By Britton Burton, Senior Director of Product Strategy at CORL Technologies, and Ryan Patrick, Vice President of Adoption at HITRUST

HITRUST and CORL Technologies (CORL) specialize in delivering cybersecurity assurance products and services for the healthcare industry including Third-Party Risk Management (TPRM) programs. We have had the privilege of working closely with many of the nation’s premier healthcare organizations. Our companies have been listening attentively to our clients and colleagues and one message has come across loud and clear: TPRM is broken and we need to collaborate as an industry to fix it.

This blog provides a summary of the feedback and perspectives from cybersecurity and risk leaders charged with managing healthcare TPRM programs. Our goal is to surface the primary obstacles facing TPRM programs and set the stage for further collaboration around leading practices and standards for TPRM success in the months and years to come.

Challenge #1: We Are Overwhelmed

As healthcare organizations continue to expand their reliance on third parties for critical business functions, the sheer volume of digital health technologies supporting the healthcare ecosystem has created a chokepoint for security teams to vet vendors during the procurement process. Accurate and thorough due diligence takes time when using standard questionnaire-based vendor assessment models.

Requests for due diligence assessments are coming in faster than we can manage, creating a backlog for inbound assessments and leaving our internal business owners highly dissatisfied. On top of that, we know we need to reassess critical vendors in our portfolio over time as their technology changes and threats evolve, but we can’t get our heads above water to begin to tackle reassessments any time soon.

Vendors in the supply chain are equally overwhelmed. Every prospective customer requires some form of security due diligence that stands in the way of closing deals and getting down to business. Questionnaires are inconsistent from customer to customer and there is a high variance of expectations across healthcare entities. The goal posts keep moving and vendors are inundated with more security audits than their finite resources and teams can deliver in a timely fashion. This leaves customers highly dissatisfied and puts the ability to close deals at risk.

On top of all this, companies often find themselves as both a client and a vendor in the healthcare ecosystem. That means most of us are overwhelmed on both sides of the equation: managing our own third-party risk and responding to inquiries by clients to manage their third-party risk.

Challenge #2: We Have Blind Spots on Vendor Risks

While all healthcare organizations acknowledge that we are obligated to scrutinize our third-party providers from a risk management and compliance perspective, our vendor risk assessments cover only a small fraction of our full vendor portfolio. We have had trouble accurately identifying all vendors that service our organization. For those vendors that we do know about, we have had to prioritize assessments for our mission-critical vendors and those that present the highest inherent risks to our organization.

This leaves hundreds of vendors that have not been recently assessed for cyber risks and creates gaping blind spots for our visibility into risks to our patient data and systems across the enterprise.

The emergence of vulnerabilities and breaches in fourth-party products and services, including prominent examples such as Log4j, SolarWinds, and Okta, has left us unable to identify which of our third-party vendors have been impacted. Our third-party vendors do not maintain accurate inventories of their own supply chain products, which in turn means that both we and our third-party vendors are blind to the potential exposures of our critical data and applications.

While advances in tools like CAASM, CSPM and EASM offer exciting possibilities, no single technology or tool can solve our risk blind spot problem.

Challenge #3: There is Limited Follow Through on Remediation of Identified Risks and Very Little Continuous Monitoring

Our teams have limited bandwidth to continually follow up and track remediation of risks identified in vendor assessments. This means that we are surfacing vendor risks to our business stakeholders to help them make informed decisions, but we aren’t doing enough to validate that our vendors are closing the security gaps we identify over time.

This leaves us with a default position of accepting far more risks than we would prefer rather than mitigating or reducing risks across our vendor portfolio. And even when we can track critical risks from identification to full remediation, we struggle to accurately report and articulate the reduction in risk that our efforts provided.

Compounding this issue, continuous monitoring of third-party risk is virtually non-existent in the healthcare industry. We know that ensuring vendor security programs continue to function after our initial assessment is critical to protecting our organizations and their sensitive data. However, pointing back to challenge #1, we are so overwhelmed with new vendor intake that we fail to continuously monitor the security posture of our vendors after the initial contracting cycle ends.

Challenge #4: TPRM Solution Offerings are Incomplete

There are a slew of TPRM technologies on the market that are helping to accelerate communication and reporting around vendor risk management. Examples include questionnaire automation tools, Governance Risk and Compliance (GRC) platforms, cyber risk scorecard solutions, digital workflow management tools, and more.

These automation tools are helping us with some aspects of the problem like speeding up the collection of risk data from the vendor. However, these automation solutions often produce noisy risk reporting that is difficult for stakeholders to understand. More importantly, these tools do not meet the final objective of obtaining validated, trusted risk intelligence on vendors and driving them to remediate and eliminate their risk exposures.

Point solutions for TPRM also often operate independently from other TPRM tools and processes and do not communicate effectively enough to support reporting of a complete risk posture for the vendor. Some of these solutions, including cyber risk scores, provide external indicators of a vendor’s security posture; however, they do not provide the risk intel we need on the vendor’s specific products and services that are in scope for our own implementations. This gives us only a partial view of the vendor’s risk posture as it relates to our organization.

Challenge #5: There is No Defined “Gold Standard” for TPRM Programs

When speaking with peers in the industry about their TPRM programs, it becomes evident that there is no “typical” process for healthcare TPRM functions. TPRM programs vary greatly in design and implementation depending on organizational maturity, prioritization, staffing, budget, and many other factors.

Some organizations rely heavily upon TPRM tech solutions or validated assessments like HITRUST and SOC 2 to inform vendor risk decisions, while others are questionnaire-centric and heavily dependent on manual audit processes. Yet other programs will outsource part or all of their TPRM programs to third-party TPRM solution providers.

Healthcare risk leaders also have varying interpretations and models for defining the inherent risk of vendors. This leads to vendors being held to different standards of criticality from organization to organization. For example, some organizations define the criticality of the vendor based on the vendor’s size or the organization’s spending with the vendor, while others define criticality based on the volume of sensitive information (e.g. ePHI) maintained by the vendor. These are just examples; it seems like every healthcare organization has its own inherent risk paradigm.

Reporting of vendor risks is often incomplete and limited to highly technical audit results on a vendor-by-vendor basis. Few TPRM programs are able to report risks across the entire vendor portfolio in a way that both technical and non-technical stakeholders in the business can understand.

This lack of consistency in healthcare TPRM programs also leaves vendors in the impossible position of trying to satisfy all customer expectations.

Challenge #6: Insufficient Adoption of Certifications and Assurance Models

Healthcare leaders can’t seem to agree on which certifications and assurance models are sufficient for vendors to demonstrate compliance with security expectations. For example, many healthcare entities promote and require HITRUST assurance including certifications while others will accept SOC 2 attestations or other industry assurance models.

Yet other TPRM programs neither require nor promote any assurance or certification models and instead rely on heavily manual questionnaire-based assessments that drive inefficiencies and costs for all parties involved.

Challenge #7: Inability to Satisfy all Stakeholders

The internal politics of multiple stakeholders with competing priorities has proven to be an obstacle for successful TPRM. Organizations often struggle to simultaneously address the needs of the business owners who want to onboard a third party to meet a business need, the CISO who is focused on the security risk a third party presents, the procurement team who wants to follow their established process, and others, like the CFO, who may be cost conscious.

This organizational complexity tends to result in security risk management being deprioritized. We must find a way to effectively collaborate with ALL internal stakeholders and do a better job enabling the business, or we will always be ineffective at managing third-party risk.

Conclusion

We have all heard the saying, “if it ain’t broke then don’t fix it”. Well, it’s become abundantly clear that TPRM is broken in healthcare and we all need to work together to fix it. The current models are unsustainable and inadequate to meet the evolving threat landscape facing our industry.

HITRUST and CORL are committed to bringing industry leaders together to create the catalyst for change that is needed in the TPRM space in healthcare.

  • We envision a future where TPRM programs provide standardized, efficient, and cost-effective evaluation and reduction of vendor and supply chain risks.
  • We believe in creating norms around inherent risk and vendor tiering in the TPRM ecosystem.
  • We believe there is immense value in the inherited trust the industry can provide through rigorous third-party assurance mechanisms.
  • We believe that pushing the industry towards the concept of healthy security program indicators and focusing on cyber resiliency is a rising tide that lifts all boats.
  • We believe that it is far better for cybersecurity risk managers to understand some risk for all of their vendors than to have a deep risk understanding of a small percentage of their vendors.
  • We believe in the value of driving constant security improvement through continuous monitoring and remediation.
  • We believe in changing the conversation about third-party cybersecurity risk from one that is deeply technical and confusing to one that is easily understood by business and clinical leaders.
  • We believe that all of us – healthcare providers and payors, third-party vendors, and cybersecurity professionals – must collaborate to create a better way forward.

In short, we believe there is a better way. TPRM is broken, but CORL and HITRUST are going to work together with our healthcare industry partners, on the vendor side and the healthcare organization side, to fix it.

We look forward to continued dialog and plan on launching proactive initiatives to engage the healthcare TPRM community to carve a better path forward together as an industry. Stay tuned for more updates as we look to continue to make additional investments toward these worthy and necessary objectives.

We are up for the challenge. Are you?

About CORL Technologies

CORL is a service-centered solution for vendor risk management, compliance, and governance that is 100% focused on the unique needs of the healthcare space. Driven by the belief that third-party vendor risk should be about business acceleration and not business prevention, we are the only platform and partner on the market to enable the velocity and validation needed for healthcare organizations to simultaneously achieve their digital goals and contain their digital risks.


About the Authors

Ryan Patrick, Vice President, Adoption, HITRUST

Ryan Patrick brings over 20 years’ experience in security and information technology. Prior to joining HITRUST, Ryan served as the Senior Vice President of Security for Intraprise Health. Working within organizations like MetLife and Memorial Sloan-Kettering Cancer Center as a security analyst, Ryan has gained a wealth of experience conducting risk assessments against HIPAA, ISO 27001, NIST 800-53 and PCI-DSS. He is a retired Colonel in the United States Army, holds a CISSP, a Master of Strategic Studies from the U.S. Army War College, and an MBA from Norwich University.

Ryan served as the Executive Director for the Tampa Warriors Hockey Program for 2.5 years, a disabled-veteran non-profit organization focused on reducing veteran suicide in the US. He currently serves on the Board of Girls, Inc. of Pinellas Park.

Britton Burton, Senior Director of Product Strategy, CORL Technologies

Britton is a cybersecurity and risk management practitioner with over a decade of experience designing and leading security programs and teams in the healthcare setting. Prior to joining CORL, he served as Director of Risk Management at HCA Healthcare. In that role, Britton was responsible for a from-scratch rebuild of the security risk program that covered the entire portfolio of businesses under the HCA umbrella. He executed against the strategic vision to make risk visible, facilitate well-informed decision making, and drive accountability across the organization by implementing a risk framework, developing operational processes and GRC tools, and using data analytics and BI visualization. Prior to his national role, Britton served as the Director of Information Security in Kansas City for HCA’s MidAmerica Division, where he led TPRM, risk management, Incident Response, and Disaster Recovery efforts for the division.

The post TPRM is Broken: Healthcare’s Unsustainable Approach to Third-Party Vendor Risk Management appeared first on HITRUST Alliance.


In brief

Labor unions seem to be having a resurgence after being on the decline for many years. Employers are concerned with this shift, and are wondering what they can do within the bounds of the law to keep a direct relationship with their workforce.

In this Quick Chat video, our Labor & Employment lawyers discuss the current labor union landscape, what’s causing this wave of union activity, and some steps employers can take to get out in front of the escalation in union organization.

Video link

Speakers: William (Bill) Dugan, Joseph (JT) Charron, Remy Snead

Our US Labor Unions Capabilities

We advise unionized and union-free companies on compliance with all US labor laws and counsel clients on effective hiring procedures, employee resolution processes, wage and benefit packages, leave management, terminations, and other terms and conditions of employment.

Read more about our expertise and how we can help in Baker McKenzie’s US Labor Unions Capabilities Brochure.

Subscribe to The Employer Report blog where Baker McKenzie lawyers provide legal updates and practical insights to help clients understand, prepare for and respond to the latest domestic and cross-border Labor and Employment issues affecting US and multinational employers. Past videos are linked in the blog sidebar for easy access to topics including guidelines for accommodating sincerely held religious beliefs, COVID-19 employment litigation trends, and much more. 

The post United States: Labor unions and the workforce: What’s trending and how to get out in front (Video Chat) appeared first on Global Compliance News.


In brief

The California Privacy Rights Act of 2020 (CPRA) amended the California Consumer Privacy Act of 2018 (CCPA) with most changes taking effect on 1 January 2023 with a twelve-month look-back. Limited exceptions concerning the personal data of employees and business contacts will expire. The new California Privacy Protection Agency (CPPA) has published draft regulations that will, once finalized, expand on the rules in the statute and existing regulations from the California Attorney General. The CPPA is conducting hearings on 24 and 25 August 2022 to solicit input on the draft regulations from the public and may make further changes to them. But with the CPPA’s attention partially focused on the draft American Data Privacy and Protection Act and its possible preemptive effect on California privacy laws, it is unclear if the CPPA will finalize the regulations before the CPRA amendments to CCPA take effect. In the current draft of the regulations, the CPPA does not yet address all of the topics and issues mandated by the CPRA, so we expect further draft regulations to come. Despite the fluid situation, companies should take steps now to prepare before 1 January 2023.

Contents

  1. Continue updating contracts
  2. Prepare for customer privacy audits
  3. Update and document data subject request program
  4. Operationalize data minimization principles
  5. Avoid dark patterns
  6. Summary

Continue updating contracts

Many companies are still working on updating their contracts to account for the European Union’s standard contractual clauses from 2021 (EU SCCs). The amended CCPA will, and the CPPA’s draft regulations would, impose new and different data protection requirements in contracts among parties that disclose personal information among themselves. Companies should standardize the legal terms as much as possible and have a consolidated set of data protection standards that they would be willing to agree to as customers or service providers. Just as the EU SCCs do, the CPPA’s draft regulations require specifics. Under the draft regulations, the business purpose or service for which the service provider, contractor, or third party is processing personal information may not be described in generic terms, such as by referencing the entire commercial contract generally. To manage the contracting process, companies should consider separating out the mandatory legal terms under the CCPA and the factual descriptions of the particular relationship (similar to the factual annexes that are populated in the EU SCCs). Also, companies need to establish efficient processes to update vendor and customer contracts without protracted negotiations and elaborate signature procedures, including by agreeing on notice and object mechanisms concerning changes mandated by law, standardized terms (see article on Standardizing Data Processing Agreements Globally) and electronic signatures (see article on Electronic Form Over Substance: eSignature Laws Need Upgrades). Contracting parties can align their interests on data processing agreements, which they must update frequently as laws change, by separating those data processing terms that satisfy compliance requirements from commercial terms, which allocate risks and liabilities and determine the framework for dispute resolution and laws governing disputes between the contracting parties (and which cannot be unilaterally updated by one party).

Prepare for customer privacy audits

Companies often spend time on lengthy negotiations of what audit rights should be included in data processing agreements even though such rights are rarely exercised in practice. But under the draft regulations, whether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and its regulations. Simple contract terms for audit rights probably still make sense for many companies, but companies should prepare internally for the possibility that customers will enforce contract terms or exercise rights to audit or test systems.

Update and document data subject request program

The draft regulations elucidate how businesses must respond to requests from California residents to exercise their rights under the amended CCPA, including to know, access, port, delete and correct personal information, to limit the processing of sensitive personal information, to opt-out of the “selling” and “sharing” of their personal information, and to withdraw from financial incentive programs. Businesses should examine which of these rights apply to them and how. For example, if a business does not use personal information for any purposes other than those listed at subsection 7027(l) of the draft regulations, it does not have to offer a “Limit the Use of My Sensitive Personal Information” link. Businesses should then implement required technical controls to respond to requests (including the capacity to respond to opt-out preference signals) and protocols that provide clear guidance to personnel on how to respond to written requests.

The draft regulations also introduce the concept of “disproportionate effort” within the context of a business responding to a consumer request. Disproportionate effort is defined as the time and resources expended by a business to respond to an individualized request significantly outweighing the benefit provided to the consumer from responding to the request. A business can only claim disproportionate effort as an exemption to the duty to respond to a data subject request if it has in place adequate processes and procedures to comply with consumer requests in accordance with the CCPA. Since having such processes and procedures in place is a requirement or necessity under numerous privacy laws globally, businesses should document their program.

Operationalize data minimization principles

The draft regulations introduce further restrictions on the collection and use of personal information. Use, collection, and retention of personal information must be reasonably necessary and proportionate to achieve the purpose(s) for which it was collected or processed. Any collection, use or retention that is not necessary or proportionate, or that is unrelated to or incompatible with the purposes for collection, requires the consumer’s explicit consent. Taken together, section 7002 of the draft regulations suggests that up-front explicit consent is required, even with detailed notice, if the data collection, use, retention, and/or sharing is unrelated to or incompatible with the purpose(s) for collection.

Avoid dark patterns

“Dark patterns” refer broadly to tactics that companies use to coerce individuals into making decisions that are likely more favorable for the company than the individual. The amended CCPA provides that consent is not effective if obtained through the use of a dark pattern, and the CPPA’s draft regulations explain in greater detail what might constitute a dark pattern, including by providing several examples of user interfaces that would be considered dark patterns. Outside of the CCPA, the consumer privacy laws of Connecticut and Colorado also restrict the use of dark patterns, and the Federal Trade Commission has issued warnings against the use of dark patterns and taken enforcement actions against companies that allegedly engaged in their use. Businesses should review their user interfaces to ensure that they are clear, present positive and negative options in a symmetrical way, do not hinder users from executing decisions that are less favorable to the company, and generally avoid manipulating users or substantially subverting their autonomy.

Summary

Companies should continue to prepare for the known 1 January 2023 requirements in the amended CCPA itself, but also get ahead of addressing some of the requirements in the draft regulations that improve a company’s overall privacy law compliance program (and that are helpful to address even if the details of the regulations are further changed before they are final). Companies should not delay action merely because laws and regulations are in flux. This has been the case since 2018 in California and elsewhere. This is the new normal.

The post United States: How to comply with CCPA while the new Agency revises Regulations appeared first on Global Compliance News.


Following initial announcements last year, on July 20, 2022, the US Department of State’s Directorate of Defense Trade Controls (“DDTC”) published two Open General Licenses (“OGLs”) permitting certain reexports and retransfers to certain parties under the International Traffic in Arms Regulations (“ITAR”). The OGLs, which are part of a DDTC pilot program, will be valid for one year, effective from August 1, 2022 through July 31, 2023. The related DDTC fact sheet can be found here. DDTC also issued several Frequently Asked Questions (“FAQs”) on the new pilot program and the related OGLs.

Open General License (OGL) No. 1 authorizes retransfers (as defined in ITAR § 120.51) of unclassified defense articles to the Australian, Canadian, and UK governments; members of the Australian and UK communities (as defined in ITAR §§ 126.16(d) and 126.17(d), respectively, which include specified Australian and UK government and non-governmental entities authorized to use the existing country-specific exemptions in the ITAR); and Canadian-registered persons (as defined in the Canadian exemption at ITAR § 126.5). 

Open General License (OGL) No. 2 authorizes reexports (as defined in ITAR § 120.19) of defense articles to, and among, the same recipients in Australia, Canada, and the United Kingdom as Open General License No. 1.

Both OGLs are limited to the specific transactions described within each authorization, and are subject to various conditions. For example:

  • The OGLs explicitly do not authorize retransfers or reexports to support the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, or processing of (i) a missile, (ii) an unmanned aerial vehicle, (iii) a space-launch vehicle, or (iv) an item listed on the Missile Technology Control Regime Annex, or an item annotated with the parenthetical “(MT)” at the end of an entry on the United States Munitions List under the ITAR. 
  • These OGLs cannot be used to export defense articles. To that end, DDTC explains in its related fact sheet that these OGLs are “designed to support the mission readiness of our allies by facilitating defense trade activity related to the maintenance, repair, and storage of unclassified defense articles deployed or in-inventory rather than supporting new acquisitions or capabilities.” For potential exemptions available for export transactions, other provisions of the ITAR should be considered, including Section 125.4(b)(5), which concerns technical data related to a defense article already lawfully exported or authorized for export.

The full texts of the OGLs should be considered before relying on them to make a retransfer or reexport. 

Both OGLs require users to maintain various records. These recordkeeping requirements include: a description of the defense article, including technical data; the name and address of the recipient and the end-user, and other available contact information (e.g., telephone number and email address); the name of the natural person responsible for the transaction; the stated end use of the defense article; the date of the transaction; and the method of transfer. Transferors are required to make these records available to DDTC upon request.

Shortly after the issuance of the OGLs, DDTC issued several related FAQs. Some highlights of these FAQs are below:

  • The OGLs authorize certain “reexports” and “retransfers,” and not “exports” of unclassified defense articles to the end-users and for the end-uses specified in the OGLs.  
  • Only the legal entity enrolled in an approved community may receive, retransfer, or reexport defense articles under the OGLs.  Other legal entities, including affiliates and parent entities, must enroll separately in the approved community to receive or reexport defense articles under the OGLs.
  • Once a legal entity has one facility enrolled in either the UK or Australian approved community, that legal entity can receive, store, retransfer, or reexport defense articles as permitted pursuant to the OGLs at any location where it maintains operations within the same country (e.g., the UK or Australia, respectively).
  • Technical data may only be retransferred or reexported under the OGLs for use in the direct provision of services for the maintenance, repair, or storage of a defense article.  
  • Provided the retransfer or reexport satisfies the requirements, limitations, and provisos of the OGLs, technical data can be retransferred or reexported for the purposes described in the OGLs even if it was originally exported under the authority of a Technical Assistance Agreement (“TAA”) that remains active.  The TAA would qualify as an approval issued by DDTC pursuant to section 38 of the Arms Export Control Act for purposes of subparagraph (b)(2)(i) of the OGLs, and the OGLs would authorize the subsequent retransfer or reexport without amendment of the TAA.    
  • The Canadian exemption at ITAR § 126.5 qualifies as “other approval” for purposes of the OGLs. ITAR § 120.20(b) defines “other approval” to include “use of an exemption to the license requirements as described” in the ITAR. Accordingly, a defense article that has been properly exported under the exemption at ITAR § 126.5 has been originally exported pursuant to “other approval” issued by DDTC pursuant to section 38 of the Arms Export Control Act.

The authors acknowledge the assistance of Ryan Orange with the preparation of this blog post.

The post United States: DDTC Issues ITAR-Related Open General Licenses and Related FAQs appeared first on Global Compliance News.


In brief

Please join us for a weekly series, hosted by Baker McKenzie’s North America Government Enforcement partners Tom Firestone and Jerome Tomas.

This weekly briefing is available on demand and will cover hot topics and current enforcement actions related to white collar crime and criminal investigations in the US and abroad to arm you with the information you need for your business week.

As one of the largest global law firms, we will call upon our exceptionally deep and broad bench of white collar experts throughout the world and particularly in the commercial hubs of Europe, Asia, Africa and Latin America to join our weekly discussion series.

These briefings cover:

  • High-profile DOJ case updates and implications
  • SEC enforcement developments 
  • CFTC enforcement developments
  • Other white collar defense industry developments

5 August 2022

This week’s discussion will cover the following: 

  1. Our white collar thoughts on this week’s “Economist” article on ESG
  2. SEC breaks new ground in insider trading case involving crypto assets
  3. DOJ remains vigilant in promoting competition in the labor markets through several recent enforcement efforts:
    • Health care staffing company and former regional manager are negotiating an agreement with DOJ to resolve wage-fixing charges
    • DOJ announced a civil settlement with poultry processors to end a conspiracy to exchange compensation information and collaborate on compensation decisions
    • DOJ and FTC are joining with NLRB to strengthen their partnerships in combating labor competition issues

Video link

Podcast link

21 June 2022

This week’s discussion will cover the following: 

  1. The Antitrust Division’s updates of its leniency policy and revisions to the leniency FAQs and the increased burden on applicants
  2. Policy shifts and the revival of criminal enforcement under Section 2 of the Sherman Act

Video link

Podcast link

24 January 2022

This week’s discussion will cover the following:

  1. Indictment of Belarus government officials for air piracy in connection with forced landing of Ryanair jet
  2. First DOJ indictment over threatening of election officials 
  3. SEC v. David P. Forte, et al. – SEC and DOJ Continue to Pursue Insider Trading Based on Circumstantial Evidence
  4. Discussion of most recent tipper-tippee insider trading case

Video link

Podcast link

20 January 2022

This week’s discussion will cover the following:

  1. SEC v Panuwat
  2. Shadow Trading Case – Defendant’s Motion to Dismiss Denied

Video link

Podcast link

12 January 2022

This week’s discussion will cover the following:

  1. Sentencing in Elizabeth Holmes case
  2. SEC Pays Out Whistleblower Bounty for Overseas Tip
  3. A Discussion of the Geographic Sources of Whistleblower Tips

Video link

Podcast link

13 December 2021

This week’s discussion will cover the following:

  1. 6 January Investigation Update
  2. White House Anti-Corruption Strategy
  3. New OFAC Anti-Corruption Sanctions
  4. DOJ Notice of Proposed Rulemaking on FARA 
  5. ESG Update: Office of Comptroller of the Currency’s National Risk Committee Identifies Climate Change Initiative in Semiannual Risk Perspective report

Video link

Podcast link

30 November 2021

This week’s discussion will cover the following:

  1. New OECD guidance on anti-corruption
  2. SEC Enforcement Focus Relating to Undisclosed Executive Compensation and Perquisites Continues: ProPetro Holding Corp. matter.

Video link

Podcast link

22 November 2021

This week’s discussion will cover the following: 

  1. Update on Elizabeth Holmes trial
  2. Update on Belarus Sanctions
  3. FinCEN Notice on Environmental Crimes  
  4. Insights on SEC Enforcement – SEC Enforcement’s FY21 report and the NYU Pollack Center for Law & Business and Cornerstone Research report on SEC Corporate Enforcement

Video link

Podcast link

15 November 2021 

This week’s discussion will cover the following: 

  1. New Cambodia Sanctions
  2. Steve Bannon Indictment

Video link

Podcast link

8 November 2021 

This week’s discussion will cover the following: 

  1. Deputy Attorney General Lisa Monaco on corporate enforcement priorities under the Biden Administration
  2. The Consumer Financial Protection Bureau (CFPB) is targeting big tech 
    • What do they want and why do they want it?
    • How should tech firms prepare, whether they receive a request from CFPB or not?

Video link

Podcast link

1 November 2021

This week’s discussion will cover the following: 

  1. Managing Allegations of Workplace Wrongdoing: Independent Investigator’s Report on Chicago Blackhawks Allegations of Sexual Misconduct

Video link

Podcast link

25 October 2021 

This week’s discussion will cover the following: 

  1. Tether Holdings CFTC Crypto Settlement: Reminder that the CFTC is asserting a prominent role in the regulation and enforcement of cryptocurrencies. 
  2. SEC Report on January 2021 Market Frenzy: “Staff Report on Equity and Options Market Structure Conditions in Early 2021”
  3. Will DOJ Prosecute Steve Bannon for Contempt?

Video link

Podcast link

18 October 2021

This week’s discussion will cover the following: 

  1. 6 January Commission and possible prosecution of Steve Bannon for contempt.
  2. SEC Enforcement Director Grewal’s speech on appropriate approaches to compliance, proactive enforcement, electronic message retention/production, cooperation, and civil penalties.

Video link

Podcast link

27 September 2021

This week’s discussion will cover the following: 

  1. CFTC v. HDR GLOBAL TRADING LIMITED, ET AL
  2. Motion to Dismiss Unregistered Crypto Exchange Claims
  3. Control Person Liability Runs Into “Minimum Contacts”
  4. House Committee on January 6 Attack Subpoenas Trump Advisors

Video link

Podcast link

20 September 2021

This week’s discussion will cover the following: 

  1. Details Behind The SEC Whistleblower Award That Pushed the Program Over USD 1 Billion in Whistleblower Payouts
  2. SEC v. DAYAKAR R. MALLU – Tipper-Tippee Insider Trading Case – SEC Investigation Tactics and Trends
  3. Indictment of lawyer by Trump-appointed Special Counsel for lying to the FBI in Russia investigation.

Video link

Podcast link

14 September 2021

This week’s discussion will cover the Elizabeth Holmes Theranos trial. 

Video link

Podcast link

30 August 2021

This week’s discussion will cover the following: 

  1. Organized crime charges in new elder abuse case
  2. Novel SEC Insider Trading Action — Shadow Trading — SEC v. Matthew Panuwat
  3. Quick blurb on 18 year old and under crackdown on video game playing in China
  4. SEC v. MANISH LACHWANI – The SEC’s Enforcement Focus on Unicorns

Video link

Podcast link

23 August 2021 

This week’s discussion will cover the following: 

  1. Special Inspector General for Afghanistan Reconstruction (SIGAR) Report on Lessons of Corruption in Afghanistan
  2. Novel SEC Insider Trading Action — Shadow Trading — SEC v. Matthew Panuwat

Video link 

Podcast link

9 August 2021

This week’s discussion will cover the following: 

  1. SEC brings charges against an unregistered crypto exchange: In the Matter of Poloniex, LLC
  2. The need to keep your auditor at arm’s length — SEC brings auditor independence case for audit bid-related misconduct against an accounting firm, its partners and the Chief Accounting Officer of a public company: In the Matter of Ernst & Young LLP, et al. and In the Matter of William G. Stiehl
  3. Accusations against Governor Cuomo: Key Legal Issues
  4. New Belarus Sanctions

Video link

Podcast link

3 August 2021

This week’s discussion will cover the following: 

  1. New DOJ opinion on Trump tax returns
  2. New DOJ policy on subpoenas to news organizations
  3. New DOJ memorandum on White House communications
  4. SEC Chair Gensler’s Public Statement on Disclosures Required by Chinese Companies Listed In US

Video link 

Podcast link

26 July 2021

This week’s discussion will cover the following:

  1. The Importance of Having Up-To-Date Automated Accounting Procedures, Effective Manual Accounting Procedures, and Trained Accounting Staff:  The SEC’s Latest Accounting Case Against Tandy Leather Factory Inc. and its former chief executive officer Shannon Greene.
  2. Indictment of Trump Advisor Thomas Barrack
  3. Biden Executive Order on Promoting Competition

Video link  

Podcast link

13 July 2021

This week’s discussion will cover the following:

  1. Manhattan DA’s Indictment of the Trump Organization and Allen Weisselberg
  2. New SEC Enforcement Director – New Jersey Attorney General Gurbir Grewal
  3. SEC and federal criminal charges filed arising out of alleged fraudulent scheme to sell “insider trading tips” on the Dark Web- SEC v. Apostolos Trovias

Video link

Podcast link

29 June 2021

This week’s discussion will cover the following: 

  1. SEC Cybersecurity Enforcement Sweep:  The SEC Clarifies, Sort Of
  2. Latest, and Interesting, Comments By SEC Commissioner on ESG
  3. Combating Global Corruption Act of 2021
  4. Global Magnitsky Reauthorization Act
  5. New Belarus Sanctions 

Video Link

Podcast Link

22 June 2021

This week’s discussion will cover the following: 

  1. New Charges in 1MDB Case
  2. FARA Reform Proposals
  3. Possible New Russia Sanctions  
  4. Cyber SEC Enforcement: Latest SEC Disclosure Controls and Procedures Enforcement Case
  5. A New SEC Cyber Enforcement Sweep

Video Link

Podcast Link

9 June 2021

This week’s discussion will cover the following: 

  1. Potential SEC ESG Disclosure Rulemaking and Materiality:  Commissioners Allison Herren Lee and Elad Roisman Continue to Volley
  2. White House strategy statement on corruption and national security
  3. Belarus sanctions
  4. Bulgaria sanctions
  5. Executive Order on Western Balkans

Video Link 

Podcast Link

25 May 2021

This week’s discussion will cover the following: 

  1. Insight on Gary Gensler’s SEC Enforcement Agenda: SEC Chair’s Remarks at 2021 FINRA Annual Conference
  2. Discussion of Treasury’s Plan to Increase IRS Enforcement and Narrow the Tax Gap
  3. Update on Nord Stream 2 Sanctions 

Video link 

18 May 2021

This week’s discussion will cover the following:

  1. Russian Response to US Sanctions and Designation of US as an “Unfriendly” Country  
  2. Trial of Mayor of Fall River, Massachusetts for Extorting Marijuana Businesses  
  3. The Challenges of Fitting Modern Practices into Old Laws: SEC Commissioner Hester Peirce’s Statement Regarding an Index Fund SEC Settlement  
  4. SEC’s Continued Slow Embrace of Crypto Assets: Division of Investment Management’s Statement on ETF Holdings of Crypto Assets and Potential Enforcement Implications

Video Link

10 May 2021

This week’s discussion will cover the following:

  1. Crypto developments:  SEC Chair Gensler’s Testimony, Dogecoin and Saturday Night Live
  2. The “Swiss George Floyd Case” (for more information about this case, please see this documentary featuring Simon Ntah here)

Video Link

3 May 2021

This week’s discussion will cover the following:

  1. First Voluntary Self-Disclosure of Sanctions and Export Violations Leads to Settlement between Software Company and DOJ
  2. The Sudden Resignation of SEC Enforcement Director Alex Oh:  What is Next For SEC Enforcement?

Video Link

26 April 2021

This week’s discussion will cover the following:

  1. New SEC Enforcement Director Alex Oh: What It May Mean For SEC Enforcement
  2. DOJ Pattern and Practice Investigation of Minneapolis Police Department

Video Link

19 April 2021

This week’s discussion will cover the following:

  1. First guilty plea in Capitol attack cases: What it means for future prosecutions
  2. New Russia sanctions: What they do and don’t do, and what could be next
  3. Comments by Acting Director of the SEC’s Division of Corporation Finance, “SPACs, IPOs and Liability Risk under the Securities Laws”: What it means for SEC enforcement

Video Link

12 April 2021

This week’s discussion will cover the following:

  1. Criminal Antitrust Prosecutions of No Poaching and Wage Fixing Agreements: Perspective of a Leading Antitrust Lawyer.
  2. Enforcement perspectives arising out of the SEC’s April 9, 2021 “Risk Alert” relating to ESG products and services offered by investment advisers, registered investment companies and private funds.
  3. DOJ Priorities under the Biden Administration: What the Budget Tells Us.

Video Link

30 March 2021

This week’s discussion will cover the following:

  1. SEC Enforcement Sweep Looks Into SPAC IPOs
  2. New Legal Issues in the Capitol Riot Cases

Video Link

15 March 2021

This week’s discussion will cover the following:

  1. DOJ/SEC FCPA priorities
  2. Oath Keepers conspiracy case
  3. New Russian law to protect officials against corruption charges
  4. Does SEC Commissioner Crenshaw’s speech about increased corporate penalties foreshadow a possible retraction of the SEC’s 2006 Statement Concerning Financial Penalties and what we can expect from corporate securities enforcement over the next 4 years?

Video Link

8 March 2021

This week’s discussion will cover the following:

  1. This week, Jerome is joined by his partners Amy Greer and Jen Klass and they will dig deep into the enforcement issues presented by the SEC’s “Enforcement Task Force Focused on Climate and ESG Issues” 

Video Link

1 March 2021

This week’s discussion will cover the following:

  1. The SEC’s Plan to Dig Into Public Company Climate Change Disclosures: A White Collar Enforcement Perspective
  2. Key Takeaways from Merrick Garland Confirmation Hearing
  3. Update on Capitol Riot Cases
  4. Secretary Blinken Statement on Anticorruption Champions 

Video Link

22 February 2021

This week’s discussion will cover the following:

  1. Potential prosecution of former President Trump for incitement of the Capitol attack
  2. The SEC’s latest message following the “The Market Events”: trading suspension in In the Matter of SpectraScience, Inc. 
  3. New Transparency International Corruption Report
  4. The SEC’s ICO enforcement initiative lives on: SEC v. Coinseed, Inc., et al. (S.D.N.Y. 17 February 2021)

Video Link

15 February 2021

This week’s discussion will cover the following:

  1. Update on Capitol riot cases
  2. The legal definition of “incitement of insurrection”
  3. Discussion of the reported DOJ and SEC investigations into the retail traders in last month’s market events
  4. A reminder on the scope of the US insider trading laws, courtesy of SEC v. Mark Ahn (D. Mass) (also a parallel criminal case was filed)

Video Link

8 February 2021

This week’s discussion will cover the following:

  1. An update on the Capitol Riots
  2. Consideration of new sanctions on Russia
  3. An update on stock market events, including the FINRA notice on broker-dealer “game-style” trading apps 

Video Link

1 February 2021

This week’s discussion will cover the following:

  1. Analysis of the Reddit/WallStreetBets-driven stock surges, with a special appearance by Jerome’s 15 year old son, Sam, who has been following the events on Reddit and Discord  
  2. Discussion of the Hoskins appeal and the future of the FCPA’s “Agency” theory
  3. Update on the Capitol raid prosecutions

Video Link

18 January 2021

This week’s discussion will cover the following:

  1. New SEC Enforcement Statute of Limitations and Disgorgement Provisions Contained in the NDAA
  2. New AML Whistleblower Bounty Provision in the NDAA
  3. Criminal charges against Capitol rioters
  4. Julian Assange extradition case

Video Link

4 January 2021

This week’s discussion will cover the following:

  • What criminal statutes might apply to the attack on the Capitol?
    1. 18 USC 2383 – Rebellion or Insurrection
    2. 18 USC 2384 – Seditious Conspiracy
    3. 18 USC 1752 – Restricted Building or Grounds
  • What, if any, criminal statutes might apply to President Trump’s call last week with Georgia Secretary of State?
  • The 25th Amendment — A brief history of the amendment, what the amendment provides for and how it might apply in light of these events.

Video Link

14 December 2020

Video Link

07 December 2020

Video Link

23 November 2020

Video Link

16 November 2020

Video Link

9 November 2020

Video Link

26 October 2020

Video Link

19 October 2020

Video Link

5 October 2020

Video Link

29 September 2020

Video Link

8 September 2020

Video Link

24 August 2020

Video Link

17 August 2020

Video Link

10 August 2020

Video Link

3 August 2020

Video Link

27 July 2020

Video Link

20 July 2020

Video Link

13 July 2020

Video Link

6 July 2020

Video Link

29 June 2020

Video Link

22 June 2020

Video Link

17 June 2020

Video Link

9 June 2020

Video Link

26 May 2020 

Video Link

The post United States: This Week in Government Enforcement (Video Chat) appeared first on Global Compliance News.


In brief

On 9 July 2021, President Joe Biden issued an executive order (EO) announcing his administration’s commitment to increasing vigorous antitrust enforcement. At the one-year anniversary of the EO, a recent flurry of enforcement efforts signals that the Department of Justice (DOJ) remains vigilant in carrying out the EO’s initiatives, especially in the labor markets.

Contents

  1. Background
  2. Health care staffing resolution
  3. Poultry settlement
  4. DOJ-NLRB partnership
  5. Key takeaways

Background

In 2016, the DOJ Antitrust Division and Federal Trade Commission (FTC) published guidance signaling that anti-competitive conduct in the labor markets could violate the antitrust laws. This guidance warned that competing employers’ agreements to fix employees’ compensation or not to poach each other’s employees may be subject to criminal prosecution.

More recently, the EO called on federal agencies to scrutinize anti-competitive conduct and pursue more aggressive enforcement. The EO promoted a “whole-of-government approach” to competition policy encouraging agencies to protect competition using their statutory authority.

Health care staffing resolution

A health care staffing company and its former regional manager are nearing a resolution for charges of conspiring with a competing staffing company to suppress wages for Las Vegas school nurses.

On 30 March 2021, a federal grand jury returned an indictment in the US District Court for the District of Nevada charging the company and manager with participating in a conspiracy to allocate employee nurses and to fix their wages in violation of the Sherman Act. Specifically, the indictment charges the manager with agreeing with a co-conspirator not to recruit or hire nurses staffed by each other’s companies at Clark County School District facilities and not to raise the wages of those nurses.

In his motion to dismiss, the manager accused the DOJ of prosecutorial misconduct, arguing that an FBI agent improperly interviewed him without counsel present and without informing him that there was an active criminal investigation and that three DOJ attorneys were listening to the interview through real-time audio livestream.1 The manager contended that these violations of his constitutional rights necessitated dismissal of the indictment or suppression of the illegally obtained interview statements. The company filed a motion to dismiss as well, arguing that there is no precedent or statutory basis for treating the alleged agreement as a per se violation under the Sherman Act.2

During a status conference on 12 May 2022, the court preliminarily stated that the company’s motion to dismiss would be denied and also scheduled an evidentiary hearing for 29 June 2022 regarding the manager’s motion to suppress. A few days before the scheduled hearing, the parties requested that the hearing be continued, explaining that they had reached a preliminary resolution and needed additional time to finalize the agreement.3

The potential resolution would mark the DOJ’s first successful criminal prosecution of antitrust violations in the labor markets following consecutive acquittals earlier this year. On 14 April 2022, a jury acquitted a therapist staffing company’s former owner and former clinical director of conspiring to fix compensation for physical therapy professionals. The jury convicted the owner only of obstructing a related FTC investigation. The next day, a jury acquitted a dialysis company and its former chief executive officer of conspiring to suppress competition for employees.4 Following these acquittals, an alleged co-conspirator in a related prosecution filed a notice of additional authority—namely, the acquittals—supporting its pending motion to dismiss the criminal antitrust charges against it.5 However, these setbacks have not deterred the DOJ, as demonstrated by the forthcoming resolution in the health care staffing prosecution.

Poultry settlement

On 25 July 2022, the DOJ announced a civil settlement with a data consulting firm, its president, and three poultry processors to end a conspiracy to exchange information about wages and benefits for poultry processing plant workers and to collaborate on worker compensation decisions in violation of the Sherman Act.

In a complaint and proposed consent decree filed in the US District Court for the District of Maryland, the DOJ set forth a range of settlement terms, including a requirement that the poultry processors pay USD 84.8 million in restitution for workers who were harmed by the information exchange conspiracy. The proposed consent decree would prohibit the poultry processors from sharing competitively sensitive information about poultry processing plant workers’ compensation.

The proposed consent decree would also impose a court-appointed antitrust compliance monitor who will ensure the poultry processors’ compliance with the settlement terms for the next ten years. The compliance monitor would have broad authority to ensure the poultry processors’ compliance with the federal antitrust laws as they relate to the companies’ poultry processing facilities, plant workers, chicken growers, and other areas of their businesses. The compliance monitor would submit regular reports on the poultry processors’ antitrust compliance. The requirement of a compliance monitor in the poultry settlement is consistent with recent remarks by the Deputy Attorney General and Assistant Attorney General for the Criminal Division making clear that the DOJ will increasingly impose compliance monitors to ensure that companies are living up to their compliance obligations.

Notably, on the same day that the DOJ announced the poultry settlement, New York Attorney General Letitia James announced a settlement with two title insurance companies to end a no-poach conspiracy, requiring the companies to pay USD 1.25 million and to cooperate with the ongoing investigation. This settlement shows that protecting competitive labor markets is a priority not only for the DOJ, but for state antitrust enforcers as well.

DOJ-NLRB partnership

On 26 July 2022, the DOJ and National Labor Relations Board (NLRB) signed a memorandum of understanding (MOU) to strengthen their partnership in protecting competitive labor markets and promote workers’ rights under the labor laws. The DOJ-NLRB MOU encourages greater coordination and information sharing between the two agencies to maximize the enforcement of the labor laws under the NLRB’s jurisdiction and the antitrust laws enforced by the DOJ.

One week prior to the MOU between the DOJ and NLRB, the FTC announced that it was joining the NLRB in a similar MOU to protect workers against anticompetitive practices. The FTC-NLRB MOU outlines how the FTC and NLRB will work together to address issues such as labor market concentration, labor developments in the “gig economy,” and one-sided and restrictive contract provisions, including noncompete and nondisclosure provisions. Stemming from the EO’s whole-of-government approach, these MOUs demonstrate a commitment across federal agencies to work together proactively to attack labor competition issues.

Key takeaways

The recent flurry of enforcement efforts emphasizes the DOJ’s continued focus on protecting competition in the labor markets. Indeed, the potential resolution in the health care staffing prosecution, along with the DOJ’s recent poultry settlement and partnership with the NLRB, underscore that the DOJ is maintaining its momentum in its campaign against antitrust violations in the labor markets. In light of these enforcement efforts, companies should review and invest in improving their compliance programs to ensure they adequately monitor for and remediate anti-competitive conduct affecting the labor markets.

1 Defendant Ryan Hee’s Motion to Dismiss or in the Alternative Motion to Suppress at 4, USA v. Hee et al., No. 21-CR-00098 (D. Nev. Sept. 3, 2021), ECF. No. 38.
2 Defendant VDA OC’s Motion to Dismiss at 5, USA v. Hee et al., No. 21-CR-00098 (D. Nev. Sept. 3, 2021), ECF. No. 37.
3 Order Granting Stipulation to Continue Evidentiary Hearing, USA v. Hee et al., No. 21-CR-00098 (D. Nev. June 24, 2022), ECF. No. 93. The court granted this request and rescheduled the hearing for August 10, 2022. Id.
4 Jury Verdict, USA v. DaVita Inc. et al., No. 21-CR-00229 (D. Colo. Apr. 15, 2022), ECF No. 264.
5 Defendants’ Notice of Additional Authority, USA v. Surgical Care Affiliates LLC et al., No. 21-CR-00011 (N.D. Tex. Apr. 21, 2022), ECF No. 109.

The post United States: DOJ continues to prioritize the protection of competitive labor markets appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled OFAC Issues New General Licenses Related to Russia-Related New Investment Prohibition and Updates FAQs on 27 July 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: OFAC Issues New General Licenses Related to Russia-Related New Investment Prohibition and Updates FAQs appeared first on Global Compliance News.


In brief

In 2021 and 2022, as the market continued to focus increasingly on environmental, social, and governance (ESG) issues, government financial regulators across many independent agencies strongly indicated that increased enforcement relating to ESG is on the horizon, while private plaintiffs filed novel securities class actions based on ESG issues.

Given the rapid development of legal ESG issues in the financial services industry, market participants must remain cognizant of the potential legal risks relating to ESG, and take adequate precautions to protect themselves against both government investigations and private civil litigation. This article analyzes the emerging framework of ESG regulation and litigation in order to advise market participants of the upcoming legal risks relating to ESG issues.

Click here to access the full article.

The post United States: The evolving securities legal framework of ESG issues appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled OFAC issues new and amended Russia General Licenses, FAQs; new fact sheet on agricultural trade on 19 July 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: OFAC issues new and amended Russia General Licenses, FAQs; new fact sheet on agricultural trade appeared first on Global Compliance News.


On July 14, 2022, the U.S. House of Representatives passed the National Defense Authorization Act for Fiscal Year 2023 (“NDAA”). One of the amendments included in the House-passed version of the NDAA is a revised version of the “Federal Contracting For Peace And Security Act.” The amendment would prohibit the federal government from entering into, extending, or renewing contracts with contractors that conduct business operations in Russia during its war against Ukraine, with certain exceptions and exemptions as summarized below.

Summary

Based on the version of the amendment that was submitted to the House Rules Committee on July 11, 2022, the proposal would enact the following legislative changes:

  • Prohibition on new, extended, or renewed federal contracts with contractors conducting business operations in Russia during its war against Ukraine

The amendment formally establishes that “[i]t is the policy of the Federal Government not to conduct business with companies that undermine United States national security interests by continuing to operate in the Russian Federation during its ongoing war of aggression against Ukraine.”

The amendment prohibits federal government agencies from entering into, extending, or renewing a “covered contract” with any company that conducts “business operations” in territory internationally recognized as the Russian Federation during the “covered period.”

  • “Business operations” are defined as engaging in commerce in any form, including acquiring, developing, selling, leasing, or operating equipment, facilities, personnel, products, services, personal property, real property, or any other apparatus of business or commerce.
  • A “covered contract” is defined as a prime contract entered into by an executive agency with a company conducting business operations in territory internationally recognized as the Russian Federation during the covered period.
  • The “covered period” is defined as the period of time beginning 90 days after the date of the enactment of the law and ending on a date that is determined by the Secretary of State based on steps taken by the Russian Federation to restore the safety, sovereignty, and condition of Ukraine, or 10 years after the date of the enactment of the law, whichever is sooner.
  • Exceptions and exemptions

The amendment excludes business operations that:

  • benefit the country of Ukraine;
  • serve humanitarian purposes to meet basic human needs, including through a hospital, school, or non-profit organization;
  • provide products or services for compliance with legal, reporting, or other requirements of the laws or standards of countries other than the Russian Federation;
  • journalistic and publishing activities, news reporting, or the gathering and dissemination of information, informational materials, related services, or transactions ordinarily incident to journalistic and publishing activities;
  • support the suspension or termination of business operations for the duration of the covered period, including:
    • an action to secure or divest from facilities, property, or equipment;
    • the provision of products or services provided to reduce or eliminate operations in territory internationally recognized as the Russian Federation or to comply with sanctions relating to the Russian Federation; and
    • activities that are incident to liquidating, dissolving, or winding down a subsidiary or legal entity in Russia through which operations had been conducted.

Further, the amendment includes the following exemptions:

  • Good Faith Exemption:  the Office of Management and Budget, in consultation with the General Services Administration, may exempt a contractor from the prohibition if it is determined that the contractor has:
    • pursued and continues to pursue all reasonable steps in demonstrating a good faith effort to comply with the requirements of the amendment; and
    • provided to the executive agency a reasonable, written plan to achieve compliance with such requirements.
  • Permissible Operations:  the prohibition shall not apply to business operations in Russia if they are authorized by a license issued by the Office of Foreign Assets Control or the Bureau of Industry and Security, or are otherwise allowed to operate notwithstanding the imposition of sanctions.
  • Individual Contracts:  the prohibition shall not apply to any contract that is:
    • for the benefit, either directly or through the efforts of regional allies, of the country of Ukraine; or
    • for humanitarian purposes to meet basic human needs.
  • National Security and Public Interest Waivers

The amendment permits waivers when they are for the national security of the United States or in the public interest of the United States.

Specifically, the head of an executive agency is authorized to waive the prohibition with respect to a covered contract if the head of the agency certifies in writing to the President that such waiver is for the national security of the United States or in the public interest of the United States, and includes in such certification a justification for the waiver and description of the contract to which the waiver applies.

If the agency head issues such a waiver, they must also submit the associated certification to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives.

  • Implementation and Enforcement

The amendment grants emergency rulemaking authority to implement its prohibition.

Specifically, not later than 60 days after the date of the enactment of the amendment, the Director of the Office of Management and Budget, in consultation with the Administrator of General Services and the Secretary of Defense, shall promulgate regulations for agency implementation of the amendment using emergency rule-making procedures, while considering public comment to the greatest extent practicable that includes the following:

  • A list of equipment, facilities, personnel, products, services, or other items or activities, the engagement with which would be considered business operations, subject to the prohibition.
  • A requirement for a contractor or offeror to represent whether such contractor or offeror uses any of the items on this list.
  • A description of the process for determining a “good faith exemption” described above.

Next Steps

The U.S. Senate is still considering its version of the NDAA for Fiscal Year 2023. It is anticipated that the Senate version of the NDAA will be brought to the floor for consideration in September. Currently, there is no companion measure to this amendment in the Senate. If similar language is ultimately not contained in the Senate-passed version of the NDAA, a compromise will need to be worked out in conference committee, at which time the committee will decide to retain, modify, or remove the amendment. As such, it is still unclear whether the present version of the amendment will be enacted or changed. Further attention must be paid to determine its final form and business ramifications.

Key Takeaways

  • This measure could potentially create a business risk for any company that contracts with the U.S. government and conducts business in Russia. As a result, upon the NDAA’s passage, such companies should conduct a business assessment to determine whether current operations are in compliance with the amendment, or whether any mitigation or other measures are warranted.
  • Because of the fluctuating nature of this proposal and its potential business impact, it will be necessary to monitor its development and final form, if it is included in the version of the NDAA signed into law. We will continue to monitor updates to the language contained in the NDAA for this amendment. Please reach out to us with any questions.

The post United States: House NDAA would ban federal contracts with businesses operating in Russia appeared first on Global Compliance News.