On June 13, the final administrative rules implementing the MNvest intra-state crowdfunding exemption were adopted. The MNvest Rules were first proposed back in November of 2015. Today’s publication in the Minnesota State Register notes that the MNvest Rules were adopted as proposed, other than a few revisions that are shown in blackline format. The MNvest Rules become effective five working days after publication, meaning they will be available for use next Monday. You can see our prior coverage of the actual MNvest legislation here and here.

SUMMARY OF MNVEST RULES

Additional Pre-Offering Filing Requirements. Section 80A.461, Subd. 3(11) of the Minnesota Statutes requires that a MNvest issuer file the following information with the Minnesota Department of Commerce at least 10 days prior to the commencement of a MNvest offering: (i) a notice stating that the MNvest exemption is being relied upon, (ii) a copy of the disclosure document that will be provided to prospective investors, and (iii) a $300 filing fee. The MNvest Rules use this notice filing provision in the statute to impose additional disclosure requirements on MNvest issuers. The pre-offering notice must now include, in addition to the information required by statute:

  • “a written explanation of how the minimum offering amount will be used to implement the MNvest issuer’s business plan.”
  • a written affirmation that the issuer has “reviewed” the bad actor disqualification provisions in Section 80A.461, Subd. 9 and “undertaken the inquiries needed to establish, under [Section 80A.461, Subd. 9(b)(4)], that the issuer has no reason to know that a disqualification exists.” The disqualification provisions include within their scope the issuer and its affiliates, officers and directors, 20% beneficial owners, and promoters.
  • any other information the Commissioner of Commerce may “reasonably require to determine the MNvest issuer’s compliance” with MNvest.

Ongoing Reporting and Record Keeping. The MNvest Rules impose several ongoing reporting and recordkeeping requirements for issuers and portal operators.

Obligation to Update Filings/Registrations. As long as the offering is ongoing, the issuer is obligated to update the information it has filed with the Commissioner of Commerce “as necessary so that the issuer does not make any untrue statement of a material fact, or omit to state a material fact necessary in order to make the statement made, in light of the circumstances under which it is made, not misleading.” In other words, a Rule 10b-5 style disclosure regime applies to MNvest issuer disclosures to the Commissioner of Commerce. A similar requirement applies to portal operators with respect to the portal operator registration filed with the Department of Commerce (although the obligations persists as long as the portal operator is registered, as opposed to lapsing at the end of an offering).

Offering Reports. Issuers and portal operators are each required to provide to the Department of Commerce, upon request, offering reports containing basic information about MNvest offerings, including the offering minimum and the amount actually raised, the name, address, and amount invested by each investor, and confirmation as to whether investor funds were released from escrow or returned to purchasers. For portal operators, the offering report must also include the date the portal operator received the certification from each purchaser required by Section 80A.461, Subd. 5 (acknowledgment of risks and certification of Minnesota residency).

Five Year Record-Keeping Requirement. The MNvest Rules impose a five year record keeping requirement on MNvest issuers and prescribe the types of information that must be retained with respect to each MNvest offering, which include “records of all written communications sent to or received from purchasers in a MNvest offering,” as well as all records “used to establish compliance with” the bad actor disqualifications.

Portal Operator Registration Requirements. The MNvest Rules also add the following content to the portal operator’s registration with the Department of Commerce:

  • a written explanation of the portal operator’s “use of a third party’s software program or other services in developing, operating, or maintaining the MNvest portal.”
  • a written explanation of the steps taken by the portal operator to verify the Minnesota residency of each purchaser of securities through the portal.

Cybersecurity. The MNvest Rules require portal operators and MNvest issuers to take “reasonable steps” to maintain the security of financial and personal information of purchasers. The MNvest Rules note that this requires, at a minimum, that the issuer and the portal operator develop and implement written cybersecurity policies and publish the policies on their websites. In a change from the proposed rules, the final rules also specify that the cybersecurity policy must address cybersecurity attacks, data breaches, responses to cybersecurity attacks and data breaches. There is also apparently a requirement that the issuer demonstrate it implemented the policy, although the wording of the final rule is not a font of clarity on this point. Again, more on that below.

Disqualified Classes of Issuers. The MNvest Rules make MNvest unavailable for certain offerings on the theory that these offerings warrant more detailed disclosure of applicable risks than is appropriate for a securities registration exemption.” These disqualified offerings are comprised of:

  • offerings relating to oil exploration or production, mining activities, or other “extractive industries”
  • offerings relating to investments in digital or crypto currencies (like bitcoin);
  • offerings that are utilizing more than one MNvest portal concurrently;
  • offerings involving investment companies; and
  • offerings by blank check companies.

Restrictions on the Use of the Term “MNvest.” The MNvest rules contain some restrictions on how the term “MNvest” may be used in an effort to avoid investor confusion regarding whether a particular operation is officially-sanctioned in some way by the state of Minnesota. To that end, a portal operator cannot own a URL containing “MNvest.” No person can own a URL that contains “MNvest” if the URL automatically directs to a MNvest portal. In addition, no MNvest portal can purport to be the official or exclusive MNvest portal.

QUESTIONS AND CURIOSITIES

Issuer Bad Actor Affirmation: Not a Beacon of Clarity

Under the as-proposed MNvest Rules, an issuer’s pre-offering filing would have needed to include an affirmation that the issuer had “exercised reasonable care to confirm” that it was not disqualified from utilizing MNvest by reason of the bad actor disqualifications in Section 80A.461, Subd. 9. Presumably, exercising reasonable care would have required some level of due diligence – at least an inquiry of the covered persons as to whether they were subject to any of the disqualifying events. The reason this matters is because Section 80A.461, Subd. 9(b)(4) states that the MNvest issuer will not lose its exemption if it “establishes that it did not know and, in the exercise of reasonable care, could not have known that a disqualification existed.”

In the as-adopted MNvest Rules, the issuer is not required to affirm that it has actually exercised “reasonable care” to investigate its covered persons for purposes of the bad actor disqualifications. Instead the issuer must affirm that it has reviewed the bad actor disqualification provisions, and that it has “undertaken the inquiries needed to establish, under Minnesota Statutes, Section 80A.461, Subdivision 9, paragraph (b), clause (4), that the issuer has no reason to know that a disqualification exists.”

The language of the final rule is less than clear and raises some questions. What problem in the proposed rule does the changed language remedy? Like the proposed rule, the final rule requires an affirmation that the MNvest issuer has taken some action. Under the proposed rule, that action was the exercise of reasonable care. Under the final rule, that action is undertaking “the inquiries needed to establish . . . that the issuer has no reason to know that a disqualification exists.” Is the action described by the final rule representative of a standard of care that is lesser than reasonable care? It is tempting to read the final language as equivalent to “reasonable care,” but then, if that were the case, why would a confusing change be necessary in the first place? The original language would have been more accurate, precise, and understandable. Why does the MNvest Rule purport to refer to a standard included in the statute (by the cross reference) but then actually describe a slightly different standard? Who determines what inquiries are “needed” under the final MNvest Rules?

Cybersecurity Policy Jumble

The proposed MNvest Rules explained that “reasonable steps to ensure that purchasers’ financial information is properly secured” included, at a minimum, “the development and implementation of a written cybersecurity policy that outlines the MNvest issuer’s or portal operator’s policies and procedures for preventing and responding to cybersecurity attacks and data breaches resulting in the disclosure or potential disclosure of purchasers’ confidential or personally identifiable information.”

The as-adopted MNvest Rules alter this to state that reasonable steps must include “at a minimum, a written cyber-security policy that outlines the MNvest issuer’s or portal operator’s policies and procedures for: (1) preventing cybersecurity attacks that result in the disclosure, or potential disclosure, of purchasers’ confidential or personally identifiable information; (2) preventing data breaches that result in the disclosure, or potential disclosure, of purchasers’ confidential or personally identifiable information; (3) responding to a cybersecurity attack or data breach that occurs; and (4) demonstrating the issuer’s implementation of the written cybersecurity policy.”

First, from a drafting perspective, why not combine clauses (1) and (2) by making the single clause apply to both cybersecurity attacks and data breaches? That’s the approach that was taken with clause (3), after all.

Second, what does clause (4) even mean? If you excise clauses (1) through (3) for a moment, the rule reads: “at a minimum, a written cyber-security policy that outlines the MNvest issuer’s or portal operator’s policies and procedures for: (4) demonstrating the issuer’s implementation of the written cybersecurity policy.” So the written cybersecurity policy must somehow itself demonstrate the issuer’s implementation of that same policy? Wouldn’t it make more sense to ask the issuer to affirm or demonstrate to the Department of Commerce that it has implemented the written policy?

Third, why leave out portal operators from the scope of clause (4)? As written, a portal operator is required to have a cybersecurity policy, and that cybersecurity policy of the portal operator’s must demonstrate “the issuer’s implementation of the written cybersecurity policy” (my emphasis). Aren’t we missing something here? Don’t we need clause (4) to cover implementation of the policy by the portal operator or the issuer, as applicable?

We can only hope for clarifying amendments.