Exchange International
ISSUE 48 JULY 2022
UK US International Brazil In Focus
EXCHANGE INTERNATIONAL JUNE 2022
Introduction
Welcome DLA Piper's Financial Services International Regulatory team welcomes you to the 48th edition of Exchange International, our international newsletter designed to keep you informed of regulatory developments in the financial services sector.
This issue includes updates from the UK, the EU, as well as contributions from Belgium, Brazil and the US, plus international developments.
In Focus looks at the metaverse: how it will be regulated, employed and the potential changes that this could mean for businesses globally.
We also draw attention to developments in the United States, namely the proposal from the SEC to introduce mandatory climate-related disclosure and the issuance of an opinion from the US Court of Appeals to vacate a decision by the SEC that George Jarkesy, Jr. and his investment adviser Patriot28, L.L.C. had committed securities fraud.
In the UK we look at the Government's approach to Stablecoin regulation, which looks to bring more comprehensive and clear requirements for both issuers and payment services. We also reflect on the response to the HM Treasury consultation on proposals to reform the UK's wholesale markets regulatory framework. Further articles from our UK team include reflection on the joint statement from regulators on the future of Open Banking and a policy statement from the FCA on diversity and inclusion on company boards.
We sincerely hope that you find the contents of this edition of value and interest. If you have any comments or suggestions for future issues, we welcome your feedback.
The DLA Piper Financial Services Regulatory Team
Looking at international developments, we draw attention to the latest developments with regard to the Ukraine conflict and banned entities in the market, new guidance from the FDIC on crypto-assets and notification requirements, and the recent settlement of charges against BlockFi Lending LLC.
2
WWW.DLAPIPER.COM
Contents
Introduction 2 UK 4 US 14 International 31 Brazil 35 In Focus 38
EXCHANGE INTERNATIONAL JUNE 2022
UK
4
WWW.DLAPIPER.COM
UK Government publishes approach to the regulation of Stablecoins
On 4 April 2022, Her Majesty's Treasury (the Treasury) published its response (the Response) to its consultation and call for evidence on the UK's regulatory approach to cryptoassets, stablecoins and distributed ledger technology in financial markets (the Consultation).
UK Government's Approach to Stablecoins
The Response set out the UK Government's plans to undertake the following:
Bring certain stablecoins when used as means of payment into scope of the UK's payment services and electronic money regulatory perimeter to be supervised by the Financial Conduct Authority (FCA);
Subject stablecoin issuers and service providers to the prudential supervision of the Bank of England when the stablecoins are considered systemic payment systems; and
Ensure that stablecoin-based payment systems, whether systemic or not, are subject to appropriate competition regulation from the Payment Systems Regulator.
Ambition to make the UK a global hub for cryptoasset technology and investment
In making the announcement, the UK Government also announced its ambition to make the UK a global hub for cryptoasset technology and investment. In addition to the approach set out in the Response, the UK Government also announced that it would be:
1.introducing a financial market infrastructure sandbox to enable firms to experiment and innovate with new ways of settling transactions using digital ledger technology;
2.establishing a Cryptoasset Engagement Group to work more closely with the industry;
3.exploring ways of enhancing the competitiveness of the UK tax system to encourage further development of the cryptoasset market, in particular looking at the tax treatment of decentralised finance including the treatment of cryptoasset lending;
4.and working with the Royal Mint on issuing a NonFungible Token (NFT) in Summer 2022.
The industry reaction to the Treasury's Response has largely been positive. For example, Global Digital Finance welcomed the inclusion of stablecoins in the regulatory perimeter noting that this will "lead to greater consumer confidence and protections".
Amending legislation and new regulatory rules to effect these changes have yet to be published. The Response does not state when these changes will be publicised.
The change of tone coming from the UK Government is significant. Whereas recently the focus has been on warning consumers, putting in place anti-money laundering and counter-terrorism protections and distinguishing the cryptoasset ecosystem from the regulated financial services sector, now the UK Government is aiming to integrate a part of the cryptoasset ecosystem into the UK regulatory framework.
EXCHANGE INTERNATIONAL JUNE 2022
In announcing the changes, the Chancellor of the Exchequer Rishi Sunak stated:
"It's my ambition to make the UK a global hub for cryptoasset technology, and the measures we've outlined today will help to ensure firms can invest, innovate and scale up in this country.
We want to see the businesses of tomorrow and the jobs they create here in the UK, and by regulating effectively we can give them the confidence they need to think and invest longterm.
This is part of our plan to ensure the UK financial services industry is always at the forefront of technology and innovation."
The Treasury is also proposing to consult on a broader approach to cryptoassets (beyond stablecoins used as a means of payment) later in 2022. This consultation may address asset referenced tokens beyond the stablecoins being brought into scope of the UK regulatory framework as outlined in the Response. This consultation will also indicate whether the UK will be taking a similar approach as the EU to the regulation of cryptoassets broadly as seen under the Proposal for the Regulation of Markets in Cryptoassets (otherwise known as MiCA).
Stablecoin Market Development
The need for an appropriate UK regulatory response has largely been driven by the development of the market for stablecoins.
According to the Financial Stability Board's Progress Report on the implementation of highlevel recommendations on the regulation, supervision and oversight of global stablecoin arrangements, the total market capitalisation of stablecoins stood at around USD123 billion in September 2021.
The largest stablecoin is Tether, with a reported market capitalisation of USD68 billion. In the past year, other stablecoins like USD Coin and Binance USD have also reached significant market capitalisations.
Meta Platforms (formerly known as Facebook Inc.) had also planned on launching a stablecoin initially known as Libra but then subsequently rebranded as Diem. The launch did not proceed and the assets of the Diem Associate and intellectual property were subsequently sold.
Incorporating Stablecoin activities into Payment Services and Electronic Money Laws
In the Response, the UK Government details that it will include a new definition of a "payment cryptoasset" which will mean any cryptographically secure digital representation of monetary value which is, among other things, stabilised by reference to one or more fiat currencies and/or is issued and used as a means of making payment transactions.
This will encompass stablecoins that reference fiat currencies, including a single currency stablecoin or a stablecoin based on a basket of currencies. It would also include stablecoins that reference another stablecoin linked to fiat money or any instrument.
Notably, this definition would not include other stablecoin models which stabilise their value by reference to other such assets like commodities or by the use of algorithms. In the Treasury's view, these types of stablecoins do not offer sufficient price stability in order to be used for payments.
The Response acknowledged responses to the Consultation which noted this could create a regulatory arbitrage opportunity between regulated and unregulated stablecoins.
6
WWW.DLAPIPER.COM
Firms issuing these payment cryptoassets and/or providing services in connection with them such as providing custody wallets will be subject to the UK's Payment Services Regulations 2017 (PSRs) and the Electronic Money Regulations 2011 (EMRs). The PSRs and EMRs transpose the requirements of the second Payment Services Directive (EU) 2015/2366 and second Electronic Money Directive 2009/110/EC in the UK and remain applicable post-Brexit.
Most respondents to the Consultation stated that the PSRs and EMRs offer a good basis for the regulation of stablecoins, particularly for those used in retail payments. Respondents also noted that there are risks in retrofitting existing legislation on the basis that it may be difficult to future-proof these laws to encompass new innovations in the market and the PSRs and EMRs may be inappropriate for tokens used in the wholesale market.
Nevertheless, the UK Government proposes to apply the requirements of the PSRs and EMRs to payment cryptoassets including obligations to obtain authorisation, orderly failure and insolvency requirements, safeguarding customer funds pound for pound, having regulatory capital in place and having appropriate systems, controls, risk management and governance.
The UK Government also proposes to update the definition of electronic money in the EMRs. In some stablecoin arrangements, the stablecoin issuer may not offer holders a legal claim on the issuer. This means that the right of a customer to redeem the value of the token may sit with a third party or not exist at all. This differs to the current definition of e-money which requires the holder to have a claim on the issuer.
Regulation by the Bank of England and the Payment Systems Regulator
Currently, the Bank of England regulates and supervises systemic payment systems and service providers for those systems, following the making of a recognition order by the Treasury under Part 5 of the Banking Act 2009. The criteria for recognition of being "systemic" include the ability of the payment system to disrupt the UK financial system as well as factors like volume and value of transactions. These payment systems include the major international card schemes like Mastercard and VISA as well as certain UK based payment systems like BACS and the Faster Payments Service.
Consistent with the UK Government's approach that systems with the same risks should be subject to the same regulatory framework, the UK Government has stated the Banking Act 2009 should be updated to allow the Treasury to designate stablecoin based payment systems that meet the criteria to be supervised by the Bank of England.
Whilst respondents to the Consultation stated that it is unlikely in the near-term that any such systems will become systemically important, the UK Government is pushing ahead with this change to future-proof the regulatory framework.
The UK Government is also amending the Financial Services (Banking Reform) Act to ensure that stablecoinbased systems (whether systemic or not) are supervised by the Payment Systems Regulator from a competition standpoint. The Payment Systems Regulator will be able to supervise not only the issuers of digital settlement assets but also wallets and other entities such as exchanges and those that manage stablecoin reserves.
In the Response, the UK Government states that it would be unacceptable for a holder not to have a legal claim so the UK Government will amend the definition to allow a customer to have a claim either against the stablecoin issuer or a consumer facing entity such as a wallet provider. To this end, the UK Government will introduce a new regulated custodial activity which would require providers to be authorised by the FCA. The FCA will set the regulatory rules applicable to these stablecoin custodians.
Systemic Stablecoin Failure
In the Response, the UK Government also states that it will make appropriate amendments to the financial market infrastructure special resolution regime and clarify that it, rather than the regime that applies to payments and electronic money, will apply in the event of a systemic stablecoin payment system failure.
7
EXCHANGE INTERNATIONAL JUNE 2022
HM Treasury Response to Wholesale Markets Review Consultation
On 1 July 2021, Her Majesty's Treasury (Treasury) launched a consultation on proposals to reform the UK's wholesale markets regulatory framework (Consultation).
For a summary of the proposals put forward in the Consultation, please see our earlier FinBrief.
On 1 March 2022, the Treasury published its response to the Consultation (Response).
Several key Treasury proposals (Proposals) include:
Commodity Dealer Exemption
While the Markets in Financial Instruments Directive 2004/39/EC (MiFID I) previously had an exemption for persons trading in commodity derivatives,1 this was not included in MiFID II.
On the basis that the Consultation and the proposed principles-based assessment of the AAT was supposed to mirror the pre-MiFID II approach, the Treasury has agreed to reintroduce the "commodity dealer exemption".
updating the ancillary activities test based on the Markets in Financial Instruments Directive 2014/65/EU, associated regulation and delegated EU legislation (MiFID II);
reintroducing a "commodity dealer exemption"; and
removing the annual notification requirements to the Financial Conduct Authority (FCA).
Updating the Ancillary Activities Test (AAT)
On the basis of the Consultation, the Treasury intends to go forward with its proposal to scrap the current quantitative form of the AAT, implemented as part of MiFID II, to a principles-based assessment (the approach that was in place prior to 2018).
While the Consultation proposed changing the basis of the AAT to take into account expected activity (rather than solely backward-looking activity), many respondents raised concerns with this proposed change, cautioning that firms may not be able to predict business models with any degree of certainty. However, the Treasury believes that the Proposals together should alleviate any concerns with using an expected activities test basis, rather than a historical test basis.
Removing the Annual Notification Requirements to the FCA
The Response set out that the FCA and respondents were generally supportive of removing the annual notification requirement on the basis that it provided limited value and placed a significant burden on both the firms producing the reports and the FCA.
Next Steps
The government intends to bring forward secondary legislation to enact the Proposals.
The Response acknowledges that while removing the energy market participant regime may have unintended consequences, the Treasury and the FCA will continue to review the regime, "will not be making any imminent amendments" and "any future changes will be considered alongside amendments to the regulatory perimeter".
Interim Changes
The government is yet to bring forward the secondary legislation to enact the Proposals.
In the interim, the FCA has published interim changes to amend the AAT in its March 2022 Quarterly Consultation No 35 (QC 35).
1 Article 2(1)(k) of MiFID I.
8
WWW.DLAPIPER.COM
The FCA proposes to make amendments so that persons relying on the AAT may meet either the market share test or the main business test but need not meet both to validly qualify for the AAT.
In addition, for the main business test, the FCA will allow firms to rely on information published by an EU institution or regulator for the last 3 annual calculation periods for which that information is available.
These technical clarifications will enable firms to gain certainty over the status of their activity and their ability to qualify for the AAT as an interim measure before more wholesale changes to the AAT come into force as a result of the Proposals.
9
EXCHANGE INTERNATIONAL JUNE 2022
Joint Statement by HM Treasury, the CMA, the FCA and the PSR on the future of Open Banking
On 25 March 2022 a joint statement on the future of Open Banking was published by HM Treasury, the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA) and the Payment Systems Regulator (PSR). In conjunction with this statement, the CMA also published their response to the consultation they undertook in March 2021 on the future oversight of the CMA>s open banking remedies.
This FinBrief will briefly explore the future of Open Banking by summarising the joint statement against the backdrop of the CMA's detailed response to its consultation.
Open Banking
The CMA's Retail Banking Market Investigation Order 2017 mandated the nine largest current account providers in the UK to set up, and fund, an Open Banking Implementation Entity (OBIE). In layman's terms the Open Banking initiative requires all UK regulated banks, at the request of their customers, to share financial data with authorised thirdparty payment providers.
The work of the OBIE implementing and maintaining open and common banking standards (the Open Banking remedy) has been coined a "UK success story". The UK's innovative approach to placing Open Banking upon a formal regulatory framework has not only benefitted consumers and businesses by increasing competition and innovation in UK retail banking, but it has also positioned the UK at the forefront of the global advancement of the Open Banking sector.
The OBIE has overseen the initial rollout of Open Banking but as the end of this preliminary stage approaches the time has come for an appropriate successor to replace the OBIE. According to the joint statement, the next chapter for Open Banking contemplates governance by a "Future Entity".
Cross Authority Work
According to the CMA's response to its consultation the "implementation phase" of the Open Banking remedy is due to end in 2022. The OBIE, as overseen by the CMA, has nearly achieved all the core elements set out in the "Roadmap" for initial implementation.
The joint statement summarises the staged transition of Open Banking as follows:
Current state: OBIE, under the continuing supervision of the CMA, deploys the remaining areas of the implementation stage of the Roadmap. This stage will end when the CMA confirms that the Roadmap is complete and consents to the transition of the OBIE's functions to a suitable successor. The CMA have specified that consent will not be given to the transition until they are satisfied that adequate preparations have been made to ensure that the successor is a financially stable and well governed entity. To ensure the least disruptive transition the CMA have suggested that the Future Entity ought to `shadow' the OBIE prior to the official transfer of functions.
Interim state: As successor, the Future Entity assumes responsibility for the Open Banking system upon a broader basis. Succession by the Future Entity is required to allow for the evolution of the OBIE's role beyond those purposes set out in the 2017 Order. The supervisory role is then to be undertaken by a new cross-authority committee (see below).
Future state: Establishment of a long-term regulatory framework to provide a permanent basis upon which the Future Entity can continue the expansion and development of Open Banking.
According to the CMA there are certain characteristics which they believe are integral to the success of the Future Entity:
effective regulatory oversight there must be an external regulatory body with sufficient formal powers and legislative backing to enforce the governance of Open Banking;
10
WWW.DLAPIPER.COM
clear purpose the Future Entity should seek to maintain the current high standards while furthering the development and growth of Open Banking beyond its present scope;
independent and accountable leadership the Future Entity must establish a Board, within which the roles of Chair and CEO ought to be separated, and at all times best practice corporate governance principles should be adhered to;
adequate resourcing to ensure consistency and transparency the current funding arrangements should remain in place for the Future Entity, until, the Board are in a position to introduce a more broadbased long-term funding model;
According to the joint statement the FCA will authorise, regulate and supervise Open Banking and payment firms, while the PSR will act as the economic regulator for payment systems. Any outstanding Open Banking obligations under the 2017 Order will remain within the remit of the CMA.
The Committee has already pledged to solidify the place of Open Banking in the financial market and collaboration is underway between HM Treasury and the FCA and PSR to formulate the long-term regulatory framework. Ultimately, the future character and vision of Open Banking will be determined by the governance and legislative structures imposed by the Committee and interpreted by the Future Entity.
representation of consumers and small and medium sized enterprises (SMEs) the composition and roles of the Board of the Future Entity must effectively serve and reflect the interests of these stakeholders;
The main responsibilities which the joint statement outlines as being within the remit of the new Committee are summarised as:
sustainability and adaptability the long-term regulatory framework and funding model must allow the Future Entity to evolve to meet the future needs of the Open Banking ecosystem; and
Making recommendations for the design of the Future Entity and considering any necessary interim governance and funding arrangements with industry and other stakeholders;
monitoring prior to the introduction of the longterm regulations, the effective ongoing monitoring and enforcement of the Order shall be maintained by the Implementation Trustee. A monitoring team must then devise a comprehensive system for ensuring future compliance as Open Banking expands and the Future Entity should also consider undertaking wider monitoring of the ecosystem.
The practical realisation of the transition from OBIE to Future Entity is to be undertaken by cross authority work between all parties to the joint statement. They have highlighted their intention to play a central role in delivering new proposals, be independent and well governed, fairly and effectively take account of industry and stakeholder interests, ensure adequate resourcing and be responsive and adaptable to future Open Banking developments and initiatives.
Joint Regulatory Oversight Committee
While the Future Entity succeeds the OBIE, so too will the CMA be succeeded in its supervisory role by the newly formulated Joint Regulatory Oversight Committee (the Committee). The Committee shall consist of the FCA, the PSR, HM Treasury and the CMA but it is anticipated that the FCA and PSR will act as the joint lead authorities.
Advising the CMA on the transition from the OBIE to the Future Entity, and overseeing the transition to the future entity where provided for under any interim arrangements.
Considering the vision and strategic roadmap for further developing Open Banking beyond the scope of the CMA Order, working with industry and other stakeholders;
Providing appropriate input on the permanent future framework for Open Banking;
Overseeing and advising the Future Entity once established on an interim basis until the formal regulatory framework is in place; and
Guiding the transition from the interim arrangements to the permanent future framework.
By the end of 2022 the Committee have undertaken to convene their first meeting; draw up a plan for the design of the Future Entity; and establish priorities with relevant stakeholders.
The introduction of the OBIE saw the UK become a world leader in the development of Open Banking. It is hoped that with the correct and careful introduction of the Future Entity we will see the UK not only maintain its leadership but also expand the application of Open Banking so that it may realise its full potential and thereby benefit consumers, businesses and the wider economy.
11
EXCHANGE INTERNATIONAL JUNE 2022
Diversity and inclusion on company boards and executive management Policy Statement 22/3 by the FCA April 2022
On Wednesday 20 April 2022, the FCA published Policy Statement 22/3: Diversity and inclusion on company boards and executive management. This statement sets out the FCA's final policy decision based on their proposals originally outlined in Consultation Paper 21/4. The publication of PS 22/3 has come about as a result of the FCA's conscious efforts to raise the profile of diversity and inclusion (D&I) within the financial services sector. Our March 2021 FinBrief offers a useful background to the introduction of D&I within the financial regulatory sphere.
This articleconsiders how the reporting rules are going to change in light of PS 22/3, who these new rules are going to apply to and when these changes are going to come into force.
Overview
PS 22/3 summarises the responses of over 500 stakeholders to the proposals outlined in the FCA's earlier consultation paper. The stated aims of PS 22/3 are to "improve transparency on the diversity of company boards and their executive management for investors and other market participants, increasing engagement on this area and informing investment decisions". As discussed below, the regulatory changes proposed by the FCA in this publication are a timely response to the political, business and societal spotlight now being shone directly onto the diversity and inclusivity of regulated businesses.
What is changing as a result of PS 22/3?
Firstly, the FCA Handbook is being updated with the addition of two new Listing Rules, namely LR 9.8 6R(9) and LR 14.3.33R(1). These rules impose "an ongoing listing obligation upon those `in-scope' companies to include a statement in their annual financial report setting out whether they have
met specific board diversity targets on a `comply or explain' basis, as at a chosen reference date within their accounting period and, if they have not met the targets, why not".
The specific board diversity targets are as follows:
At least 40% of the board are women;
At least one of the senior board positions (Chair, Chief Executive Officer (CEO), Senior Independent Director (SID) or Chief Financial Officer (CFO)) is a woman; and
At least one member of the board is from a minority ethnic background.2
Companies will also have to set out in their statement:
the reference date used, and where this is different from the reference date used in respect of the previous accounting period, an explanation of why; and
any changes to the board that have occurred between the reference date and the date on which the annual financial report is approved that have affected the company's ability to meet one or more of the targets.
The `comply or explain' approach grants companies the necessary flexibility to provide an accurate and contextspecific account of their board composition and diversity framework. There may be various justifiable reasons these targets are not met but companies will now be held to account and must actively engage with the FCA as regulator to explain these reasons.
Secondly, new Listing Rules LR 9.8.6R (10) and LR 14.3.33R(2) will now also mandate that in-scope companies publish numerical data on the sex or gender identity and ethnic diversity of their board, senior board positions (Chair, CEO, SID and CFO) and executive
2 M inority ethnic background defined as per the following criteria: Asian/Asian British; Black/African/Caribbean/Black British; Mixed/Multiple Ethnic Groups; or Other ethnic group, including Arab.
12
WWW.DLAPIPER.COM
management. This information is to be reported in a standardised table format which can be found at Annex 2 of PS 22/3.
Once again, regulated companies are afforded a degree of flexibility in their method of data collection providing they can explain their approach and demonstrate consistency in criteria and process across both the individuals being reported on and for reporting against the targets and numerical disclosures.3
To provide extra context when making their compulsory reports companies are encouraged to include the following additional information:
a brief summary of any key policies, procedures and processes, and any wider context that it considers contributes to improving the diversity of its board and executive management;
any mitigating factors or circumstances which make achieving diversity on its board more challenging (for example, the size of the board or the country where its main operations are located); and
any risks it foresees in being able to meet or continue to meet the board diversity targets in the next accounting period, or any plans to improve the diversity of its board.
Finally, in the context of corporate governance, Disclosure Guidance and Transparency Rule DTR 7.2.8AR, is also to be amended by the FCA following the publication of PS 22/3. The diversity reporting requirements in corporate governance statements are to be expanded to incorporate a broader range of diversity characteristics into existing board diversity policy disclosures (e.g. to include sexual orientation, socio-economic background and disability). Thereafter, it is proposed that the general diversity policy disclosure requirement is extended to other key board committees such as audit, remuneration and nominations.
Who will these measures apply to?
The additional reporting requirements contained in the new listing rules will apply to UK and overseas issuers with equity shares, or certificates representing equity shares, admitted to the premium or standard segment of the FCA's Official List.
Closed-ended investment funds and sovereign controlled companies will fall within the scope of this definition. However, it is important to note that due to their corporate form the following types of entity are out-with the scope of the new Listing Rules:
Open-ended investment companies;
"Shell companies" (defined as per LR 6.5AR); and
Issuers of listed debt and debt like securities, securitised derivatives or miscellaneous securities.
The amendments to the corporate governance rules will apply to certain UK issuers admitted to UK regulated markets and, via the Listing Rules, also encompass certain overseas listed companies (subject to the existing exemption for small and medium companies (DTR 1B.1.7R)).
Timescales
Regulated companies will be required to make these new D&I disclosures in their annual reports for financial years starting on or after 1 April 2022. Despite this official start date, the FCA is actively encouraging those companies whose financial years began before April 2022 (i.e. from January 2022) to consider reporting on the targets and making numerical disclosures in relation to their current accounting period on a voluntary basis. In practical terms, this means that the new disclosure requirements will begin to appear in annual financial reports published from around quarter two in 2023 onwards.
The FCA have stated that the new rules will be reviewed within 3 years to assess whether the nature and level of targets we are setting remain appropriate and sufficiently ambitious.
Conclusion
The publication of PS 22/3 is significant for all those operating within the financial services industry. It is the first definitive statement by the FCA on how regulated firms must tackle diversity and inclusion in the future. Ultimately, the statement demonstrates the evolution of the FCA's role as regulator, moving from pure financial services regulation to the broader regulation of social mobility within financial services. Clear targets, timescales and metrics for measuring and increasing diversity have now been set and the FCA is responsible for the monitoring and supervision which will ensure that the pledges made in this policy statement are delivered into practical change within the industry. The next chapter for D&I within financial services regulation is now under way.
3 Guidance in LR 9.8.6IG and LR 14.3.36G.
13
EXCHANGE INTERNATIONAL JUNE 2022
US
14
WWW.DLAPIPER.COM
SEC proposes mandatory climaterelated disclosure and governance rules
On 21 March 2022, at an open meeting, the Securities and Exchange Commission (SEC) proposed, by a 3-1 vote, rules to significantly expand and standardize registrants' climate-related disclosures for investors. The proposed rules would utilize mandatory, prescriptive disclosures in periodic reports and registration statements to address a myriad of topics related to greenhouse gas (GHG) emissions and global climate change. These proposed rules represent the SEC's latest effort to advance the climate agenda of the Biden Administration, which describes climate change as "a systemic risk to our economy and financial system."
Details regarding any climate-related targets and goals, climate transition plans, scenario analysis, or internal carbon price used by the registrant in connection with its climate-related risk management, including data on the registrant's progress against publicly stated goals and on carbon offsets used as part of those plans.
The proposed rules would include a phase-in period with compliance dates dependent on the registrant's filer status as follows:
Large Accelerated Filers:
The proposed rules would require registered domestic and foreign issuers to disclose:
The registrant's oversight and governance of climaterelated risks and risk management process;
The registrant's climate-related risks and their actual or likely material impacts on the registrant's business, strategy and outlook and on the registrant's financial statements over the short, medium and long terms;
Fiscal year 2023 (filed in 2024) for all proposed disclosures excluding scope 3 GHG emissions
Fiscal year 2024 (filed in 2025) for (i) scope 3 GHG emissions disclosures (if required) and (ii) limited assurance attestation of scope 1 and scope 2 GHG emissions disclosures and
Fiscal year 2026 (filed in 2027) for reasonable assurance attestation of scope 1 and scope 2 GHG emissions disclosures.
The impact of climate-related events, such as severe weather events, and climate transition activities on the registrant's audited consolidated financial statements at a line-item level, as well as the climaterelated estimates and assumptions used in the financial statements;
The registrant's scope 1 (direct) and scope 2 (indirect from production of energy used in business) GHG emissions, with accelerated and large accelerated filers required to obtain, after phase-in periods, independent attestation, at a reasonable assurance level, of the accuracy of such emission disclosures;
If material, or if the registrant has adopted a GHG emissions target or goal that includes scope 3 GHG emissions, the registrant's indirect scope 3 GHG emissions from upstream and downstream activities in the registrant's value chain (the proposed rules include a safe harbor for liability in connection with disclosures regarding scope 3 GHG emissions and exempt smaller reporting companies from this requirement); and
Accelerated and Non-Accelerated Filers:
Fiscal year 2024 (filed in 2025) for all proposed disclosures excluding scope 3 GHG emissions
Fiscal year 2025 (filed in 2026) for (i) scope 3 GHG emissions disclosures (if required) and (ii) for accelerated filers only, limited assurance attestation of GHG emissions disclosures (nonaccelerated filers would be exempt from the attestation requirements) and
For accelerated filers only, fiscal year 2027 (filed in 2028) for reasonable assurance attestation of GHG emissions disclosures.
Smaller Reporting Companies:
Fiscal year 2025 (filed in 2026) for all proposed disclosures other than scope 3 GHG emissions disclosures (smaller reporting companies would be exempt from the requirements to provide scope 3 GHG emissions disclosures or independent attestation).
15
EXCHANGE INTERNATIONAL JUNE 2022
A look at the FTC's Green Guides for US marketers of emissions reduction credits
As the demand for emissions reductions credits grows, so does the secondary markets in emission reduction credits. Those who traditionally offer commodities in secondary commodities markets are increasingly stepping into the role of marketers for the purchase and sale of emission reduction credits in the secondary markets.
Notably, in these secondary markets for emission reduction credits unlike traditional commodities markets there is a greater possibility that emission reduction credits may end up in the hands of consumers.
One major aspect of a well-functioning, efficient and transparent secondary market in emission reduction credits is the transmission of truthful and reliable information. This is why it is important for emission reduction credit marketers to be aware of the FTC's Green Guides.
The role of the FTC is to protect American consumers and business competition. Its Green Guides were created to help marketers avoid making environmental claims that mislead consumers. The Guides lay out the FTC's enforcement approach for environmental claims, including claims involving emission reduction credits.
A bit of background
When the Wall Street Reform and Consumer Protection Act (popularly known as the DoddFrank Act) was enacted it 2010, it established an interagency working group made up of designees from the Commodities Futures Trading Commission (CFTC), the Secretary of Agriculture, the Secretary of Treasury, the Chairman of the Securities and Exchange Commission (SEC), the Administrator of the Environmental Protection Agency (EPA), the Chairman of the Federal Energy Regulatory Commission (FERC), the Administrator of the Energy Information Administration (EIA) and the Chairman of the FTC, and tasked them with studying the emissions reduction markets, to ensure they are efficient, secure and transparent.
The emissions reduction credits markets can be broken into a primary market and a secondary market. The primary market is where the emission reduction credit is introduced to the marketplace from either a government entity or registry. The secondary market occurs after the emission reduction credit is introduced to the market through the primary market; it allows market participants to trade emission reduction credit freely based on supply and demand.
Requirements set out in the Green Guides
Here are the most important requirements of the Green Guides as applied to emission reduction credit marketing:
Emission reduction claims must be supported by "competent and reliable" scientific evidence, which the FTC defines as "evidence based on the expertise of professionals in the relevant area, that have been conducted and evaluated in an objective manner by persons qualified to do so, using procedures generally accepted in the profession to yield accurate and reliable results." Typically, claims consistent with governmental and industry certifications will satisfy this standard, but those claims should be reviewed to ensure that they don't overstate or misrepresent those certifications.
To the extent that any emission reduction credit marketing relies on accounting, that accounting must be based on appropriate, professional accounting methods.
The marketer should not market benefits from the emission reduction if those reductions are otherwise required by law in other words, the marketing materials cannot claim a beneficial result for such emissions reductions if that beneficial result would need to happen anyway, without the marketer's efforts.
16
WWW.DLAPIPER.COM
The marketer should make appropriate disclosures in its marketing of any material qualifications or limitations to the emission reduction claims. In particular, the marketer is to be sure to disclose whether the environmental benefits it claims may not be realized for two years or longer the Green Guides specifically call out such claims as problematic if they lack clear disclosures.
Also with respect to disclosures, note that the FTC requires disclosures in advertising to be "clear and conspicuous." If disclosures are made in a footnote or in small "mouse print" at the bottom of the page, the FTC may likely find that they are not sufficient to warn consumers about qualifications of the emission reduction claims. Often, it is preferable to include qualifying language in the body of the marketing materials, rather than in a fine print disclaimer, and with a bit of care these qualifications can be accomplished without diminishing the effectiveness of your advertising.
Change is in the air
Finally, marketers need to watch this space the FTC has indicated that it will review and update the Green Guides this year. DLA Piper expects that these revisions will provide important additional guidance for emission reductions credit and environmental marketing, including the FTC's strategy to combat "greenwashing" marketing and public relations activities that falsely portray a company or organization as environmentally friendly.
EXCHANGE INTERNATIONAL JUNE 2022
Jarkesy v SEC: Fifth Circuit vacates SEC decision latest case questioning constitutionality of the ALJ process
On May 18, 2022, the United States Court of Appeals for the Fifth Circuit issued an opinion vacating a decision by the Securities and Exchange Commission (SEC) that George Jarkesy, Jr. and his investment adviser Patriot28, L.L.C. (collectively, the petitioners) had committed securities fraud.
The court held that "(1) Petitioners were deprived of their constitutional right to a jury trial; (2) Congress unconstitutionally delegated legislative power to the SEC by failing to provide it with an intelligible principle by which to exercise the delegated power; and (3) statutory removal restrictions on SEC ALJs violate Article II." See Jarkesy v. Sec. & Exch. Comm'n, 34 F. 4th 446 (5th Cir. 2022).
This decision is the latest in a series of cases questioning the constitutionality of the SEC's administrative process and the agency's use of Administrative Law Judges.
Background
Jarkesy created two hedge funds and appointed Patriot28 as the investment adviser. The funds secured over 100 investors and managed over USD20 million in assets.
In 2011, the SEC launched an investigation into the hedge funds, eventually bringing an administrative action against the petitioners. The SEC alleged that the petitioners had committed securities fraud and sought both monetary and equitable relief.
Before the trial started, the petitioners sued to enjoin the proceedings, claiming violations of several constitutional rights. The US District Court for the District of Columbia and the US Court of Appeals for the DC Circuit decided that no jurisdiction existed, and the petitioners were required to continue the administrative process and then appeal.
After an evidentiary hearing, an SEC Administrative Law Judge (ALJ) found that the petitioners were liable, and the SEC affirmed. The ALJ and the SEC rejected the petitioners' constitutional arguments. The Commission ordered that the petitioners cease and desist from committing further violations and
that they pay disgorgement and a civil penalty. Additionally, Jarkesy was barred from various industry activities. The petitioners appealed.
The decision
The Fifth Circuit vacated the SEC's decision and remanded for further proceedings consistent with its opinion.
THE RIGHT TO A JURY TRIAL As a preliminary matter, the court held that the SEC's use of an ALJ to adjudicate the claims deprived the petitioners of their Seventh Amendment right to a jury trial because the SEC's enforcement proceeding was similar to traditional actions at law to which the right to a jury trial attaches. The court noted that while Congress has the power to assign certain proceedings involving public rights to administrative adjudication, eliminating the right to a jury, it cannot assign adjudication of claims that are similar to traditional actions at law to an agency because such claims do not only concern public rights.
Relying on Supreme Court precedent, the Fifth Circuit examined the SEC's enforcement action using a twostage analysis:
whether the claims in the action "arise `at common law' under the Seventh Amendment" and
if so, whether Congress was permitted to assign the claims to agency adjudication without a jury trial.
Key factors in the analysis include whether Congress created a new cause of action and remedies that were previously unknown under common law and whether a jury trial would effectively dismantle the statutory scheme or impede swift resolution of the claims created by the statute.
In evaluating the SEC's enforcement action, the Fifth Circuit determined that fraud claims existed under common law and that a civil penalty was a type of remedy under common law that could be enforced in the courts. Consequently, the right to a jury trial applied to the penalties action brought by the SEC against the petitioners. Even though the SEC's action had equitable components, those components did not invalidate the right to a jury trial that attaches to the civil penalties that the SEC was seeking.
18
WWW.DLAPIPER.COM
Further, the court concluded that the SEC's claims were not the type of claims that could be properly assigned to agency adjudication under the public-rights doctrine. Securities fraud claims are not new; such claims existed at common law. In addition, jury trials would not dismantle the statutory scheme or impede swift resolution of such claims. As the Fifth Circuit pointed out, the statutory scheme allows the SEC to bring claims either administratively or in Article III courts where the right to a jury trial applies.
The court rejected the SEC's argument that a government enforcement action is automatically transformed into a public rights claim suitable for administrative adjudication. The court explained that, traditionally, securities and fraud claims were resolved in the federal courts. The SEC's presence as a party did not necessitate an administrative proceeding. The court also noted that "Congress cannot change the nature of a right, thereby circumventing the Seventh Amendment, by simply giving the keys to the SEC to do the vindicating."
UNCONSTITUTIONAL CONGRESSIONAL DELEGATION OF LEGISLATIVE POWER Next, the court held that Congress unconstitutionally delegated legislative power to the SEC when it gave it full discretion to choose whether to bring actions in an Article III court or before an ALJ.
The court explained that the power to determine which cases are decided by an administrative tribunal versus an Article III court is legislative in nature. When Congress delegates such legislative power, it must offer an intelligible principle for exercising such power. Here, the court determined that Congress had "offered no guidance whatsoever" as to that principle. Therefore, the delegation was unconstitutional.
UNCONSTITUTIONAL ALJ REMOVAL RESTRICTIONS Last, the court held that statutory restrictions on the removal of the SEC's ALJs were unconstitutional. Resolving an issue left open by the Supreme Court in Lucia v. SEC, the Fifth Circuit found that the statutory removal protections provided to SEC ALJs are unconstitutional.
SEC ALJs can only be removed for good cause by the Merits System Protection Board, whose members in turn can only be removed for cause by the president. This two-layer for-cause removal standard has been found unconstitutional by the Supreme Court. Consequently, SEC ALJs, the Fifth Circuit held, are unconstitutionally shielded from removal.
What's next?
The Fifth Circuit's opinion in Jarkesy was issued just two days after the Supreme Court's May 16, 2022, grant of certiorari in SEC v. Cochran, a case where the Fifth Circuit, sitting en banc, ruled that defendant Michelle Cochran could challenge the constitutionality of the SEC's ALJs in district court before her case was heard administratively. The DC Circuit Court of Appeals had rejected Jarsky's similar challenge.
The Supreme Court accepted certiorari in Cochran despite the SEC's request that the lower court delay review of Cochran until it decided a case raising similar issues, Axon Enterprise, Inc. v. FTC.
These cases tee up several important issues for those facing SEC administrative enforcement proceedings:
Can constitutional challenges to administrative agency processes be brought in federal court before the conclusion of the administrative hearings?
Does congressional delegation to the SEC of the power to decide whether to sue administratively or in an Article III court satisfy constitutional principles?
Do the removal restrictions on the SEC's ALJs violate the Constitution?
Does the Constitution permit the SEC to deprive respondents of a jury trial right in cases seeking civil penalties and other claims in which a right to a jury trial is attached at common law?
Notably, the Supreme Court's decision to accept certiorari in Cochran is not likely to resolve the substantive issues raised in Jarkesy. Cochran will likely only determine whether challenges to the constitutionality of the ALJ removal process may be brought in district courts prior to resolution of the case in the administrative forum. Nonetheless, the decision in Cochran may signal the Supreme Court's views on the removal arguments and on the insular nature of the SEC's administrative forum.
As these issues continue to work their way through the courts, those facing SEC administrative enforcement actions should carefully consider their strategy for preserving these constitutional claims as the cases proceed. In the interim, those facing enforcement actions should expect the SEC to litigate cases in federal court, given the uncertainties surrounding the use of the administrative forum.
19
EXCHANGE INTERNATIONAL JUNE 2022
CFPB and FDIC issue Supervisory Highlights that address compliance issues for the Electronic Fund Transfer Act and Regulation E
In May 2022, the CFPB issued its Spring 2022 Supervisory Highlights, in which it, in part, highlights violations related to prepaid accounts and remittance transfers.
For prepaid accounts, the CPFB stated that examiners found violations of the Electronic Fund Transfer Act (EFTA) and Regulation E related to receipt of valid stop payment requests from prepaid account users and violations related to the notice provided to consumers after an institution determined that no error or a different error than that which the consumer alleged occurred.
Regarding remittances, the CFPB stated that examiners found violations of the EFTA and Regulation E as well as a deceptive act or practice regarding the following:
Deceptive claims on transfer speeds for remittance transfers;
Remittance transfer service agreements containing provisions that violate the EFTAs prohibition on waivers of rights conferred or causes of action created by the EFTA;
Disclosure and timing requirements on receipts for remittance transfers;
Disclosure, timing and refund issues relating to error investigations.
In March 2022, the Federal Deposit Insurance Corporation (FDIC) issued its Consumer Compliance Supervisory Highlights, in which it highlighted violations of Regulation E related to liability protections for a
consumer deceived into giving authorization credentials. The FDIC noted that the financial institution disclosed in its agreements that neither it nor its service provider would ever ask for a two-factor authentication code. At the same time, Regulation E's liability protections for unauthorized transfers apply even when a consumer is deceived into giving another person their authorization credentials. The FDIC stated that account disclosures cannot limit protections provided in the regulation.
The FDIC also noted that there were instances where a consumer provided his or her account credentials for fraudulent electronic fund transfers through a money payment platform (MPP). The FDIC noted that, when an MPP entered into an agreement with a consumer, that agreement extended to the financial institution holding the consumer's account. Under Regulation E, both the account-holding institution and the MPP would be "financial institutions," and both have investigative and error-resolution obligations.
In addition, FDIC stated that Regulation E applies to peer-to-peer payments made through MPPs, even where the MPP does not have a specific agreement with the other MPP regarding the financial institution holding the consumer's account, if the transmitter issues an access device and agrees to provide electronic fund transfer services that enable the consumer to access the account. A mobile phone and an MPP Electronic Fund Transfers Act (EFT) application constitute an "access device." Therefore, an MPP must comply with Regulation E for transactions connected to a consumer's debit card or account.
20
WWW.DLAPIPER.COM
FDIC issues new crypto-asset guidance and notification requirements
On April 7, the Federal Deposit Insurance Corporation (FDIC) issued a financial institution letter, Notification of Engaging in Crypto-Related Activities FIL-16-2022 (FIL), applicable to all FDIC-supervised institutions.
The FIL requires all such covered institutions that intend to engage in, or that are currently engaged in, any activities involving or related to crypto-assets to notify the FDIC and provide certain required information. The FDIC will review the information and provide relevant supervisory feedback. Covered institutions will need to evaluate their crypto-asset and digital asset activities and provide notice of such activities to the FDIC.
Pursuant to Section 39 of the Federal Deposit Insurance Act (FDI Act), the FDIC has established in Part 364 (including Appendices A and B) safety and soundness standards for all FDIC-supervised institutions. An FDICsupervised institution that engages, or intends to engage, in any crypto-related activities should notify the FDIC and provide any information requested by the FDIC that will allow the agency to assess the safety and soundness, consumer protection, and financial stability implications of such activities. Institutions notifying the FDIC are also encouraged to notify their state regulator.
Definitions
For purposes of the FIL, "crypto assets" and "cryptorelated activities" are defined as follows:
"[C]rypto asset"...refers generally to any digital asset implemented using cryptographic techniques. The term of "crypto-related activities" ... includes acting as cryptoasset custodians; maintaining stablecoin reserves; issuing crypto and other digital assets; acting as market makers or exchange or redemption agents; participating in blockchain and distributed ledger-based settlement or payment systems, including performing node functions; as well as related activities such as finder activities and lending.
The FIL acknowledges that the listing of crypto-related activities "is based on known existing or proposed crypto-related activities engaged in by FDIC-supervised institutions, but given the changing nature of this area, other activities may emerge that fall within the scope of this FIL. The inclusion of an activity within this listing should not be interpreted to mean that the activity is permissible for FDIC-supervised institutions."
Timing
With respect to the required FDIC notification, the FIL requires an FDIC-supervised institution, before it engages in, or if it currently engages in, a cryptorelated activity, to notify the appropriate FDIC Regional Director and provide "information necessary to allow the agency to assess the safety and soundness, consumer protection, and financial stability implications of such activities." The notice "should describe the activity in detail and provide the institution's proposed timeline for engaging in the activity." The FDIC may request additional information, which may vary on a case-specific basis, depending on the type of cryptorelated activity being performed.
Upon receipt of the notice, the FDIC will review it, request additional information as needed, and consider the safety and soundness, financial stability, and consumer protection aspects of the proposed activity. The FDIC will provide relevant supervisory feedback to the FDIC-supervised institution, as appropriate, in a timely manner.
SEC proposes sweeping new public company cybersecurity disclosure and governance rules.
Cybersecurity risk governance and disclosure has been the subject of a number of recent cyber-focused proposals. As Congress considers imposing broad federal cyber incident notification requirements, the Securities and Exchange Commission (SEC), on March 9, 2022, voted 3-1 to issue proposed new rules that would require publicly traded companies to disclose "cybersecurity incidents" (defined below) in current reports on Form 8-K or Form 6-K for foreign
21
EXCHANGE INTERNATIONAL JUNE 2022
private issuers within four business days of determining that an incident is material and, thereafter, correct prior disclosures when new or additional material information becomes available.
In addition, registrants would be required to include in quarterly and annual reports a list and updates of past incidents as well as extensive information regarding cybersecurity risk management, strategy, governance practices and board and management expertise.
This rule proposal follows on the heels of several SEC enforcement actions against public companies related to cybersecurity disclosures as well as SEC Chair Gary Gensler's January 2022 speech previewing potential rules (discussed here) and the SEC's February 2022 proposed new rules related to cybersecurity risk management for registered investment advisers, registered investment companies, and business development companies (discussed here).
Executive summary
The proposed rules would require companies to:
Disclose, within 4 business days, material cybersecurity incidents on Form 8-K and correct such disclosure by filing an amended Form 8-K where the initial disclosure becomes inaccurate or materially misleading as a result of subsequent developments regarding the incident.
Include disclosures in periodic filings regarding, among other things:
A company's policies and procedures to identify and manage cybersecurity risks;
Whether the company has engaged third-party service providers in connection with its risk assessment program;
Management's role in implementing cybersecurity policies and procedures, including whether the company has a chief information security officer or other management positions responsible for managing cybersecurity risk, and the expertise of such persons;
The board of directors' cybersecurity expertise, if any, and its oversight of cybersecurity risk, including the processes by and frequency with which the board of directors is informed about cybersecurity risks; and
Updates about previously reported material cybersecurity incidents.
Present cybersecurity disclosures in Inline eXtensible Business Reporting Language (Inline XBRL).
As proposed, there are no exemptions or phasein periods for smaller reporting companies, emerging growth companies or foreign private issuers. The SEC will be accepting comments on the proposed rules for the longer of 60 days following publication of the proposing release on the SEC's website (which occurred on March 9, 2022) or 30 days following publication of the proposing release in the Federal Register.
Background and current requirements
Under SEC Chair Gensler, cybersecurity has become an increasingly important focus area within the SEC, both through enforcement actions and proposed rulemaking.
In 2011, the Division of Corporate Finance issued interpretive guidance (the 2011 Guidance) to public companies regarding the Staff's view on public companies' existing disclosure obligations relating to cybersecurity risks and incidents. In 2018, the Commission issued interpretive guidance (the 2018 Guidance) to reinforce and expand upon the 2011 Guidance, identifying several areas of potential disclosures in a company's SEC filings with respect to cybersecurity risks and incidents, such as the Risk Factors, Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Description of Business, Legal Proceedings, Financial Statements and Subsequent Events, and Disclosure Controls and Procedures and Certifications sections in ongoing periodic filings and proxy statements.
The 2018 Guidance further made clear that while Form 8-K did not include any specific requirements to disclose cybersecurity incidents, voluntary disclosure may be advisable if a company determines that the incident is material or if disclosure becomes necessary under Regulation FD.
While the SEC's regulations did not explicitly address cybersecurity, the 2011 Guidance and 2018 Guidance encouraged companies to use the existing disclosure framework and requirements to determine whether a cyber-related incident is material and should result in public disclosure, balancing the potential materiality of any incident or risk with the importance of not compromising the company's ongoing cybersecurity efforts. The 2018 Guidance also emphasized the
22
WWW.DLAPIPER.COM
importance of disclosure controls and procedures that enable the company to appropriately record, process, summarize and report to investors material information related to cybersecurity risks and incidents.
In proposing the new rules, the SEC recognized that disclosures by public companies of material cybersecurity incidents and cybersecurity risk management and governance have improved since the issuance of the 2011 Guidance and 2018 Guidance but expressed concern that the nature of cybersecurity incident disclosure varies widely and current reporting may contain insufficient detail. In the proposing release, the SEC reminded public companies that the 2011 and 2018 Guidance would remain in place if the SEC adopts these new rules.
may still be considered material. A company's materiality analysis will require a careful assessment of whether the incident is "material in light of the specific circumstances presented by applying a well-reasoned, objective approach from a reasonable investor's perspective based on the total mix of information." [Proposing Release at 23-24]
REPORTING CYBER INCIDENTS ON FORM 8-K The proposed rules would amend Form 8-K to add Item 1.05 to require public companies to disclose information about a material cybersecurity incident within four business days after the company determines that the incident is material. The SEC would require companies to disclose the following information to the extent known at the time of filing:
The proposed rules
DEFINITION OF "CYBERSECURITY INCIDENTS" The proposed rules define a cybersecurity incident as "an unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity or availability of a registrant's information systems or any information residing therein." The SEC notes that what constitutes a cybersecurity incident should be construed broadly and would include third-party systems, not just companyowned systems. The proposed rules also include a non-exclusive list of examples of cybersecurity incidents, including an accidental exposure of data, a deliberate action or activity to gain unauthorized access to systems or to steal or alter data, a ransom demand or other demand by a malicious actor who has stolen or altered data, or other system compromises or data breaches.
EVALUATION OF THE MATERIALITY OF CYBERSECURITY INCIDENTS The proposed rules do not define materiality. Rather, they refer to the definition set out in numerous securities laws cases, including TSC Industries, Inc. v. Northway, Inc., which defines information as material if "there is a substantial likelihood that a reasonable shareholder would consider it important" or if it would have "significantly altered the `total mix' of information made available."
The SEC further notes that analysis of a cybersecurity incident's materiality would need to include both quantitative and qualitative factors, such that even if the probability of an adverse consequence is relatively low, if the magnitude of loss or liability is high, the incident
When the incident was discovered and whether it is ongoing
A brief description of the nature and scope of the incident
Whether any data was stolen, altered, accessed or used for any other unauthorized purpose
The effect of the incident on the company's operations and
Whether the company is currently remediating the incident.
Under Instruction 1 to the proposed new Item 1.05, companies would be required to make a materiality determination "as soon as reasonably practicable after discovery of the incident." Similar amendments are proposed to Form 6-K to add "cybersecurity incidents" as a reporting topic for foreign private issuers. Of course, four business days after this materiality determination, a company's investigation may still be ongoing, and the proposed rules specifically would not allow for any delay pending such investigations. While disclosure would only be required to the extent the information is known at the time of filing, companies in this situation may have to make challenging disclosure decisions in light of incomplete that is, only partially known information.
While the SEC notes that the Staff of the Division of Corporation Finance (the Staff) would not expect a company to publicly disclose specific, technical information about its planned response to an incident or a potential system vulnerabilities in such detail as would impede the company's response or remediation of an incident, the absence of any
23
EXCHANGE INTERNATIONAL JUNE 2022
grace period for completing an investigation and the requirement to disclose the nature of incident, if it is ongoing, and if it is (still) being remediated may attract malicious actors.
As proposed, the rules would require US public companies to file rather than furnish an Item 1.05 Form 8-K disclosure, making those companies subject to liability under Section 18 of the Securities Exchange Act of 1934 for materially false or misleading statements or omissions in disclosures regarding cybersecurity incidents. Untimely filing under new Item 1.05 of Form 8-K would not, however, result in a loss of Form S-3 or Form SF-3 eligibility.
Further, the SEC noted that there may be situations where an amended Form 8-K would need to be filed, including where a company becomes aware of subsequent developments regarding a cyber incident that has been reported on Form 8-K such that the previous disclosure has become inaccurate or materially misleading.
DISCLOSURE OF RISK MANAGEMENT, STRATEGY AND GOVERNANCE REGARDING CYBERSECURITY RISKS In addition to incident reporting, the proposed rules also would require enhanced and standardized disclosure of public companies' cybersecurity risk management, strategy and governance. New Item 106 of Regulation S-K would require the following disclosures in companies' periodic reports on Forms 10-K and 10-Q:
A description of the company's policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the company considers cybersecurity as part of its business strategy, financial planning and capital allocation.
Disclosure of whether the company engages assessors, consultants or other third parties in connection with any cybersecurity risk assessment program and any policies and procedures to oversee and identify cybersecurity risks associated with its use of any third-party service providers.
The proposed 4-business day material cybersecurity incident reporting trigger will require companies to have in place protocols and controls for prompt escalation and assessment of cybersecurity incidents.
UPDATING DISCLOSURES ABOUT CYBERSECURITY INCIDENTS IN PERIODIC REPORTS The proposed rules also would amend Forms 10-K and 10-Q (and provide for similar amendments to Form 20-F for foreign private issuers) to require updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.
New Item 106(d) of Regulation S-K would require public companies to provide updates in periodic reports about previously reported cybersecurity incidents. A nonexclusive list of required types of disclosures suggested by the SEC includes:
Any material impact of the incident on the company's operations and financial condition including any potential material future impacts
Disclosure about the company's cybersecurity governance, including the board of directors' oversight role regarding cybersecurity risk, the processes by which the board is informed about cybersecurity risks and the frequency of its discussions on the topic.
Disclosure about management's role, and relevant expertise, in assessing and managing cybersecurity related risks and implementing related policies, procedures and strategies, including whether the company has a chief information security officer or other management positions responsible for managing cybersecurity risk, and the relevant expertise of such persons, as well as the processes by which such persons are informed about and monitor cybersecurity risks and incidents and whether and how frequently such persons report to the board of directors on cybersecurity risks and incidents.
As proposed, a company that has not established any cybersecurity policies or procedures would not have to explicitly state that this is the case.
Whether the company has remediated or is currently remediating the incident and
Any changes in the company's policies and procedures as a result of the cybersecurity incident.
24
WWW.DLAPIPER.COM
DISCLOSURE REGARDING THE BOARD OF DIRECTORS' CYBERSECURITY EXPERTISE The proposed rules also would amend Item 407 of Regulation S-K to require disclosure in certain annual reports or proxy statements if any member of the board of directors has cybersecurity expertise and include enough detail "as necessary to fully describe the nature of the expertise," which is a higher threshold than currently exists for other experience-related disclosures, such as the requirement to name an "audit committee financial expert."
While the rules do not define what would constitute "cybersecurity expertise," an instruction to the proposed rules provides guidance that "expertise" would include prior work experience in cybersecurity, any relevant degrees or certifications, and any other knowledge, skills or background in cybersecurity.
The rules as proposed also include a safe harbor for any person who is designated as having cybersecurity expertise and would not impose additional duties, obligations or liability on such persons, including for purposes of Section 11 of the Securities Act of 1933. Companies are not required to have a board member with cybersecurity expertise and If a company does not have a person with cybersecurity expertise on its board of directors, it would not be required to make an explicit statement that this is the case.
INLINE XBRL FOR CYBERSECURITY DISCLOSURES To better inform investors about cybersecurity incidents and a company's risk management, strategy and governance surrounding cybersecurity, the proposed rules also would require companies to tag the information required to be disclosed under Item 1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K in Inline XBRL. This would include block text tagging of the narrative disclosures as well as tagging of quantitative amounts disclosed.
Commissioners' statements on the proposed rules
Multiple SEC commissioners have provided formal statements on the proposed rules, both in support of, and against, the proposal. SEC Chair Gensler supports the proposed rules and amendments, stating that, if adopted, the proposed rules wouldprovide benefits to companies and investors by requiring cybersecurity risks and incidents to be disclosed "in a consistent, comparable and decisionuseful manner" which would "strengthen investors' ability to evaluate public companies' cybersecurity practices and incident reporting." Similarly, Commissioner Caroline A.
Crenshaw issued a statement supporting the proposed rules, citing concerns that "disclosures relating to cybersecurity incidents are inconsistent in level of detail, time of disclosure, and placement" and stating that she was in support of the proposed rules as "an important step forward in addressing this growing and everpresent risk."
In contrast, Commissioner Hester M. Peirce dissented, voicing concern about regulatory overreach and stated that the proposed rules casts the SEC as "the nation's cybersecurity command center, a role Congress did not give" the SEC. Commissioner Peirce took issue with the "unprecedented micromanagement" of public companies embodied in the governance disclosure requirements and stated her view that this type of corporate decision-making "should be left to business not SEC judgment." Commissioner Peirce also noted that the level of detail and prescriptive nature of the disclosures enumerated in the new disclosure requirements "look more like a list of expectations about what issuers' cybersecurity programs should look like and how they should operate." She is concerned that the rules "will have the undeniable effect of incentivizing companies to take specific actions to avoid appearing as if they do not take cybersecurity as seriously as other companies."
Potential implications
While the proposed rules may ultimately change, and as noted above, the SEC commissioners are not unified in their views, if the rules were to go into effect as proposed, there would be a number of potentially significant implications for public companies, including:
DISCLOSURE IMPLICATIONS 1.Prompt materiality assessments will become
essential. As proposed, companies would need to begin assessing materiality "as soon as reasonably practicable after discovery of the incident" and would need to disclose the incident within four business days of determining that the incident has become material. In practice, this would require companies to have robust internal controls and procedures to ensure that these materiality determinations are timely made, properly documented, and then revisited throughout the duration and investigation of an incident. For large companies that may be subjected to frequent and persistent cyberattacks, this process of assessing materiality, both on an individual incident basis and in the aggregate, could become a significant exercise. Moreover, in practice, the full scope and potential materiality of a cyber incident is often not known at the time a company first becomes
25
EXCHANGE INTERNATIONAL JUNE 2022
aware of the issue and what may seem like a material incident in hindsight may not be so apparent in real time as a situation develops. As the SEC has shown in recent enforcement actions, a failure to make fulsome and timely disclosures also may be viewed as a deficiency in internal controls, making the process by which companies assess materiality and document such determination of critical importance.
2.Companies should expect to balance differing regulatory and law enforcement requirements. The SEC proposes to mandate disclosure of material cybersecurity incidents in 4 business days. State cybersecurity requirements are different. Similarly, the content of proposed SEC and state law disclosures will likely differ. Further, the timing and content of public disclosure might impact ongoing law enforcement investigations or efforts to recover stolen funds or to detect wrongdoers or threat actions. The proposed SEC rules will add yet another layer to the already complex balancing act companies face when addressing material cybersecurity incidents.
3.With cybersecurity incidents, the SEC proposes to create an explicit, affirmative duty to update. The proposed rules create two paths that might require updating disclosure. First, the rules would create an affirmative duty to update previously disclosed cybersecurity incident disclosures in future periodic reports.In addition, by creating a Form 8-K disclosure obligation upon determination of materiality, the rules would compel companies to include public disclosure of incidents at a time when the incident may still be developing or under investigation. The SEC noted in a footnote to the proposed rules that waiting until the next periodic report to update prior disclosures may not be sufficient. For example, the SEC noted that if the impact of an incident is determined to be "significantly more severe than previously disclosed" an amended Form 8-K may be required even before an update on the incident is due in the next periodic report. Companies would therefore need to assess not just what updates might be required in future periodic reports but also whether the nature of those updates gives rise to an interim Form 8-K disclosure obligation.
GOVERNANCE IMPLICATIONS 1.Cybersecurity expertise will become a board
imperative. While the proposed rules do not mandate that boards have cybersecurity expertise, by requiring disclosure of the names of directors with that experience, as well as detail regarding how that determination was made, the proposed rules may effectively prompt public companies to seek out directors with a greater degree of cybersecurity knowledge. By highlighting a board's knowledge on cybersecurity, the proposed rules may potentially expose companies without board members that have that depth of specific knowledge to greater risk of investor activism, shareholder advisory criticism and potentially shareholder litigation in the event of a material cybersecurity incident. As more and more companies disclose detailed board cybersecurity expertise, companies lacking such expertise may face increased challenges that they are not acting with reasonable care.
2.The SEC would be expanding the use of disclosure regime to influence operational decisions. In addition to director expertise disclosure, the proposed rules would also require disclosure of whether a company has a chief information security officer, including his or her expertise and authority within the organization, and detailed information regarding a board's and management's role in implementing and discussing cybersecurity. By requiring such specific and expansive disclosure which will likely have the impact of leading companies to make personnel decisions related to that disclosure, the SEC's rule proposal has the effect of using disclosure rules to expand its influence into what has historically been a topic of ordinary course business operations and judgment.
3.Additional policies, procedures and internal controls would be required. Cybersecurity disclosure controls and procedures have been a key area of focus by the SEC, and the various disclosure requirements in the proposed rules would increase the need to develop and assess the effectiveness of such controls. The proposed rules reinforce the SEC's expectation set forth in its 2018 Guidance that a company's financial reporting and control systems must be designed to provide reasonable assurance that information about the range and magnitude of cybersecurity incidents will be incorporated in its financial statements on a timely basis as information
26
WWW.DLAPIPER.COM
becomes available. Companies looking to fully comply with the proposed rules (if adopted), would need to thoroughly consider how they create appropriate disclosure controls and procedures to comply with the rules, how they document those controls and procedures, and how they assess their effectiveness.
4.Companies would need to consider risks associated with third-party service providers. The SEC's proposed definition of a company's "information systems" includes "information resources owned or used by the registrant." As proposed, there would be no safe harbor for information about cybersecurity incidents affecting third-party information resources that are used but not owned by a public company. In addition, the proposed rules would require disclosure concerning a company's selection and oversight of third-party entities. If adopted, the proposed rules would likely create a greater focus on a company's selection processes and controls related to third parties, including controls designed to ensure timely and fulsome disclosure of third-party originated incidents so that companies can adequately comply with their own disclosure obligations.
Next steps
The proposal contains several groups of questions on which the SEC has requested comment. The public comment period for the proposed rules will be open for 60 days following publication of the release on the SEC's website, or 30 days following the publication of the proposing release in the Federal Register (whichever period is longer). As of the date of this alert, the proposed rules have not yet been published in the Federal Register.
Public companies and other market participants should also expect more rules related to cybersecurity. In his statement on the proposed rules, Chair Gensler commented that this is the third rulemaking project the SEC has proposed on cybersecurity, and that he had asked the SEC staff to make recommendations for the SEC's consideration with respect to broker-dealers, Regulation Systems Compliance and Integrity and Regulation S-P (related to customer notices).
27
EXCHANGE INTERNATIONAL JUNE 2022
SEC settles with BlockFi crypto lending platform
The SEC announced a settlement of charges against BlockFi Lending LLC (BlockFi) with respect to its BlockFi Interest Account (BIA) product.
According to the SEC:
investors lent crypto assets to BlockFi through the BIAs
BlockFi used investors' crypto assets to make investments, including loans to institutional investors and
investors received interest paid monthly in crypto assets.
The SEC's order found that the BIAs were unregistered securities and charged BlockFi with failing to register its offering, violations of negligence-based antifraud provisions of the securities laws and violating the Investment Company Act by operating as an unregistered investment company.
In settling this matter with the SEC, BlockFi agreed to stop offering BIAs to new investors or accepting additional assets in the BIAs by current investors, and to not violate these securities laws in the future. BlockFi also agreed to pay USD100 million in penalties and pursue registration of its BIA crypto lending product. USD50 million of those penalties are fines to be paid to 32 states to settle similar charges, including Texas and Alabama.
BlockFi's parent company, BlockFi Inc., has also publicly announced that it intends to register under the Securities Act the offer and sale of a new investment product, BlockFi Yield, with the SEC (or take steps such that it is no longer required to register.)
This case provides insight into how the SEC evaluates crypto lending platforms, and how the agency will scrutinize crypto platforms engaging in similar activities. Notably, this case says nothing about any particular token or crypto asset; BlockFi is an exchange and does not have a native token.
At issue in this case was the structure of the BIAs. BIA investors received interest at variable rates from the exchange in payment for lending their crypto assets to BlockFi. BlockFi generated returns by deploying those crypto assets in loans, lending money to investors and investing in equities and futures. The SEC based its fraud allegations that BlockFi made false and misleading website statements on these collateral practices and risks related to BlockFi's lending activity.
Instead of using only the Howey test that has permeated its actions against ICOs and other offerings of tokens, the SEC concluded that the BIAs were notes that fell under the definition of securities using the Supreme Court's analysis in Reves v. Ernst & Young and were an investment contract under the Howey test. Therefore, the BIA securities should been, but were not, registered.
Commissioner Peirce's dissent raises some interesting points on whether the securities regulatory framework is the appropriate framework for getting customers transparency around the terms and risks of crypto lending products, particularly forcing this platform to register the securities and register as an investment company. She also emphasizes that while the SEC wants crypto companies to come talk to them, it still hasn't committed to working with such companies "to craft sensible, timely and achievable regulatory paths."
This is the first case of its kind brought against a crypto lending platform although it follows the rationale of the SEC's much earlier case against Prosper Lending.
The SEC is investigating other similar crypto platforms so we anticipate more similar cases to come. This decision has important implications for other DeFi platforms.
Central Bank of Ireland Consultation Paper on Irish Regulated Property Funds
28
WWW.DLAPIPER.COM
On 25 November 2021, the Central Bank of Ireland (Central Bank) issued consultation paper 145 (Consultation Paper) to industry in relation to a proposal to introduce macroprudential limits on leverage and provide regulatory guidance to reduce the potential for liquidity mis-matches in AIFMD1 compliant property funds that are Irish-authorized and investing over 50% directly or indirectly in Irish property.
As part of its analysis of the Irish property sector, the Central Bank has identified in the Consultation Paper that:
there is significant variation in leverage levels across Irish property funds;
a cohort of property funds have elevated levels of leverage; and
Background
Following a period of analysis of the impact of the Irish real estate sector, including property funds, on the overall financial stability of the Irish economy, the Central Bank issued a Financial Stability Note in February 2021 in which it was noted "that property funds' investment in Irish commercial real estate has brought risks as well as benefits, which supports the need to explore possible macroprudential policy interventions."
In recent years, there has been significant growth in the use of Irish authorized investment funds for the purposes of investing in Irish commercial real estate (CRE). The Central Bank has noted that, given its systemic importance, any unexpected or significant instability in the Irish CRE market has the potential to create adverse consequences and macroeconomic effects for the wider Irish economy.
With the aim of addressing potential financial stability risks in the longer term and to ensure that the sector is better able to absorb, rather than amplify, adverse shocks in future times of stress, the Central Bank has now issued the Consultation Paper with its proposals around the introduction of macroprudential policy interventions in this sector. The Central Bank is of the view that this "in turn will better equip the sector to continue to serve its purpose as a valuable and sustainable source of funding for economic activity." In particular, the Central Bank has identified and focused on two key potential sources of financial vulnerability namely, leverage and liquidity mismatch in Irish-authorized property funds, which it believes will complement existing regulatory requirements.
Proposed measures to address leverage in certain Irish Property Funds
the average value of total loans to the value of total assets in Irish property funds is approximately 46% however, there are significant differences across the sector in Ireland and the Irish average exceeds the whole property fund sector across Europe.
These factors create the risk that highly-leveraged property funds may breach their loan covenants (including leverage thresholds), resulting in voluntary or compulsory asset sales in an illiquid market, amplifying stress in the CRE market and creating wider market instability.
AFFECTED IRISH PROPERTY FUNDS The Leverage Limit (defined below) would apply to all authorized property alternative investment funds (AIFs) in Ireland that invest over 50% directly or indirectly in Irish property assets (Property Funds).
New Property Funds will be required to adhere to the Leverage Limit on authorization, while the Central Bank proposes to provide a three-year transition period for existing Property Funds with leverage levels above the proposed Leverage Limit to ensure that those funds have appropriate time to adjust their portfolio in a gradual and orderly manner.
PROPOSED LEVERAGE LIMIT As detailed in the Consultation Paper, and similar to leverage limits for Property Funds in place in other countries, the Central Bank now proposes to introduce a 50% limit on the ratio of Property Funds' total loans to their total assets (or its equivalent applying the AIFMD gross or commitment methodologies) (the Leverage Limit).
The Leverage Limit will apply to all types of loans, including loans from affiliated parties and shareholders, with a view to reducing the potential for regulatory arbitrage by increasing leverage through unregulated affiliated entities.
1 Directive 2011/61/EU.
29
EXCHANGE INTERNATIONAL JUNE 2022
Leverage Limits will be determined by the Central Bank based on each Property Fund's regular regulatory reporting of asset and liability values. Property Funds with levels of leverage close to, or above the Leverage Limit would be issued with a Leverage Limit by the Central Bank, which would also be notified to ESMA2.
Given the significant variation in leverage levels in Property Funds, the Central Bank states that it will consider feedback from stakeholders "on the proposed calibration of the limit carefully." In addition, it is proposed that the Central Bank will have the power to temporarily remove or tighten the Leverage Limits, where it deems appropriate.
Proposed measures to address liquidity mismatch in certain Irish Property Funds
Following its analysis of Irish property funds, the Central Bank has "observed significant variation in the redemption terms of Irish property funds, which cannot be explained fully by differences in the liquidity of their assets." The Central Bank is of the view that liquidity mismatch is evident for a significant subset of Irish property funds and that additional regulatory guidance (the Guidance) is required, which will be specific to Property Funds, but which may have more general value to other types of AIFs when interpreting regulatory requirements on liquidity risk management.
PROPOSED GUIDANCE ON LIQUIDITY MANAGEMENT Despite existing regulatory requirement for Irish authorized AIFs, including Property Funds, to align their redemption policies with their investment policies and strategies and the liquidity profile of their investments, the Central Bank is of the view that it is appropriate to introduce the additional regulatory Guidance for Property Funds on aligning their redemption terms with the liquidity of their assets.
Details of the draft Guidance is set out in Annex 1 to the Consultation Paper and includes the following key proposals:
for the Property Fund, taking into consideration the asset class(es), the availability of a secondary market and whether redemptions could be satisfied without the need to dispose of large portions of the portfolio held by the Property Fund.
Redemption policies should be reviewed to ensure they align with the liquidity profile of the assets for open-ended with limited liquidity Property Funds.
AIFMs must take into account the liquidity of real estate assets under both normal and stressed market conditions when considering redemption terms for Property Funds.
Liquidity management tools (LMTs), which are complementary to the redemption policy and align with the liquidity profile of a Property Fund's assets, should be available to the AIFM to permit it to manage liquidity risk, where appropriate. LMTs should, however, not be excessively relied upon. Please also refer to our publication on the European Commission's proposed reforms of AIFMD, which include new proposals around the use of LMTs in AIFs.
In relation to liquidity timeframes for open-ended funds, the Guidance proposes that:
Property Funds should have appropriately balanced liquidity timeframes which include lengthened notification periods for redemption requests and settlement periods for the payment of redemption monies to investors.
Property Funds should provide for a liquidity timeframe of at least 12 months, taking into account the nature of the assets held. The Central Bank notes that this will "assist in ensuring that the redemption terms of the property fund align with the liquidity of the assets held in both normal and exceptional circumstances, and in a manner consistent with the fair treatment of investors".
Property Funds that cannot dispose of assets within the minimum liquidity timeframe should consider having longer liquidity timeframes in place.
Irish Property Funds should typically be authorized as either closed-ended or open-ended with limited liquidity.
The board of the alternative investment fund manager (AIFM) (and also the board of the Property Fund, where appropriate) should consider and document the structure/liquidity status that is most appropriate
2 European Securities and Markets Authority
WWW.DLAPIPER.COM
International
SWIFT and the Ukraine conflict: Latest developments
On 26 February 2022, the EU, UK, Canada and the US published a Joint Statement on further restrictive measures in light of the Ukraine conflict. These nations committed to ensuring selected Russian banks are removed from the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system.
Seven Russian Banks were banned from SWIFT on 12 March 2022 with three Belarusian entities then also being banned from the system on 20 March 2022. On 4 May 2022 Ursula von der Leyen, the President of the European Commission, announced the ban would be extended still further with Russia's largest bank, Sberbank, plus Credit Bank of Moscow and the Russian Agricultural Bank also to be excluded from the SWIFT system.
SWIFT is a Belgian-based financial messaging services cooperative supporting 11,000 banking and securities organisations, market infrastructures and corporate customers in more than 200 countries. As a result of the ban, these selected Russian banks will be unable to initiate payment instructions in eligible payment systems or receive inbound payments in those same systems.
Banned Russian banks and Belarusian entities may seek alternatives to SWIFT, such as routing payments via countries that have not imposed sanctions, such as China, which has its own payments system called the Cross-Border Interbank Payment System (CIPS). Russia has a SWIFT alternative known as the System for Transfer of Financial Messages (SPFS) which may also be used as may cryptoasset payments platforms.
Alternatives to SWIFT have critical interoperability, cost, security and speed constraints.
31
EXCHANGE INTERNATIONAL JUNE 2022
Banned Russian Banks
On 2 March 2022, the EU published European Council Regulation (EU) 2022/345 and European Council Decision (CFSP) 2022/346 in the official journal of the European Union. This Regulation and Decision identified the selected Russian banks that are subject to the SWIFT ban.
These banks are: VTB Bank (being Russia's second largest bank), Vnesheconombank (VEB), Rossiya Bank, Sovcombank, Bank Otkritie, Novikombank and Promsvyazbank.
The ban took effect on 12 March 2022.
SWIFT sends more than 40 million messages a day, 1% of which involve Russian payments.
SWIFT is jointly owned by 2,000 banks and financial institutions. SWIFT's board of directors comprises 25 independent directors appointed by its shareholders. According to Article 17 of the SWIFT By-laws, nations with more member institutions of SWIFT have additional rights to appoint directors.
SWIFT is overseen by the National Bank of Belgium, in partnership with major central banks around the world, including the US Federal Reserve and the Bank of England.
The official journal also applies the measure to "any legal person, entity or body, established in Russia whose proprietary rights are directly or indirectly owned for more than 50%" by these Russian banks.
This list does not include Sberbank, Russia's biggest lender by assets, or Gazprombank, which is heavily involved in its energy sector. According to the EU press release, the European Commission "is prepared to add further Russian banks [to the list] at short notice."
On 1 March 2022, SWIFT published a press release noting the Joint Statement and stating that SWIFT is engaging with these authorities to understand which entities will be subject to these new measures. SWIFT states that it will disconnect them when it has received a legal instruction to do so.
How are members removed from SWIFT?
Article 16(c) of the SWIFT By-laws state that:
Alexei Kudrin, Russia's former finance minister, suggested all Russian financial institutions being cut off from SWIFT could shrink Russia's economy by 5%.
"c. The Board of Directors may suspend or expel a Shareholder from the Company if it establishes in its opinion that such Shareholder:
Banned Belarusian Entities
On 12 March 2022, SWIFT published a statement noting that it had disconnected the selected Russian banks and would also disconnect the following three Belarusian entities (and their designated Belarusbased subsidiaries) on 20 March 2022 in accordance with a further Regulation, being Council Regulation (EU) 2022/398: Belagroprombank, Bank Dabrabyt and the Development Bank of the Republic of Belarus.
What is SWIFT?
SWIFT acts as the carrier of messages containing payment instructions between financial institutions involved a transaction.
does not observe the By-laws of the Company and/or the Corporate Rules or any undertaking towards the Company;
makes any arrangement or composition with or concerning its creditors;
is subject to regulations impacting its shareholding in the Company;
commits an act of negligence which may be prejudicial to the interest of the Company provided that the Board of Directors informs the Shareholder in writing of the reasons underlying its decision and that the relevant mandatory provisions under Belgian law are complied with."
The SWIFT organisation itself does not manage accounts for institutions, holds no institution funds and does not perform clearing or settlement functions. After a payment has been initiated using a SWIFT message, it must be settled through a payment system such as the Trans-European Automated Real-time Gross Settlement Express Transfer System (TARGET2).
Part 3 of the SWIFT Corporate Rules also provides that the board of directors should be provided a written report from SWIFT management for the termination of an existing shareholder. Termination (expulsion) is subject to section 7.3 on dispute resolution in the SWIFT Corporate Rules.
32
WWW.DLAPIPER.COM
SWIFT has not published the minutes of the meeting of its board of directors in which the decision to ban the selected Russian banks and Belarusian entities was made in accordance with the Regulation (EU) 2022/345, Counsel Decision (CFSP) 2022/346 and Council Regulation (EU) 2022/398.
Cross-Border Interbank Payment System
The CIPS is a payment system offering clearing
and settlement services for its participants in
crossborder RMB payments. It is a significant payment
infrastructure in China.
All relations between SWIFT and each member, as well as the SWIFT by-laws and SWIFT Corporate Rules, are governed by the laws of Belgium.
On 14 March 2022, the Financial Times reported that various bankers and financial regulators (not named) are concerned about the prospect of a cyberattack (or attacks) against SWIFT. SWIFT provided a statement to the Financial Times noting that it takes "security very seriously" and has "a strong control environment in place for physical and cyber security."
Alternatives to SWIFT
In advocating for Russia not to be banned from SWIFT, Austrian Chancellor Karl Nehammer said "the suspension of SWIFT would affect the Russian Federation less than the European Union," and argued Russia could use its "own payment system, and secondly, it would immediately switch to Chinese payment systems."
The identity of participants is not in the public domain. But according to the CIPS Participants Announcement No 73, in January 2022 CIPS has 75 direct participants and 1205 indirect participants. Russian banks likely will be both direct and indirect participants of CIPS.
SPFS
As part of the Crimea-related sanctions of 2014, Russia was threatened with expulsion from SWIFT. Western countries did not proceed with this action, but this did prompt Russia to begin the development of its own cross-border transfer system, SPFS.
At the end of 2020, there are 23 foreign banks connected to the SPFS from Armenia, Belarus, Germany, Kazakhstan, Kyrgyzstan and Switzerland. There are also plans to link SPFS to payment systems in China, India and Iran. These plans may be accelerated to the extent that a significant number of Russian banks are banned from SWIFT.
SPFS is not seen as a viable alternative to SWIFT, given that the system currently works only within Russia and is subject to high transaction costs.
Bank-to-bank connections
Russian banks may choose to deal directly with nonRussian banks to process payments using traditional payments channels such as fax, email, and any available bilateral messaging systems. This would likely add delays and additional costs to the payments process which may be passed on to the payer/payee.
Cryptoasset payment networks
Banning Russian banks from SWIFT may result in Russian payment being processed in decentralised networks such as bitcoin.
According to Banco Santander, Russia's import/export flows total around USD570 billion annually, a volume that could be accommodated on the bitcoin network. Bitcoin processes USD20 billion in on-chain transactions per day, or more than USD7 trillion per year.
Impact of the ban
For counterparties to contractual relations, the removal of Russian and Belarusian institutions and the from SWIFT due to European Commission Decisions may provide grounds for recission due to illegality.
DLA Piper expects that counterparties may seek to rely on illegality, including as an event of default, in a variety of commercial and financial arrangements.
There remains considerable uncertainty as to the status of in-flight transactions at the time that SWIFT access is banned. These payments will be subject to their respective payment systems' contingency, liquidity management and resolution mechanisms.
It may also lead to payments business transferring to non-sanctioned Russian banks that are not subject to the SWIFT ban.
33
EXCHANGE INTERNATIONAL JUNE 2022
The impact of the SWIFT ban has been largely overshadowed to date by the sanctioning of Russian persons and firms; and the actions of some card schemes and corporates to cease operating in Russia. Russian banks not subject to the SWIFT ban, such as Sberbank, are facing significant liquidity challenges as deposits are withdrawn and liabilities are drawn down. Sberbank closed its European legal entities in compliance with an order by the European Central Bank as a result of EU sanctions.
The Bank of Russia has lowered reserve requirements for Russian banks and continued to increase interest rates to over 20%, given the liquidity gap in the Russian banking system, which is reported to be USD68 billion. On the day of the announcement of the SWIFT ban on the initial 7 Russian banks, Russian citizens withdrew close to a trillion Roubles, which represented 6.5% of the monetary base.
The SWIFT ban, as well as sanctions and other corporate actions, could contribute to a default on Russian obligations abroad. This may result in a liquidity shock to Western markets, given that Russian entities owe more than USD100 billion in the next financial year, according to IMF estimates. Both Russian banks' and Russian government instruments have been subject to credit rating agency downgrades.
Despite continuing concerns in the market around the Russian Government perhaps not being able to make payment of interest and principal on its US Dollar denominated debt, it has, so far, avoided default and succeeded in making payments on its overdue debt in US dollars from those of its USD reserves which are not frozen in the US and elsewhere. However, with sanctions continuing to bite and substantial bond payments continuing to fall due by the Russian Government, both before and after the current US Office of Foreign Assets Control's current special licence, which allows for "the receipt of interest, dividend or maturity payments" on debt or equity liabilities, terminating on 25 May 2022, those concerns around Russia's ability to continue to pay remain. While the effects of such a Russian default cannot be predicted, it is notable that Kristalina Georgieva of the IMF stated in March 2022 that while such a Russian government default is no longer an improbable event, she discounted the idea of a wider shock to the global financial system should this default occur.
34
WWW.DLAPIPER.COM
Brazil
35
EXCHANGE INTERNATIONAL JUNE 2022
Digital banking is booming across Latin America, disrupting the sector and enhancing service delivery
The importance of fintechs neobanks and digital wallets across Latin America is rising. Recent research by Bank of America demonstrates that, in Brazil alone, in 2021 fintechs such as Nubank, PagBank, Mercado Pago, Ame Digital and Banco Pan had more than 95 million monthly active users, surpassing traditional Brazilian banks, such as Caixa, Ita, Bradesco and Santander, by more than 15 million active users a month.
In Brazil, fintechs, such as the companies mentioned above as well as PicPay, C6 and Inter, reached over 21 million downloads per month in 2021 a growth of around 33 percent over 2020.
Notably, however, traditional banks are also engaging in this new digital approach to banking and finance. The digital divisions of traditional banks, which normally operate as a subsidiary or joint venture among them Bitz and Next from Bradesco, iti from Itau and Superdigital from Santander were responsible for at least 19 percent of visits to bank websites in 2021.
DEFINING THE TERMINOLOGY Fintechs can be regarded as companies that use technology (software, algorithms, and applications for mobile or computer structures) to support banking and financial services, such as online banking or payment apps.
In this sense, neobanks, sometimes referred as "challenger banks," may be defined as fintechs that offer a platform, application, software, algorithm, or technological process to enable online banking for their users without having a single physical branch. Neobanks do not have a bank charter. They may operate only within the restrictions and limits of their legal structure, depending on their jurisdiction.
Digital wallets, in contrast, are online services that enable transactions electronically for individuals or businesses by storing their payment information in order to connect with the payment scheme and conclude a purchase or transfer. Thus, the expression "digital bank" embraces all the definitions above and will be used as a general definition for the purpose of this article.
Overall, such digital banks (neobanks, digital wallets and fintechs in general) focus on innovating banking and financial services by improving user experience (UX) and banking as a service (BaaS) solutions, in which technology allows a bank to offer its clients an integrated range of banking services under the umbrella of a single brand.
THE MOST VALUABLE BANK IN LATIN AMERICA Nubank's initial public offer on NASDAQ in December 2021 demonstrated that digital banks can be, and are, disruptive on their own. In the aftermath of the IPO, Nubank was valued at USD41.5 billion that is, it was regarded as the most valuable bank in Latin America, overtaking even Banco Ita, with its vast market share and massive annual profit.
Nubank is only one example of how digital banks are changing the banking industry. In Argentina, Brubank a 100 percent digital bank already authorized to operate by Argentina's Central Bank had already reached over 1.5 million users in 2021. It is currently planning expansion into Colombia and Peru. In August 2021, Ual became one of the first unicorns in Argentina, valued at USD2.45 billion. Argentina, Colombia and Peru also have digital banks, such as Ligo, a Peruvian digital wallet; B89, one of the first Peruvian fintechs; Rappi, a Colombian superapp with several services, including banking; and Nequi, the first digital-only bank in Colombia.
36
WWW.DLAPIPER.COM
Other Latin America countries, as among them Uruguay and Chile, are following the same path, and certain companies, as expected, are seeking to innovate in this market. Mach in Chile and Prex in Uruguay are two examples.
POTENTIAL RISKS Even though these innovations are overall regarded as positive, there are associated risks. Among these are the potential for fraud and even Ponzi schemes taking advantage of consumers; bankruptcy is another risk.
Among Latin America countries, Brazil and Mexico are considered the countries with the largest number of fintechs, digital banks and similar institutions, and with the most competitive digital banking markets. Cuenca, Albo, Klar, Fondeadora and several other Mexican fintechs are particularly relevant in the Mexican banking market as they strive to continuously innovate in the Mexican banking space.
Countries are striving to regulate and define limits and restrictions for fintechs and digital banks, to protect clients' money, data and, consequently, their national economies. However, as so often happens in a time of rapid change, companies are also constantly innovating, and regulations may not keep pace.
EXCHANGE INTERNATIONAL JUNE 2022
In Focus
Exploring the metaverse: What laws will apply?
During the last decade, virtual interactions have become an increasingly important part of life for consumers and businesses. This trend has accelerated during the COVID-19 pandemic, with both consumers and businesses gravitating towards video-conferencing and other forms of virtual interactions. Recently, interest in virtual interactions has focused on the "metaverse," with major companies, among them Facebook, announcing metaverse initiatives. In fact, Facebook, predicting the metaverse as the next wave in technology, has gone so far as incorporating the term into its new name, Meta.
What is the metaverse?
Despite widespread discussion of the metaverse as if it were already an existing, finished construct, the metaverse is currently not much more than a rapidly evolving idea. Discussing the metaverse in 2022 may be a bit like discussing the Internet in the 1960s. In both cases, even computer scientists can only imagine what the future might hold. Modern-day authors and filmmakers such as Ernest Cline and Steven Spielberg who collaborated on Ready Player One have given us just a small glimpse of what they envision one aspect of the metaverse to look like.
However, like any new foundational technology, the metaverse remains confusing and unknown to many. So, what precisely is the metaverse? What metaverse use cases currently exist, and which do we expect to emerge? What laws will apply to the metaverse? In this article originally published in Chambers TMT 2022, we explore these and other questions in more detail.
The metaverse is not a new concept, and efforts at building a metaverse have been afoot for decades. For example, in 2003 San Francisco-based firm Linden Lab released Second Life, an online multimedia platform in which users create an avatar and build a "second life" in an online world. And as is often the case, science fiction precedes and predicts reality.
38
WWW.DLAPIPER.COM
In 1992, writer Neal Stephenson published the novel Snow Crash, a dystopian story featuring a "Metaverse" urban environment complete with virtual real estate accessible through VR goggles. In the 2018 film (and book of the same name), Ready Player One, much of humanity interacts using the fictional OASIS virtual reality simulation. In real life, during the COVID-19 pandemic, humanity has already taken its first step in this direction with education migrating online and video meetings supplanting business travel around the world at a magnitude never before imagined.
Many people also view the development of the metaverse as the natural evolution of the Internet from Web 2.0 to Web 3.0. For context, Web 1.0 is described by many as the first stage of Internet evolution, whereby users primarily consumed content. In Web 2.0 (the currently dominant paradigm), users also interact with the Internet to create and share content. Web 3.0 adds disintermediation (gradual removal of intermediaries) and decentralization, giving users tremendous control over their experience on the Internet.
Loosely defined, the concept of a metaverse refers to the migration of various parts of the human experience from the physical world to an increasingly immersive virtual world. At its core, the metaverse is a pronounced intersection of technology and content. For example, video games such as Fortnite and Roblox allow players to enter a complex, extensive virtual world and engage in a wide variety of virtual experiences and interactions including with other players from around the world. Platforms such as Sensorium allow users to create their own alter egos and enter a shared virtual space where top DJs play virtual shows, complete with a massive crowd of fellow users. Facebook recently announced Horizon World, a "mixed reality" meeting space that allows users to participate in meetings in a virtual world, complete with avatars, virtual meeting rooms and tables, and even virtual chalkboards.
Some platforms, such as Pokmon Go and Illust Space, allow users to explore the physical world which has been supplemented with digital characters and other artifacts. Many of these platforms can be made more immersive with the use of VR headsets, and future developments in technology such as haptic feedback suits (which facilitate 3D touch) and omnidirectional treadmills promise to add to the experience.
Thus, despite reference to "The Metaverse," there is at present no unitary metaverse experience. Rather, "The Metaverse" refers to an idea likely to be embodied in numerous virtual worlds, where technology has the opportunity to bring content to those worlds in ways never before imagined and, with it, legal issues and challenges never before contemplated.
Present and future uses of the metaverse
As noted above, several aspects of the present versions of the metaverse are already in use and/or in the late stages of development. The need for mankind to continue to advance its experiences in commerce, entertainment and education, particularly in a world where personal interaction is forbidden or discouraged due to health risks, has fuelled rapid advances in the development of the metaverse in a number of key areas discussed more fully below.
COMMERCE The fully immersive metaverse is being built on a foundation of Web 3.0 technologies, including blockchain, cryptocurrencies, and non-fungible tokens (NFTs). We have already seen major companies accept cryptocurrencies as a form of payment for goods and services, and El Salvador recently became the first country to adopt the cryptocurrency Bitcoin as a second legal tender. In a fully immersive metaverse, commerce may use cryptocurrencies as consideration. Digital goods, ownership of which is often recorded with NFTs, have recently found great success, further evidencing the commercial possibilities in the metaverse.
The metaverse also offers a significant opportunity for virtual occupational training. Companies will likely continue to develop and build upon the virtual and augmented reality occupational training modules currently employed. The metaverse may offer significant opportunities for candidates to gain experience in occupational skills and display such skills to prospective employers.
The metaverse has and will continue to revolutionize the marketing and advertising of products and services by creating brand experiences that are more engaging and exciting and give the consumer a bespoke experience. Many major brands have already embraced the medium in numerous ways, and their brand engagement and awareness has already yielded meaningful results. Virtual events, virtual storefronts, and digital collectibles are and will continue to be just some of the ways that brands and products will reach virtual consumers.
39
EXCHANGE INTERNATIONAL JUNE 2022
ENTERTAINMENT Technological advances relating to online video games have been a major driver in the necessary technology for the metaverse. From the early pioneers such as Second Life to the leading interactive online video games of today, these games have resulted in rapid evolution of an interactive virtual world for competitive play and have opened the door for new virtual experiences, from concerts to movie premieres to NFTs of all types. For example, musical artists such as Lil Nas X, Travis Scott, and Ariana Grande have each held successful virtual concerts within online game platforms Roblox and Fortnite, attracting millions of viewers worldwide. As the metaverse becomes a part of popular culture, virtual concerts and sporting events can provide artists and athletes with a new platform to interact with fans on a global scale. Similarly, game play will also continue to evolve with opportunities for interconnectivity among different metaverse platforms.
Sports and entertainment memorabilia and collectibles in both the traditional form and virtual form will also find growing adoption in the metaverse, in the form of conventional NFTs or NFTs with real-world components. For example, the NFL has created virtual commemorative NFT tickets for its games. Other leagues and events have sold NFTs that provide access to realworld experiences and perks. The metaverse has also spawned interest in sports memorabilia and collectibles that exist solely in the virtual world. ZED RUN, for instance, combines NFTs, cryptocurrency and blockchain technology to create digital horse racing, allowing its users to buy, trade, breed and race their digital horses.
EDUCATION Until a few years ago, distance learning was viewed as a viable yet occasional means of attaining a postsecondary degree. During the pandemic, that changed, with interactive distance learning being put into action for many students from primary school to universities. The COVID-19 era has opened the gates to this form of learning, with its potential to create learning experiences that are rich and meaningful.
Virtual classrooms are only the beginning of what may evolve into an educational experience that allows educators and students together to visit, for example, archaeological ruins, the surface of a planet in our solar system, or the DNA of person. Educators will also be able to incorporate aspects of the metaverse into class projects. For example, using Roblox's "learn and
explore" experiences, students can build virtual theme parks to demonstrate their knowledge of angles and math concepts. As the metaverse expands and develops, so too will the ways in which educators and students can talk, learn, plan and exist together in a virtual environment.
LAW IN THE METAVERSE Much of the application of existing laws, as well as potential creation of new laws, in the metaverse remains unknown. In some cases, existing legal schemes may clearly apply. In other cases, existing laws make an awkward fit, and courts may be tasked with novel issues of application to new technology. In still other cases, existing laws may prove insufficient to address problematic conduct, which might trigger passage of new laws and regulation. The scope of all laws and regulations that can or might be implicated in a metaverse is practically unbounded and might generate innumerable legal issues.
INTELLECTUAL PROPERTY Intellectual property disputes will almost certainly feature prominently among these legal issues and, indeed, metaverse and other Web 3.0 projects have already seen a number of intellectual property disputes arise. In June 2021, record label Roc-A-Fella sued one of its co-founders, Damon Dash, seeking to enjoin him from auctioning a NFT of the cover of the Jay-Z album Reasonable Doubt. Roc-A-Fella claims it owns the copyright in the album cover and that Dash has no rights to sell the album cover as an NFT.
In another example, back in 2018, several well-known figures and celebrities filed lawsuits against Fortnite developer Epic Games, alleging that the game implemented each plaintiff's trademarked dance moves without permission. Tracking and pursuing intellectual property enforcement in the virtual world has generally proved to be a difficult game of whack-a-mole, and we can expect similar challenges in the metaverse.
The creation of new types of digital assets, such as digital collectibles documented via NFT, has already raised novel intellectual property issues, among them the scope of the right to use the content held by the NFT owner. NFT creators and content licensors are developing a number of different licensing models. For example, the holder of an NBA Top Shot Moment NFT receives a limited license to use, copy and display the underlying content for personal, noncommercial use.
40
WWW.DLAPIPER.COM
Use and exploitation of previously licensed or acquired intellectual property rights in the metaverse raise novel questions for licensees and acquirors around the breadth and scope of rights they have obtained under agreements that may have long predated the Internet, much less the metaverse. These important issues around the scope of rights licensed or granted many of which have previously led to disputes between parties with the advents of new content exploitation methods over the past decades (eg, CDs, DVDs, digital copies, streaming) have and will arise in the context of the metaverse and may pose new legal questions and challenges which are unique due to the way the metaverse operates.
While the scope of intellectual property protection in the metaverse is not clear, the new NFT market has already seen a number of intellectual property disputes. The possibility of disputes in the metaverse is even greater. Companies and developers need to carefully consider whether they have the necessary intellectual property rights for the proposed use within a metaverse, and traditional approaches on enforcement of intellectual rights may be revisited or significantly challenged, as we have seen in recent years with intellectual property incorporated into usergenerated content.
REGULATION OF VIRTUAL ASSETS Virtual assets in the metaverse, such as NFTs, may be subject to traditional financial regulatory regimes such as securities, banking, money transmission, and commodities laws. The manner in which some blockchain-based assets are developed and sold might render them "investment contracts" and, thus, subject to securities laws. Application of securities laws would trigger a complex set of regulations on sales, trading and other activities.
The metaverse will undoubtedly use cryptocurrencies and tokens, which may be subject to these regulatory regimes. The SEC is already struggling with the appropriate application of securities laws to cryptocurrencies and tokens, and one SEC commissioner recently stated that securities laws might apply to certain NFT projects, particularly NFT projects that offer fractionalization or entitle the holder to a revenue stream. In addition to securities laws, the issuance, trading, exchange, lending and other activities concerning in-world currencies may trigger certain regulatory regimes for example, those concerning banking, money transmission and other financial activities.
TAX Similarly, when such assets are purchased and sold, they may be subject to various taxes, including income and sales taxes. The US Internal Revenue Service (IRS) has issued guidance clarifying that cryptocurrencies constitute property, the profit from which is taxable. NFTs are understood to receive similar treatment. Indeed, the IRS has already issued myriad subpoenas to cryptocurrency exchanges seeking information that could lead to the identification and collection of income taxes, and it would not be surprising to see taxing authorities targeting metaverse projects in similar fashion.
Whether NFT and other metaverse asset sales are subject to state sales tax presents another open issue. While many states have guidance on sales tax as applied to digital assets, to date no state has issued guidance specifically on whether sales tax applies to NFTs.
REGULATION OF CONDUCT IN THE METAVERSE Another major issue concerns the legal limits of conduct in a metaverse and who will police them. Roblox recently filed a lawsuit against content creator Benjamin Robert Simon, alleging that Simon has been engaging in a variety of harassing behavior against other users in violation of the Roblox terms of service, as well as federal and state computer fraud and abuse statutes. A beta tester of Facebook's VR platform Horizon World recently made allegations that she had been virtually groped in a virtual Horizon World meeting space called the Plaza. Facebook has thus far responded by noting that users can block each other, but did not address the potential legal consequences of such actions, which may require novel application of laws designed to address misconduct in the physical world.
On this front, many metaverse projects have terms of service that purport to govern user conduct contractually, allowing remedies for violation such as banning from the platform and confiscation of inworld assets. For example, the virtual worlds Fortnite and Roblox both require users to accept terms of service before entering the game. These terms typically address an array of conduct, from restriction of various behaviors to measures taken to achieve platform security to methods for dispute resolution. The enforceability of such contractual provisions may raise novel issues, particularly with respect to enforceability between users and for individuals who purchase in-world assets outside of the metaverse who may not have viewed or agreed to such terms of service.
41
EXCHANGE INTERNATIONAL JUNE 2022
GAMBLING AND LOTTERY LAWS Gambling and lottery laws, which typically regulate certain activities concerning games of chance with prize awards, may also be implicated in metaverse projects that feature chance-based opportunities to win prizes. For example, some metaverse games feature "loot boxes," virtual unopened treasure chests that users can discover or purchase and open to receive a randomized selection of various virtual assets. The regulation of loot boxes as a form of gambling has already triggered scrutiny in several jurisdictions.
PRIVACY AND CYBERSECURITY Two other emerging issues concerning metaverse projects involve privacy and cybersecurity. Privacy impacts activities concerning personal data, including processing activities such as the collection, use, and transmission of personal data. Metaverse projects may collect a variety of personal data from users, which can range from basic identifying information, to information about movement and activities in the metaverse.
To address these, metaverse creators should consider implementing privacy policies and internal compliance programs. That said, the application of existing privacy laws to the metaverse poses new issues. This challenge will only grow as more jurisdictions continue to pass new comprehensive privacy laws for example, California, Virginia and Colorado's laws.
STRATEGIES FOR METAVERSE PROJECTS The opportunities in the metaverse are new and are likely to evolve over time as the technology evolves. Creators building metaverse projects should consider at least the following.
BE PREPARED TO EXPERIMENT WITH DIFFERENT STRATEGIES AND METAVERSE PLATFORMS Metaverse technology is new and evolving. The companies building metaverse platforms are taking different approaches, including different functions that may evolve over time. Some existing and future metaverse platforms may fail over time, and a company should be prepared for this risk. Companies should thus be prepared to experiment with multiple metaverse platforms as well as different strategies, adjusting the strategy as needed.
CONSIDER THE CONSUMER EXPERIENCE A metaverse strategy should consider the desired consumer experience and the cost to the consumer of hardware or other technology needed to access the metaverse platform. For example, the current cost of VR headsets is still relatively high and may limit mass consumer adoption of metaverse platforms requiring such headsets. The metaverse strategy should also be coordinated with other components of the company's digital strategy such as the use of NFTs, social media and communication channels (eg, Discord or Telegram) as well as with real-world events.
Cybersecurity also presents unique issues in the metaverse. Cybersecurity relates to how a company protects itself from an attack by a third party that could impact data, whether personal or not, as well as information systems. There are a number of emerging issues regarding cybersecurity, including new guidance regarding disclosure and controls.
Both privacy and cybersecurity have legal implications, as well as other implications, including under governance.
As mentioned above, these are just a few of the many legal areas that may be triggered by metaverse projects. Others may include sanctions and export control laws, employment laws, criminal laws, and many others. Furthermore, metaverse projects are generally global, allowing use and interaction by participants across the world. Companies using the metaverse must consider the risk of complying with the laws and regulations in multiple jurisdictions.
ENSURE THAT THE COMPANY HAS THE NECESSARY INTELLECTUAL PROPERTY RIGHTS FOR ITS EXISTING CONTENT Companies will probably wish to use existing content to implement their metaverse strategies, but they should be sure that they have the necessary rights to use any content developed by third parties. For example, the rights to music in television advertisements are generally licensed for use solely in a single commercial. Indeed, disputes have already arisen in the NFT market about the rights to using existing content: Miramax Pictures has sued director Quentin Tarantino over the right to sell copies of scripts and other material relating to the film, Pulp Fiction.
If the rights in the content are owned by third parties, a company creating a virtual experience on a metaverse platform should ensure that its license from the intellectual property owner or licensor is sufficiently broad to cover the development and licensing of the content for virtual experiences on metaverse
42
WWW.DLAPIPER.COM
platforms. Even if the company owns the intellectual property in the content, it may have already licensed the intellectual property rights relevant to metaverse use to third parties.
For example, National Geographic was in litigation for years with its authors over the right of National Geographic to publish a CD-ROM collection of its magazines. Content, such as pictures, videos and music, can involve complex rights that require special expertise to assess the scope of embedded intellectual property and obtain the rights to use it. Videos, for instance, may include copyright-protected moving images, still images, music and background scene features (such as street art), as well as other forms of property such as trademarks and rights of publicity, all of which might need to be cleared for the specific use.
FUTURE-PROOF YOUR STRATEGY The use of the metaverse is likely to continue to expand in importance in the future, and companies should ensure that licenses to third-party content in the future include rights to exploit such content for virtual experiences on metaverse platforms. The company can learn from the experience of the entertainment industry through the technology changes from films to television to videocassette and DVD to streaming. Companies should also protect their brands in the new categories represented by the metaverse by registering their trademarks in the appropriate new classes.
MONITOR METAVERSE PLATFORMS FOR INFRINGEMENT OF IP OWNED BY YOUR COMPANY The metaverse is in its infancy, and many participants are casual about intellectual property rights (and some participants are willing to misappropriate the rights of other parties to make a quick dollar). To give just one example: a digital artist, Mason Rothschild, created "MetaBirkens," which were NFT versions of Hermes' famous Birken bags. Hermes has sent him a cease-and-desist letter. However, at the time of writing, the MetaBirken NFTs are still available on some platforms. As the metaverse provides new opportunities for misappropriation of intellectual property, content owners and licensors should consider the appropriate scope of monitoring such platforms and enforcing their rights.
Conclusion
Mankind is only beginning to arrive at the event horizon of the metaverse. As we delve deeper into the metaverse, organizations and individuals will increasingly embrace its use and incorporate this foundational technology into their real-world existence. As the metaverse evolves and expands, so too will the number of legal and regulatory issues which will arise that legal counsel must help their clients navigate. If the metaverse evolves into the ultimate convergence of technology, content and the human experience as it is expected to anticipating and addressing the legal and regulatory issues the metaverse presents will be critical to its successful adoption by mankind.
This article was originally published in Chambers TMT 2022 on February 22, 2022.
EXCHANGE INTERNATIONAL JUNE 2022
Contact us
For further information, please contact:
AUSTRALIA
Samantha O'Brien Partner +61 7 3246 4122 [email protected]
CHINA HONG KONG
Harris Chan Partner +852 2103 0763 [email protected]
Martin Jamieson Partner +612 9286 8059 [email protected]
Paul Lee Partner +852 2103 0886 [email protected]
AUSTRIA
CZECH REPUBLIC
Jasna Zwitter-Tehovnik Partner +43 1 531 78 1025 [email protected]
Miroslav Dubovsk Country Managing Partner +420 222 817 500 [email protected]
BELGIUM
Pierre Berger Partner +32 (0) 3 287 2828 [email protected]
DENMARK
Martin Christian Kruhl Partner +45 33 34 08 42 [email protected]
44
GERMANY
Dr. Gunne W. Bhr Partner +49 221 277 277 283 [email protected]
WWW.DLAPIPER.COM
LUXEMBOURG
Catherine Pogorzelski Partner +352 26 29 04 20 53 [email protected]
HUNGARY ITALY
Andrs Nemescsi Partner +36 1 510 1180 [email protected]
Agostino Papa Partner +39 06 68 880 513 [email protected]
Vincenzo La Malfa Partner +39 06 68 88 01 [email protected]
Laurent Massinon Partner +352 26 29 04 2021 [email protected]
Xavier Guzman Partner +352 26 29 04 2052 [email protected]
MIDDLE EAST
Paul McViety Partner, Head of Islamic Finance +971 4 438 6260 [email protected]
Paul Latto Partner +966 11 201 8900 [email protected]
45
EXCHANGE INTERNATIONAL JUNE 2022
MOROCCO
Fabrice Armand Partner +33 1 40 15 24 43 [email protected]
SWEDEN
Alf-Peter Svensson Partner +46 8 701 78 00 [email protected]
NETHERLANDS
Paul Hopman Partner +31 20 541 9952 [email protected]
UK
Michael McKee Partner +44 20 7153 7468 [email protected]
NORWAY
Camilla Wollan Partner +47 2413 1659 [email protected]
PORTUGAL
Joo Costa Quinta Partner +351 21 358 36 20 [email protected]
ROMANIA
Andreea Badea Managing Associate +40 372 155 827 [email protected]
Tony Katz Partner +44 20 7153 7835 [email protected]
Sam Millar Partner +44 20 7153 7714 [email protected]
Sophie Lessar Partner +44 20 7796 6187 [email protected]
SLOVAKIA
Eva Skottke Legal Director +421 2 592 021 11 [email protected]
46
US Sidney Burke Partner +1 212 335 4509 [email protected]
John Reiss Partner +1 212 335 4680 [email protected]
Jeffrey Hare Partner +1 202 799 4375 [email protected]
Bradley Phipps Associate +1 215 656 2472 [email protected]
WWW.DLAPIPER.COM
Christopher Steelman Partner +1 202 799 4366 [email protected]
Deborah Meshulam Partner +1 202 799 4511 [email protected]
Isabelle Ord Partner +1 415 836 2536 [email protected]
Mary Dunbar Partner +1 202 799 4255 [email protected]
47
EXCHANGE INTERNATIONAL JUNE 2022 48
WWW.DLAPIPER.COM
Financial services team
DLA Piper's Financial Services team offers dedicated legal know-how and practical advice on a wide range of contentious and advisory issues. The team can assist clients on contentious legal matters including internal and regulatory investigations, enforcement actions and court proceedings in the financial services sector. We also have an experienced advisory practice which gives practical advice on all aspects of financial regulation, including the need for authorization, regulatory capital, preparation for supervision and thematic visits, conduct of business issues and financial promotions.
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper UK LLP and DLA Piper SCOTLAND LLP will accept no responsibility for any actions taken or not taken on the basis of this publication.
Please note that neither DLA Piper UK LLP or DLA Piper SCOTLAND LLP nor the sender accepts any responsibility for viruses and it is your responsibility to scan or otherwise check this email and any attachments.
IMPORTANT NOTE TO RECIPIENTS: We may supply your personal data to other members of the DLA Piper international legal practice (which may be situated outside the European Economic Area (EEA) so that we or they may contact you with information about legal services and events offered by us or them subject to your consent.
It is our policy not to pass any of your personal data outside of the DLA Piper international legal practice or use your personal data for any purposes other than those indicated above.
DLA Piper UK LLP is a limited liability partnership registered in England and Wales (registered number OC307848) which provides services from offices in England, Belgium, Germany, France, and the People's Republic of China. A list of members is open for inspection at its registered office and principal place of business, 160 Aldersgate Street, London, EC1A 4HT. DLA Piper Scotland is a limited liability partnership registered in Scotland (registered number SO300365) which provides services from offices in Scotland. A list of members is open for inspection at its registered office and principal place of business, Rutland Square, Edinburgh, EH1 2AA.
If you no longer wish to receive information from DLA Piper UK LLP and/or any of the DLA Piper members, please contact [email protected].
The email is from DLA Piper UK LLP and DLA Piper SCOTLAND LLP.
Partner denotes member of a limited liability partnership.
DLA Piper UK LLP is a law firm regulated by the Solicitors Regulation Authority. DLA Piper SCOTLAND LLP is a law firm regulated by the Law Society of Scotland. Both are part of DLA Piper, an international legal practice, the members of which are separate and distinct legal entities.
49
DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at dlapiper.com. This publication is intended as a general overview and discussion of the subjects dealt with, and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication. This may qualify as "Lawyer Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome. Copyright 2022 DLA Piper. All rights reserved. | Jul22 | A14416-2
