Key Points and Practical Advice
- In February 2022, the U.S. Department of Justice (DOJ) announced that the China Initiative, launched in November 2018 to counter perceived threats to U.S. national security from China, was “not the right approach.”1 Nonetheless, the Biden administration continues to pursue China-related enforcement actions, including with respect to alleged trade secret theft as well as alleged sanctions and export controls violations.
- Facing investigation obstacles including several Chinese blocking statutes, the U.S. Securities and Exchange Commission (SEC) may change its enforcement strategy in China-related matters by pursuing charges that do not require it to establish fraud and/or by relying more on evidence it is able to collect from sources outside of China. Meanwhile, the SEC has listed more than 150 issuers that do not comply with the Holding Foreign Companies Accountable Act (HFCAA) and has strengthened disclosure requirements for China-based variable interest entity (VIE) structures.
- Recent People’s Republic of China (PRC) blocking statutes and laws on cyber and data security and privacy have made cross-border enforcement more challenging.
- Given the current state of U.S.-China relations and a number of complicated new laws in both countries, companies should establish transparent and credible internal compliance processes to help ensure that they meet U.S. and Chinese legal requirements. For example:
- When making strategic decisions, companies should be proactive in assessing legal and compliance risks and potential conflicts under both U.S. and Chinese regulatory regimes, instead of reacting to issues when they arise.
- To avoid being caught between conflicting regulatory regimes, companies may consider urging U.S. and Chinese regulators to talk among themselves, rather than serving as a go-between.
- Credibility and process matter. For example, if PRC blocking statutes inhibit the SEC’s ability to conduct its own investigations, it may seek to rely more heavily on reviews done by the company’s internal audit team or outside counsel and other sources of information. Companies should implement and maintain internal processes that the SEC can trust.
Both the U.S. and Chinese authorities recently have taken significant actions relating to cross-border enforcement involving China. On the U.S. side, the DOJ continues to investigate and prosecute alleged trade secret theft as well as alleged sanctions and export controls violations, while the SEC has focused on issues related to the HFCAA and VIE structures. On the Chinese side, the PRC government has passed various blocking statutes and data privacy laws that have made U.S. cross-border enforcement efforts more challenging. Companies that do business in both countries thus need a plan to navigate between these sometimes conflicting regulatory regimes.
Recent DOJ Enforcement Trends Regarding China
DOJ’s Shift Away From the China Initiative
In November 2018, the DOJ launched the China Initiative, an effort to identify and investigate economic espionage and trade secret theft intended to benefit the Chinese state. Under the Initiative’s umbrella, federal prosecutors also brought a number of cases charging academics and researchers with fraud and false statements to federal agencies for allegedly misrepresenting their ties to the Chinese government. In February 2022, Matthew G. Olsen, the assistant attorney general (AAG) in charge of the DOJ’s National Security Division (NSD), acknowledged that to many, the China Initiative “fueled a narrative of intolerance and bias,” suggesting “that the Justice Department treats people from China or of Chinese descent differently.”2 At the same time, Mr. Olsen asserted that the Chinese government continued to pose a national security threat to U.S. interests. He announced that, going forward, the Justice Department would apply the broader Strategy for Countering Nation-State Threats to potential threats from countries such as China, Russia, Iran and North Korea. During a July 28, 2022, hearing before the U.S. House Committee on the Judiciary, Mr. Olsen reiterated the department’s commitment to the Strategy for Countering Nation-State Threats, noting that the NSD is particularly focused on cyber-enabled attacks and other nation-state attacks and that the NSD is “most concerned of China and Russia, and also Iran and North Korea.”3
While some interpreted Mr. Olsen’s February 2022 speech as a repudiation of the China Initiative, the shift away from the China Initiative does not mean that the Biden administration is relaxing its enforcement of perceived threats from China. The DOJ has continued to pursue many cases originally brought under the China Initiative, including those involving alleged fraud and false statements. That said, future enforcement will likely prioritize alleged trade secret theft and export controls violations over alleged grant fraud and false statements. Other enforcement and regulatory authorities also will use all available tools, and existing mechanisms such as Committee on Foreign Investment in the United States (CFIUS) reviews will not be affected. Companies and individuals operating in China would be well-advised to stay vigilant and ensure compliance with all applicable laws and regulations.
PRC Talent Programs
The DOJ also has been active in bringing criminal charges against individuals who allegedly lie about receiving money from the PRC or about their affiliations with the PRC. Many of those cases involve defendants’ participation in PRC talent recruitment programs like the Thousand Talents Program, which is not itself illegal. However, the DOJ scrutinizes these programs closely because it views them as a way to recruit individuals with access to U.S. government-funded research for the PRC’s benefit.
Companies may face reputational risks and may find themselves having to incur substantial legal expenses in defending themselves against investigations if they are seen by the U.S. authorities as facilitating employee cooperation in PRC talent programs perceived to threaten U.S. national security interests. If companies lie about or omit information on this participation, they may face potential legal liability, including criminal liability. Companies should always comply with U.S. laws and regulations, maintain accurate books and records, and ensure that any responses to U.S. government inquiries are truthful and complete. At the same time, companies also may be well-advised to inform their employees of their right to seek counsel or remain silent when questioned under certain circumstances, such as at border crossings, and to decline to give consent for searches of their persons or possessions.
In addition, companies should assess what data they should store in the United States, as opposed to in the PRC, and vice versa, and be careful about data transfers between the two jurisdictions that may raise issues under PRC data and cybersecurity laws and the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Companies should also be mindful of the protections offered by attorney-client privilege to the extent that they are seeking advice from U.S. counsel.
Sanctions and Export Controls
Sanctions and export controls are top priorities for DOJ enforcement. On June 16, 2022, Deputy Attorney General Lisa Monaco publicly described sanctions as “the new FCPA” (the Foreign Corrupt Practices Act) and remarked that “[t]he growth of sanctions enforcement follows the path that the FCPA traveled before it,” thus implying that the DOJ expects sanctions enforcement to be very active in the future, as FCPA enforcement has been for some time.4 In addition, U.S. Treasury Secretary Janet Yellen recently called out Chinese companies perceived to be seeking to undermine sanctions with Russia and discussed working toward transitioning supply chains to trusted nations.5 Recent high-profile sanctions enforcement actions include an August 2021 case brought by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) against Bank of China’s U.K. subsidiary, resulting in a $2.3 million settlement regarding alleged violations of the Sudan sanctions program through processing payments.6
The U.S. Department of Commerce’s Bureau of Industry and Security recently announced a three-part strategy for enforcing export controls including fines, public disclosure and requiring settling companies to publicly admit to misconduct.7 In May 2022, U.S. Secretary of State Antony J. Blinken announced a collaboration with the Department of Commerce on strengthening export controls.8 Recent civil export controls actions include the Commerce Department’s issuance of a temporary denial order against three U.S. 3D printing companies, suspending their export privileges for 180 days.9 According to the Commerce Department, the companies had exported controlled technology from the United States to China for 3D printing purposes without the required authorization from the U.S. government or consent from the companies’ clients.
Recent SEC Enforcement Trends Regarding China
SEC Cross-Border Enforcement Strategy Post-Luckin Coffee
The SEC enforcement action against Luckin Coffee in December 2020 was viewed as groundbreaking for several reasons, including the size of the settlement related to a China-based issuer ($180 million in penalties), the swiftness of the investigation and the cooperation between the SEC and the China Securities Regulatory Commission (CSRC).10
Although the SEC has opened numerous investigations related to China-based issuers in the intervening years, the agency faces significant obstacles, including PRC blocking statutes that make it more difficult to obtain information from China and hamper its ability to conduct those investigations. These developments will continue to have a practical effect on the SEC’s cross-border enforcement strategy. The SEC likely will focus on collecting evidence from sources outside of China, such as third parties involved in initial public offerings, short-seller research firms and whistleblowers. In addition, the SEC may find it more expedient to pursue nonfraud charges against alleged wrongdoers, such as accounting or internal controls violations, rather than fraud cases, which typically depend on evidence of intent that are based on proof obtained through internal communications and witness testimony.
Holding Foreign Companies Accountable Act
In December 2020, Congress passed the HFCAA, which directs the SEC to prohibit securities of a registrant from being listed on a U.S. exchange if the Public Company Accounting Oversight Board (PCAOB) determines that it was unable to inspect the auditor of the registrant’s financial statements for three consecutive years. Legislation pending in the U.S. Congress could shorten this time frame to two years.11
The PCAOB has identified firms that it has not been able to inspect, and the SEC has listed on its website over 150 issuers that it views as potentially out of compliance with U.S. regulations as of July 29, 2022.12 Some media reports suggest that U.S. and PRC authorities may be attempting to resolve these problems, but YJ Fischer, director of the SEC’s Office of International Affairs, recently commented that “significant issues remain and time is quickly running out[.]”13 Additionally, the HFCAA has given rise to a great deal of uncertainty around the adequacy of the disclosures that companies have made and must continue to make.
Variable Interest Entities
PRC regulations prohibit or restrict foreign investment in Chinese companies operating in certain sensitive industries, including media and telecommunications. To comply with these regulations, many China-based issuers have formed foreign holding companies to enter into contractual arrangements with Chinese operating companies. Under the contractual arrangements, these China-based issuers control, and become the primary beneficiaries of, the Chinese operating companies.
The SEC views the VIE structure as potentially raising transparency issues. The SEC has instructed its staff to look through the VIE structure to assess true ownership and control, and to require disclosures for U.S. investors. In July 2021, SEC Chairman Gary Gensler raised concerns over China-based VIE structures’ impact on U.S. investors, and he asked the SEC staff to seek certain disclosures from such entities before the registration for the issuer is declared effective.14 Additionally, in December 2021, the SEC’s Division of Corporation Finance released a “sample letter” operationalizing some of Chairman Gensler’s concerns, including the areas of disclosure.15 The SEC will likely continue to dig under complex legal structures to require compliance with U.S. laws, including the HFCAA.
New Chinese Legal Regime for Cross-Border Enforcement
Recent PRC Laws Impacting Cross-Border Enforcement
A number of PRC laws that have made cross-border enforcement efforts more challenging recently came into force. These laws include two blocking statutes, which appear to have been passed largely in response to U.S. Congress’ enactment of the CLOUD Act requiring overseas companies registered in the U.S. to cooperate with law enforcement by sharing data: the International Criminal Judicial Assistance Law (ICJA Law), mostly affecting DOJ investigations; and Article 177 of the revised PRC Securities Law (Article 177), mostly affecting SEC investigations.
The ICJA Law, enacted in October 2018, prohibits individuals and organizations in China from providing any evidence or assistance to foreign criminal authorities without first receiving prior approval from the Chinese authorities. Enacted in December 2019, Article 177 stipulates that no Chinese entity or individual may transmit any securities-related documents or information outside of China without the approval of the relevant Chinese authorities.
There are also three PRC laws on cyber and data security and protecting personal information: the Cybersecurity Law, which establishes a comprehensive framework for data protection and network security; the Data Security Law (DSL), which sets up a framework to classify data collected and stored in China based on its potential impact on Chinese data security; and the Personal Information Protection Law (PIPL), which establishes strict requirements for data handlers operating in China collecting personal data on individuals.
Questions for Companies To Consider When Facing Conflicts Between US and PRC Legal Regimes
When does a foreign investigation become criminal or securities-related? The nature of the investigation, whether criminal or civil, determines which blocking statutes apply and which PRC government agencies U.S. authorities should inform. The distinction between a criminal investigation and a securities-related investigation is not always clear, however. For example, an initial investigation conducted by the SEC could be purely civil in nature, but criminal authorities, such as the DOJ, may become involved in the background with no indication to a company that there is an ongoing criminal investigation. In addition, Chinese companies may need to decide when and to which PRC authorities to report when they receive requests from self-regulatory organizations, such as the New York Stock Exchange, Nasdaq and the Financial Industry Regulatory Authority, which tend to work closely with the SEC.
Will self-reporting to U.S. regulators (to claim cooperation credit) violate PRC laws? The decision of whether to self-report violations to U.S. regulators is particularly complex for China-based companies given the PRC’s new laws concerning the protection of sensitive data. On the one hand, reporting infractions may risk running afoul of PRC prohibitions on transporting certain data under the DSL and the PIPL. On the other hand, companies that choose not to report may risk increased penalties from U.S. regulators. It may be more efficient and productive to try to put the onus on the regulators to talk among themselves, rather than having the company serve as a go-between.