Baker McKenzie is pleased to present the 2020 edition of the Global Employer: Focus on US Immigration & Mobility.

Whether you need information about a specific US visa type, or are looking for a high-level overview of employer obligations related to the movement of foreign nationals under US immigration and employment law, this handbook covers a wide range of topics and serves as a go-to desk-side guide for US employers.

Order your complimentary copy or download a PDF version.


The post The Global Employer: Focus on US Immigration & Mobility (2020 Edition) appeared first on Global Compliance News.


Schrems II case – the data importer perspective

Following our previous analysis of the consequences of the opinion of the advocate general Hendrik Saugmandsgaard Øe (a.g.) in the Schrems II case, from the data exporter perspective (available here), we now focus on the implications of the same with respect to the position of the data importer.

Indeed, in the following paragraphs, we will turn our attention to the content of the Controller to Processor Standard Contractual Clauses (SCC) and, in particular, to some of the obligations imposed on the data importer, notably, Clauses 4(d); 5(a); 5(b) and 5(d). We will consider these obligations in light of the a.g.’s opinion in order to explain their ‘new’ meaning and scope.

Appropriate Security Measures – Clause 4(d)

Although the content of the obligation under Clause 4(d) is directed to the data exporter, its text has an impact on the activities of the data importer as well. Indeed, the exporter is required to agree and warrant that “after assessment of the requirements of the applicable data protection law, the security measures [put in place by the data importer] are appropriate” to protect the data that the latter is processing on its behalf. The clause, therefore, implies that (following a periodical request from the data exporter) the data importer regularly supplies a report indicating all the security measures that the importer has in place, in order for the exporter to be able to assess whether said measures are appropriate to its purposes. In light of the principle of transparent and accurate processing, in fact, the analysis on the importer/processor shall be performed or at least reviewed on a regular basis.

Moreover, the data importer has a number of additional information requirements towards the data exporter, including:

Non-Compliance – Clause 5(a)

The main obligation of the importer is enshrined under Clause 5(a) that requires the same to agree and warrant that it will process personal data only on behalf of the exporter and in compliance with its instructions and the Clauses. Clause 5(a), quite frankly also considers the possibility that the importer may not be able to comply with its obligations: indeed if “for whatever reasons” the importer cannot honour its obligations, Clause 5(a) requires it to inform promptly the data exporter. It is indeed not an easy task for the importer. In line with the principle of good faith in contractual relationship, the importer shall make the exporter aware of any and all circumstances that may hinder the protection of personal data in the course of the processing activities it performs. Clause 5(a) is a prerequisite for the accountability of the exporter/controller, which, following the receipt of said information, can decide the consequent actions. The range of said actions is the widest possible, up to the termination of the contract.

Changes in Legislation – Clause 5(b)

This clause is structurally similar to the one just mentioned and imposes an obligation on the data importer to notify the data exporter when a change in the applicable legislation is likely to negatively affect the capacity of the importer to comply with its obligations. Again, the consequences of said notification are for the exporter to define, being the data controller the one in charge of deciding purposes and modalities of data processing (including data transfers). What is relevant in all those circumstances is that the exporter is made aware of such changes, so that it can act accordingly and in a timely fashion.

Requests for Disclosure – Clause 5(d)

Another similar obligation is the one included in Clause 5(d), according to which the importer has a duty to inform the exporter, without undue delay, on all those circumstances where it is the addressee of specific requests or actions – i.e. a legally binding request for disclosure by a law enforcement authority; any accidental or unauthorised access; a data subject request. The idea behind this Clause is for the exporter to be in control of what happens on the importer side; indeed, it is relevant to remember that the importer is a data processor and the exporter/controller is responsible before data subjects for its compliance with the data protection laws.

Finally …

In conclusion, the a.g. suggests increasing the exporter’s scrutiny on the importers data processing activities. It is indeed the importer’s obligation to facilitate the data exporter in performing its analysis of the importer’s factual compliance. Following this line of thoughts, the importer will be expected to provide all necessary information to support the exporter in this effort.

It is of paramount importance, for the data importer, to make sure to set up an assessment and reporting process, to enable a timely identification of all non-compliance situations, and to become aware of circumstances relating not only to the data processing itself, but also to external factors. For example, the disclosure of requests from national security agencies, or changes in national legal regime. In parallel, the data importer should also make sure to open and maintain proper communication channels with its exporters and effectively comply with its duties under the SCC.

The post International Data Transfer Solutions Under GDPR appeared first on Global Compliance News.


Read publication

We are pleased to enclose the February issue of Tax News and Developments, a publication of Baker McKenzie’s North America Tax Practice Group. This month’s edition features a discussion on three Tax Court opinions under section 6751 (b), final withholding regulations, a review of final and proposed BEAT regulations and more!

In this Issue

  • Transformation of “Initial Determination” to “Definite Decision” in Penalty Approval Case
  • Final Withholding Regulations Provide Some Taxpayer Relief
  • A Review of the Final and Proposed BEAT Regulations
  • IRS BEATs on Partnerships with Final Section 59A Regulations
  • Proposed Section 162(m) Regulations: A Due Diligence Disaster
  • The Illinois Appellate Court Shuts the Door on the Secretary of State’s Aggressive Attempt to Subject An Out-of State Corporation to Double Taxation
  • Passing-through the SALT Deduction Cap: New Jersey Edition
  • DAC6: The EU’s Mandatory Disclosure Regime
  • Getting Better All the Time…Baker McKenzie Adds New Talent to its Miami Office

The post North America Tax News and Developments – February 2020 appeared first on Global Compliance News.


HITRUST Announces Availability of Shared Responsibility Matrix

FRISCO, Texas – March 4, 2020 – HITRUST, a leading data protection, standards development, and certification organization, announces the general availability of the HITRUST Shared Responsibility Program and Matrix™ Version 1.0. The Matrix is the first ever common model for communicating and assigning security and privacy responsibility between cloud service providers (CSPs) and their tenants or customers.

The Matrix is part of the HITRUST Shared Responsibility Program, which was established to address the growing misunderstandings, risks, and complexities when leveraging service providers. The Shared Responsibility Program clarifies the roles and responsibilities regarding ownership and operation of security controls while automating and streamlining the assurance process when privacy and security controls are shared or inherited. Organizations will benefit from streamlined communication processes as well as reduced inefficiencies and burdens of compliance when leveraging services from cloud providers.

The Shared Responsibility Program is led by Becky Swain, Director of Standards Development at HITRUST, and supported by a Working Group comprised of representatives of leading cloud service providers, including Armor, AWS, Google, Microsoft Azure and Salesforce, as well as enterprise cloud customers, cloud professional services firms, and solution providers. “With the continued adoption of cloud services, being able to understand and accurately inherit controls from service providers in an automated manner will be key to an organization’s information risk management and assurance process,” said Swain. “The next milestone will be HITRUST continuing to work with leading CSPs to ensure they provide the Matrix to their customers.”

“As PDHI collaborates with cloud service providers, we will leverage the HITRUST Shared Responsibility Matrix in understanding, documenting, and inheriting privacy and security control responsibility,” explains Lee Penn, the Chief Financial Officer and Chief Compliance Officer for PDHI and Shared Responsibility Working Group Member. “The Matrix simplifies providing evidence to our auditors and other interested parties that what we deliver, together with services we contract from Microsoft Azure cloud, meets the HITRUST guidelines and certification requirements—from end-to-end.”

HITRUST will continue to collaborate with leading CSPs as they provide the Matrix to their customers to further streamline security control ownership and responsibility. The Matrix offers many benefits, including:

  • A standard set of core principles and common language for all cloud service model types (e.g., SaaS, PaaS, IaaS, and Colo).
  • Helping organizations navigate an agreed-upon shared security and privacy responsibility in a way that is transparent, traceable, and accountable.
  • The ability to be tailored by CSPs in a completely customizable template to support their proprietary products and services.
  • Supporting an Assess Once, Inherit Many™

Businesses around the globe spent $107 billion in 2019 for cloud computing infrastructure services, fueled by 37% growth in Q4. With the proliferation of enterprise cloud computing, HITRUST continues its commitment to provide industry-leading risk management and vendor risk solutions for global organizations across all industries.

David Houlding, Director of Healthcare Experiences, Microsoft Azure: Healthcare Cloud and Shared Responsibility Working Group Member said, “The continued growth and strategic reliance on cloud computing, coupled with the ever-growing risk and compliance landscape, make communicating control responsibility and assurances more complex and intricate. The HITRUST Shared Responsibility Program addresses the need for a common language around security risks and responsibilities between the customer and cloud service provider, and to have confidence that nothing will fall through the cracks.”

“When control responsibility is shared, organizations must have these discussions with their cloud service providers to ensure everyone is on the same page,” says HITRUST Shared Responsibility Working Group Member Bob Smith, Senior Manager of Security Compliance at Salesforce. “The HITRUST Shared Responsibility Matrix will make those conversations much easier and serve as a guide to ensure every party knows what is required of them as well as that all reasonable steps are taken to protect information entrusted to their cloud service providers.”

IDC reported that 48% of organizations have applications in one public cloud that communicate regularly with applications in a different public cloud. The Matrix will help organizations more easily come to agreements with their CSPs as to which party is responsible for individual security and privacy controls, in turn ensuring that all applicable controls are properly addressed.

For more information on the HITRUST Shared Responsibility Program and how to access the HITRUST Shared Responsibility Matrix, visit the HITRUST Shared Responsibility Program webpage.

Join us on Tuesday, March 17th at 12 pm CT for the HITRUST Shared Responsibility Program Webinar; register here.

The post HITRUST Delivers on Commitment to Reduce Supply Chain Risk and Streamline Compliance Management in the Cloud appeared first on HITRUST.


The Treasury Department (“Treasury”) and the Internal Revenue Service (“IRS”) issued the highly anticipated final regulations (the “Final Regulations”) implementing the base erosion and anti-avoidance tax (the “BEAT”) on December 2, 2019.  Treasury and the IRS simultaneously issued proposed regulations (the “Proposed Regulations” and with the Final Regulations, the “Regulations”). The Regulations resolve several areas of uncertainty in the statute in a taxpayer-favorable manner.

This column focuses on certain important changes Treasury and the IRS made to the proposed BEAT regulations introduced December 13, 2018 (the “2018 Proposed Regulations”), and provides some updates to our column on the 2018 Proposed Regulations. This column also notes some key requests that Treasury and the Service did not adopt. Among other items, we will cover:

  • Clarifications to the Aggregation Rules;
  • Treasury’s refusal to exempt certain “pass-through,” middleman, or global services payments;
  • Modifications to the rules with respect to tax free transactions;
  • The interaction between the BEAT, ECI, Subpart F and GILTI; and
  • The proposed election to forgo deductions.


The post US: The Final Proposed Base Erosion and Anti-avoidance Tax Regulations: A Favorable Turn appeared first on Global Compliance News.



The Federal Trade Commission has announced the annual adjustment to notification thresholds that determine whether proposed transactions may trigger a filing obligation under the Hart-Scott-Rodino Antitrust Improvements Act of 1976, as amended. The revised thresholds will apply to all transactions that will close on or after February 27, 2020.


Under the updated thresholds, the lowest “size of transaction” notification threshold for any non-exempt acquisitions of voting securities, assets, or non-corporate interests will increase from USD 90 million to USD 94 million. For transactions valued above USD 94 million but below USD 376 million, an HSR filing may be triggered only if the below described “size of person” test is satisfied. Non-exempt transactions valued above USD 376 million will trigger an HSR filing obligation irrespective of the size of the parties involved.

The HSR Act “size of person” threshold, when applicable, generally will be satisfied if one party to the transaction has annual net sales or total assets of USD 188 million or more and the other party has USD 18.8 million or more in annual net sales or total assets. In each case, the operative “party” is the ultimate parent entity of the party to the potentially notifiable transaction.

The HSR Act filing amounts remain the same, but the relevant transaction values triggering the higher fee amounts have correspondingly increased.

  • USD 45,000 for transactions valued above USD 94 million but less than USD 188 million
  • USD 125,000 for transactions valued at USD 188 million or more but less than USD 940.1 million, and
  • USD 280,000 for transactions valued at USD 940.1 million or more.

Compliance with the HSR Act is imperative. The FTC previously announced the annual increase of the maximum civil penalty available for HSR Act violations from USD 42,530 to USD 43,280 per day. This new maximum penalty may be imposed for any enforcement action taken on or after 14 January 2020 even if the underlying violation preceded that date.

The Federal Register notice announcing the new HSR Act notification and filing-fee thresholds can be found here. The Federal Register notice on the increase to the maximum civil penalty is available here.

The post US: Federal Trade Commission Adjusts Hart-Scott-Rodino Premerger Notification and Filing-fee Thresholds appeared first on Global Compliance News.


View presentation

At the recent roundtable discussion, “SEC Regulatory and Enforcement Trends: How to Prepare for the SEC in 2020,” held at the Baker McKenzie Chicago office, our North America Financial Regulation & Enforcement team talked about what to expect from the Staff in 2020.

Drawing from their collective SEC regulatory and enforcement expertise and experience, the team focused on recent SEC releases, proposals and guidance concerning various topics, including:

  • conflicts of interest
  • proposed advertising and solicitation rules
  • Regulation Best Interest and cybersecurity
  • how best to prepare for expected SEC regulatory, examination and enforcement initiatives in the current environment
  • various state securities standards of care regulatory initiatives

The post US: SEC Regulatory and Enforcement Trends: How to Prepare for the SEC in 2020 appeared first on Global Compliance News.


On December 20, 2019, the Treasury and IRS released proposed regulations1 implementing the Tax Cuts and Jobs Act’s changes to section 162(m)’s $1,000,00 limit on the deductibility of “covered employee” compensation.2 In key part, the TCJA3 eliminated the exception from section 162(m) for performance-based compensation and expanded the covered employees and publicly held corporations subject to section 162(m). The Proposed Regulations build on this initial expansion of the 162(m) limit, dramatically increasing the extent to which the compensation of current and former executives will be non-deductible and introducing significant complexity into the identification and tracking of an ever-expanding pool of covered employees. In this summary, we address some of the most significant changes that taxpayers should note:

The particularly broad interpretation of the “predecessors” whose covered employees become covered employees of a publicly held corporation and its impact in corporate transactions.

  • The expansive definition of the “publicly held corporations” subject to 162(m) and elimination of the IPO transition period for newly public companies.
  • The new application of the 162(m) deduction limit to compensation paid by partnerships.
  • The ability to modify certain arrangements in view of the new 162(m) rules without violating section 409A, which may require action by December 31, 2020.
  • Clarifications of the grandfathering rule, including the impact of clawbacks and vesting acceleration and the treatment of severance.

1. Expansion of Covered Employees has a Significant Impact in Corporate Transactions

The Proposed Regulations confirm the guidance in Notice 2018-684 that the covered employees of a publicly held corporation include:

  • Its Principal Executive Officer and Principal Financial Officer at any time during a tax year,
  • Its three other most highly compensated executive officers for the tax year, regardless of whether the officer’s compensation is subject to disclosure for the last completed fiscal year under SEC rules or whether the officer is employed at the end of the tax year, and
  • Anyone who was a covered employee of the corporation or a predecessor for any tax year beginning after December 31, 2016.

The above rules generally apply for tax years ending on or after September 10, 2018, except with respect to two items not addressed by Notice 2018-68, both of which are addressed in the Proposed Regulations in a manner unfavorable to taxpayers.

First, the Proposed Regulations state that a company with a fiscal year and tax year which do not align (e.g., in the case of a short tax year due to a corporate transaction) must determine its three most highly compensated officers for the tax year based on the SEC summary compensation table rules, even if the corporation is not preparing a summary compensation table for the tax year. This rule applies to tax years beginning on or after December 20, 2019, i.e., effective for the 2020 calendar year in the case of calendar year taxpayers.

Second, the Proposed Regulations take what appears to be the broadest possible approach to the “predecessor” issue. Under this approach, a publicly held corporation’s covered employees will include the covered employees of any of the following “predecessor” entities, if such individuals perform services – whether as an employee or nonemployee – for the publicly held corporation:

Transaction Predecessor
Merger/Reorg. A publicly held target corporation that is acquired or is the transferor in a corporate reorganization under section 368(a)(1).
Spin-off A publicly held distributing corporation in a spin-off, to the extent that its covered employees commence services with the publicly held spun-off corporation within 12 months before or after the spin-off. (Such employees also remain covered employees of the distributing corporation.)
Stock-deal A publicly held target that, in a stock acquisition, becomes a member of a publicly held affiliated group (under newly expanded affiliated group rules).
Asset deal A publicly held target of which at least 80% of the operating assets are acquired over a period of 12 months, to the extent that its covered employees commence services with the publicly held acquirer within 12 months before or after the asset deal.
Private – Public Transition An acquired privately held corporation, if it was previously public and the acquisition occurs before the 3-year anniversary of the due date for the acquired private corporation’s federal tax return for the last tax year for which it was public.

The regulations also capture predecessors of predecessors, so any of the above predecessors of corporations that become part of a publicly held corporation’s affiliated group under section 162(m) are also covered employees of the publicly held corporation. The predecessor rule is proposed to apply to corporate transactions for which all events necessary for the transaction occur on or after the date of publication of the final rule in the federal register, or in the case of a private – public transition, to a private company that becomes public again on or after publication of the final rule. Until the final regulations are effective, taxpayers may rely on the definition of predecessor in the proposed rules or on a reasonable good faith interpretation of the term “predecessor.” However, the preamble states that it would not be a reasonable good faith interpretation to exclude as a predecessor a publicly held target corporation of which (i) the stock or assets are acquired in a transaction to which section 381(a) applies or (ii) at least 80% of the total voting power, and at least 80% of the total value of, the stock is acquired. Given the limited deference given to regulation preambles, and the fact that the Treasury could easily have interpreted a predecessor to include only an alter ego of the public company, taxpayers who acquire a public company before the effective date of the final regulations have a difficult decision as to how they reasonably interpret the statute before the final regulations become effective.

With these statutory interpretations, the Proposed Regulations introduce significant complexity to identifying and tracking the individuals who are permanently treated as covered employees. This is especially true in the context of corporate transactions, likely resulting in an ever-increasing amount of required diligence. Publicly held corporations that acquire predecessor corporations will have to maintain a full inventory of all individuals who were covered employees of each such predecessor (or of any predecessors to those predecessors) for any tax year after 2016. Given the complexities that arise and the fact that the Treasury has chosen the broadest possible approach to defining a predecessor, taxpayers and their trade organizations should consider commenting on this aspect of the Proposed Regulations in hopes of obtaining a more taxpayer favorable definition of the term predecessor, as well as a more lenient effective date.

2. Expansion of “Public” Companies subject to 162(m) and Elimination of IPO Transition Rule

The Proposed Regulations confirm that a “publicly held corporation” is a corporation (i) with any class of securities (including debt) that is required to be registered under Section 12 of the Exchange Act5 or (ii) that is required to file reports under Section 15(d) of the Exchange Act (even if not listed on any exchange). However, the Proposed Regulations expand the application of 162(m) to public partnerships that are treated as corporations under section 7704, companies that own publicly held disregarded entities and S corporations that own publicly held QSubs. The rules also expand the existing rules on affiliated groups, including to capture privately-held companies with a publicly held subsidiary.

The Proposed Regulations also confirm that foreign private issuers that meet the requirements of a “publicly held corporation” will be subject to 162(m). However, recognizing that foreign private issuers are not generally required to disclose executive compensation under the SEC’s disclosure rules, the IRS requests comments on whether it should design a safe harbor for such issuers to determine their three most highly compensated executive officers.

In one piece of good news, the Proposed Regulations clarify that the determination of a publicly held corporation is made as of the last day of the corporation’s taxable year, which means that companies whose filing obligation or registration is suspended as of such date are not subject to 162(m).

However, in less good news, the Proposed Regulations provide that a company that becomes publicly held after December 20, 2019 will immediately become subject to the section 162(m) limit, eliminating prior transition relief that generally afforded such companies more than three years of exemption from the 162(m) limit.

3. Expansion of Remuneration subject to 162(m), including Amounts Paid by Partnerships

The TCJA and Notice 2018-68 punted on the question of the application of the deduction limit to compensation paid by a partnership to a publicly held corporate partner’s executives, commonly occurring in the so-called “UP-C” or “UPREIT” partnership structure. However, the Proposed Regulations address this issue head-on. The Proposed Regulations clarify that the publicly held corporation must take into account its distributive share of the partnership’s deduction for compensation expense paid to the publicly held corporation’s covered employee and aggregate that distributive share and the corporation’s otherwise allowable deduction for compensation paid directly to that employee in determining the amount allowable to the corporation as a deduction for compensation under section 162(m).

For example, assume a publicly held Corporation T and a privately held Corporation S form a general partnership and, for 2021, a covered employee of Corporation T performs services for the partnership and receives $800,000 from the partnership for those services, $400,000 of which is allocated to Corporation T. Corporation T’s $400,000 share of the partnership’s deduction for the compensation expense is aggregated with Corporation T’s deduction for compensation paid directly to the covered employee by Corporation T, if any, in determining the amount allowable as a deduction to Corporation T for compensation paid to such covered employee for Corporation T’s taxable year 2021. Notably, the result is the same whether the covered employee performs services for the partnership as a common law employee, an independent contractor, or a partner, and whether the payment is a payment under section 707(a) or a guaranteed payment under section 707(c).

As this is a dramatic departure from the prior application of the 162(m) rules to compensation paid by partnerships, the Proposed Regulations provide transition relief for current compensation arrangements. Accordingly, the rule with respect to compensation paid by a partnership will apply to any deduction for compensation that is otherwise allowable for a taxable year ending on or after December 20, 2019 but will not apply to compensation paid pursuant to a written binding contract in effect on December 20, 2019 that is not materially modified after that date. Of course, this transition relief is subject to all the interpretive issues that have arisen with respect to the TCJA grandfather rule.

4. Coordination with Section 409A

The preamble to the Proposed Regulations indicates that the regulations under section 409A governing nonqualified deferred compensation arrangements will be modified in light of the changes to section 162(m). As a result, there may be planning opportunities that companies may wish to consider that would require action by December 31, 2020.

As background, a payment of compensation may be delayed past the originally designated payment date without violating section 409A to the extent the service recipient reasonably anticipates that, if the payment were made as scheduled, the service recipient’s deduction with respect to such payment would not be permitted due to the application of section 162(m).

Given that amounts that might previously have quickly become deductible under the former 162(m) (e.g., after termination of employment) now might never become so deductible (due to the new “once a covered employee, always a covered employee” rule), the preamble to the Proposed Regulations indicates that the section 409A regulations will be amended to permit companies to (i) delay scheduled payment of grandfathered amounts to qualify for deduction under section 162(m), without delaying payment of non-grandfathered amounts; and (ii) amend deferred compensation arrangements to eliminate provisions requiring the company to delay payments on account of the deduction limitation under section 162(m), provided the amendment is made by December 31, 2020. Further, the foregoing should not result in a violation of section 409A or a material modification that would negatively impact the grandfathered status of the compensation arrangement.

5. Confirmation and Clarification of Grandfathering Rules

Under the TCJA’s grandfathering rule, the new 162(m) rules do not apply to remuneration provided pursuant to a written binding contract in effect on November 2, 2017 which is not modified in any material respect after that date. To determine whether a written binding contract exists, taxpayers still need to apply the same ambiguous standard as to whether the corporation was obligated to pay the amounts under applicable law. However, in noteworthy clarifications, the Proposed Regulations confirm that:

  • The presence of a clawback provision will not prevent an arrangement from being grandfathered as a written binding contract provided that the corporation’s right to recoup the compensation is based on the occurrence of conditions that are objectively outside the corporation’s control (e.g., detrimental conduct on the part of an executive).
  • Acceleration of the vesting of equity awards or other unvested compensation is not considered a material modification that would cause the loss of any applicable grandfathering. (However, the regulations are silent on whether the extension of the term of an option is a material modification.)
  • In determining whether severance is grandfathered, each component of the severance formula must be analyzed separately to determine the amount of severance that is grandfathered. So if a severance payment is based on salary plus discretionary bonus, it is only the amount of the bonus that is required to be paid as of November 2, 2017 based on a prior exercise of discretion that could be grandfathered. Further, if severance includes a base salary-based payment, an increase in base salary that is more than a reasonable cost of living increase causes the loss of grandfathering for the entire severance amount.

Because the Proposed Regulations adopt the prior guidance in Notice 2018-68 on grandfathering and material modifications, these aspects of the regulations apply for tax years ending on or after September 10, 2018.

Closing Remarks

Given the unanticipated breadth of many aspects of the Proposed Regulations, taxpayers should consider whether to comment on areas of concern. Any such comments are due to the IRS by February 18, 2020.

1 REG–122180–18.
2 Section references are to sections of the Internal Revenue Code of 1986, as amended, unless otherwise stated.
3References to the TCJA mean the Tax Cuts and Jobs Act of 2017.
4 Notice 2018-68, issued on August 21, 2018, provided initial IRS and Treasury guidance on the changes made to section 162(m) by the TJCA, including the grandfather rule.
5“Exchange Act” means the Securities Exchange Act of 1934, as amended. 

The post US: Proposed Regulations Dramatically Expand Limit on Deductibility of Executive Compensation appeared first on Global Compliance News.


FRISCO, TEXAS, January 31 – The formation of the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB) in partnership with the Department of Defense (DoD) is a landmark achievement and the next logical step in bringing the CMMC to reality with this release.

HITRUST has been actively involved with the DoD and in related industry efforts to finalize the CMMC standard and the associated CMMC Accreditation Body (AB). Leveraging our twelve years of experience as a leader in delivering the highest quality assurance reports, developing our framework, assurance program, academy, assessor network, assessment infrastructure and related programs, HITRUST has made and continues to make valuable contributions and share key insights with the DoD and the CMMC AB in order to help them determine how best to go about accrediting auditors, delivering training, and issuing certifications.

While the CMMC program is being brought to market, HITRUST customers can rest easy knowing that for every component of the CMMC program contemplated by the DoD, HITRUST has a program or service to support those seeking CMMC. The HITRUST CSF already integrates with and contains mappings to the baseline standards upon which the CMMC framework is based (i.e., NIST SP 80-53, DFARS/NIST SP 800-171, and FedRAMP) enabling organizations to understand the controls requirements and identify any gaps.

As the DoD and CMMC AB move forward with developing and implementing the requirements of the CMMC, HITRUST will be at the forefront, continuing to participate as a subject matter expert and thought leader while helping simplify the road to CMMC for organizations of all sizes, across all industries. HITRUST is poised and pleased to continue to share knowledge, technology and working solutions for securing the defense industrial base from industrial property theft, data breaches and compromises to national security intelligence.

To learn more about how HITRUST integrates with CMMC visit

To learn more about HITRUST Approach visit:

The post HITRUST Statement on Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) appeared first on HITRUST.


Ken Vander Wal Retiring; Jeremy Huval Named as New Chief Compliance Officer

FRISCO, TX, January 27, 2020 – HITRUST, a leading data protection standards development and certification organization, announced today that Jeremy Huval was promoted to Chief Compliance Officer, effective January 15, 2020. Huval served as Vice President of Compliance and Internal Audit for HITRUST since 2019 and will succeed Ken Vander Wal, who retired on January 1, 2020, after a successful ten-year career with the Company.

The promotion of Huval to the CCO role was a logical choice following the successful implementation of an enhanced quality monitoring and reporting initiative and successful launch of the Certified HITRUST Quality Professional (CHQP) course in 2019 that he and Vander Wal developed.

“It has been a privilege to work with a man of Ken’s intellect and insight in pursuit of the highest quality standards for organizations achieving the HITRUST CSF® Certification,” said Jeremy Huval. “Ken’s tremendous leadership advanced a comprehensive approach to reporting and assessing information risk, and compliance is more than just a framework, but a complete program tailored to an organization’s ecosystem. He leaves a strong legacy that I intend to build upon with continued innovation and a commitment to excellence for HITRUST.”

In September 2019, Vander Wal was voted by the Board to Chair the newly formed Quality Assurance Subcommittee, which provides additional governance and oversight of the HITRUST CSF Assurance Program. Vander Wal served as HITRUST’s Chief Compliance Officer since 2009. Under his leadership, the HITRUST CSF became recognized as an industry standard for the protection of healthcare data—the equivalent of the “Good Housekeeping Seal” of approval.

Vander Wal’s notable accomplishments include establishment of a formal review and approval process for creating authorized third-party assessors; enhancements to the HITRUST CSF Assurance program to ensure consistency, quality, and rely-ability™; collaboration with the AICPA to have the CSF framework recognized as acceptable criteria for SOC 2® + HITRUST CSF reports; and the launch of an interactive and highly successful customer hotline for users to anonymously report issues, concerns and suggestions to the CSF.

“My time at HITRUST has been an incredible journey, and I am humbled to know that my work has contributed to HITRUST’s mission of improving global security standards,” explained Vander Wal. “This is the perfect time to transition to the next generation knowing that the best is yet to come under Jeremy’s capable leadership. I look forward to continuing my involvement with HITRUST as Chair of the Board Quality Assurance Subcommittee and supporting the governance and oversight for our Assurance Program.”

“On behalf of HITRUST and the Board, I would like to express my appreciation to Ken for his invaluable leadership, drive, and focus, ensuring the integrity of our Assurance Program over the past ten years,” said Daniel Nutkis, CEO and Chairman of the Board. “Under Ken’s leadership, HITRUST has helped thousands of businesses transform their security protocols and processes while strengthening the Company’s standing as a global leader in a dynamic industry. Our company and leadership team has never been stronger, and we look forward to a seamless transition.”

Nutkis continued, “I am pleased to promote Jeremy to this new role and am confident that Jeremy’s keen understanding and knowledge of our business and commitment to delivering on the unique approach of the HITRUST Assurance Program will greatly contribute to the Company’s next level of success.”

Before his promotion, Huval served as the Vice President of Compliance and Internal Audit for HITRUST. His responsibilities included overseeing the integrity of the HITRUST CSF Assurance Program and leading an internal consulting and assurance function aimed at improving internal operations and controls within the organization. Huval has been an integral part of several initiatives since joining HITRUST that include automation of all reports issued and quality-check routines in Q&A processes; and implementation of new internal metrics to continuously monitor the quality and effectiveness of the CSF Assurance Program.

To learn more about the HITRUST CSF Assurance Program visit:

To learn more about the Certified HITRUST Quality Professional (CHQP) Course visit:

The post HITRUST® Chief Compliance Officer Retires; Successor Named appeared first on HITRUST.