Entities registered with the North American Electric Reliability Corporation (NERC) to comply with mandatory electric reliability standards (Reliability Standards) or face civil penalties should take note of an order issued by the Federal Energy Regulatory Commission (FERC) on January 23, 2020 in Docket No. RR19-7-000 (January 23 Order). In the January 23 Order, FERC, which oversees NERC in its role as the Electric Reliability Organization (ERO), ordered NERC to revise and refine its “NERC Sanctions Guidelines” that it uses to assess such penalties NERC must submit a compliance filing no later than July 21, 2020, proposing amendments to its NERC Rules of Procedure to amend the Sanctions Guidelines consistent with FERC’s directives.
NERC and it Regional Entities have assessed hundreds of penalties every year since the late 2000s when NERC (subject to FERC review) gained enforcement authority over Reliability Standards violations. And, the stakes are potentially high with recent cases including several multi-million dollar fines. From a policy perspective, the importance of NERC penalties has grown with the recent focus of these regulators on cyber-security of the grid and as the NERC “Critical Infrastructure Protection” (CIP) program has matured greatly. Preventing or mitigating the hacking of the grid is a major focus of both NERC and FERC.
In the July 23 Order, FERC accepted NERC’s “Five-Year Performance Assessment” and found that NERC continues to satisfy the statutory and regulatory requirements for certification as the ERO. Yet, according to the January 23 Order, the NERC Sanction Guidelines (which are now 14 years old) may not have kept pace with the growth of the overall NERC program. FERC noted that, while it still agrees the guidelines are not to be used as a straightjacket to setting penalties, the thrust of the order is that NERC must add more specificity in how it gets from a fact pattern to a penalty number. FERC directed NERC “to provide more transparency in th[e] guidelines as to how NERC and the Regional Entities apply the Base Penalty, Adjustment Factors and Non-Monetary Sanctions, and to submit for Commission review any ‘tools or formulae’ used to implement the Sanction Guidelines.” Specifically, NERC is directed to submit a compliance filing revising its Sanction Guidelines to explain how it addresses so-called “aggravating” factors such as:
- Reliability risk
- duration of violations
- size of the entity
- management involvement
- repetitive violations
- any other factors applied to increase a base penalty amount.
In its compliance filing, NERC also has to address how it applies factors that might reduce the penalty, such as:
- admission of a violation
- internal compliance programs
- any other credits used to decrease the base penalty amount.
Additionally, NERC must address whether and/or how non-monetary sanctions will be considered in reaching the final penalty amount; how to deal with multiple subsidiaries of a parent corporation that commit the same violations; how to calculate a single penalty for multiple violations by a single entity; and how NERC and the Regional Entities consider the violator’s financial ability to pay the penalty.
Although these sorts of factors have generally, and for years, been embraced by the existing Sanctions Guidelines, what has been missing up to now is any sort of explanation in NERC’s penalty cases as to how the various factors resulted in the actual penalty. Moreover, NERC has never explained in general guidance, in any detailed way, how these factors weigh in the determinations. This has left registered entities (and perhaps FERC itself – which must review and approve these penalties) somewhat mystified as to how various penalties in seemingly similar cases came out in seemingly different ways. Notably, the factors outlined above bear a striking similarity to the factors outlined in FERC’s own Penalty Guidelines through which FERC assesses penalties in its own enforcement cases. Indeed, this order may be the result of a judgment by FERC that NERC’s approach should more closely resemble the more formulaic approach used by FERC in assessing civil penalties.
As NERC proceeds with stakeholder processes to develop these new guidelines, registered entities should weigh in through their regular channels into NERC processes. And, when the process comes back to FERC for review in July of 2020, registered entities should monitor and consider participating in the docket and watch closely the developments thereafter. The outcome has the potential to affect NERC enforcement for years to come.
Other “areas for improvement” to be addressed in a separate compliance filing due no later than April 22, 2020 include: 1) information about whether and the extent to which NERC conducted audits of its Regional Entities during the five-year assessment period; 2) NERC’s process for developing and evaluating the success of guidance documents; 3) an explanation of NERC’s relationship with the Electric Information Sharing and Analysis Center (E-ISAC) and the use of E-ISAC metrics.