Since Kramer Levin issued its Corporate Governance: 2022 Midyear Review, a wave of enforcement actions by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) has underscored the continued importance of heightened attention to corporate governance issues, including maintaining and following adequate disclosure controls and procedures involving anti-money laundering (AML) and environmental, social, and governance (ESG) efforts. For example:
Additionally, Kramer Levin issued numerous alerts throughout the second half of 2022 on other major developments in the corporate governance space, including new SEC rules concerning insider trading, ESG investment policies and procedures, incentive-based compensation, and pay versus performance disclosures; disruption in cryptocurrency markets; DOJ policies on corporate criminal enforcement emphasizing the benefits of voluntary self-disclosure; Financial Crimes Enforcement Network (FinCEN) regulations on beneficial ownership information reporting; state and federal actions to protect consumer privacy and ensure adequate data security; and the increasing legal complexity surrounding ESG and its importance in M&A transactions. We briefly summarize these alerts below.
SEC Adopts New Conditions and Disclosures Regarding 10b5-1 Plans
On Dec. 14, the SEC adopted amendments to Rule 10b5-1 requirements for insider trading plans and related disclosures, generally in the form issued for comment in January 2022 (replacing the version initially published on Dec. 15, 2021). The amendments include new conditions to the affirmative defense under Rule 10b5-1, create new disclosure requirements regarding the use of 10b5-1 Plans in periodic reports, and update Form 4 and 5 beneficial ownership reports. The rules aim to enhance insider trading protections for investors and to help shareholders understand when and how insiders are trading in securities for which they may at times have material nonpublic information.
Widespread Disruption in Crypto Markets Prompts New SEC Disclosure Considerations
On Dec. 8, the SEC Division of Corporate Finance (the Division) posted a sample comment letter (the Letter) on its website that provides guidance to public companies regarding the “recent bankruptcies and financial distress among crypto asset market participants.” The Letter is one of the Division’s first public steps addressing market uncertainty after the sudden, high-profile collapse and Chapter 11 bankruptcy filing of crypto trading platform FTX. The Letter also marks the Division’s entrance into providing explicit guidance on disclosure considerations related to the crypto markets.
In its guidance, the Division generally advises public companies to account for any crypto market developments material to an understanding of the company’s business, financial condition, results of operations or share price. The Division also notes that public companies should consider disclosing risks related to counterparty exposure; the company’s liquidity and ability to obtain financing; and risks related to legal proceedings, investigations or regulatory impacts in the crypto markets.
Although the Letter does not formally introduce new disclosure requirements, it does signal that the SEC is likely to further scrutinize the crypto markets and public disclosures related to these markets. Companies preparing their public filings, particularly companies directly or indirectly affected by the recent developments in the crypto markets, should proactively consider updating disclosures based on the content of the Letter and latest developments in the crypto industry.
On Dec. 5, the SEC announced that AT&T agreed to a $6.25 million penalty, resolving charges brought against it under the securities rule known as Regulation Fair Disclosure (Regulation FD), the largest Regulation FD penalty exacted to date. Codified at 17 C.F.R. § 243.100(a), Regulation FD prohibits public companies from intentionally or recklessly disclosing “material nonpublic information” to select audiences without simultaneously making that information available to the rest of the market. The SEC’s complaint alleged that AT&T violated Regulation FD when its executives disclosed internal financial metrics on the company’s smartphone sales to approximately 20 investment firms without also disclosing that information publicly. The case is notable for producing one of the only judicial decisions to apply Regulation FD in adversarial litigation since its publication over 20 years ago, and offers guidance on how companies can ensure compliance with Regulation FD.
On Nov. 22, the SEC charged an investment adviser subsidiary of a major U.S. financial institution with violations of Section 206(4) of the Investment Advisers Act of 1940 (Advisers Act) and Rule 206(4)-7 thereunder relating to ESG investments. The SEC alleged that the adviser’s statements labeling certain investments as having been screened pursuant to its policies and procedures for ESG criteria were inaccurate because the policies and procedures the adviser used in selecting ESG-related investments were either nonexistent or ignored by employees. To resolve the charges, the adviser agreed to pay a $4 million penalty and to the entry of a cease-and-desist order and a censure.
This enforcement action, which follows similar actions by the SEC this year, highlights the SEC’s growing interest in ESG-related disclosures and alleged “greenwashing” by asset managers. The SEC’s focus on ESG disclosures underscores the need for issuers that market ESG products to accurately disclose their written policies and procedures when making investment decisions. Issuers should also be aware of the SEC’s proposed rulemaking regarding the naming, investment content and disclosure requirements for ESG-related funds.
The SEC Adopts Incentive-Based Compensation Clawback Rule
On Oct. 26, the SEC adopted a final rule addressing the obligations of publicly listed companies to recover incentive-based compensation paid to executive officers prior to an accounting restatement. The rule will require many issuers to (i) adopt more stringent written clawback policies than those currently in place and (ii) provide more extensive disclosures of these policies. The rule implements these new requirements by directing national securities exchanges to establish listing standards addressing the recovery of overpayments of incentive-based compensation. As a result, issuers will only be required to comply with the rule after the applicable updated listing standards are effective. The listing standards (and the rule) will apply to virtually all public companies or issuers of public debt, including foreign private issuers, controlled companies, smaller reporting companies and emerging growth companies.
On Oct. 24, the Federal Trade Commission (FTC) issued a proposed decision and order against Drizly LLC and its CEO regarding allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers in 2020. The order mandates that Drizly implement a wide range of data security and privacy protocols and requires Drizly’s CEO, James Cory Rellas, to personally ensure that any company he joins in an ownership or managerial capacity maintains an adequate information security program as stipulated by the terms of the order.
The action stresses the responsibility of businesses that collect consumer data to manage and protect that information from both internal and external threats. It is another example of the FTC’s use of its unfair trade practice authority to police privacy and data minimization, all in the absence of a uniform federal privacy law. Importantly, the inclusion of requirements to report to the boards of directors or equivalent managing bodies, coupled with the direct penalties levied against Drizly’s CEO, underscores that the protection and privacy of consumer personal information should involve top-level employees. Senior executives and managers should take note that lax handling of consumer personal information could have both companywide and individual consequences.
The Increasing Legal Complexity Surrounding ESG
On Oct. 7, Kramer Levin reported on the increasing legal complexity surrounding ESG. Whether in response to stakeholders, market pressures, or legal requirements, many companies are choosing to incorporate ESG factors into their company missions, policies, and governance and management structures. In response to similar pressures, private equity funds and money managers are incorporating ESG factors into investment decisions. While responding to customer or limited partner demand for ESG investments, funds are also looking to ESG-screened investments to outperform other investments because they have identified and better managed macro risks such as climate change and social unrest. Indeed, analysts expect global ESG‑oriented assets to exceed $41 trillion by 2022 and $50 trillion by 2025 — representing one‑third of total assets under management globally.
Companies that are implementing ESG programs — whether in response to stakeholder requests or to comply with legal requirements — and are doing business with or in any of the states that have promulgated or are considering anti-ESG legislation, rules, or guidance should consult counsel to determine the nature and extent of their legal and business risk and develop effective strategies to mitigate that risk.
FinCEN Publishes Final Rule on Beneficial Ownership Reporting Requirements
On Sept. 30, FinCEN published final regulations on beneficial ownership information (BOI) reporting requirements intended to enhance the agency’s ability to protect the U.S. financial system from money laundering, terrorist financing, and other illicit activity. The rule will go into effect on Jan. 1, 2024. It describes who must file a BOI report, what information must be contained in the report and when the report is due. The final rule largely tracks the language of the corresponding Notice of Proposed Rulemaking released in December 2021.
These new regulations are intended to strengthen the integrity of the U.S. financial system by making it harder to use shell companies to launder money and hide assets, reflecting FinCEN’s concern that “[r]ecent geopolitical events have reinforced the point that abuse of corporate entities, including shell or front companies, by illicit actors and corrupt officials presents a direct threat to the U.S. national security and the U.S. and international financial systems.” FinCEN intends to use the information collected through this rule to create a national database to target money laundering and other financial crimes carried out through shell companies. Given the sensitivity of the information collected, FinCEN is subject to strict confidentiality, security and access restrictions on the data and is authorized to disclose reported BOI only in limited circumstances to certain governmental authorities and financial institutions. If the reporting company gives consent, FinCEN may also disclose the company’s BOI to financial institutions, to facilitate the institution’s compliance with customer due diligence requirements.
Deputy Attorney General Lisa Monaco Announces New Policies on Corporate Criminal Enforcement
On Sept. 15, Deputy Attorney General Lisa Monaco spoke at New York University Law School outlining the DOJ’s priorities and policies on corporate criminal enforcement.
Her speech built upon her October 2021 announcement of the DOJ’s broad priorities on corporate crimes, which emphasized the need for speedy and voluntary cooperation and detailed the benefits of voluntary disclosures. The speech was the culmination of a yearlong DOJ advisory group’s work reviewing corporate enforcement efforts and receiving feedback from academics, lawyers and compliance officers.
Diversity in the Boardroom: A Periodic Litigation and Governance Update
On Aug. 30, the National Center for Public Policy, a nonprofit interest group, sued Starbucks Corp. in a shareholder lawsuit in Washington state court, alleging that Starbucks’ directors and officers adopted several diversity policies that they knew constitute illegal racial discrimination. The plaintiff alleged that the directors and officers exposed Starbucks shareholders to material legal risk in order to “pose as virtuous advocates of ‘Inclusion, Diversity, and Equity’” and “buy[] themselves social-credit,” actions that the plaintiff says fall outside the defendants’ corporate authority. Prior shareholder derivative actions conversely accused companies of failing to meet their published diversity goals. This latest Starbucks lawsuit comes as part of a broader backlash to corporate diversity initiatives and ESG investing.
SEC Adopts Final Rule Requiring ‘Pay Versus Performance’ Disclosure
On Aug. 25, the SEC adopted a new rule requiring public companies (subject to some exceptions, described below) to disclose, in proxy statements and information statements that contain executive compensation disclosure, “pay versus performance” data for the chief executive officer and other named executive officers. The final rule, which is intended to enable investors to more readily assess executive compensation actually paid relative to the company’s financial performance, applies to disclosure for fiscal years ending on or after Dec. 16, 2022. In effect, this means that most proxy statements for 2023 annual meetings of stockholders are required to comply with the new rules. Emerging growth companies, registered investment companies and foreign private issuers are exempted from the disclosure requirements, and smaller reporting companies are entitled to provide alternative scaled disclosure.
CA Attorney General Announces First Public CCPA Fine
On Aug. 24, California Attorney General Rob Bonta (AG) announced the first public fine for failure to comply with the California Consumer Privacy Act (CCPA). Beauty products retailer Sephora Inc. agreed in a settlement to pay $1.2 million into California’s Consumer Privacy Fund, to make substantial changes to Sephora’s privacy programs and policies, and to submit annual reports regarding these changes to the AG for the next two years.
Like many retailers, Sephora installed (or allowed third parties to install) software on its website that monitored the actions of its online shoppers. Although these third parties did not pay Sephora for its shoppers’ data, in return Sephora received analytics regarding these shoppers and the option to purchase advertisements targeting them. The AG alleged that this use of Adtech constituted a sale of personal information under the CCPA, which the AG stated “broadly defines sales as the exchange of personal information for anything of value.”
The AG’s complaint against Sephora alleged three CCPA violations: (1) Sephora’s online privacy policy falsely stated “we do not sell personal information” despite the value it received for using Adtech software; (2) Sephora failed to include the required “Do Not Sell My Personal Information” link on its homepage; and (3) Sephora failed to respond to consumer requests to opt out of such sales via Global Privacy Controls (GPC), which are browser signals that users can set once to inform all websites that they do not want their information sold. The AG also alleged that these actions separately violated California’s Unfair Competition Law. Companies that deploy Adtech software on their websites should revisit their privacy programs and policies to ensure compliance with any applicable laws and regulations.
On July 25, Kramer Levin highlighted the importance of considering ESG in M&A transactions to mitigate risk and enhance value — not only for potential buyers, but also for potential sellers and their owners. Given their frequent role as a player on both the sell and buy sides of M&A deals, private equity firms are in a unique position to utilize effective ESG factors. ESG metrics measure sustainability and can be a good barometer of long-term success for a company. Private equity firms selecting targets are often looking for sustainable growth and for evidence that their targets will be in a position to remain attractive in a potential sale down the road. Furthermore, having a high-scoring ESG portfolio could increase the reputation of a private equity fund, particularly among younger demographics that are more conscious of ESG elements. All of this means that consideration of ESG factors is fundamental in an M&A deal, and that such consideration may require an increase in both the scope and the depth of due diligence done for a deal, which will allow parties to be aware of potential legal issues and technical, operational factors.
* * *
As we head into 2023, we will continue to monitor these and other corporate governance developments.