack of assets, the only sentence available to the judge was an absolute discharge.

The question has been raised whether the decision to prosecute a dormant company was a proportionate and appropriate use of resources, given the end result, meaning that the conviction will not be registered on SIL’s record and it will not face any penalties.

Conclusion

Whilst the prosecution of SIL has certainly shown that small and medium-sized companies will be prosecuted, the lack of a DPA means that some now query whether there is any meaningful incentive for offering DPAs to companies that self-report and cooperate throughout an investigation. SIL provided extensive documentation, conducted its own internal investigation and dismissed all senior executives previously involved. However, others argue that this case can be distinguished because of its particular facts, and does not represent a change to UK DPAs.

For more information please contact Louise Delahunty, Prina Patel (ppatel@cooley.com) or Julia Maskell (jmaskell@cooley.com)

[1] https://www.sfo.gov.uk/cases/sweett-group/

[2] https://www.youtube.com/watch?v=UvFpgwUZgw8#action=share

Law enforcement agencies such as the National Crime Agency and Serious Fraud Office will be able to apply to Court, without notice to the recipients, for an Order requiring foreign politicians, and their family members and close associates, to identify any interest in an asset worth over £50,000 and explain how it was obtained.

An Order can be made only where the assets appear disproportionate to known legitimate income.   An application can also be made for a UWO against individuals or companies suspected of involvement with other forms of serious criminality, again if their assets appear disproportionate.

A failure to respond to a UWO will create a rebuttable presumption that the assets it targets are recoverable as the proceeds of crime in civil recovery proceedings brought by law enforcement under the Proceeds of Crime Act.

Injunctions can be obtained to secure assets pending a satisfactory response to a UWO, and again can be sought without notice to the defendants.

Deliberately providing false or misleading information or documents in response to a UWO will be a criminal offence.

The regime is based on proposals made in a paper published in March 2016 by Transparency International UK entitled ‘Empowering the UK to recover corrupt assets: Unexplained Wealth Orders and other new approaches to illicit enrichment and asset recovery’.   Our partner James Maton was one of the external experts that assisted TI to prepare the proposal after an evaluation of the problems faced by the UK authorities in securing and recovering the proceeds of corruption.

The authors concluded that a UWO could be most effective when UK law enforcement have material to suspect that an asset has been corruptly acquired but need more time to collect evidence.  That is a common problem, for example, after the filing of a suspicious activity report.

It is a testament to the hard work and quality of research of the TI team that the proposal has been adopted into law.  Its true utility can, of course, only be demonstrated by the use of the power by law enforcement, and it is just one tool that can be used to tackle the problem of identifying and recovering the proceeds of corruption (and other serious crimes).

A final Code of Practice outlining the circumstances in which UWOs will be used is awaited.  There are various factors that will need to be weighed when considering whether to deploy UWOs, including whether there will be any adverse impact on an ongoing investigation, and we wait to see whether law enforcement will be proactive in using this innovative investigatory tool where meaningful action could not otherwise be taken.  The draft Code of Practice is here.

The original TI paper is here.

In the past, compliance with sanction and export regimes was largely seen to be an issue for companies that dealt with military hardware or products that had a clear potential military use & for banks supplying financial assistance to sanctioned entities. That mind-set is now dangerously outmoded.

Technological advancement in ‘civilian’ products and software has resulted in many of these products and services being caught by sanctions and export control regimes. The most obvious example being the now widespread use of encryption software in civilian products and services used to secure data that is transmitted wirelessly between electronic devices. This presents significant challenges for tech companies. These challenges are compounded by the ease with which technology and software services can be transferred globally and the difficulties with identifying and restricting potential access. With the ever-increasing use of cloud services, this is a growing issue.

Tech companies considering sanction and export compliance must address three fundamental questions:

• Are any of our products or services (or part of them) controlled?

To establish the status of products/services, tech companies operating in the UK must refer to the UK Strategic Export Control Lists (which incorporate EU controls). They should also be aware of the US export control regime, which has wide-reaching extraterritorial effect. Exemptions may apply. For example, certain open source software and “mass-market” software products using encrypted technology are exempt from requiring a license.

• To whom do we supply our products/services?

Companies should have a method of screening customers and related parties before access is given to products/services to ensure they are not on any sanctions list. This can be managed internally with specialised software or subcontracted to third party providers. These checks should also be carried out periodically on existing customers to capture any updates to sanction lists.

• What is our geographic scope?

This can often be the hardest question for tech companies that supply goods/services electronically. All companies should understand their potential geographic scope of supply to ensure they are not providing goods or services to sanctioned states or entities. For companies supplying controlled products or services, it is essential that access is geographically limited or that appropriate export licences are obtained. Limitation can be achieved in a number of ways: by restriction of supply to specific servers; or, if cloud services are being used for distribution, ensuring that the cloud service itself has appropriate restrictions in place.

Navigating the complexities of international sanctions and export control regimes is daunting but crucial. Where there is any doubt as to the status of goods, the geographic scope of supply, or the application of sanction and/or export control regimes, legal advice should be sought as a matter of urgency.

In 2011, ENRC began an internal investigation into allegations of corruption, bribery and fraud within its operations, remaining in regular contact with the SFO whilst doing so. In 2013, the SFO launched its own criminal investigation into the company.

As part of their investigation, the SFO compelled ENRC to hand over certain documents under a Section 2 Notice. ENRC refused on the basis that the documents were protected by legal professional privilege (“LPP”).

Mrs Justice Andrews largely rejected ENRC’s claims to privilege. She held that there was no legal advice privilege because the documents in question, which included interview notes, did not contain legal advice. With regard to litigation privilege, Andrews J held that this could not protect the documents as they were not prepared with the sole or dominant purpose of conducting litigation. She made a distinction between “the reasonable contemplation of a criminal investigation” and “the reasonable contemplation of a prosecution”.

Part of her reasoning was that ENRC had, when conducting its investigation, intended to report to the SFO: documents produced with the intention of later disclosing them to the SFO could not attract privilege. In addition, she cited the fact that at the time ENRC was conducting its investigation, it did not know what had occurred and whether litigation or prosecution was in reasonable contemplation.

The Judgment has been met with concern by many commentators. The Law Society of England and Wales has branded it as “harmful” and an erosion of the fundamental right of LPP. Others see it as a logical interpretation of the rules of privilege.

It remains to be seen whether companies will be dissuaded from self-reporting and engaging with the SFO, as by doing so they may find themselves dealing with a ‘contemplated investigation’, rather than a ‘contemplated prosecution’. In the meantime, companies should be aware that all documents produced during internal investigations could potentially be disclosable to the SFO if they do not attract LLP.

ENRC has indicated that it intends to appeal the decision.

SFO v Eurasian Natural Resources Corporation Ltd [2017] EWHC 1017 (QB)

The facts of the recent case of The National Crime Agency v N and Royal Bank of Scotland [2017] EWCA Civ 253 were that RBS froze certain of the accounts of a customer, N (a foreign exchange trading business), and sought consent from the NCA under s335 POCA to return the funds to N upon termination of the banking relationship. NCA gave consent. RBS did not request consent from the NCA to perform specific transactions, which N was seeking to undertake but merely to return all funds to N. The effect of RBS’s freezing of the accounts was to bring N’s business to a halt with potentially catastrophic consequences. N sought interim injunctions and declarations to require the Bank to process its transactions. RBS opposed the applications on, among other grounds, that it had no consent from the NCA to process the particular transactions, only to return the funds to N, and that if it did so without the NCA’s consent, it would be potentially liable to a criminal offence under POCA. The NCA, appearing on the application, and at first having been neutral, adopted the position at the hearing that the Judge had no jurisdiction to override the statutory regime by granting any orders, that RBS was obliged to seek consent for the specific transactions from the NCA, and that the statutory period the NCA would have to respond could not be shortened. N argued that its business would collapse before the statutory period elapsed.

At first instance, Burton J granted N’s applications. The balance of convenience favoured N given the catastrophic position it would be in if the relief were not granted given the statutory periods which would be required if the consent process for the specific transactions. Moreover, as the NCA had consented to the return of the money to N, it could be inferred that there was no suspicion that the money was or was suspected to be criminal property under s340 of POCA and therefore that RBS could be guilty of an offence if they transferred the funds prior to seeking the NCA’s consent. The Judge considered that he had jurisdiction to make the orders, the Court’s jurisdiction not having been ousted by the POCA statutory regime, and that he could also make a declaration that RBS would not be guilty of any criminal offence under POCA in effecting the transfers. He considered that the overall balance of convenience favoured the making of the orders so as to (a) protect N’s business from catastrophic failure and (b) not expose RBS to criminal sanction for complying with the order to effect the transfers.

The NCA appealed against the orders on several grounds, including that the Judge lacked the relevant jurisdiction to make the orders thereby overriding the POCA statutory framework, that the consent given by the NCA to transfer the funds to N did not mean that there was no evidence the monies were or were suspected to be criminal property, and that if the Judge did have jurisdiction this was not a sufficiently exceptional case to justify the interim declaration.

The Court of Appeal concluded that the Judge had been wrong to make the orders. The Court of Appeal, importantly, accepted that the Court’s jurisdiction to make such Orders was not ousted by the POCA statutory provisions. However, they were a highly relevant consideration to whether the discretion should be exercised to which the Judge had given insufficient weight. The Judge had also been wrong to conclude that the NCA’s consent to transfer of the funds back to N showed the funds were clean or that there was no criminality associated with them; judges should generally be careful about reaching similar conclusions at an interim hearing. A bank would be unlikely to be able provide sufficient evidence at an interim stage to allow a court to be satisfied that there was no criminality associated with the funds, and it would therefore be proper to make a declaration that the bank was not committing any offence by transferring the funds. Moreover, there could be many legitimate reasons where NCA consent might be given to release the money where there remain suspicions that it is criminal property and the Judge’s reliance on the NCA’s consent to transfer the funds to N as demonstrating that there was no evidence of criminality was misplaced. Moreover, the Judge had failed to consider that the tipping off provisions of POCA might well prevent the bank from adducing evidence at the application that would allow the court to determine the issue with sufficient certainty. It followed from all of that that the judge had been wrong to declare that RBS would not commit any criminal offence by transferring the funds.

As the Judge’s view that he could make the declaration that RBS would not be committing any criminal offence by transferring the funds was fundamental to his reasoning that he could then order the funds to be transferred, the appeal succeeded on that basis alone. However, the Court of Appeal also criticised the Judge’s weighing of the balance of convenience. He had been heavily influenced by the potential problems N would face if the transfers were not immediately permitted. The Court of Appeal considered that the balance of convenience would generally always favour the bank, as the potential prejudice the bank would face by being ordered to perform an act that could be a criminal offence would usually outweigh the inconvenience to the customer of the transactions not being processed. Although the prejudice against the bank could be overcome if there was no real evidence that the money could be criminal property, the Court of Appeal observed that there is rarely likely to be enough evidence before the court to determine this, which is why such orders would likely be truly exceptional.

The Court of Appeal was also influenced by a change in position of the NCA between the first instance hearing and the appeal. At first instance the NCA had indicated it was not willing to commit to any shortening of the statutory timelines for it consider whether to give consent to transactions under POCA. By the time of the appeal, the NCA noted in a case of real urgency, where a customer could face significant loss the NCA would act much faster than the periods specified in the statute, even within hours. A future court considering such an application is likely to be heavily influenced by whether the appropriate application has been made to the NCA as a matter of urgency, and how they have reacted.

As the Court of Appeal observed, the stringent and sometimes difficult provisions of POCA are Parliament’s carefully struck balance between the fight against money laundering and organised crime, and permitting commercial transactions to take place in a sensible and uninterrupted manor. Where those principles collide, as they did in this case, the court has jurisdiction to intervene, but will only rarely do so in truly exceptional circumstances.

This is an eminently sensible answer to a complex question. While the importance of the POCA regime has been underlined, the NCA’s commitment to act quickly to clear transactions should assist to avoid the worst injustice that the regime might provoke.

European and UK financial services firms, accountants, and lawyers have been here before. When they were brought into the anti-money laundering regulatory world they were transformed into “gatekeepers”. A big cultural shift had to follow, as organisations and professionals, (some under protest), eventually subscribed fully to the notion of being responsible stakeholders with government in the international fight against terrorism and organised crime. This time though, the net is wider. This offence is not just for regulated firms in the EU/UK. All corporates and firms in all sectors, and potentially anywhere in the world, will be affected.

Section 7 of the UK Bribery Act (“UKBA”), upon which this new offence is modelled, brought in strict liability for UK and international corporates, making them responsible for the acts of their “Associated Persons”, so this concept is familiar. Compliance procedures are in place, with the UKBA being perceived as the new post “FCPA “gold standard”. International firms and partnerships must in the same way pay attention to this new law. Both the UK and the foreign tax evasion offences could affect them.

The law first creates a corporate offence of failure to prevent UK tax evasion by an entity’s “Associated Persons”. The one available statutory defence is that reasonable procedures were in place to prevent the facilitation, or at the time it was reasonable not to establish additional procedures. A second offence, the “foreign tax offence” is also created, effective as long as the “foreign tax” and facilitation crimes would be recognised as offences in the UK. The UK Government ostensibly plans to prosecute, or encourage overseas governments to prosecute foreign tax evasion by international companies which have a link to the UK. Potentially this offence has enormous scope. It could cover foreign tax evasion facilitation by an employee of an overseas company, which has no links at all with the UK but which sends an employee on a flying UK visit, if such visit plays a part in foreign tax evasion. Will this actually happen, and will foreign governments support the UK in this initiative?

Is this new law a positive step in the right direction, to discourage “professional enablers” from aiding and abetting criminals, or does it go too far in imposing yet further regulatory and criminal risk burdens on UK and international entities which are already incurring substantial costs for regulatory compliance?

Whatever the pros and cons of this legislation, it is crucial for firms and corporates to undertake a risk assessment for this offence now. How will you draft your procedures after your risk assessment? The UK Government draft guidance (incorporating core principles as in the Bribery Act), is now being scrutinised by the various sectors, who will want to assist their members with some specific guidance. Such guidance can be submitted to Government for approval.

For the UK legal profession, Louise Delahunty is chairing the group that is assisting the Law Society of England and Wales to draft such guidance. The group includes Natasha Kaye and other Cooley lawyers.

Under the agreement, Tesco is to pay a financial penalty of £129 million plus costs. The precise terms of the DPA will not be revealed until it has received court approval, so it is not yet known what discount Tesco received as a result of its cooperation. The standard discount is 33%, which is what ICBC Standard Bank received in 2015 in the first DPA to be concluded. However, the subsequent two settlements, with “XYZ Limited” in 2016 and Rolls Royce in January 2017, both involved a 50% discount for reasons including ability to pay and “extraordinary” cooperation. Tesco announced the discovery of the irregularities in September 2014, after a whistle-blower approached the newly appointed CEO, David Lewis, regarding improper accounting practices.

Unlike the fates of Rolls Royce executives, which are yet to be decided by the SFO, it was announced in October 2016 that three Tesco executives would face trial for fraud and false accounting in September 2017. This does not include the chief executive at the time, Philip Clarke, who was interviewed under caution as part of the investigation but is not to face further action.

It was also announced that Tesco has agreed with the FCA to a finding of market abuse in relation to a trading update published on 29 August 2014. The FCA is not imposing an additional financial penalty but Tesco has agreed to establish a compensation scheme for those who purchased Tesco shares and bonds on or after 29 August 2014 and still held those securities when the statement was corrected on 22 September 2014. It estimates the cost of this to be approximately £85 million (before interest). It is the first time the FCA has used its section 384 powers to compensate losses, rather than fine, which will be of interest to listed companies considering future self reports.

The total cost to Tesco of the penalty, the compensation scheme and associated costs is estimated to be approximately £235 million.

On 6 March, the Home Secretary, Amber Rudd, announced that remaining in the European Arrest Warrant (EAW) system will be “a priority” in the Brexit negotiations. The following day, Europol’s director, Rob Wainwright, declared that the UK will be heading into “unchartered territory” should it wish to continue to have access to Europol’s shared platforms post Brexit.

Ms Rudd’s statement will cause some controversy. Remaining in the EAW system does not sit with the Government’s determination to extract the UK from the influence of the European Court of Justice.

However, as demonstrated in the 2014 Commons debate about the UK’s membership of the EAW system, there are mixed views on it. There is significant unease about there being no opportunity for UK judges to review the evidence underlying the warrant but during the debate in 2014, Theresa May, then Home Secretary, was an advocate of the system and argued that opting out would make the UK “a honeypot for all of Europe’s criminals on the run from justice”. The fact that over 7,000 individuals suspected of serious crimes have been extradited from the UK under the EAW system since 2010 is a strong reason to stay in it.

In contrast, the need to secure the UK’s continued access to the EU’s criminal intelligence network is uncontroversial. The UK is one of the most active users of Europol’s various platforms. How exactly that will be achieved and at what cost is not yet clear. Europol now has agreements with 19 non-EU states, which include access to a communication system and arrangements for the exchange of information. However, new regulations coming into force in May 2017 give the EU significant supervisory power over Europol and prevent it from entering into operational agreements with non-EU states. As a result, a direct agreement between the UK and Europol will not be an option. The alternatives are yet to be fully explored but if the arrangement is similar to those with the non-EU states currently in place, the UK is unlikely to have immediate access to the intelligence network.

These are significant issues and it is important that they are prioritized by the Government for the safety of both Remainers and Brexiteers alike.

The Government agreed with seven recommendations:

• assess the extent of money laundered through the UK and continue to lobbying the UK’s Overseas Territories and Crown Dependencies to apply the same level of transparency and accountability;
• develop a cross-government Anti-Corruption Strategy;
• continue prioritisation of anti-corruption efforts during Brexit negotiations and afterwards;
• apply research into the effectiveness of different anti-corruption methods;
• include foreign parliaments in DFID’s anti-corruption country strategies;
• work with foreign governments to increase protection for whistleblowers; and
• DFID to monitor progress of anti-corruption programmes.

The Government partially agreed with the following four recommendations:

• reappoint the anti-corruption “Champion”;
• further work on the inclusion of developing countries in discussions and decisions on international tax matters;
• develop DFID rolling strategies with a 10 year horizon; and
• DFID’s publication of anti-corruption country strategies.

The Government disagreed with the following proposals:

• lobby the UK’s Overseas Territories and Crown Dependencies to create public beneficial ownership registers; and
• publish country by country reporting of profits and payments to governments by multinationals.

The two areas where the Government declined to follow the Committee’s recommendations appear to reflect a concern that although the UK should be seen as a leader in the fight against anti-corruption, it should not go too far ahead. The Government emphasises that the UK’s Overseas Territories and Crown Dependencies already go further than other jurisdictions as they allow law enforcement to access the information. In respect of the publication of profits and payments to governments by multinationals, the Government expressly states that this should be a multilateral effort.

Currently, in order to establish criminal liability on the part of a corporate body, prosecutors in the UK must show that the individuals involved in the wrongdoing represent the “directing mind” of the company. It has, however, been argued that this high hurdle has prevented the successful prosecution of companies, particularly in the financial sector, and the Government is asking for views on potential alternatives. The proposals under consideration (as set out in a Consultation Paper published with the Call for Evidence) include a ‘vicarious liability’ offence under which the corporate entity could be liable for the acts of its employees irrespective of whether it was complicit in them and a ‘failure to prevent’ approach, so that companies which cannot prove they have taken steps to prevent offences such as fraud, money laundering and false accounting will be held liable. This initiative follows on from The Section 7 Bribery Act ‘failure to prevent’ offence, and the UK Government’s more recent initiatives to consult on a ‘failure to prevent fraud’ offence and the launch of the ‘failure to prevent tax evasion’ offence under the Criminal Finances Bill.

The implications are potentially very significant for corporations as the reverse burden of proof and increased risk of being found liable for the acts of individuals will result in the need to incur further expense on corporate governance. The Call for Evidence will remain open until 24 March 2017 and views can be submitted here. Unsurprisingly, there is a range of opinions on this issue but we will continue to monitor developments in this area as the Government appears committed to strengthening the UK regulatory regime in its efforts to repair trust in businesses and improve corporate accountability.

1. enable the seizure and forfeiture of the proceeds of crime that are stored in the UK, extending the current provisions to include value stored in bank accounts and high-value property, such as precious metals and jewels;
2. enable the sharing of information between regulated companies, helping to ensure that they provide the best possible intelligence for law enforcement agencies to investigate;
3. create new powers to assist investigations, including a power to extend the moratorium period in which Suspicious Activity Reports (SARs) can be investigated (originally 31 days) with extensions of 31 days (with a cap of six extensions equating to 186 additional days) and giving the National Crime Agency new powers to request information from regulated companies; and
4. permit disclosure orders for money laundering investigations, requiring someone suspected of possessing information relevant to an investigation to provide information (bringing disclosure powers in money laundering investigations in line with corruption and fraud investigations).

The introduction of the Bill progresses the legal changes outlined in the UK Government’s Action Plan for Anti-Money Laundering and Counter-Terrorist Finance that was published in April this year and its Response to the Consultation on the Legislative Proposals, published on 13 October 2016. The Bill shows that, despite the change of prime minister and much of the cabinet, the Government remains determined to tackle financial crime.

UWOs would allow the police to apply for an order to require individuals to explain their source of wealth where it exceeds their lawful income. They will be an useful antidote to foreign public officials on low salaries and no other obvious source of legal income who hold valuable UK property, as reported  following the release of the Panama Papers.

Our James Maton was a member of the Transparency International panel that developed a detailed proposal for UWOs (see summary here). We will publish our analysis of the Government’s proposal once it is published.

The Committee, who consulted various stakeholders and experts in the course of its inquiry, highlighted the inadequacy of the key tool for detecting suspicious financial activity across the financial services sector and connected industries as an ongoing and serious issue. The report concluded that the ‘ELMER’ database (which captures Suspicious Activity Reports (SARs) on behalf of the National Crime Agency (NCA)) is overloaded, rendering it “completely ineffective”. This is perhaps unsurprising if the NCA report to the Committee, that ELMER was currently processing 381,882 SARs, despite having been designed originally to cope with just 20,000, is correct.

However, the Committee concluded that more is needed than simply an upgrade of the SAR processing database highlighting the regret expressed by many of those providing evidence that the recovery of criminal assets was often only an afterthought after a conviction. The report also highlighted an inconsistent and seemingly unenthusiastic approach to the recovery of the proceeds of crime at both prosecutor and court level and confirmed its agreement with the National Audit Office that the Asset Recovery Incentivisation Scheme (ARIS) was flawed and unfit for purpose.

In addition, as Mr Vaz emphasised: “Investment in London properties is a major route which tarnishes the image of the capital. Supervision of the property market is totally inadequate, and poor enforcement has laid out a welcome mat for launderers and organised criminals”[2] and yet, of the 1.2 million property transactions in the UK last year, only 355 suspicious activity reports were actually generated. According to Transparency International, who were themselves consulted in the preparation of the report, 36,342 properties in London are held by ‘offshore’ companies and that, while in many cases there may be nothing untoward in that, 75% of properties owned by people under criminal investigation for corruption are held through secret offshore companies[3].

The Committee called for much tougher oversight of the market, including stronger supervision of agents, buyers and sellers and for full responsibility for tackling money laundering, which is currently fragmented between different authorities, to be handed to the NCA. The Committee also proposed various other specific measures to be taken to address the issues it highlighted in general including:

• The freezing of assets simultaneously with criminals becoming aware of the investigation against them for the first time – often at the time of arrest.
• Initial and ongoing financial investigative training to be given to police officers.
• An overhaul of ARIS.
• The replacement of ELMER with a robust system for handling SARs by 31 December 2016.
• The creation of a specialist ‘confiscation court’ designed to hear complex cases featuring cross-border financial transactions, use of corporate vehicles or very high value proceeds to combat the current lack of interest and expertise in confiscation orders among prosecutors and judges.

The report comes just a couple of months after the Government published its new anti-money laundering Action Plan[4] and the new Prime Minister, then Home Secretary, emphasised the importance of sending a clear message that such behaviour will not be tolerated and announced that the Home Office was reviewing its anti-money laundering rules. She also announced that it was considering a number of new policies, including “unexplained wealth orders (UWO), requiring those suspected of money laundering to declare their wealth”, as well as tougher powers for the NCA[5]. However, the report also comes at a time of distinct uncertainty following the Brexit referendum which, with a weakened pound and cuts to law enforcement budgets that have been reported to have increased the attractiveness of London to those who wish to launder their money through property, should make the Government’s response to the report of even greater significance.

[1] http://www.parliament.uk/business/committees/committees-a-z/commons-select/home-affairs-committee/news-parliament-2015/proceeds-of-crime-report-published-16-17/

[2] http://www.parliament.uk/business/committees/committees-a-z/commons-select/home-affairs-committee/news-parliament-2015/proceeds-of-crime-report-published-16-17/

[3] http://www.transparency.org.uk/publications/corruption-on-your-doorstep/

[4] https://www.gov.uk/government/publications/action-plan-for-anti-money-laundering-and-counter-terrorist-finance

[5] https://www.gov.uk/government/news/biggest-reforms-to-money-laundering-regime-in-over-a-decade