In a Compliance Process Bulletin issued yesterday, the North American Electric Reliability Corporation (NERC) provided guidance to entities registered for compliance with the mandatory and enforceable Reliability Standards on delegating reliability tasks to third parties. In sum, NERC will hold a registered entity responsible for compliance with, and accountable for any violations of, the Reliability Standards, even if the registered entity has contractually assigned its performance obligations to a third party. The third-party assignee may have contractual liability to the registered entity for any penalties resulting from violations of the Reliability Standards, but the registered entity would bear the liability in the first instance. To ensure greater clarity in the allocation of responsibility and accountability, NERC offered guidance to registered entities seeking to assign their performance obligations to third parties.
In NERC Compliance Process Bulletin # 2010-004, “Guidance for Entities that Delegate Reliability Tasks to a Third Party Entity,” NERC explained by way of background that, under the NERC Rules of Procedure and relevant federal laws, an entity registered with NERC is responsible for compliance with all Reliability Standard requirements applicable to the functions for which the entity is registered. As a result, the entity is held accountable for any sanctions, including monetary penalties, for violations of those requirements. Notwithstanding this “compliance responsibility and violation accountability” assigned to the registered entity, the registered entity may contract with another entity to delegate the performance of some or all of the activities for which it is responsible. In the event of such a contractual delegation, the parties can agree that the registered entity “retains full compliance responsibility and violation accountability” or can agree that the third party accepts the compliance responsibility and violation accountability. Even where the third party accepts such responsibility and accountability, however, only the registered entity would be held responsible or accountable by NERC.
Because compliance responsibility and violation accountability turn in the first instance on the status of an entity’s registration, in the Process Bulletin NERC provided guidance on registration. Specifically, NERC noted that, under its “Statement of Compliance Registry Criteria,” Transmission Owners and Operators may be exempt from registration where they have transferred to third parties, via written agreement, responsibility for compliance with the Reliability Standard requirements. (NERC also could have mentioned that Generator Owners and Operators similarly may exempt themselves from registration by transferring compliance responsibility to third parties.) NERC also quoted at length from Order No. 693, issued by the Federal Energy Regulatory Commission (FERC) in approving NERC’s Reliability Standards, to emphasize that, while a registered entity may delegate the performance of a reliability task to a third party, the registered entity may not delegate its responsibility for ensuring that the task is completed. By focusing on registration, NERC and FERC would ensure that there are no gaps or unnecessary redundancies in compliance responsibility.
Performance Delegation Guidance
Consistent with the foregoing approach, in the Process Bulletin NERC restated its position that it and the Regional Entities, which have front-line enforcement responsibility, will hold the registered entity accountable for compliance responsibilities and violations. Although a registered entity may delegate the performance of a task to another entity, it may not delegate its responsibility “for ensuring the task is completed.” NERC also reiterated that an entity that might otherwise qualify to be a registered entity could contract with a third party to have the third party register and thereby assume compliance obligations and violation accountability – but “in all events” the registered entity has the compliance responsibility and violation accountability.
NERC emphasized that if a registered entity delegates tasks to a non-registered third party, the registered entity “remains solely responsible for compliance and is accountable for violations, even with respect to tasks performed by the non-registered third party on its behalf.” In such a case, the non-registered third party would not have responsibility as a registered entity – and thus could not be issued a penalty for a violation – but instead could have contractual responsibility to the registered entity. Such contractual responsibility could include an obligation to reimburse the registered entity for any penalties assessed against the registered entity for violations of the Reliability Standards. “To be clear, in all events, the registered entity will be responsible for compliance with NERC Reliability Standards and accountable for violations thereof.”
Accordingly, NERC concluded that a registered entity “must put mechanisms in place” that allow it to ensure that third parties with delegated performance obligations comply with all Reliability Standard requirements and provide evidence of such compliance (whether in an audit or otherwise, to the registered entity or to NERC or the Regional Entities), and to provide self-certifications, self-reports and other requested information to NERC or the Regional Entities concerning tasks performed by non-registered entities. Finally, NERC also stated that the registered entity should ensure that NERC and the Regional Entities are “aware of any registrations that involve a third party entity performing reliability tasks on its behalf.”
NERC’s conclusion that only the registered entity – and not a third party with delegated performance obligations – has compliance responsibility and violation accountability is not new. In that regard, much of the Process Bulletin is more reminder than guidance. What is perhaps surprising is NERC’s direction that the registered entity must take certain actions when it delegates reliability-related performance obligations. These actions include requiring the third party to provide evidence of compliance directly to NERC or the Regional Entities, and to allow on-site visits by NERC and the Regional Entities. NERC has thus notified registered entities what it expects them to include in their contracts with third parties where they delegate performance obligations to the third parties. The Process Bulletin also reminds parties allocating compliance responsibilities in their contracts to specify clearly which party is responsible for NERC compliance obligations and which party bears the liability for any violations.