Covington Releases Investigations Manual for House and Senate Chiefs of Staff

Today Covington released an updated version of its manual for Chiefs of Staff to Members of Congress concerning best practices for responding to government investigations of Members and their staff.  Titled “A How-To Guide for Chiefs of Staff,” the manual describes how government investigations of Members and staff unfold and the steps that Chiefs of Staff need to take during the initial stages of any investigation.

Brexit – The Consequences

With the Covid news from the UK (good – vaccine rollout; and bad – high cases and deaths), the impact of the Brexit Deal has been masked. This note summarises some of the most noticeable of those impacts.

Red Tape & Border Delays

Cross-Channel trade was slower than normal in the first two weeks of January, due to pre-Brext stockpiling. As those stockpiles unwind, the consequences of the new customs arrangements will become clear.

Pressures on the new customs system are exacerbated by a number of factors:

  • A shortage of trained customs agents.
  • New and complicated bureaucratic processes (the FT estimates that there will be 215 million new customs declarations per year).
  • Companies lack the correct data and paperwork needed for new export protocols.
  • New sanitary and phytosanitary certification requirements for food products (including for Northern Ireland).
  • Limited availability of vets for pre-departure and arrival certification of animals and veterinary goods.
  • Increased Covid tests by French Customs officials on lorry drivers arriving from the UK.
  • A change in UK VAT rules (foreign mail-order sellers must register UK VAT for all items sold to UK customers; collect the tax;and pay the money to HMRC (who are now checking more than 1,000,000 parcels a day for VAT compliance).

The post-Brexit system has disrupted freight movements and the circular movement of trucks and lorries. Mixed loads (where goods from different companies for different customers are grouped together on one lorry) are particularly impacted. Irish companies are using direct sea routes for export to the EU, rather than crossing the UK (Stena’s newest ferry, originally intended for the Belfast-GB run has been sent to Ireland instead; cargo traffic is six times higher on the Rosslare-Cherbourg route; 26 % lower on the Belfast-Liverpool route; 70 % down on the Dublin-Holyhead route; and freight rates across the English Channel are 39% above the third quarter average price).

Despite the three month ‘grace period’ for export health certificcates, the impact of the new system can be seen in empty fresh fruit, vegetables and chilled meat shelves in N Ireland. Asda, Iceland, Fortnum & Mason, Ocado, M & S, Sainsbury, Tesco and John Lewis have reported problems with their supply chains.  A number of other companies are no longer exporting to the UK or to the EU or have split their supply chains, treating the UK and EU as separate markets. Debenhams, for example, has suspended deliveries to Ireland.

Scottish seafood exporters are finding they can no longer export to the EU. Prices of some Scottish seafood are down between 40% – 80% since the fish cannot be transported to the EU market before rotting.  DFDS has stopped taking consignments of Scottish fish. A number of Scottish fishing boats are now landing their produce direct in Denmark – an arduous two day voyage – to avoid customs delays in UK ports.

N Ireland businesses may face tariffs on steel imports due to an oversight which omitted N Ireland from quota provisions when rolling over EU steel safeguards.

Parcel deliveries between the UK and the EU require additional customs information. DPD has suspended parcel deliveries to the EU (including Ireland). EU-based parcel couriers have warned ofdelays and increased costs linked with deliveries to the UK.

Continue Reading

The Byrd Rule and Its Impact on Reconciliation

Reconciliation is a process under the Congressional Budget Act of 1974 (CBA) that allows Congress to implement budget priorities affecting direct spending, revenues, and the debt limit using expedited procedures.  The principal benefit to using reconciliation is that a reconciliation bill cannot be filibustered in the Senate.  As a result, it takes only a simple majority to pass a reconciliation bill in the Senate, rather than the 60 votes needed to overcome a filibuster.

With the Senate evenly divided between Democrats and Republicans in the 117th Congress, it would take at least 10 Republicans joining all 50 Democrats to obtain the 60 votes necessary to break a filibuster.  This level of Republican support may be difficult to achieve.  Under reconciliation, however, only a simple majority of 51 votes is necessary.  In other words, Democrats would have the ability to pass a reconciliation bill with as few as one Republican supporting the effort.  Moreover, even if there is no Republican support, incoming Vice President Harris could vote with Senate Democrats to break a 50-50 tie.

The Byrd Rule

There are specific content restrictions on what can be included in reconciliation legislation.  The “Byrd Rule,” which is codified in section 313 of the CBA, is one example.  Its purpose is to ensure that the reconciliation legislation does not include provisions that are “extraneous” to implementing budgetary goals.

Under the Byrd Rule, a provision is considered to be extraneous if it meets one or more of the following tests:

  • The provision does not produce a change in outlays or revenues (that is, it does not “score” in the cost estimate by the Congressional Budget Office);
  • It increases outlays or decreases revenues when the committee reporting the title containing the provision does not achieve its reconciliation instructions;
  • It is outside the jurisdiction of the committee reporting it;
  • It produces a budgetary effect that is “merely incidental” to the non-budgetary components of the provision;
  • It causes an increase in the deficit in any year outside the budget window (usually ten years); or
  • It makes changes to Social Security.

There are various exceptions to the Byrd Rule.  For example, a provision is not “extraneous” if it causes a change in outlays that is equally offset by a change in revenues, even if the net budgetary effect is zero.

Byrd Rule Enforcement

The Byrd rule is not self-enforcing.  A senator must raise a point of order against a provision of a reconciliation bill on the Senate floor for the Byrd Rule to be invoked.  Following the debate on the point of order, the presiding officer rules on whether the provision subject to the point of order violates the Byrd Rule.  If the point of order is sustained, the offending provision is stricken, and consideration of the bill continues.

It should be noted that the Byrd Rule may be waived, or the ruling of the presiding officer be overturned, with 60 votes.  A motion to waive the Byrd Rule can be made before a point of order is raised.

The presiding officer historically has followed the guidance of the non-partisan Senate Parliamentarian on procedural matters, including questions on the Byrd Rule.  Before a reconciliation bill is considered on the Senate floor, the Parliamentarian reviews the bill in a process referred to as a “Byrd Bath” and issues guidance on Byrd Rule violations.  The Senate majority usually modifies the legislation in response to the Parliamentarian’s guidance, either striking provisions that are deemed to violate the Byrd Rule (sometimes referred to as “Byrd Droppings”) or amending them in an attempt to make them compliant.

The Senate Parliamentarian develops her guidance after consulting with the Congressional Budget Office (CBO).  CBO estimates the costs of each provision in a reconciliation bill. CBO estimates are in practice always adopted by the Senate Budget Committee Chair.  The costs are stated in terms of the change in federal outlays and revenues under current law if proposed legislation were enacted and fully implemented.  CBO scores typically include 5-year and 10-year estimates.

The Byrd Rule has had a significant impact on the reconciliation process.  According to a recent Congressional Research Service Report,

In total, 72 points of order were raised and disposed of under the Byrd rule. Points of order were generally raised successfully; 62 were sustained (in whole or in part), enabling Senators to strike extraneous matter from the legislation in 23 cases and to bar the consideration of extraneous amendments in 39 cases

A total of 59 motions to waive the Byrd rule, to permit the inclusion of extraneous matter, were offered and disposed of by the Senate. Waiver motions were generally not offered successfully; nine were approved and 50 were rejected.

But these statistics do not tell the whole story.  They do not take into account the deterrent effect of the rule—that is, they do not count the number of times that the Byrd Rule causes a committee not to include language in a reconciliation bill, or a senator not to offer a floor amendment, or the House not to include a provision in its reconciliation legislation, or a House-originated provision not to be included in a conference report.

The Byrd Rule in Practice

As Senate majorities often try to fit as much of their agenda as possible in reconciliation bills, the Byrd Rule is most frequently invoked to determine whether the budgetary effect of a provision is “merely incidental” to the policy objective.  This is a subjective analysis under which the Senate Parliamentarian reviews each provision on a case-by-case basis, first reviewing the provision for any non-budgetary components, then weighing that against the budgetary components to determine if the latter are “merely incidental” to the former.  The purpose of this test is to prohibit provisions in which policy changes overwhelm deficit changes.

Another frequent Byrd Rule point of order is that the provision does not produce a change in outlays or revenues.  Often, a provision that otherwise has a budgetary impact may include “terms and conditions” that do not have a budgetary impact, such as language prescribing how outlays are made or revenues are collected.  The Senate Parliamentarian will determine whether the “terms and conditions” are necessary to achieving the budgetary change.

Senate majorities spend significant effort drafting reconciliation legislation that accomplishes policy goals and complies with the Byrd Rule, and the Byrd Rule restriction often affects how reconciliation measures are structured.  For instance, the requirement that provisions of a reconciliation bill that increase the deficit in any year must fall within the budget window has caused reconciliation tax bills to sunset in the last year of the budget window.

The Week Ahead in the European Parliament – Friday, January 15, 2021

Next week will be plenary week in the European Parliament.  Members of the European Parliament (“MEPs”) will gather virtually and in person in Brussels.  Several interesting votes and debates are scheduled to take place.

On Monday, MEPs will debate and vote (Tuesday) on a report on strengthening the EU’s capabilities to enforce its rights under international trade agreements and within WTO context.  The report details the Parliament’s legislative position regarding the revision of Regulation (EU) 654/2014 that was proposed by the European Commission on December 12, 2020, the day after the WTO’s appellate body ceased to function.  Without judicial redress, the EU considers it vital to consolidate its credibility and deterrence by strengthening its capabilities to enforce its trade rights.  In her report, Rapporteur MEP Marie-Pierre Vedrenne (RE, FR) considers that the amendments to the Regulation should allow for trade policy measures in the field of services and intellectual property rights.  Furthermore, the process by which such measures would be adopted would be streamlined.  Also, the review of any revision should be brought forward.  The draft report is available here.

On Tuesday, MEPs will debate and likely adopt a resolution on the global dimension of the EU’s strategy on COVID-19 vaccines.  In the European Commission’s EU Strategy for COVID-19 vaccines, the Commission stated that it is committed to the principle of “universal, equitable and affordable access to vaccines, especially for the most vulnerable countries.”  However, some Member States argue that the EU has not helped as much as it could.  On January 6, 2021, 13 Member States sent a joint letter to the European Commission asking that it step up its assistance to the Eastern Partnership countries to facilitate access to the vaccine.  Vaccine distribution within the EU is not flawless either.  On January 11, 2021, Cyprus requested Israel for additional vaccine shots, who has been making headwinds with large-scale vaccination.  We furthermore expect that MEPs will reiterate their demands for greater clarity and transparency regarding the vaccine contracts and authorization process.

On Wednesday, the MEPs will have a debate in the context of the inauguration of Joe Biden as new President of the United States and the current political situation.  MEPs are expected to welcome the new Biden administration and call for a renewal of the transatlantic relationship.  On December 2, 2020, the European Commission put out a new forward-looking transatlantic agenda for global cooperation based on common values, interests and global influence.  The agenda lists many issues on which the EU and U.S. could work together, ranging from trade, technology, digital governance, and addressing climate change.  However, the recently agreed-in-principle Comprehensive Agreement on Investment (“CAI”) between the EU and China may become a divisive matter between the EU and the U.S.  Yet, the CAI’s political fate is not clear, as it faces an uphill battle in the European Parliament and also needs to be approved by the Member States.  The Commission’s new transatlantic agenda for global change is available here.  A press release regarding the CAI is available here.

For the complete agenda and overview of the meetings, please see here.

Key Changes to House Rules for the 117th Congress

On January 4, 2021, the narrowed Democratic majority in the House of Representatives passed, in a party-line vote, a set of rules governing the House for the 117th Congress.  While the House, unlike the Senate, has to approve its rules every Congress, the rules stay generally consistent from Congress-to-Congress, with more significant amendments often coming with changed majorities.  While Democrats maintain the majority this Congress, the rules package contains some relatively meaningful changes .  The revisions include a broad exemption to the pay-as-you-go (“PAYGO”) budgetary rules, less restrictive reconciliation authority, and a narrowed ability for the Republican minority to offer motions to recommit.

PAYGO Waivers

House PAYGO rules require that measures decreasing revenue or increasing mandatory spending be offset by cuts to spending or increases in revenue, that is, tax increases.  The rules for the 117th Congress give the House Budget Committee chair authority to waive PAYGO for measures responding to the COVID-19 pandemic or climate change.  The statutory PAYGO scheme is unaffected.  Even before the amendment to the House PAYGO rules, they could be waived by a House vote; contained several key exemptions, including for emergency spending; and did not apply to discretionary spending.  These exceptions to PAYGO in the House remain, and the added exemptions to the PAYGO rule simplify House consideration of  measures related to COVID-19 and climate change.

Reconciliation Flexibility

The Congressional Budget Act of 1974 sets out the “reconciliation” process, which provides for expedited procedures for consideration of certain measures affecting revenue or spending.  The benefit of reconciliation is in the Senate, where reconciliation measures cannot be filibustered, essentially reducing the threshold for passage from 60 votes to a simple majority.

House rules previously dictated that budget resolutions could not cause an increase net mandatory spending over the ten-year budget window.  The new rules allow budget resolutions to increase overall mandatory spending as long as the increased spending is offset with tax increases.

With the Democrats holding the Senate majority only by the future tie-breaking vote of the incoming vice president, reconciliation is expected to have a significant role this Congress.  Although the House rules change may increase flexibility for House consideration of reconciliation measures, those measures in the Senate are subject to the Byrd Rule, which, among other things, prohibits budget resolutions from increasing the deficit in fiscal years not covered by the resolution. 

Narrowed Motion to Recommit

The motion to recommit allows a member opposed to a bill to offer a motion before a vote on final passage to send the bill back to committee.  Since the 111th Congress, there have been two options for motions to recommit: a motion instructing a committee to report the bill forthwith with specified changes (essentially an immediate amendment) and a motion without instructions sending the bill back to committee (essentially forestalling the vote on final passage).  The motion to recommit is one of the few procedural tools available to the House minority, which usually uses the motion to force the majority to take politically difficult votes.  The new rules allow only motions to recommit without instructions, which essentially turns it into another up-or-down vote on passage.

House Operations

The rules extend the authorization for proxy voting on the House floor and remote committee proceedings in light of the continuing COVID-19 pandemic.  The new rules also add to procedural prerequisites for measures to be considered on the House floor, including by requiring that most bills considered under a rule have a hearing and markup first.

AI Update: The Council of Europe Publishes Feasibility Study on Developing a Legal Instrument for Ethical AI

On 17 December 2020, the Council of Europe’s* Ad hoc Committee on Artificial Intelligence (CAHAI) published a Feasibility Study (the “Study”) on Artificial Intelligence (AI) legal standards. The Study examines the feasibility and potential elements of a legal framework for the development and deployment of AI, based on the Council of Europe’s human rights standards. Its main conclusion is that current regulations do not suffice in creating the necessary legal certainty, trust, and level playing field needed to guide the development of AI. Accordingly, it proposes the development of a new legal framework for AI consisting of both binding and non-binding Council of Europe instruments.

The Study recognizes the major opportunities of AI systems to promote societal development and human rights. Alongside these opportunities, it also identifies the risks that AI could endanger rights protected by the European Convention on Human Rights (ECHR), as well as democracy and the rule of law. Examples of the risks to human rights cited in the Study include AI systems that undermine the right to equality and non-discrimination by perpetuating biases and stereotypes (e.g., in employment), and AI-driven surveillance and tracking applications that jeopardise individuals’ right to freedom of assembly and expression.

A wide range of legislative instruments applicable to AI are considered by the Study, including: (1) international legal instruments, such as the ECHR and EU Charter of Fundamental Rights; (2) AI ethics guidelines, including ones developed by private companies and public-sector organisations; and (3) national AI instruments and strategies. After weighing the advantages and disadvantages of these measures, the Study concludes that no international legal instrument specifically tailored to the challenges posed by AI systems exists, and that there are gaps in the current level of human rights protections. Such gaps include (amongst other factors) the need to ensure:

  • sufficient human control and oversight;
  • the technical robustness of AI applications; and
  • effective transparency and explainability.

To respond to the human rights challenges presented by AI, the Study sets out the principles, rights, and obligations that could act as the main elements of a future legal framework. The proposed framework seeks to translate existing human rights to the context of AI by specifying more concretely what falls under a broader human right; how it could be invoked by those subjected to AI systems; and the requirements that AI developers and deployers should meet to protect such right. The Study identifies nine principles that are essential to respect human rights in the context of AI:

  • Human Dignity: AI deployers should inform individuals that they are interacting with an AI system whenever confusion may arise, and individuals should be granted the right to refuse interaction with an AI system whenever this can adversely impact human dignity.
  • Prevention of Harm to Human Rights, Democracy, and the Rule of Law: AI systems should be developed and used in a sustainable manner, and AI developers and deployers should take adequate measures to minimise any physical or mental harm to individuals, society and the environment.
  • Human Freedom and Human Autonomy: Individuals should have the right to effectively contest and challenge decisions informed or made by an AI system and the right to decide freely to be excluded from AI-enabled manipulation, individualised profiling, and predictions.
  • Non-Discrimination, Gender Equality, Fairness and Diversity: Member States should impose requirements to effectively counter the potential discriminatory effects of AI systems deployed by both the public and private sectors, and to protect individuals from their negative consequences.
  • Principle of Transparency and Explainability of AI Systems: Individuals should have the right to a meaningful explanation of how an AI system functions, what optimisation logic it follows, what type of data it uses, and how it affects one’s interests, whenever it generates legal effects or has similar impacts on individuals’ lives. The explanation should be tailored to the particular context, and should be provided in a manner that is useful and comprehensible for an individual.
  • Data Protection and the Right to Privacy: Member States should take particular measures to effectively protect individuals from AI-driven surveillance, including remote biometric recognition technology and AI-enabled tracking technology, as this is not compatible with the Council of Europe’s standards on human rights, democracy and the rule of law.
  • Accountability and Responsibility: Developers and deployers of AI should identify, document, and report on potential negative impacts of AI systems on human rights, democracy and the rule of law, and put in place adequate mitigation measures to ensure responsibility and accountability for any harm caused. Member States should ensure that public authorities are able to audit AI systems, including those used by private actors.
  • Democracy: Member States should take adequate measures to counter the use or misuse of AI systems for unlawful interference in electoral processes, for personalised political targeting without adequate transparency mechanisms, and more generally for shaping voters’ political behaviours and manipulating public opinion.
  • Rule of Law: Member States should ensure that AI systems used in justice and law enforcement are in line with the essential requirements of the right to a fair trial. They should pay due regard to the need to ensure the quality, explainability, and security of judicial decisions and data, as well as the transparency, impartiality, and fairness of data processing methods.

The Study recommends that the Council of Europe establish a binding legal instrument (such as a convention) establishing the main principles for AI systems, which would provide the basis for relevant national legislation. It also suggests that the Council of Europe develop further binding or non-binding sectoral instruments with detailed requirements that address specific sectoral challenges of AI. The Study recommends that the proposed legal framework should pursue a risk-based approach by targeting specific AI application contexts, and acknowledging that not all AI systems pose an equally high level of risk.

Next Steps

The Study was adopted by CAHAI during its plenary meeting in December 2020. Next, it will be presented to the Committee of Ministers of the Council of Europe, who may instruct CAHAI to begin developing the specific elements of a legal framework for AI. This could include a binding legal instrument, as well as non-binding and sectoral instruments.

CAHAI’s work joins similar international initiatives looking to provide guidance and build a global consensus on the development and regulation of AI, including the OECD member states’ recent adoption of OECD Principles on AI — the first international AI standards agreed on by governments — and the establishment of the Global Partnership on Artificial Intelligence (GPAI) in June 2019. We anticipate further developments in this area in 2021, including the European Commission’s forthcoming proposals for AI legislation.

In particular, the principles and recommendations for further action set out in the Study share similar themes with ongoing EU initiatives on AI regulation, including the EU High-Level Working Group’s Ethics Guidelines for Trustworthy AI and the European Commission’s White Paper on AI. Like the Council of Europe’s Study, these initiatives propose a risk-based approach to regulating AI, centred on upholding fundamental human rights like non-discrimination, and ensuring that AI applications are developed and deployed in a trustworthy, transparent, and explainable manner

Stay tuned for further updates.

* The Council of Europe is an international organization that is distinct from the European Union.  Founded in 1949, the Council of Europe has a mandate to promote and safeguard the human rights enshrined in the European Convention on Human Rights. The organization brings together 47 countries, including all of the 27 EU member states.  Recommendations issued by the Council of Europe are not binding, but EU institutions often build on Council of Europe standards when drawing up legislation.

Governing Under an Equally Divided Senate

After the election of two Democratic Senate candidates in the Georgia runoff elections on January 5, 2021, the Senate this year will be equally divided between 50 Democratic Senators (and those caucusing with them) and 50 Republican Senators. Governing in an equally divided Senate presents several challenges regarding the internal rules of the Senate, the makeup and control of committees, and the control of Senate business, including both legislation and the consideration and approval of nominations. In a client alert yesterday, we looked at the applicable principles and historical precedents concerning an equally divided Senate, and consider the implications for governing in the coming congressional term.

Cybersecurity and Government Contracting: False Claims Act Considerations

As the recent SolarWinds Orion attack makes clear, cybersecurity will be a focus in the coming years for both governmental and non-governmental entities alike.  In the federal contracting community, it has long been predicted that the government’s increased cybersecurity requirements will eventually lead to a corresponding increase in False Claims Act (FCA) litigation involving cybersecurity compliance.  This prediction may soon be proven true, as a December 2020 speech from Deputy Assistant Attorney General Michael Granston specifically identified “cybersecurity related fraud” as an “area where we could see enhanced False Claims Act activity.”  This post discusses recent efforts to use the FCA to enforce cybersecurity compliance — and, based on those efforts, what government contractors may expect to see in the future.

In recent years, the government and qui tam plaintiffs have begun using the FCA to pursue alleged noncompliance with cybersecurity regulations, and some of these efforts have gained traction.  For instance, in May 2019, a federal district court in California declined to dismiss a case alleging that a government contractor had falsely asserted its compliance with cybersecurity standards when entering into Department of Defense contracts.  And in July 2019, the Department of Justice announced that another contractor had agreed to pay more than $8 million in connection with resolving a qui tam suit alleging failure to meet federal cybersecurity standards, marking the first settlement based on FCA allegations related to cybersecurity noncompliance.

More recently, however, at least one court rejected the attempt to build an FCA case out of alleged deviations from cybersecurity regulations.  In October 2020, a federal district court in the District of Columbia dismissed a qui tam suit alleging that a contractor had failed to disclose a security vulnerability in the computer systems that it sold to the United States.  United States ex rel. Adams v. Dell Computer Corp., 15-cv-608 (D.D.C. Oct. 8, 2020).The court’s dismissal was based on its conclusion that the whistleblower had failed to show that the noncompliance was “material.”  As the court noted, “the technology policies referenced . . . do not require defect-free products,” and that any applicable security policy could have instead been addressed by “providing the necessary assistance to eliminate or reduce vulnerabilities as they appear.”

Going forward, we expect the FCA’s strict materiality requirement will continue to present a significant  hurdle for plaintiffs in future cases alleging noncompliance with increasingly detailed cybersecurity regulations.  As Mr. Granston’s recent speech portends, however, the federal government and qui tam plaintiffs are poised to bring suits under the FCA predicated on allegations of cybersecurity noncompliance.  While these allegations could take myriad forms, there are two regulatory developments in particular that may provide ammunition to enterprising whistleblowers – and pose FCA risk for unwary contractors.

First, under the NIST 800-171 DoD Assessment Methodology, DoD is now requiring that  contractors complete a pre-award self-assessment (formally known as a “Basic Assessment”) of their compliance with the 110 security controls found in NIST 800-171.  That Basic Assessment results in a numerical score that is provided to the government and a date by which the contractor represents it will be in full compliance with all NIST 800-171 controls.  Following award, the DoD may decide to complete its own Medium Assessment (via a paper review) or High Assessment (via an in-person review) of a contractor’s compliance with the NIST 800-171 security requirements.This assessment process could give rise to disagreements between the contractor and the government over the extent to which the contractor is complying with the NIST 800-171 security controls.  In particular, a large discrepancy between the Basic Assessment’s numerical score and the Medium or High Assessment’s numerical score could lead to allegations that the contractor failed to accurately represent its cybersecurity requirements, thereby raising the specter of FCA risk.

Second, defense contractors will soon be asked to obtain and provide a Cybersecurity Maturity Model Certification (CMMC) from an accredited CMMC Third Party Assessment Organization.  As part of this certification process, contractors will be expected to show their ability to meet the NIST 800-171 security requirements as well as several additional security controls.  Allegations of inconsistencies between the self-assessment of compliance with 800-171 and the third party CMMC assessment, may also draw the attention of would-be qui tam plaintiffs.However, it may prove difficult for the government or qui tam plaintiffs to establish FCA liability based on allegations of cybersecurity noncompliance.  First, and as noted above, FCA liability can only be imposed where the requirement is “material,” meaning that the noncompliance would have a “natural tendency to influence, or be capable of influencing” the government’s decision to pay the contractor.  However, federal contracts often contain cybersecurity requirements among a list of dozens — if not hundreds — of other regulatory obligations.  In many cases it is unlikely that the government’s decision to pay a contractor would depend on  strict compliance with a particular cybersecurity control or set of controls, in which case noncompliance with that control would not be “material.”

Second, FCA liability requires a showing that a noncompliance was “knowing,” meaning that the contractor actually knew they were not in compliance with a requirement, acted with deliberate ignorance, or acted with reckless disregard.  However, many of the cybersecurity requirements are new, and drafted broadly, allowing reasonable differences in technical interpretation. There is substantial case law establishing that a contractor cannot be held liable under the FCA for a reasonable, good-faith reading of unclear regulatory requirements.

Thus, even if the predictions about an uptick in FCA cybersecurity cases come true, there are good reasons for thinking that many such matters will face significant headwinds.  Although all cases are different, the standard defenses in such matters will be fully available, including both substantive defenses like those outlined above, and procedural defenses such as the statute’s Public Disclosure bar.  Nonetheless, the likelihood of an increase in FCA cases underscores the importance of ensuring careful attention to cybersecurity compliance and associated representations.

The Week Ahead in the European Parliament – Friday, January 8, 2021

Next week, Members of the European Parliament (“MEPs”) will gather virtually and in person in Brussels for committee meetings.  Several interesting votes and debates are scheduled to take place.

On Monday, the Committee on International Trade (“INTA”) is the first Committee to debate on the merits of the EU-UK Trade and Cooperation Agreement (“TCA”), which was concluded on December 24, 2020.  The MEPs will exchange views on the free trade aspect of the TCA, which guarantees zero tariffs or quotas on all goods.  However, WTO rules regarding trade defense still apply and either party could impose “rebalancing tariffs” in event of a breach of the TCA.  While it is an ambitious free trade agreement, the TCA imposes many non-tariff barriers on EU-UK trade, and requires, for example, exporters to prove that their products comply with the product standards of the destination market.  To minimize this burden, for a limited number of products, the TCA aligns products standards with international standards to the greatest extent possible.  The TCA has been provisionally applicable since January 1, 2021.  For it to enter into force, the European Parliament and the Council of the EU still need to express their consent.  We expect MEPs will welcome the deal, but criticize the fact that it has been provisionally applied before the Parliament could scrutinize it.  In addition, the negotiators have previously ignored negotiation deadlines set by the European Parliament.  The text of the TCA is available here.

Also on Monday, the Committee on the Internal Market and Consumer Protection (“IMCO”) will debate on the Digital Services Act (“DSA”) and the Digital Markets Act (“DMA”).  The European Commission published proposals for the DSA and DMA on December 15, 2020.  The DSA is a general revision of the e-Commerce Directive 2000/31/EC and is aimed at enhancing online consumer protection and establishing an accountability framework for online services.  For example, the proposal requires “online platforms” to allow user to challenge content removal decisions, but also suspend users that frequently post “manifestly illegal content.”  The DMA, on the other hand, would impose new obligations and restrictions on online service providers that act as “designated gatekeepers,” such as large online retail platforms.  For example, these should compete on equal footing with businesses on their platform, so must refrain from using non-public data generated by businesses and end-consumer on the platform when offering similar goods/services.  Covington has published a blog on the DSA (available here) and on the DMA (available here).

On Tuesday, the Committee on the Environment, Public Health and Food Safety (“ENVI”) will grill Commission Director-General for Health and Food Safety Sandra Gallina.  The Director-General is in charge of negotiating COVID-19 vaccine contracts with the pharmaceutical industry.  We expect MEPs to focus on the stage of review of various vaccines and the delivery of the vaccines acquired by the European Commission.  On January 8, 2021, the European Commission secured an additional 300 million of Pfizer-BioNTech vaccines.  Moreover, The European Medical Agency approved Moderna’s COVID-19 vaccine on January 6, 2021.

For the complete agenda and overview of the meetings, please see here.

New Information Reporting on Beneficial Owners Included in 2021 NDAA

On Friday, January 1, 2021, the Senate voted to override President Trump’s veto of the 2021 National Defense Authorization Act (“2021 NDAA”) by a vote of 81 -13.  The Senate’s override follows the House of Representatives’ override on December 28, 2020, and the 2021 NDAA is now law.

Included in Title LXIV of the 2021 NDAA (Title 64 for those of us rusty on Roman numerals), are new information reporting requirements intended to identify individual beneficial owners of certain business entities.  Subject to a number of exceptions, the law requires certain U.S. and foreign entities to file annual reports with the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) that will disclose information regarding the beneficial owners of reporting companies.  Overall, the reporting will identify those individuals exercising “control,” as the term is defined, over those entities required to report.  According to the legislation, over two million corporations, LLCs, and similar entities are formed under state law in the United States each year, and many “malign actors seek to conceal their ownership” of various entities intended to facilitate illegal activity.  Accordingly, the reporting mandated by the law is intended to help protect national security interests and interstate and foreign commerce, as well as counter the financing of terrorism.

Reporting RequirementsThe reporting requirements are set forth under sections 6401 through 6403 of the 2021 NDAA.  The Act defines a “reporting company” as a corporation, limited liability company (“LLC”), or other similar entity that is created by the filing of a document with a secretary of state or similar State office under the State law (to include any U.S. State, D.C. or other U.S. commonwealth, territory, or possessions) or tribal law in the case of Indian Tribes.  Further, non-U.S. entities that register to do business in the United States by filing documents with similar State or tribal authorities are similarly included within the scope of a reporting company.  Each reporting company must disclose certain identifying information related to its beneficial owners.Specifically, information that must be reported to FinCEN includes the beneficial owner’s full legal name, date of birth, residential or business street address, and unique identifying number (e.g., passport, license, or FinCEN identifier).  A beneficial owner is an individual who directly or indirectly (i) exercises substantial control over the reporting company or (ii) owns or controls not less than 25% of the ownership interests of the reporting company.

Key Exceptions Curtail Reporting Requirements: Tax-exempt and political organizations are among the organizations that don’t have to report

The scope of the reporting is significantly curtailed based upon exceptions that generally include the following:

  • Companies that issue securities registered under section 12 of the Securities Exchange Act of 1934, or that are required to file supplementary and periodic information under section 15(d) of the Securities Exchange Act of 1934);
  • Entities established under the law of the United States, an Indian Tribe, a State, or a political subdivision of a State, or under an interstate compact between two or more States that are designated to exercise governmental authority on behalf of such governments;
  • Banks, federal or state credit unions, bank holding companies;
  • Money transmitting businesses registered with the Secretary of the Treasury;
  • Brokers or dealers as defined in section 3 of the Securities Exchange Act of 1934;
  • An exchange or clearing agency, as defined in section 3 of the Securities Exchange Act of 1934, that is registered under section 6 or 17A of the Securities Act of 1934;
  • Any other entity not otherwise described that is registered with the SEC under the 1934 Securities and Exchange Act;
  • An entity that is an investment company or investment adviser properly registered with the SEC;
  • An investment adviser described in section 203(l) of the Investment Advisors Act of 1940 that has filed designated schedules with the SEC;
  • An insurance company as defined in section 2 of the Investment Company Act of 1940;
  • An entity that is an insurance producer authorized by a State and subject to supervision by the state insurance commissioner or similar official and has an operating presence and physical office in the United States;
  • A registered entity or various other specified entities under the Commodity Exchange Act;
  • A public accounting firm registered in accordance with section 102 of the Sarbanes-Oxley Act of 2002;
  • A public utility;
  • A financial market utility;
  • Any pooled investment vehicle operated or advised by a bank, credit union, broker/dealer, entities acting as an investment company or investment adviser, or an investment adviser;
  • Any of the following —
    • An organization described in section 501(c) of the Internal Revenue Code (the “Code”) without regard to section 508(a) of the Code, and exempt from tax under section 501(a) of the Code;
    • A political organization under section 527(e)(1) of the Code that is exempt from tax under section 527(a) of the Code;
    • A trust described in section 4947(a)(1) or (2) of the Code;
  • An entity that operates exclusively to provide financial assistance to, or holds governance rights over, any entity described immediately above;
  • Any entity that (1) employs more than 20 full-time employees, (2) filed a federal income tax return reporting gross receipts exceeding $5 million, and (3) has an operating presence in the United States;
  • Any corporation, LLC, or similar entity that is owned or controlled, directly or indirectly, by certain entities described above; and
  • Any corporation, LLC, or similar entity that has existed for more than one year with very minimal activity (see language of bill).

The legislation also authorizes the Secretary of the Treasury, with the written concurrence of the Attorney General and Secretary of Homeland Security, to issue regulations identifying other entities or classes of entities that should be exempt from the reporting requirements.

FinCEN’s Role

The information reported to FinCEN will not be public information, although FinCEN may disclose information to the following:

  • A federal agency for national security, intelligence, or law enforcement activity;
  • A State, local, or tribal law enforcement agency, if a court authorized the agency to seek the information;
  • A foreign authority, pursuant to a treaty, agreement, etc.;
  • A financial institution, with consent of the reporting company and in the form provided by the regulations; and
  • A federal regulatory agency, including the IRS.

Reporting Penalties

The new reporting requirements include civil and criminal penalties for the willful failure to provide accurate beneficial owner information or to report such information.  Any person who willfully fails to provide accurate beneficial owner information or to report such information may be subject to civil penalties of  up to $500 per day for every day the violation continues.  In addition, a person may also be subject to criminal penalties that include a fine of up to $10,000, up to two years imprisonment, or both.  The statute provides a limited safe harbor that allows any person to avoid the imposition of the reporting penalties if the person voluntarily submits corrected information within 90 days after the date of submission, unless the person knowingly filed false beneficial owner information with the intent of evading the reporting requirements.

The imposition of civil penalties based upon a willfulness standard could make it difficult for FinCEN to enforce such penalties in certain cases, particularly when the reporting company is compliant with respect to its other compliance obligations.  The IRS has encountered difficulty enforcing intentional disregard penalties under section 6721(e) of the Internal Revenue Code when the evidence does not support that the underlying failures were intentional.  The government has had more success imposing willfulness penalties for Foreign Bank Account Report (“FBAR”) (FinCEN 114) failures, where courts have acquiesced to a willful blindness standard.  That success has been aided in part by the plain English certification of the existence of foreign bank accounts on Form 1040 Schedule B making it more difficult for taxpayers to argue they were unaware of the filing obligation.

Outstanding Issues

The law requires the Secretary of the Treasury to promulgate regulations within one year after the date of enactment of section 6403 of the 2021 NDAA.  The statutory language of the reporting requirements does not define several key terms and raises various questions.  For example, for purposes of the definition of “beneficial owner,” it is unclear what constitutes “substantial control” over an entity.  (One potentially similar concept that Treasury could look to is that of “controlling persons” under AML/KYC rules that were incorporated into FATCA intergovernmental agreements.)  In addition, the definition of “reporting company” includes “similar entities” to corporations and LLCs, but it is not clear where this line should be drawn.  For example, will it include limited partnerships, limited liability partnerships, etc.?  Moreover, although many tax-exempt entities are not required to report, it is not clear whether the law also excludes taxable nonprofits.  Accordingly, FinCEN’s regulations and any related guidance will be important to understanding the full scope of the 2021 NDAA’s reporting requirements.

Effective Date

As discussed above, the 2021 NDAA became law on January 1, 2021.

The effective date of the reporting requirements is tied to the effective date of the regulations, which may not be later than one year after the date of enactment of the statute.  Any reporting company formed or registered before the effective date of the regulations must file a report to FinCEN not later than two years after the effective date of the regulations.

We will provide further coverage of the new FinCEN reporting requirements when Treasury publishes regulations at some point over the next year.