In brief

President Joe Biden’s omnibus spending package included three pieces of new antitrust legislation: (1) the Merger Filing Fee Modernization Act; (2) the State Antitrust Enforcement Venue Act; and (3) the Foreign Merger Subsidy Disclosure Act.

In depth

1) Merger Filing Fee Modernization Act
The Merger Filing Fee Modernization Act will alter filing fees for transactions requiring antitrust review under the Hart-Scott-Rodino Act (“HSR Act”).  The HSR Act requires merging parties to provide notice to the Federal Trade Commission (“FTC”) and Department of Justice (“DOJ”) prior to closing certain transactions, generally those that have a nexus to the US and a transaction value over a minimum size, currently USD 101 million.
The new fee structure will reduce filing fees for smaller transactions, while significantly increasing fees for the largest ones.  At least in part, the new structure is intended to increase funding for the FTC and DOJ.  Senator Amy Klobuchar (D-MN), a supporter of the legislation, remarked: “We cannot expect our antitrust enforcers to take on the most powerful companies the world has ever known with duct tape and Band-Aids.  By restructuring outdated merger filing fees, our bipartisan legislation will enable Congress to get much-needed resources to our antitrust enforcers so they can protect competition.”

The Merger Filing Fee Modernization Act replaces the current three-tiered graduated fee schedule with the following six tiers—that have higher fees corresponding to increasing transaction values:

Transaction Value New HSR Filing Fee Current Filing Fee
Over USD 101 million but under USD 161.5 million $30,000 $45,000
Over USD 161.5 million but under USD 500 million $100,000 $45,000 – $125,000
Over USD 500 million but under USD 1 billion $250,000 $125,000
Over USD 1 billion but under USD 2 billion $400,000 $125,000 – $280,000
Over USD 2 billion but under USD 5 billion $800,000 $280,000
USD 5 billion or more $2,250,000 $280,000

The Merger Filing Fee Modernization Act’s impact will vary depending on the value of the transaction.  For many transactions, particularly those valued under USD 1 billion, the impact will be relatively small, and filing fees may be lower than they would be under the current schedule.
For larger transactions, however, filing fees will increase significantly, almost as much as ten-fold for transactions valued over USD 5 billion.  While the acquiring party still remains responsible for payment of the applicable filing fee by statute, these increased fees likely will result in more attention and negotiation around the antitrust risk-shifting provisions in transaction agreements.  In particular, the new fee burden may make fee-sharing agreements more prevalent for large transactions.  Moreover, the higher filing fees may dissuade parties from submitting notifications on the basis of anything short of a definitive agreement.
Notably, the filing fee amounts will be adjusted annually along with the transaction value thresholds, which typically happens in February or March.  The new fee structure will take effect in 2023, after the FTC’s Premerger Notification Office, which administers the HSR Act, posts the updated filing fees and the related changes to reporting and payment requirements. The specific implementation date is not yet available.
2) State Antitrust Enforcement Venue Act
The State Antitrust Enforcement Venue Act will prevent defendants from transferring parallel antitrust claims brought by state attorneys general into a single district.  Under current law, when state Attorneys General (“AGs”) bring antitrust claims in federal district courts in their home states related to similar conduct, defendants may request that the Judicial Panel on Multidistrict Litigation (“JPML”) transfer these claims into a single federal district court for common pre-trial proceedings. Under the new law, defendants would not be able to request JPML transfer of state AG antitrust claims, and thus may need to litigate related state AG cases separately in each state AG’s chosen venue.
The State Antitrust Enforcement Venue Act will make litigation more complex and costly for large companies defending antitrust litigation brought separately by multiple state AGs.  Specifically, companies will need to closely coordinate litigation teams across numerous states on varying procedural timelines.
Beyond the burden and expense of managing multiple duplicative lawsuits in different courts, the legislation also increases the risk of inconsistent rulings by separate district courts on similar issues in related cases.   
3) Foreign Merger Subsidy Disclosure Act
The Foreign Merger Subsidy Disclosure Act will require companies filing pre-merger notifications that have any subsidies from a “foreign entity of concern” to include notification of those subsidies in the filing.  “Foreign entity of concern” is defined under 42 USC. 18741(a), and includes China, Iran, North Korea, and Russia as well as other entities, or specific persons.
The Foreign Merger Subsidy Disclosure Act will require antitrust advisors to perform additional diligence when filing merger notifications.  Counsel will need to confirm whether any foreign entity has subsidized the proposed transaction and if so, whether the entity is of concern within the meaning of 42 USC. 18741(a).  This likely will require consultation with trade or sanctions experts to ensure proper identification of any entities that may require disclosure.

The post United States: Biden signs omnibus spending package with Antitrust Law changes appeared first on Global Compliance News.


In brief

Many digital advertising arrangements that companies commonly use may qualify as “selling” or “sharing for cross context behavioral advertising” personal information under the California Consumer Privacy Act (CCPA) in California and laws in a few other US states (NevadaVirginiaColorado, Connecticut, Utah). Businesses state in their online privacy disclosures whether they sold or shared personal information in the last 12 months and whether they will sell or share personal information. Businesses that “sell” or “share” personal information, or use or disclose consumers’ sensitive personal information for non-exempt purposes have to treat user-enabled global privacy controls as a valid opt-out request.1 Internet users can configure their software and devices to send such signals automatically to all websites with a browser plug-in or privacy setting or device setting. Website operators have to implement steps on their end to recognize “global privacy controls” and other signals and satisfy requirements pertaining to opt outs.

The required steps for recognizing global privacy controls under the CCPA are in flux as the California Privacy Protection Agency is finalizing its regulations (and it remains uncertain if the steps will be the same in Colorado, see 21 December 2022 version of the proposed Colorado Privacy Act Rules here). Meanwhile, businesses that sell, share, or use or disclose outside of permitted purposes, have to comply with the requirements set forth in the current version of the CCPA regulations concerning the “selling” of personal information.

Compliance with currently operative law and regulations

According to the statutory wording of the CCPA, businesses may elect to either provide opt out links on their webpages or recognize opt-out preference signals.2 Nevertheless, under the currently operative regulations, businesses do not enjoy this choice: If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls as a valid opt-out of sales of their personal information for that browser or device, or, if known, the consumer.3 If companies are charged with a violation of the regulations, they may challenge this inconsistency between the statute and regulations in court.

In responding to a request to opt-out, a business may present the consumer with the choice to opt-out of sale for certain uses of personal information as long as a global option to opt-out of the sale of all personal information is more prominently presented than the other choices according to the current regulations.4 For consumers who exercise their right to opt-out of the sale or sharing of their personal information or limit the use or disclosure of their sensitive personal information, a business shall refrain from selling or sharing the consumer’s personal information or using or disclosing the consumer’s sensitive personal information and wait for at least 12 months before requesting that the consumer authorize the sale or sharing of the consumer’s personal information or the use and disclosure of the consumer’s sensitive personal information for additional purposes, or as authorized by regulations.5 That requires businesses to track opt-outs communicated via user enabled privacy controls across the business.

Draft new regulations

The CCPA provides that the California Privacy Protection Agency shall adopt regulations to further the purpose of the CCPA, including issuing regulations for opt-out preference signals.6 Any requirements and specifications defined by the agency should, among other things, state that in the case of a page or setting view that the consumer accesses to set the opt-out preference signal, the consumer should see up to three choices, including:

  1. Global opt out from sale and sharing of personal information, including a direction to limit the use of sensitive personal information.
  2. Choice to “Limit the Use of My Sensitive Personal Information.”
  3. Choice titled “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.”7

The 2 November 2022 version of the draft regulations includes further requirements related to user enabled privacy controls, and it is again asserted that businesses must honor opt-out signals. While complying with the currently operative law and regulations, business should also consider the following obligations under the new draft regulations:

All opt-out preference signals satisfying certain technical requirements shall be processed. The signal shall be in a format commonly used and recognized by businesses. An example would be an HTTP header field or JavaScript object. 

A valid opt-out preference signal shall be treated as a request to opt-out for a browser or device, any associated consumer profile including pseudonymous profiles, and, if known, the consumer. If a consumer uses a browser with an opt-out preference signal enabled, but is not otherwise logged into her account with the business and the business can’t otherwise associate her browser with a consumer profile the business maintains, the business shall stop selling and sharing personal information linked to her browser identifier for cross context behavioral advertising, but it would not be able to apply the request to opt-out of the sale/sharing of her account information because the connection between her browser and her account is not known to the business. Conversely, if she is logged in to an account with the business, the business shall honor the opt-out request also with respect to her account and any offline sale or sharing of personal information. 

Recognizing opt-out preference signals is in all cases mandatory. Per the draft new regulations, California Civil Code section 1798.135, subdivisions (b)(1) and (3), provides a business the choice between (1) processing opt-out preference signals and providing the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links or the Alternative Opt-out Link; or (2) processing opt-out preference signals in a frictionless manner in accordance with the regulations and not having to provide the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links or the Alternative Opt-out Link. Per the draft new regulations, it does not give a business the choice between posting the above-referenced links or honoring opt-out preference signals. Even if a business posts the above-referenced links, the business must still process opt-out preference signals, though it may do so in a “non-frictionless” manner.

Businesses that process opt-out preference signals in a frictionless manner, include particular information in their privacy policy, and are able through the signal to fully effectuate a consumer’s request to opt out are not required to also post a “Do Not Sell or Share My Personal Information” link. Processing an opt-out preference signal in a frictionless manner means that the business:

  • Shall not (1) charge a fee or require any valuable consideration if the consumer uses an opt-out preference signal, (2) change the consumer’s experience with the product or service offered by the business, or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal (but displaying if a consumer has opted out is ok)
  • Shall include in its privacy policy (1) a description of the consumer’s right to opt-out of the sale or sharing of their personal information by the business, (2) a statement that the business processes opt-out preference signals in a frictionless manner, (3) information on how consumers can implement opt-out preference signals in a frictionless manner, and (4) instructions for any other method by which the consumer may submit a request to opt-out of sale/sharing
  • Shall allow the opt-out preference signal to fully effectuate the consumer’s request to opt-out of sale/sharing

A business that sells consumers’ personal information acquired from third parties or offline to marketing partners may not be able to fully effectuate an opt-out request through an opt-out preference signal. The user-enabled signal would be associated only with a consumer’s browser or device. The business would not typically know whether it acquires and sells other information about the same consumer, unless the business only sells personal information that it acquires online from the particular consumer. This could be the case for businesses whose only “selling” activities pertain to online digital advertising. Even these businesses may not recognize a consumer who uses their sites with different browsers and devices and enables opt-out signals only on some of them. Most businesses could not apply opt-out requests received via user-enabled browser or device signals to selling or sharing of information they acquired offline or from third parties without additional information on the consumer and the consumer’s various browsers and devices. Consumers could provide some of this information by logging into an account, but they cannot be required to do so and few probably would voluntarily provide all information a business would need to identify the consumer across devices, browsers and information acquired offline and from third parties.

Nonetheless, according to the draft new regulations, a business that only sells and shares personal information online for cross-context behavioral advertising purposes may satisfy the requirements for not posting the “Do Not Sell or Share My Personal Information” link.8 Such a business gives the consumer using an opt-out preference signal on all devices and browsers an option to fully effectuate their right to opt-out of the sale of sharing of their personal information with user-enabled preference signals.

Industry Concerns

Views on user enabled privacy controls among privacy professionals and industry stakeholders vary. Some flag that the term global privacy control is misleading consumers about what happens when they enable privacy controls.9 Businesses will be required to recognize or treat signals in different ways across US states, because definitions and opt-out rights vary, rendering operationalizing the response process even more burdensome.


Businesses that do not take steps to recognize user-enabled opt-out signals have to stop disclosing personal information in ways that qualify as “selling” or “sharing” of personal information. One option is to require all vendors to sign contracts that qualify them as service providers under CCPA. But, this option does not allow businesses to work with vendors for cross-context behavioral advertising purposes, because this is not a permitted business purpose for service providers under CCPA.10 Another option is to seek directions to disclose personal information from users, for example, with a pop-up banner, because this will also negate “selling” and “sharing” under CCPA.11 In its draft regulations, the California Privacy Protection Agency clarifies that banners seeking affirmative acceptance of web cookies are not suited to meet requirements to enable opt-out requests under CCPA, because cookies concern the collection of personal information and not the sale or sharing of personal information.12 

1. CCPA Regulations §999.315(c) from the Cal. Attorney General and draft CCPA regulations 7026(a)(1) of the draft CCPA regulations from the California Privacy Protection Agency.

2. Per Cal. Civ. Code §1798.135(b)(3), “a business that complies with subdivision (a) is not required to comply with subdivision (b). For the purposes of clarity, a business may elect to comply with subdivision (a) or subdivision (b)”. The reference to “subdivisions (a) or (b)” seem intended to refer to §1798.135(a) or §1798.135(b)

3. CCPA Regulations §999.315(c). And the draft CCPA regulations specify in §7025 that recognizing opt-out preference signals is in all cases mandatory.

4. CCPA Regulations §999.315(d).

5. Cal. Civ. Code §1798.135(c)(4).

6. Cal. Civ. Code §1798.185 (a) (19), and §1798.199.40(b).

7. Cal. Civ. Code §1798.185 (a) (19) (A). This mandated choice language is different from the language mandated to be included on opt-out links provided by a business of “Do Not Sell or Share My Personal Information” per Cal. Civ. Code §1798.135(a)(1).

8. §7027(g)(3)(B) of draft regulations.

9. See, for example, When a “Global Privacy Control”​ really isn’t.

10. According to Cal. Civ. Code §1798.140 (ad) and (ah), disclosures of personal information to third parties qualify as “selling” or “sharing” unless certain limited exceptions apply. Under Cal. Civ. Code §1798.140(ai)(2), a service provider is not a third party. Under Cal. Civ. Code §1798.140(ag)(1), companies must use personal information only for business purposes recognized by CCPA to qualify as a “service provider” and avoid qualifying as a “third party.” Under Cal. Civ. Code §1798.140(3)(6), cross-context behavioral advertising is not a “business purpose.” Therefore, companies that receive personal information for purposes of cross-context behavioral advertising are not recognized as “service providers” and the businesses that provide personal information to them are typically considered to be “selling” and “sharing” personal information.

11. According to Cal. Civ. Code §1798.140 (ad)(2)(A)(i) and (ah)(2)(A).

12. Draft regulations §7026(a)(4) and 7027(b)(4).

The post United States: User-enabled privacy controls under CCPA regulations appeared first on Global Compliance News.


On December 16, 2022, the US Department of State’s Directorate of Defense Trade Controls (“DDTC”) issued a proposed rule that would treat two additional types of transactions as activities that are not exports, reexports, retransfers, or temporary imports (“controlled events”) (and, thus, not require authorization) under the International Traffic in Arms Regulations (“ITAR”).  The two additional activities that would not constitute controlled events are:

  • Taking defense articles outside a previously approved country by the armed forces of a foreign government or United Nations personnel on a deployment or training exercise, provided (i) the defense article is transported by and remains in the possession of the armed forces of a foreign government or United Nations personnel, and (ii) there is no change in end-use or end-user with respect to the subject defense article; and
  • Further reexports or retransfers of foreign defense articles that were previously imported into the United States and then subsequently exported from the United States pursuant to an ITAR license or other approval, provided (i) the foreign defense article was not modified, enhanced, upgraded, or otherwise altered or improved in a manner that changed the basic performance of the article prior to its return to the country from which it was imported or a third country, and (ii) a US-origin defense article was not incorporated into the foreign defense article.

DDTC stated in the proposed rule that while not previously specified in the ITAR, its long-standing policy is that these two activities are not controlled events.  DDTC is accepting comments on the proposed rule until February 14, 2023 here.

The post United States: DDTC issues proposed rule expanding scope of activities that are not controlled events appeared first on Global Compliance News.


In brief

US agencies such as the SEC, the CFTC and the FTC have extensive enforcement powers to seek significant financial penalties and limit or otherwise affect conduct through court injunctions or administrative orders. Companies and executives under investigation and threatened with enforcement actions by these agencies often choose to settle rather than litigate. Historically, from as cost-benefit analysis, settlement is preferable to the cost of litigation and the long term risks of extensive fights with agencies that would continue to be their regulators.

But it is worth revisiting litigating against the government in light of recent developments. The SEC and other civil agencies are seeking more draconian financial penalties and limitation on important business activities that may affect the cost benefit calculus such that settlement may not be the right choice. Further, defendants may now be on more equal footing in litigating against the government. Recent 5th Cir. decision ruled as unconstitutional SEC administrative proceedings, typically viewed as giving the government home court advantage. Now the SEC bring their litigated cases almost entirely before federal district court, with defendants’ right to jury and other benefits.

In this video, Peter Chan and Jeffrey Martino discuss the current landscape and considerations around litigating against the government. 

The post United States: Litigating against the Government appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled OFAC Designates Major Russian Financial Institutions and Issues New and Amended Russia-Related General Licenses; New FAQs on 20 December 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: OFAC designates major Russian financial institutions, issues new and amended Russia-related General Licenses; new FAQs appeared first on Global Compliance News.


Tax News and Developments December 2022

In brief

On 8 December 2022, the United States and Croatia signed their first convention for the avoidance of double taxation and the prevention of tax evasion with respect to taxes on income (“Treaty”). With this development, Croatia becomes the latest, and the only remaining, European Union (“EU”) member state to sign its first tax convention with the US. 


  2. The Treaty in More Detail
  3. Next Steps


The execution of a Treaty by the United States and Croatia is an important and welcome development which will affect many individuals, multi-national companies (e.g., Croatian IT businesses), particularly those providing services in the United States. The Treaty will enter into force after both contracting parties have approved it in accordance with their internal legislative procedures (i.e., after the United States Senate gives its advice and consent and after it is ratified in the Croatian Parliament). 

The Treaty in More Detail


In general, the Treaty reduces rather than eliminates withholding taxes on dividends. The Treaty rate is capped at 15%, unless the beneficial owner of the dividends is a company which has held a direct interest of at least 10% of the aggregate vote and value of the company paying the dividends for the twelve-month period ending on the date on which the entitlement to the dividends is determined, in which case the maximum rate under the Treaty is reduced to 5%.

Dividends paid to pension funds (and/or voluntary pension insurance schemes based on individual capitalized savings in Croatia) qualify for a full exemption from source country dividend withholding tax, provided they are not derived from the carrying on of a trade or business by the pension fund in the other contracting state.


In general, the Treaty eliminates withholding taxes on interest payments. However, withholding tax on interest payments are capped at 15% rather than eliminated for:

  • interest arising in Croatia that is determined with reference to receipts, sales, income, profits or other cash flow of the debtor, to any change in the value of any property of the debtor or to any dividend, partnership distribution or similar payment made by the debtor 
  • interest arising in the United States that is contingent interest of a type that does not qualify as portfolio interest under the law of the United States.

A special 10% interest rate is provided for companies that are a resident of a contracting state and function as a headquarter for a multinational corporate group consisting of the headquarter company and its direct and indirect subsidiaries. 


The Treaty limits the withholding tax rate on royalties to 5%. 


The United States reserved in the Treaty the right to impose the so-called “BEAT” tax under US Internal Revenue Code section 59A (“Tax on Base Erosion Payments of Taxpayers with Substantial Gross Receipts”) on the profits of a company resident of Croatia that are attributable to a US permanent establishment or on US companies. 

Limitation on Benefits

The Treaty is based on the 2016 US model tax convention and contains a complex limitation on benefits clause that is now standard in recently negotiated treaties with EU member states.  The application of the Treaty is generally limited to “qualified persons” as defined in Article 22 of the Treaty. Generally, companies whose principal class of shares are regularly traded on a recognized stock exchange and whose primary place of management and control is in the contracting state of which it is a resident will qualify for the treaty benefits. Their 50% subsidiaries will also qualify. Companies which are not “qualified persons” may still be entitled to benefits of the Treaty if they are at least 95% owned by seven or fewer persons that are equivalent beneficiaries that, among other criteria, are defined as resident of any state entitled to all the benefits of a comprehensive tax treaty between such state and the United States, respectively Croatia, from which Treaty benefits are sought. In contrast, some other treaties define the term equivalent beneficiary in reference to a resident of a member state of the European Union or of a European Economic Area state or a party to the North American Free Trade Agreement, as provided for in some other treaties such as in the case of the US income tax treaties with Malta or Bulgaria). 

Next Steps

The United States and Croatia will be bound by the Treaty once the Treaty is approved in accordance with the national legislation of each contracting party. Under the Croatian Constitution, tax treaties need a simple majority approval by the Croatian Parliament to become binding. It is expected that the Croatian Parliament will vote on the Treaty in early 2023. In contrast, the timeline in the United States is not known yet and the ratification could potentially be delayed for a few years based on pending and recently approved treaties. For example, the tax treaties with Hungary (signed in 2010) and Poland (signed in 2013) are still pending ratification in the US Senate, most recently due to BEAT reservation concerns mentioned above. Under the United States Constitution, tax treaties require the advice and consent of the US Senate, with a two-thirds majority vote of approval.

In the meantime, owners and businesses with investments or links in both the United States and Croatia should consider opportunities and efficiencies resulting from the certainty of the tax rules following the expected entry into force of the Treaty.

The post United States and Croatia sign their first income tax treaty appeared first on Global Compliance News.


Tax News and Developments December 2022

In brief

On 26 September 2022, the US Court of Appeals for the Eleventh Circuit, issued an opinion in United States v. Meyer, 50 F.4th 23 (11th Cir. 2022), holding that the Anti-Injunction Act (“AIA”), codified in Code Section 7421, did not bar a defendant taxpayer from seeking a protective order in a closed suit to restrain the government from using his admissions when assessing a tax penalty in a separate administrative proceeding. In reversing the district court, the Eleventh Circuit determined that a protective order was not a suit for purposes of the AIA, and limited the IRS’s ability to use the AIA to override procedural protections that taxpayers would otherwise have in a non-tax proceeding.  

In more detail

A taxpayer is generally barred from bringing a “suit” that enjoins IRS assessment or collection activities. See §7421. The purpose of the AIA is to protect “the Government’s ability to collect a consistent stream of revenue, by barring litigation to enjoin or otherwise obstruct the collection of taxes.” Nat’l Fed’n of Indep. Bus. v. Sebelius, 567 U.S. 519, 543, 132 S. Ct. 2566, 183 L. Ed. 2d 450 (2012). Recently, the Supreme Court clarified the contours of the AIA in CIC Servs., LLC v. IRS, 141 S. Ct. 1582 (2021) in determining whether a material advisor could challenge the lawfulness of IRS Notice 2016-66 (the “Notice”), which set forth a reporting obligation for micro-captive insurance transactions. In a unanimous decision, the US Supreme Court held that the AIA did not bar taxpayer’s suit challenging the Notice because that taxpayer’s suit was not an action against the tax penalty itself for at least three reasons: (1) the Notice imposed affirmative reporting obligations, which created non-tax administrative burdens separate from the potential tax penalty; (2) the reporting obligation was several steps removed from the tax penalty; and (3) violations of the Notice resulted in not only civil tax penalties, but also criminal punishment, which “practically necessitate[d] a pre-enforcement, rather than a refund, suit.” Id. at 1592. 

In United States v. Meyer, 50 F.4th 23 (11th Cir. 2022), the government again advocated for a broad reading of the AIA.  Meyer was a defendant in a lawsuit that the Department of Justice initiated in 2018 to enjoin Meyer from advising his clients to claim more than USD 35 million in federal income tax deductions for allegedly fictitious charitable contributions. Over the course of the suit and extensive discovery process, the government served and Meyer responded to over 1,500 requests for admissions. The parties eventually settled the case with Meyer agreeing to a permanent injunction, and the US District Court for the Southern District of Florida entered a final judgment in April 2019.  

The IRS subsequently opened a penalty exam, and in July 2020 sent a notice to Meyer proposing an assessment of nearly USD 7.1 million in section 6700 penalties for advising on an abusive tax shelter. The basis for the IRS’s decision specifically relied on Meyer’s responses to the requests for admissions in the earlier court proceeding.  Meyer objected and filed a motion for a protective order in the then-closed district court case, which requested the court to prohibit the IRS from using his admissions in the penalty exam. United States v. Meyer, No. 18-CV-60704-BLOOM/VALLE, (S.D. Fla. Apr. 2, 2021). 

The government objected to the motion and argued that the AIA barred a defendant taxpayer from moving for a protective order to restrain the government from using admissions in a separate IRS-initiated administrative proceeding. The district court, adopting the report and recommendation of the magistrate judge, found for the government. On appeal, the Eleventh Circuit reversed the district court decision, focusing on the definition of “suit.” Given the absence of a statutory definition of “suit,” the Eleventh Circuit looked to its ordinary meaning, which at the time of the AIA’s enactment had consistently been understood to mean a “judicial proceeding or action initiated for the purpose of enforcing a right or ensuring compliance with the law.” Meyer, 50 F.4th at 28. Further, the court determined that the term “motion” was not synonymous with suit and had long been understood as distinct from suit. Id.  Because the government, and not Meyer, filed the 2018 suit (i.e., the same proceeding in which Meyer subsequently filed the motion for protective order), Meyer’s motion for a protective order was not a suit and, therefore, was not barred by the AIA. Id. at 31.  The Eleventh Circuit distinguished many of the cases that the district court cited as support because in those cases the taxpayer seeking relief had initiated the action against the government. The court also rejected the government’s argument that the Seventh Circuit’s decision in United States v. Dema, 544 F.2d 1373 (7th Cir. 1976), favored barring the motion. In Dema, the Seventh Circuit focused on the spirit and purpose of the AIA as justification for dismissing taxpayer’s motion. However, the Eleventh Circuit declined this purposivist approach in favor of applying the clear statutory text, reasoning that Congress could have but chose not employ broader language.

The decision in Meyer is consistent with a more restrictive understanding of the AIA as advanced by CIC Services. Both cases reflect a departure from the notion that any relief sought by the taxpayer which impacts the IRS’ collection activities, no matter how remote or attenuated the impact, is presumptively invalid under the AIA. Rather they endorse a strict reading of the statutory text of the AIA and more measured case-by-case analysis that focuses on the scope and purpose of relief sought by the taxpayer. 

The post United States: Taxpayer’s motion to enforce discovery rules does not run afoul of the Anti-Injunction Act appeared first on Global Compliance News.


Tax Notes and Developments December 2022

In brief

In its press release published on 26 October 2022, The Financial Crimes and Enforcement Network (“FinCEN”) announced that its Acting Director renewed and expanded its Geographic Targeting Orders (GTOs) beginning on 27 October 2022 and ending on 24 April 2023 (with certain exceptions). 


  1. Background​​​​​​
  2. Summary of the FinCEN Renewed and Expanded Real Estate Geographic Targeting Orders  
  3. Takeaways


Under the GTOs, US title insurance companies are required to collect and report information about the persons involved in certain residential real estate transactions. The novelty is that the geographic coverage of the GTOs now also includes the counties encompassing the Texas cities of Houston and Laredo, which were not previously on the list. The threshold relating to the real estate purchase price did not change from the previous period and it remains USD 300,000 for each listed county, except for the City and County of Baltimore, where the applicable threshold is USD 50,000.

Summary of the FinCEN Renewed and Expanded Real Estate Geographic Targeting Orders  

Covered Business, Covered Transaction. Under the Geographic Targeting Order, the US title insurance companies are obliged to collect and report information about the persons involved in certain “Covered Transactions.” A “Covered Transaction” is defined as a transaction in which: (i) residential real property is purchased by a legal entity; (ii) the purchase price of the residential real property is in the amount of USD 50,000 or more (in the City or County of Baltimore in Maryland), or in the amount of USD 300,000 or more (in Boston; Chicago; Dallas-Fort Worth; Las Vegas; Los Angeles; Miami; New York City; San Antonio; San Diego; San Francisco; Seattle, the District of Columbia, Northern Virginia; the County of Fairfield, Connecticut, and the Hawaiian islands of Honolulu, Maui, Hawaii, and Kauai); (iii) purchase is made without a bank loan or other similar form of external financing; and (iv) the purchase is made, at least in part, using currency or a cashier’s check, a certified check, a traveler’s check, a personal check, a business check, a money order in any form, a funds transfer, or virtual currency.  

Scope of Reporting Obligation. The US title insurance companies are obliged to report the Covered Transactions by filing a FinCEN Currency Transaction Report, within 30 days of the closing of the Covered Transaction, through the Bank Secrecy Act (BSA) E-Filing system. Information that needs to be reported includes the identity of the individual primarily responsible for representing the legal entity, information about the identity of the legal entity, and information about the identity of the beneficial owners. The US title insurance company must obtain and record a copy the driver’s license, passport, or other similar identifying documentation. Further, the address of real property, the date of closing and the total purchase price of the real property, together with the method of payment, are the essential elements that need to be reported.  

Definition of Beneficial Owner and Legal Entity. Under the Geographic Targeting Order (GTO), the Beneficial Owner means an individual who, directly or indirectly, owns 25% or more of the equity interests of the Legal Entity purchasing real property in the Covered Transaction. The Legal Entity means a corporation, limited liability company, partnership or other similar business entity, whether formed under the laws of a state, or of the United States, or a foreign jurisdiction, other than a business whose common stock or analogous equity interests are listed on a securities exchange regulated by the Securities Exchange Commission (SEC) or a self-regulatory organization registered with the SEC, or an entity solely owned by such a business.  

Definition of Residential Real Property. Although the GTO does not stipulate the definition of residential real property, the Frequently Asked Questions document clarifies that the definition means real property (including individual units of condominiums and cooperatives) designed principally for the occupancy of from one to four families.  

Exceptions to Reporting Obligations. The US title insurance companies are obliged to take reasonable steps to determine whether any part of the purchase price was made using the specified method of payment. There are no de minimis exceptions regarding the methods of payment.  

Reporting Deadline. The US title insurance companies are obliged to file a FinCEN Currency Transaction Report within 30 days of the closing of the transaction.   

Retention of Records. The US title insurance companies are obliged to retain all records relating to compliance with the GTO for a period of five years from the last day that the GTO is effective (including any renewals of the GTO), and make those records available to FinCEN upon request.  

Potential Penalties for Noncompliance. The US title insurance companies, and any of their officers, directors, employees, and agents, may be liable for civil or criminal penalties for violating any of the terms of the GTO. 


FinCEN renewed its GTOs requiring US title insurance companies to identify the individuals behind shell companies used in various non-financed residential real estate purchases. Reporting applies to properties with a purchase price of USD 300,000 or more in certain counties enlisted in the GTO. The transaction is reportable if the purchase is made by a legal entity, without a bank loan or similar external financing, and using (at least in part) currency or a cashier’s check, a certified check, a traveler’s check, a personal check, a business check, a money order, a funds transfer, or virtual currency. The reporting needs to be done within 30 days of closing by the US title insurance company. 

The post United States: Updates on the FinCEN Renewed and Expanded Real Estate Geographic Targeting Orders appeared first on Global Compliance News.


On December 5, 2022, the US Department of State’s Directorate of Defense Trade Controls (“DDTC”) issued the International Traffic in Arms Regulations (“ITAR”) Compliance Program Guidelines (“ITAR Guidelines”).  The ITAR Guidelines set out DDTC’s expectations for an effective ITAR Compliance Program (“ICP”) and an introduction to controls contained in the Arms Export Control Act and ITAR.  More specifically, the ITAR Guidelines outline key elements of an effective ICP, and identify suggestions, common compliance pitfalls, and/or tips for best practices related to those key elements.  The ITAR Guidelines are similar to compliance program guidelines issued by other federal agencies, in particular, “A Framework for OFAC Compliance Commitments” issued by the US Department of the Treasury’s Office of Foreign Assets Controls (“OFAC”) (see our blog here) and the “Export Compliance Guidelines” issued by the US Department of Commerce’s Bureau of Industry and Security (“BIS”) (available here).  While the broad elements of the ITAR Guidelines should be familiar to seasoned compliance practitioners, and are generally consistent with expectations of OFAC and BIS in their respective compliance program guidelines, any organization participating in ITAR-controlled activities should review the ITAR Guidelines in detail and develop an action plan to address any gaps identified in its ITAR compliance program.

Below we provide a summary of the eight critical elements of an effective ICP as outlined in the ITAR Guidelines:

  • Element 1: Management Commitment

The ITAR Guidelines state that management commitment is essential for “fostering a proactive compliance posture” and internal culture of compliance.  Management commitment is necessary for generating support, designing clear policies and procedures with sufficient resources, and organizing compliance functions appropriately within the organization’s structure.  Additionally, the ITAR Guidelines suggest an Export Compliance Management Commitment Statement signed by the Chief Executive Officer, President, or other senior executives to underscore the organization’s commitment to ITAR compliance.

  • Element 2: DDTC Registration, Jurisdiction and Classification, Authorizations & Other ITAR Activities

In Element 2, the ITAR Guidelines provide substantive summary guidance related to: (a) the DDTC registration requirement under the ITAR; (b) jurisdiction and classification, including considerations related to submitting a commodity jurisdiction request; (c) authorizations, including the types of licenses, agreements and other approvals available under the ITAR; and other (d) ITAR-controlled activities, including restricted party screening, brokering, political contributions, fees, and commissions, and cybersecurity and encryption.  DDTC provides “suggestions” for each category to reduce risks of common ITAR violations, which are helpful to further understand DDTC’s compliance program expectations.  For example, regarding cybersecurity and encryption, the ITAR Guidelines state that DDTC “expects organizations to take steps to protect their technical data from cyber intrusions and theft and consider carefully what cyber security solutions work most effectively for them.”  Although the ITAR do not explicitly require organizations to implement specific cyber security or encryption measures, DDTC underscores that information/technical data controlled under the ITAR often needs to meet requirements of other federal agencies and programs (e.g., the Department of Defense Controlled Unclassified Information program or the National Institute of Standards and Technology standards).  

  • Element 3: Recordkeeping

Pursuant to 22 CFR Part 130, the ITAR require parties to maintain certain records regarding: (a) the manufacture, acquisition, and disposition of defense articles and technical data; (b) the provision of defense services; (c) brokering activities; and (d) information on political contributions, fees, and commissions.  To satisfy the recordkeeping requirements, the ITAR Guidelines suggest establishing recordkeeping roles and responsibilities with written policies and procedures.  For organizations that possess technical data, the ITAR Guidelines also suggest creating a Technology Control Plan with policies and procedures for protecting technical data and prevent unauthorized transfers.  

  • Element 4: Detecting, Reporting, and Disclosing Violations

The ITAR Guidelines suggest that organizations adopt policies and procedures to: (a) detect and report suspected ITAR violations early; (b) investigate and implement corrective actions; (c) properly submit voluntary disclosures to DDTC; and (d) communicate potential consequences of ITAR violations to employees.  DDTC reminds the trade community that early detection, reporting, and corrective actions may help minimize the organization’s legal exposure and harm to US national security.

  • Element 5: ITAR Training

The ITAR Guidelines recommend tiered ITAR training based on employee function.  The ITAR training program should be: (a) tailored to address the organization’s specific compliance risks; (b) dynamic and reviewed periodically for updates and revisions; and (c) adequately resourced with knowledgeable and experienced compliance instructors.  Additionally, the four-tiered model suggests increasingly detailed and comprehensive training spanning (1) all personnel, (2) senior management, (3) positions with export functions, and (4) the export compliance team.  Providing uniform training to all company personnel will likely not meet DDTC’s compliance program expectations related to ITAR training.  DDTC recommends that organizations include ITAR training within performance reviews to better ensure employee accountability.

  • Element 6: Risk Assessment

The ITAR Guidelines suggest implementing risk-based risk assessments to address common ITAR risk areas.  Risk assessments should be: (a) tailored to the organization’s ITAR-controlled activities; (b) regularly updated for changes in business or risk factors (e.g., exporting to a new geographic area, opening a new foreign office); (c) frequently conducted based on specific circumstances; and (d) prioritized based on likelihood and severity of violations.  Lastly, DDTC lists some common ITAR risk areas, including jurisdiction and classification, foreign person employees or visitors, international travel, and inventory management.

  • Element 7: Audits and Compliance Monitoring

The ITAR Guidelines recommend performing comprehensive, independent, and objective audits regularly to monitor ICP effectiveness.  Audits should consist of: (a) interviews with relevant functional area personnel, compliance team members, and senior management; (b) document collection and review; (c) IT systems access; and (d) site visits, as appropriate.  Based on the periodic audits, organizations should regularly review and revise their ICPs, as necessary.  Additionally, DDTC provides a sample audit checklist to guide auditors and supplement interview questions for employees within ten functional areas, including management, trade compliance, technical roles, and information technology, among others.

  • Element 8: ITAR Compliance Manual

Lastly, the ITAR Guidelines recommend developing an ITAR Compliance Manual (“ICM”) to provide all employees with a “written, authoritative source” of the organization’s ITAR compliance policies and procedures.  ICMs should be well-organized, user-friendly, and clearly define consistent responsibilities and expectations for employees regarding ITAR compliance.  Organizations should periodically review ICMs for changes in (a) ITAR or DDTC guidance, (b) best practices, lessons learned, and “close calls,” (c) vulnerabilities identified in audits, and (d) organizational risk factor changes.

*          *          *

DDTC cautions that the scope of ITAR activity varies substantially among different organizations, and thus, the ICPs should be tailored to address each organization’s ITAR-controlled activities, risk factors, and size.  Additionally, organizations engaged in ITAR-controlled activities should ensure their compliance program considers the above ITAR-focused elements within a holistic export and sanctions compliance program.

The authors acknowledge the assistance of Alexandra Kumar with the preparation of this blog post.

The post United States: DDTC Issues ITAR Compliance Program Guidelines appeared first on Global Compliance News.


The Office of Management and Budget offered the first details of agency progress against new cybersecurity metrics on Dec. 14.

The administration graded agencies against each of the five areas — identify, protect, detect, respond and recover — of the cybersecurity framework from the National Institute of Standards and Technology. Each agency received a composite score out of 15 for all but the protect category, which OMB based the score out of 40.

Chris DeRusha, the federal chief information security officer, said the goal for the fiscal 2022 Federal Information Security Management Act (FISMA) metrics was two-fold.

“It was important to align to what the inspectors general are using for their assessments. It just standardized around that,” DeRusha said in an exclusive interview with Federal News Network. “Second, all of the FISMA metrics that we put in 2022 are things that we want to be driving as a priority. Either things that agencies have been working on for a while or performance or institutional capabilities or things that came from [the cyber executive order from May 2021]. We’re looking to really capture them and drive them because maybe they need more work, or there’s opportunity for improvement in those areas or challenges that we want to address.”

Source: December 2022.

OMB released the new metrics and scores ahead of the release of the 15th Federal IT Acquisition Reform Act (FITARA) scorecard. OMB’s decision to change the cyber metrics last fiscal year caused much consternation among the Government Accountability Office and the House Oversight and Reform Committee.

DeRusha said agencies have made good steady progress over the last four years around things like hardware and software asset management or mobile device management so it was time to focus on areas such as logging of cyber data and encryption.

To that end, OMB and the Cybersecurity and Infrastructure Security Agency will release the FISMA 2023 metrics later this week.

DeRusha said the new metrics will not deviate too much from the previous metrics based on the administration’s priorities.

“We learned this from engaging the CIOs and CISOs that we need more granularity in what those barriers and challenges are, where they’re having successes, how they’re prioritizing implementation. You’ll see a lot of build out of certain metrics that are that are staying the same,” he said. “Then we’re asking more detailed questions around them to get key insights. That’s a big shift in the theme that you’ll see in 2023. We’ve also put some stuff in there because we learned that, for example, we set very aggressive targets on logging in 2022 and there’s a lot of work in that first maturity cone. We want to be able to measure progress along that curve to get into the first tranche because it’s harder than we’d initially anticipated.”

Chris DeRusha is the federal chief information security officer.

DeRusha added the 2023 metrics demonstrate that OMB and CISA need to be agile in how they measure cyber progress as well as accurately reflecting efforts to reach a target state.

The need to accurately measure progress toward a target state also is part of the reason why OMB and CISA worked with the IG community.

For decades, the OMB and the auditors have tried to find common ground around cyber metrics and how to measure progress. For example in 2017, the Council on IG Integrity and Efficiency Subcommittee on IT worked with OMB, CISA and others to bring more parts of the NIST framework into the maturity model IGs rated agencies against.

DeRusha said as OMB updated its FISMA metrics for 2022 and now 2023, the IGs played a big role in that discussion.

“We have worked closely on the IG on metrics that they develop and use. The reason that we do that is to ensure that there is alignment. I think that there’s a lot of agreement naturally between the IG community and us based on that they’re out there assessing agencies and see the same things that we do, where there are gaps, where we can make different types of decisions,” he said.

The end result of that collaboration is a two-step approach to assessing agencies.

New guidance, metrics and more

DeRusha said there now is a core set of metrics that the IGs will focus on annually and a second set of process metrics that they will review every two years — half one year and the other half the next year.

“There are three sets now. They’ve broken up all the controls that they need to review so every other year they will do half. Then in the meantime, the IGs also have a core set that gets assessed every year. Those core metrics really do align with a lot of the administration focus areas as well,” he said. “I think it’s just because we see that there’s a set of capabilities that stop bad actors in their tracks. If you look at multi-factor authentication (MFA), encryption and a lot of stuff we’ve prioritized around identity and access management, it’s all the things that we know we need to make faster progress on, and are really going to have the biggest impact. So they’ve decided to relieve the pressure a little bit, and assess a lot of the process controls, which are very important, on the annual basis to make sure agencies have enough time to address the gaps that are being discovered on those core metrics.”

OMB also recently issued its annual FISMA guidance to agencies, where it focused on automation and the expanded use of the continuous diagnostics and mitigation (CDM) program.

Within those core metrics that OMB and CISA laid out for 2022 are things like encryption, MFA and smart patching, which is focused on the most critical vulnerabilities first.

DeRusha said OMB and CISA also wanted to see agency progress with building out their vulnerability disclosure programs and building out red team capabilities to really assess their cyber posture.

“These are the emerging best practices for understanding your actual risk posture and can be really good proxies to assess whether an agency is moving in that right modern direction and modernizing their security program,” he said. “I think there are only around 10 metrics or so sitting behind what we’ve put out publicly. They are pretty representative, when you break them down, of whether there’s a robust program in place at the agency, and whether they’re also pushing on the areas that are the emergent areas. That’s what we’ll keep adjusting and grow to as we get more data in 2023. We’re really excited about some of the metrics we’ll be collecting on and we’ve got some good plans to add those to the public facing dashboard.”