Whistleblowing plays a crucial role in uncovering corporate misconduct, fraud, and violations of law and regulations. As organizations become increasingly complex and global, the importance of robust whistleblower protection and compliance frameworks has grown significantly, but different countries approach encouraging and protecting whistleblowers in different ways.

Examining whistleblower protection and compliance frameworks in the United States and Japan reveals both similarities and significant differences. While Japan has recently made strides in strengthening its whistleblower protection laws, the United States maintains a more established and comprehensive system. Both countries recognize the importance of internal reporting systems, confidentiality protections and anti-retaliation measures. However, the U.S. system generally offers broader protections, more varied reporting channels and unique financial incentives that are absent in the Japanese framework. At the same time, Japan’s protections are centralized and cohesive, where the U.S. system is characterized by a complex web of federal and state laws.

This article compares whistleblower protection and compliance landscapes in the United States and Japan, two of the world’s largest economies, with distinct legal and cultural contexts. By analyzing recent developments, legal frameworks and practical implications in both countries, we aim to provide insights into the evolving nature of whistleblower protection and its impact on corporate governance and compliance by highlighting similarities, differences and potential areas for improvement in both systems, offering valuable perspectives for policymakers, corporate leaders and compliance professionals operating in these jurisdictions or managing cross-border compliance programs.

See “Japanese Companies Face Growing Anti-Corruption Enforcement Risk” (Jan. 27, 2016).

Patchwork of Whistleblower Protections in the U.S.

Over the years, the United States has developed a complex system of whistleblower protection laws and regulations across various sectors and industries. While the protections are comprehensive, some lacunae remain, and navigating the system can be confusing for whistleblowers.

Legal Framework

The legal framework for whistleblower protection in the United States is characterized by a patchwork of federal and state laws, each offering varying levels of protection and covering different types of disclosures. Key federal laws include the Occupational Safety and Health Act of 1970, which protects employees who report workplace safety issues; the Whistleblower Protection Act of 1989, which addresses fraud against the government; the Sarbanes-Oxley Act of 2002, which is applicable to employees of publicly traded companies; the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank), which is the foundation of the SEC’s successful and lucrative whistleblower reward program; and the Anti-Money Laundering Act of 2021 (AMLA), which encourages whistleblowers to report suspected money-laundering activities and other violations of the Bank Secrecy Act. Numerous state laws complement these federal statutes, often providing broader protections for whistleblowers.

Scope of Protection

In the United States, whistleblower laws offer broad protection to various individuals, encompassing current and former employees, job applicants, contractors, subcontractors and occasionally third parties knowledgeable about misconduct. The extent of protection provided under these laws varies according to their specific provisions. Typically, they cover disclosures related to violations of laws and regulations; instances of fraud, waste and abuse; risks to public health and safety; and misconduct involving financial practices and securities violations.

Reporting Channels

The U.S. system offers various avenues for whistleblowers to voice their concerns. While some laws encourage employees to initially report issues internally within their organizations, whistleblowers also have the option – and, in some cases, are even encouraged (as discussed in the next section) – to report directly to relevant government agencies. Additionally, some laws permit whistleblowers to report their concerns directly to members of Congress. Whistleblowers may also choose to disclose information to the media or the public.

Anti-Retaliation Provisions

U.S. whistleblower laws generally include strong anti-retaliation provisions. Employers are prohibited from taking adverse actions against whistleblowers, such as termination, demotion or harassment. If a whistleblower faces retaliation, they may be entitled to remedies including reinstatement, back pay and compensatory damages. In many cases, while whistleblowers may not avoid the responsibility of showing that the adverse employment action occurred because of their whistleblowing activity, the major burden of proof lies with the employer, which must demonstrate that the adverse actions were not retaliatory.

To be eligible for protection under the anti-retaliation provisions, whistleblowers must choose the appropriate reporting channels based on their specific claims. For example, the AMLA protects whistleblowers who report violations to the AG, Secretary of the Treasury, other regulators or members of Congress, or internally to their employer. In contrast, the Supreme Court determined in Digital Realty Trust, Inc. v. Somers that, in order to qualify for protection under the anti-retaliation provision of Dodd-Frank, an individual must meet the act’s definition of a whistleblower, which includes reporting suspected violations to the SEC. Thus, employees who only make internal reports might not receive anti-retaliation protection under Dodd-Frank.

See “What the Digital Realty Trust Decision Means for FCPA Compliance” (Mar. 7, 2018).

Whistleblower Incentives

A unique feature of some U.S. whistleblower laws is the provision of financial incentives. For instance, the SEC’s whistleblower program offers awards ranging from 10 percent to 30 percent of monetary sanctions for information that leads to successful enforcement actions. The AMLA whistleblower program boosted financial incentives by eliminating the previous $150,000 cap on payments and mandating that the Secretary of the Treasury must issue awards to whistleblowers whose disclosures lead to successful enforcement. While the size of these awards remains discretionary, there is a statutory minimum of 10 percent of the sanctions.

These incentives have been widely acknowledged for their role in boosting both the quantity and quality of whistleblower tips, thereby enhancing regulatory oversight and corporate accountability. As a result, other U.S. agencies are looking to get in on the action: the DOJ’s Fraud Section recently announced that it is developing its own whistleblower incentive program, and several U.S. Attorneys’ offices have done similarly.

See the Anti-Corruption Report’s two-part series on the DOJ’s intention to launch a whistleblower program: “What Will It Look Like?” (Mar. 27, 2024), and “What Does It Mean for Whistleblowers?” (Apr. 10, 2024).

Challenges

Despite the comprehensive legal framework for whistleblower protection in the United States, several challenges persist.

One major issue is the complexity stemming from the multitude of laws and regulations governing whistleblowing. These complexities can often confuse both whistleblowers and employers alike, making it challenging to navigate the appropriate channels and understand the full extent of rights and obligations under the law for both companies and whistleblowers.

Inconsistencies across different laws and jurisdictions further complicate matters, as protections and procedural requirements can vary depending on the specific statute invoked or the state in which the whistleblower resides or works. Addressing these challenges requires a nuanced understanding of the legal landscape and careful consideration of best practices to ensure effective protection and support for whistleblowers across all sectors and industries.

See “Government Enforcers Explain Their Approach to Whistleblowers and VSD” (Jul. 17, 2024).

Japan’s Centralized Protections

While U.S. whistleblower protections are an often-confusing patchwork, Japan’s system of whistleblower protections are more centralized. Indeed, Japan has recently taken steps to strengthen its whistleblower protection framework, primarily through amendments to the Whistleblower Protection Act (WPA) that came into effect in June 2022. These changes reflect a growing recognition of the importance of whistleblowing in promoting corporate transparency and accountability in Japanese business culture.

Legal Framework

The cornerstone of Japan’s whistleblower protection system is the WPA, first enacted in 2004 and amended in 2020 (effective 2022). The WPA aims to protect whistleblowers from unfair treatment and encourage the reporting of wrongdoing in both the public and private sectors. Key features of the amended WPA include mandatory internal reporting systems for large organizations, an expanded scope of protected individuals, a broader definition of reportable matters, enhanced confidentiality requirements and stricter anti-retaliation provisions.

Mandatory Internal Reporting Channels

One of the most significant changes introduced in the WPA’s 2022 amendments is the requirement for organizations with more than 300 employees to establish and maintain internal reporting systems. This mandate aims to ensure that employees have accessible and reliable channels to report concerns without fear of reprisal. For organizations with 300 or fewer employees, while not strictly mandatory, there is a strong recommendation to implement such systems.

Expanded Scope of Protection

The amended WPA has broadened the range of individuals eligible for whistleblower protection. In addition to current employees, the WPA now extends protection to retired employees within one year of retirement; corporate officers, including directors and executives; and temporary workers and contractors. This expansion acknowledges that valuable information about misconduct may come from various sources within an organization’s ecosystem, not just from current full-time employees.

Reportable Matters

The scope of reportable matters has been expanded under the amended WPA. Previously focused primarily on criminal activities, the WPA now covers violations of laws and regulations, administrative violations and matters that pose significant risks to public health, safety or the environment. This broader scope allows for the reporting of a wider range of misconduct, potentially uncovering issues before they escalate to criminal activities.

Confidentiality and Anti-Retaliation Measures

The amended WPA places emphasis on protecting whistleblowers’ identities and preventing retaliation. It includes provisions to ensure these protections. First, there are confidentiality requirements, mandating that organizations must maintain the confidentiality of any information that could identify the whistleblower. Breaches of this confidentiality can result in criminal fines. Second, the WPA explicitly prohibits any form of retaliation against whistleblowers, including dismissal, demotion, pay reduction or other adverse treatment. Lastly, any retaliatory action taken against a whistleblower is punishable under the law.

Reporting Channels and Processes

The WPA outlines a three-tiered reporting system that begins with internal reporting, where employees are encouraged to report concerns through their organization’s internal channels. If internal reporting proves ineffective or inappropriate, individuals can then report directly to relevant government agencies. In cases of serious violations or imminent danger, whistleblowers may disclose information to the media or other public channels. Additionally, organizations are required to designate responsible persons to handle reports impartially and ensure the effective functioning of the reporting system.

Challenges

While the WPA represents a certain step forward, several challenges remain in implementing effective whistleblower protection and compliance programs in Japan.

Excludes Foreign Employees and Entities

The WPA primarily aims to protect national “citizens” (i.e., Japanese citizens), and its application is limited to “workers” subject to Japan’s labor standards, employed by Japanese entities and engaged in Japanese operations. Therefore, whistleblowers employed at overseas locations and engaged in foreign operations generally fall outside the scope of this law. While the WPA might apply to their whistleblowing if their employment contract stipulates Japanese law as applicable, it covers only facts related to violations of Japanese law. Furthermore, it is important to note that the local laws typically apply by default once corporations begin conducting business in those jurisdictions. This principle can complicate whistleblower protection, as different countries have varying standards and regulations regarding whistleblowing. In some jurisdictions, the laws may offer more comprehensive protection than the WPA, while in others, the protections may be weaker or nonexistent. This inconsistency can create challenges for multinational companies trying to implement uniform whistleblower policies across their global operations.

Does Not Cover Small Companies

The mandatory requirement to establish and maintain internal reporting systems does not apply to companies with 300 or fewer employees. Additionally, even for companies with more than 300 employees, the establishment of external reporting channels is not mandatory. The absence of external reporting channels does not necessarily create a neutral environment where employees can report without feeling internal biases or pressures. This lack of neutrality could undermine whistleblowers’ confidence and compromise the reliability and effectiveness of internal reporting systems.

Difficult to Show Retaliation

Under the current WPA, whistleblowers must demand that businesses correct adverse treatment and, if necessary, file a lawsuit to prove that the adverse treatment was due to their whistleblowing.^[1] However, businesses usually possess more evidence and information regarding the motives behind actions such as dismissal, demotion or pay reduction. Unless the burden of proof shifts to the employer’s side, this imbalance makes it challenging for whistleblowers to provide sufficient evidence, thereby discouraging them from reporting misconduct.

A Culture Issue Remains

Traditional Japanese business culture, which values harmony and loyalty, may discourage employees from speaking up about workplace issues.^[2] This cultural emphasis on maintaining group cohesion and avoiding conflict can create an environment where individuals feel hesitant to report problems or unethical behavior. Moreover, unlike the U.S. system, the Japanese system does not hold out the prospect of financial reward to whistleblowers who report corporate misconduct to Japanese regulators.

How Companies Can Encourage Whistleblowing in Japan

To encourage whistleblowing, Japanese companies need to ensure the confidentiality and security of whistleblower reports. Robust data protection measures, including local data hosting and encryption, are essential.

Additionally, comprehensive training programs are necessary to educate employees about their rights, reporting options and the importance of speaking up. For organizations that operate overseas subsidiaries or hire non-Japanese-speaking employees, providing multilingual reporting channels is crucial to accommodate their diverse workforces.

Furthermore, promoting a speak-up culture and offering internal incentives for reporting can further encourage employees to report misconduct. Independent reporting channels managed by third parties can ensure impartiality and protect whistleblowers from internal pressures. Regular monitoring and evaluation of whistleblowing systems are also crucial for maintaining their effectiveness and reliability.

See the Anti-Corruption Report’s two-part series taking a fresh look at hotlines: “Responding to a Global Focus on Whistleblowers” (Sep. 2, 2020), and “Fostering a Speak-Up Culture and Leveraging Data” (Sep. 16, 2020).

What to Expect Going Forward

As global business practices continue to evolve and corporate misconduct becomes increasingly sophisticated, both the United States and Japan face ongoing challenges in refining their whistleblower protection systems. Future developments in both countries are likely to focus on enhancing the effectiveness of reporting mechanisms, strengthening enforcement and adapting to emerging risks in areas such as cybersecurity and ESG. For multinational organizations operating in both jurisdictions, navigating these different systems requires careful attention to local legal requirements and cultural nuances. Developing comprehensive, globally consistent, yet locally compliant, whistleblower programs will be crucial for effective risk management and ethical business practices in the years to come.

 

Robert A. Johnston Jr. is a partner in the investment management & white collar defense group at Lowenstein Sandler. He specializes in the FCPA, anti-money laundering (AML), trade sanctions compliance, regulatory counseling, due diligence, investigations and compliance monitoring. Johnston also investigates alleged violations of various federal laws including AML, FCPA, Office of Foreign Assets Control, Racketeer Influenced and Corrupt Organizations, accounting fraud, securities fraud, procurement fraud, illegal gratuities, tax evasion, and employee embezzlement and misconduct.

Kei Komuro is an associate in the global trade & national security group at Lowenstein Sandler. He advises both domestic and foreign clients on a wide range of trade issues, including export and import controls, economic sanctions on foreign countries, secondary sanctions on third-country entities, and CFIUS reviews and filings.

Companies doing business in Chile need to prepare for more expansive, and more aggressively enforced, liability provisions for white-collar crimes, as well as heightened compliance expectations, that are due to come into effect in the fall of 2024.

Chile’s 2023 Economic Crimes Law, Law No. 21,595 (ECL), signed into law by President Gabriel Boric in August 2023, updates and tightens the stipulations of the country’s 2009 Corporate Criminal Liability Law, or Law No. 20,393. However, individuals and entities were given a year to prepare for changes in the Corporate Criminal Liability Law, with those provisions only coming into effect on September 1, 2024. For individuals (referred to as “natural persons” in the ECL to distinguish “legal entities” and “legal persons”), the law is already in effect.

“Effectively, this law expands the catalogue of offenses for which the legal entity may be criminally liable,” Jorge Bofill, a partner with the law firm Bofill Escobar Silva, based in Santiago, Chile, told the Anti-Corruption Report.

Ahead of the ECL’s passage by the Legislature, Chile’s executive government issued a press release describing it as part of its “anti-abuse agenda,” which imposes punishment on corruption, collusion and insider trading. “[I]t is probably the most significant reform to the Penal Code of 1874 that we have had to date,” Justice and Human Rights Minister Luis Cordero said in the press release.

See “Conducting Effective Third-Party Due Diligence in Latin America” (Mar. 1, 2023).

Part of a Broader Strategy

Chile is a leader among Latin American countries in enacting anti-corruption laws. The 2009 Corporate Criminal Liability Law was the first such law in the region and made legal entities answerable for certain criminal acts when committed by individuals linked to them. Chile’s proactive approach to addressing corruption has positioned it as a potential model for other countries in the region seeking to enhance their anti-corruption measures, according to Franco Acchiardo, managing partner of Clyde & Co’s Chile office.

More recently, the ECL comes against the backdrop of Chile’s new National Public Integrity Strategy (Estrategia Nacional de Integridad Pública or ENIP), announced in 2023. This has wide-reaching ambitions affecting matters including beneficial ownership transparency and public procurement integrity.

All told, the ENIP involves a total of 210 legislative and administrative measures aimed at improving transparency, integrity and anti-corruption standards in the country, Bofill Escobar Silva partner César Ramos said. “It is important for companies to be aware of the progress of this initiative, as it contains proposals that may affect them,” he noted.

The ENIP is aligned with the broader goals of enhancing corporate governance, reducing corruption risks and promoting transparency in business practices, Acchiardo explained.

Now, the ECL is a decisive step in the internalization of the prevention of these risks to companies, Bofill added. “In this regard, Chile has been at the forefront in the region,” he said.

Wider Range of Entities Affected

The ECL applies for almost any type of legal entity, said Acchiardo. A range of entities that were not affected by Law No. 20,393 on Criminal Liability of Legal Entities are now bound by the regulations of Law 21,595, he said. “This law extends to a broad scope of legal entities, such as those created under private law, public law entities, state-owned companies, universities, political parties, and religious entities, among others,” he noted.

The law makes no distinction between whether entities are Chilean or foreign, Bofill stressed. They will be subject to the criminal liability of the law “regardless of their country of incorporation or operation,” he said.

The criminal law has effect within the territory of Chile, applying equally to Chileans and foreigners, Bofill continued. However, there is a notable exception to that territoriality principle, he cautioned. Bribery of a foreign public official committed by a Chilean or by a person with habitual residence in Chile is an offense that can be pursued and punished in Chile, regardless of where the act took place.

Categorizing Economic Crimes

An important aspect of the ECL is that it treats economic crime differently from common crime, according to the government’s press release. The harmful effects that such crimes can inflict on society “are sometimes infinitely greater than those linked to common crime,” Cordero noted in the press release. Thus, it is critical that this type of crime is “assessed differently due to the social consequences it causes,” he said.

The ECL classifies crimes that impact the socioeconomic order and/or the environment as economic crimes going forward. Arranging these crimes in four categories, the law makes legal entities potentially liable for over 200 crimes. Many were offenses under existing Chilean law, but the ECL establishes more severe penalty calculations.

Category 1

The first category contains crimes that will be considered economic crimes regardless of the circumstances. They include crimes imperiling the securities market, the financial sector or market competition. Collusion, providing false information to financial authorities, concealing information from competition authorities and insider trading are among such offenses.

Category 2

The second category consists of crimes committed while carrying out a company role or acting for a legal entity’s benefit. Environmental crimes are in this category. It also includes bankruptcy fraud, political campaign financing violations, and offenses related to customs, tax and intellectual property.

Category 3

The third category encompasses crimes committed by public officials that also include the intervention of a company member, or that lead to benefits for some company. These can include forging public instruments, bribing public officials and tax fraud.

Category 4

The fourth category includes crimes related to the proceeds of an economic crime, such as money laundering, embezzlement or acting as a fence.

See “Evolving Anti-Corruption Laws in Latin America” (Jan. 31, 2024).

A Compliance Defense

Under the ECL, companies can avoid liability if they have a compliance program – referred to as a Modelo de Prevención de Delitos or crime prevention model (CPM) – in place that meets certain criteria.

The concept of a CPM was introduced in the earlier Corporate Criminal Liability Law, but the ECL modifies the requirements, Florencia Fuentealba, an associate at Albagli Zaliasnik, told the Anti-Corruption Report. Specifically, the ECL updates the elements that a CPM should have in order to be considered “effective.”

CPMs are not mandatory or required under the ECL. However, “only a company that has implemented a crime prevention model can eventually exempt itself from corporate criminal liability,” Fuentealba clarified.

Essential Elements

Under the ECL’s requirements, a CPM must take into account the company’s business model, size, complexity, resources and the activities it carries out, said Ramos.

The ECL requires that a CPM identify risky company activities and establish protocols and procedures to prevent and detect criminal conduct in those activities, including safe complaint channels and internal sanctions for non-compliance, Ramos said. Those protocols, procedures and sanctions need to “be communicated to all employees,” he stressed. Additionally, the internal regulations must be incorporated in employment and service contracts.

Another essential element is the assignment – to one or more people – of responsibility for applying the protocols, Ramos continued. They should enjoy adequate independence and have effective direction and supervision powers, as well as direct access to company leadership. The company must ensure that these people have “the material and immaterial resources and means necessary to adequately perform their tasks, in consideration of the size and economic capacity of the legal entity,” he noted.

On top of all this, it is crucial that companies are prepared for periodic evaluations by independent third parties and have mechanisms in place for improving or updating, should the result of those evaluations so require, Ramos said. “CPMs should be subject to regular independent audits to ensure effectiveness,” Acchiardo agreed.

Judges Can Opt for Supervision

If a company lacks an effective CPM, a court can impose “supervision” by a court-appointed supervisor (similar to a compliance monitor in the U.S.) responsible for ensuring that the company develops, implements or improves its CPM, as appropriate, Ramos explained. The supervisor may monitor that process for anywhere between six months and two years.

There is only one precedent for this type of supervision in Chile’s bankruptcy law, Fuentealba noted. Judges can order supervision if they deem it necessary to prevent new crimes, she said.

“This is a drastic change in Chilean law,” Guillermo Jorge, a partner at Bruchou & Funes de Rioja, told the Anti-Corruption Report.

Chilean companies previously would “certify” their compliance programs. “Those certifications were used as a shield in prior years, until the prosecutors started to challenge the quality of certifications,” Jorge said. The ECL moves from these ex‑ante certifications to ex‑post monitorships, he commented. This “may be a game changer in the compliance market in the years to come,” he predicted.

See “DOJ, Private Practitioners and Past Monitors Discuss Best Practices and Trends in Corporate Monitorships” (Nov. 9, 2022).

Company Can Be Held Liable for Third Party’s Wrongdoing

Companies can be liable under the ECL when the relevant offenses are committed by company officers, employees or directors – or even their third parties.

Companies should monitor their third parties, particularly those working on the company’s behalf, Acchiardo suggested, “especially for actions of contractors performing tasks that are central to the company’s main line of business.”

The new law does not differentiate between third parties acting with or without formal representation of the company, Fuentealba cautioned.

This might be particularly important to companies operating with contractors, Fuentealba pointed out, because the ECL includes employment-related crimes and health and safety obligations. Also worthy of close monitoring are third parties that interact with government officials, Fuentealba said.

Implementing solid due diligence processes for third-party relationships can help mitigate risks, Acchiardo suggested. It is also helpful to ensure that contracts include compliance obligations, for example, by having an acknowledgment of the company’s CPM baked into contracts with third parties.

Introducing third-party liability “is an important change in Chilean law,” Jorge noted. Under the current law, companies are liable for the conduct of third parties only “in certain exceptional scenarios.”

See our three‑part series on in‑house perspectives on third‑party due diligence: “Right‑Sizing and Risk Ranking” (May 24, 2017), “Information Gathering” (Jun. 7, 2017), and “Red Flags and Follow‑Up” (Jun. 21, 2017).

Senior Company Figures Under More Pressure

The ECL introduces personal liability for corporate directors and executives – a significant change.

The ECL “imposes greater obligations on those who hold executive and managerial positions in companies,” Cordero observed in the press release.

By increasing liability for people in senior positions in companies, the ECL could influence hiring and compensation. “Companies may prioritize candidates with strong compliance backgrounds and offer competitive compensation packages to attract experienced professionals capable of navigating the complexities of the law,” Acchiardo predicted. Company leaders will need to be well versed and trained in the internal protocols that their company puts in place, she said.

See “How to Mitigate Corruption Risk When Investing in Latin America” (Jul. 25, 2018).

Watch Out for Environmental Offenses

The ECL zeroes in on environmental risks, defining new offenses to be considered crimes in this area.

“It is now an economic crime to extract resources in environmentally sensitive areas and cause damage to protected ecosystems,” Acchiardo said. Moreover, a new felony description was added to Chilean law: ecocide, which means causing serious damage to the environment. “Adhering to environmental regulations and implementing sustainable practices are crucial to avoid legal liabilities.”

The catalogue of crimes contained in the ECL also includes non-compliance with water regulations. “In a country with an extended drought like Chile, this is a sensitive issue, so industries exposed to the use of water, such as agriculture, should pay special attention to this,” Acchiardo stressed.

The ECL provides for aggravated penalties “if the serious impact causes irreversible damage to an ecosystem,” Ramos explained.

Companies will run into legal problems if they do not have necessary environmental licenses, conceal information during environmental evaluations or obstruct environmental audits, Acchiardo observed.

See “ABC Trends in 2023 Include ESG” (Feb. 15, 2023).

Strict Penalties

The ECL lays down new rules for deciding on penalties for those guilty of white-collar crimes, increasing the likelihood of prison time.

“When the crime has a theoretical prison sentence, it is much more likely that it must be carried out with deprivation of liberty in order to avoid impunity for committing economic crimes,” the government press release states.

In the event of pecuniary fines on individual perpetrators, the ECL establishes a new way of determining fines. They will be subject to a “days-fine,” meaning a penalty calculated as a multiple of the convicted person’s average daily income.

See “No Longer a Slap on the Wrist: SEC Penalties and Sentences on the Rise” (Jan. 18, 2023).

DOJ enforcers sometimes apply a generous definition of what counts as a U.S.-related situation when choosing to prosecute international corruption and fraud cases. And this is likely to continue as financial crime increasingly takes on international dimensions.

The extraterritorial nature of some criminal cases pursued by the DOJ is a rising tendency, according to participants at a recent New York City Bar Association panel discussion. The foreign location of defendants, witnesses or the acts that are the focus of a case do not impede the DOJ from claiming that a case comes under its purview, according to comments in the conversation, which formed part of the White Collar Crime Institute in May 2024.

The trend has been noted in cases involving the FCPA and the Foreign Extortion Prevention Act (FEPA), wire fraud, bank fraud, securities fraud and commodities fraud. In part, it is a reflection of the DOJ enforcers building ever-stronger cooperative relationships with their foreign counterparts.

This article summarizes some of the insights into the matter from both private-sector lawyers and the government side.

See “DOJ’s Long Arm Over Latin America: Recent Trends and Future Risks From Extraterritorial Application of U.S. Laws” (Sep. 30, 2020).

The Morrison Case Asserts Presumption Against Extraterritoriality

The 2010 U.S. Supreme Court decision in Morrison v. National Australia Bank highlighted the issue of U.S. laws’ extraterritoriality. “That is the civil case that reasserted the presumption against the extraterritorial application of U.S. law,” Jones Day partner James Loonam remarked.

In theory, unless a statute explicitly states that it has extraterritorial application, U.S. law only applies to conduct that takes place within the borders of the U.S., Loonam commented. However, in practice, conduct that takes place outside the U.S. often becomes the subject of cases brought by U.S. prosecutors.

“The reality is that limited contacts to the U.S. can bring related conduct that takes place outside the U.S. within the domestic purview of U.S. law,” Loonam explained.

Inconsistencies Cause Confusion

Inconsistencies between how different U.S. courts have interpreted the extraterritoriality of the FCPA create confusion, Sullivan & Cromwell partner Nicolas Bourtin highlighted.

The FCPA delineates those people and parties who are subject to U.S. criminal prosecution or civil liability under the statute, specifying that it applies to U.S. persons, issuers and domestic concerns and their agents, Bourtin said.

Contrasting Lessons From TSKJ and Hoskins

Regarding how the DOJ has dealt with parties who are involved in an FCPA violation, but who are not U.S. persons, issuers, or domestic concerns and their agents, the DOJ’s settlements with the joint venture TSKJ are enlightening, Bourtin added.

The joint venture was formed by an international array of companies – Technip, Snamprogetti Netherlands, Kellogg Brown & Root and JGC Corporation – to secure contracts from a natural gas company part-owned by the Nigerian government. U.S. regulators stated that the joint venture paid bribes to Nigerian officials in order to secure business. The case was an example of how liability for the misconduct of a joint venture can arise under the FCPA’s anti-bribery provisions.

It is notable that, although only one of the four companies involved in that joint venture was American, the DOJ pursued settlements with all of them, Bourtin highlighted in his discussion of the case. “Those companies all ended up paying hundreds of millions of dollars,” he recalled.

As a counterexample, Bourtin offered the situation of Lawrence Hoskins, whom the Second Circuit found to be beyond the scope of the FCPA despite his association with a bribery case in his work for a foreign subsidiary of U.S. company Alstom. The Second Circuit decisions concerning Hoskins indicate that a strict standard applies to a non-U.S. party being considered an agency of a U.S. party for FCPA purposes, and that secondary liability also does not work for FCPA prosecution purposes, he said.

See “Hoskins II Decision Claws Back DOJ Prosecutions Overseas” (Sep. 28, 2022).

Not All Courts Agree

However, courts in different parts of the U.S. have taken a different interpretation from that of the Second Circuit.

“Not all courts have agreed,” Bourtin observed, noting that elsewhere in the country, extraterritorial application of the FCPA has prevailed. For example, in U.S. v. Dmitry Firtash, the Northern District of Illinois asserted an extraterritorial application of the FCPA pursuant to secondary liability, he added.

“The end result is that the law right now is a bit of a muddle. Outside of the Second Circuit, it is hard to know what the right standard would be,” Bourtin said. There will continue to be cases that raise doubts over whether a non-U.S. individual or corporation might be found liable under the FCPA, he predicted. “Particularly persons, but sometimes also foreign companies, who are not within the statute’s plain scope are still wondering whether they can be prosecuted extraterritorially based on conspiracy or aiding and abetting.”

FEPA Adds to the Confusion

The enactment in late 2023 of the FEPA will add to the confusion, Bourtin warned. The FEPA fills “a perceived gap” left by the FCPA, with the U.S. able to prosecute bribers but unable to prosecute foreign officials who receive bribes, he explained. The FEPA criminalizes the receipt of bribe payments by foreign officials.

The law was arguably unnecessary because “the DOJ had repeatedly charged foreign officials with money laundering in situations where they had been bribe recipients,” Bourtin noted. The scope of the FEPA will not apply to anything that was already covered by the FCPA. Given the DOJ’s broad view of the FCPA, there is a risk that the it might be constricted in its interpretation of the FEPA, he cautioned.

Moreover, the FEPA brings about “an interesting mismatch question,” Bourtin suggested. In a situation in which a foreign person acts as a bribe intermediary and pays a foreign government official, the official can now be prosecuted in the U.S. under the FEPA. However, it is unclear whether the middleman can be secondarily liable for violating the FCPA, or aiding and abetting the government official. “We are going to continue to have these gray areas,” Bourtin predicted, but there is “no doubt the DOJ will look to push the outer boundaries of the statute.”

See “Newly Signed Foreign Extortion Prevention Act Complements FCPA” (Jan. 3, 2024).

Wire Fraud As a Workaround

Wire fraud, too, is an area in which the DOJ seems to be pursuing cases extraterritorially, according to Loonam, despite the plain language in the statute. “There is nothing in the wire fraud statute regarding extraterritorial application,” he said.

Is It the Wire or the Fraud?

There are differing views on how to determine whether a wire fraud has enough of a U.S. connection to be subject to the statute on wire fraud, 18 U.S. Code § 1343, or on conspiracy to commit wire fraud, 18 U.S. Code § 1349, Willkie Farr partner Casey Donnelly said. The key question is not where money was wired but, rather, where the fraudulent scheme took place, she emphasized. “That is the focus, because the wire, in most cases, is a throwaway.” This is not merely her own interpretation, she stressed, saying it would likely be the view of many people “who have been defense lawyers.”

However, this view did not prevail in 2020 when the Second Circuit heard U.S. v. Napout, a § 1349 case associated with the soccer federation FIFA, Donnelly noted. “The Second Circuit said the focus of the wire fraud statute and the wire fraud conspiracy statute is the wire,” she explained. This means that, to prove domestic application in such cases, all the fraudulent conduct can occur overseas, and the conspirators can be non-U.S. people as long as there had been a U.S. wire.

This interpretation comes with the caveat that the U.S. wire cannot be incidental, but needs to be essential to the matter, Donnelly acknowledged. “What constitutes an essential wire versus an incidental wire? I think that we will see over the next few years as the case law starts to filter in.” Rather than “essential” meaning “absolutely necessary,” prosecutors will argue that it means something more akin to “meaningful,” she predicted. “It will be very interesting to see how, especially at the lower courts, it gets interpreted.”

Even a Correspondent Bank Will Do

The use of U.S.-based correspondent banks to process transactions can suffice, in some public prosecutors’ view, to bring a case under U.S. jurisdiction, Donnelly noted. Correspondent banks are used when two people anywhere in the world conduct a transaction in U.S. dollars, which “has become the de facto world currency,” Donnelly said. In U.S. v. Boustani, a case from 2019, Donnelly’s client, a Lebanese salesman, was charged with wire fraud conspiracy in connection with selling ships on behalf of a United Arab Emirates shipbuilder to Mozambique, she explained. Prosecutors asserted that the U.S. court had jurisdiction based on the purchase being processed through a correspondent bank. However, a U.S. dollar sum passing through a correspondent bank “is an instantaneous transaction,” and the defense argued that “this is an impermissible extraterritorial application of the wire fraud statute,” she said. Though the defense won the case, it was not thanks to this point. “The idea that you need to show something beyond a wire was not an argument that prevailed,” she noted.

See “Piling On? Examining the Reality of Multi-Jurisdictional FCPA Resolutions” (Jul. 11, 2018).

Bank Fraud Brings Contradictory Arguments

Bank fraud is an area in which a federal court’s claims that a case is under its jurisdiction can invite controversy.

Is Withholding Information Fraud?

In 2022, Danske Bank pleaded guilty in what, if it had been a U.S.-based entity, might have been a Bank Secrecy Act case, according to Bourtin. “How do you prosecute a foreign bank for failure of anti-money laundering controls when that bank is not subject to U.S. anti-money laundering rules? The solution, using the federal fraud statute, was to charge Danske Bank with bank fraud,” he said.

Prosecutors argued that Danske Bank defrauded U.S. correspondent banks, which it used merely to process dollar payments for its customers. “The DOJ’s theory suggested that what the U.S. banks were being defrauded of was the knowledge that Danske Bank had a wholly inadequate anti-money laundering program,” Bourtin remarked.

The DOJ claimed that the U.S. banks were defrauded by being deprived of a “right to control,” as they were not given relevant information on which to base their business judgment, Bourtin noted.

Must Fraud Involve Real Property?

That sits uneasily, according to Bourtin, with a 2023 decision in Ciminelli v. U.S., the case of construction company owner Louis Ciminelli. The Second Circuit approved a charging theory that revolved around a contracting company being deprived of knowledge that a bidding scheme had been set up so that only one bidder could meet the specifications. The Supreme Court reversed this, he said.

“When the federal fraud statutes talk about fraud, what they mean is depriving someone of money or property, not intangible things like a right to know or a right to control; property means property,” Bourtin clarified, summing up the Supreme Court’s interpretation in that case.

That interpretation arouses doubt regarding the Danske Bank case, Bourtin argued. The correspondent banks are “simply processing a series of credits and debits as the money moves through those institutions. If anything, they are making money on wire fees from those transactions,” he pointed out.

The DOJ Remains Unphased

The Ciminelli decision did not significantly limit the DOJ’s ability to bring cases, stated David Pitluck, Assistant U.S. Attorney in the Eastern District of New York. Not many DOJ cases are based on such a “right to control” argument. It is “not a super-attractive charging theory for us,” he stated.

However, going forward, prosecutors are “very attuned to how it is going to be perceived, to what the allegations look like, to make sure that we are charging something that looks like money or property,” Pitluck said. This applies particularly in cases tied to the wire fraud statute, but also the bank fraud statute, he noted.

See “Fifth Circuit’s Rafoi Bleuler Decision Underscores Extraterritorial Reach of FCPA and Money Laundering Law” (Apr. 26, 2023).

Securities and Commodities Create Complex Territorial Questions

Securities fraud and commodities fraud come with their own special challenges when it comes to demonstrating that a U.S. court has jurisdiction. Commodities and securities fraud are two areas where “courts have had a bit of a hard time applying the domestic application test,” according to Loonam.

A “real dearth of precedent” means lawyers need to look at numerous motions to dismiss in private litigation and other civil litigation contexts, said Jenna Dabbs, a partner at Kaplan, Hecker and Fink.

Where Does a Non-Traded Transaction Happen?

Morrison, which was a securities case, lays down a rule about listed securities traded on an exchange with a specific location. The holding of the case was that Section 10(b) of the Securities Exchange Act of 1934, prohibiting deception in buying or selling securities, “applies only to transactions in securities that are listed on domestic exchanges and domestic transactions in other securities,” Dabbs reported. However, transactions involving unlisted securities are more difficult to pin down in terms of location, she noted.

“The Second Circuit has applied an irrevocable liability test,” Dabbs said. Transactions involving securities that are not traded on a clearly domestic exchange can be considered domestic if the U.S. is the country in which “irrevocable liability is incurred or title passes,” she explained.

A number of other circuits have adopted that portion of the Second Circuit’s test, Dabbs added. The test involves considerations of the location where an agreement is signed, or where the parties become bound, she noted. “The Second Circuit has held that liability can become irrevocable in more than one place and in more than one time.”

Moreover, Dabbs continued, there are cases where there might be a transaction that can be considered domestic, but “the whole complex of facts around the conduct may make it feel like it is so largely or significantly foreign that the notion of bringing that case in the U.S. feels like it is not proper or appropriate.”

For example, in Parkcentral v. Porsche, the Second Circuit dismissed the case on the grounds that the transaction was predominantly foreign and thus extraterritorial.

On the other hand, the Williams v. Binance case, also in the Second Circuit, showed “Congress trying to preserve some reach of U.S. jurisdiction” in light of the Morrison decision, Dabbs said. Faced with a decentralized electronic exchange without a single physical location, not under the jurisdiction of any one nation, the Second Circuit held that the transactions were domestic because they became irrevocable in the U.S. This was based on transactions allegedly matching on servers located in the U.S., she explained.

With numerous cases now emerging from the cryptocurrency space, “much of the case law is going to come from this new market dynamic of decentralized and disaggregated markets,” Dabbs predicted.

Binance’s boast to have no physical location ended up harming the defendants in the case, according to Dabbs. It meant that the U.S. felt emboldened to pursue the matter without fear of stepping onto other countries’ jurisdictions, she argued.

Commodities Deals Raise Conflicting Arguments

When it comes to prosecuting cases under the Commodity Exchange Act (CEA), there are two prongs of the statute to consider, Dabbs suggested. “Jurisdiction can lie either where there is a legitimate domestic application of the CEA or there is a permissible extraterritorial application of the CEA.”

Ascertaining whether a transaction occurred in the U.S., Dabbs explained, often comes down to irrevocable liability – where contracts were formed, where orders were placed, where title passed or where money was exchanged. As for a permissible extraterritorial application, she continued, this can hinge on non-U.S. activities by the defendant and whether they directly and significantly connect with activities or commerce within the country. “There is not a lot of precedent as to how those different terms should be applied,” she noted.

The 2023 case of CFTC v. Gorman can be instructive when it comes to the extraterritorial question in commodities cases, Dabbs said. There, a motion to dismiss was partially granted, including on a challenge to extraterritorial application, in a decision by Judge Victor Marrero of the U.S. District Court for the Southern District of New York (SDNY). The case pertained to a U.S. citizen working for a financial institution located in Japan, and the core conduct was participation in pricing calls for swap spreads that affected a Japanese issuer.

Judge Marrero found that certain of the claims were impermissibly extraterritorial, according to Dabbs. “The lion’s share of the conduct was appropriately viewed as having occurred overseas, and was foreign and did not have an appreciable impact more broadly in the U.S.,” she said.

Another illustrative case is that of U.S. v. Phillips, with a decision by Judge Lewis Liman of the U.S. District Court for the SDNY. “The core scheme that was alleged happened while the defendant was In South Africa, talking to a Singapore-based salesperson of a Japanese-headquartered bank,” Dabbs noted.

Again, discussion revolved around whether there was a domestic application of the CEA, or whether the CEA’s second prong applied as it was a permissible extraterritorial application of the statute, Dabbs explained. Liman concluded that there was no proper domestic application, but “that there was a direct and significant connection to activities in U.S. commerce by virtue of the fact that the hedge fund used a U.S.-headquartered prime broker.”

See “Binance’s $4.3‑Billion Criminal Resolution Raises Questions on Crypto Guidance” (Jan. 31, 2024).

DOJ’s Foreign Cooperation Increases

The DOJ’s pursuit of cases with international dimensions has been aided by its growing network of connections with foreign authorities. In the last 10 years, Pitluck observed, more and more of the cases being charged involve some perpetrator, witness or victim that is overseas. “More than half of the cases that even come in our door now have some significant international component,” he said.

Something that has facilitated the pursuit of these cases, Pitluck pointed out, is “a real increase in partnership” with foreign law enforcement counterparts.

While the DOJ has a long-standing partnership with the U.K.’s SFO, and has collaborated with Brazilian authorities in recent years, the expanding relationships have lately included France, Loonam noted. Cooperation in the case against French financial institution Société Générale, Pitluck confirmed, marked the first time the Parquet National Financier (PNF), France’s financial prosecutor’s office, had conducted its version of a deferred prosecution agreement with a then-new law.

“It led to a positive resolution that I think has been a sea change in terms of sharing of evidence and communication,” Pitluck suggested. This paved the way for another instance of cooperation between the DOJ and the PNF in 2022, he highlighted, involving building materials company Lafarge pleading guilty to conspiring to support terrorist organizations.

“The groundwork that we had set up in the initial relationship paid dividends in terms of communication, coordination and making sure we had the appropriate evidence that we needed,” Pitluck said of the cooperation with French authorities.

Switzerland and Mexico are also among “a lot of countries that we have not worked with before” with which the DOJ has recently been building such links, according to Pitluck.

See “SocGen Reaches Historic Deal With France and U.S., Legg Mason Tags Along” (Jun. 27, 2018).

On June 28, 2024, the Supreme Court reversed the long-standing Chevron deference principle in its landmark Loper Bright Enterprises v. Raimondo decision, which holds that courts are not required to defer to agencies’ interpretations when the enabling statute is either silent or ambiguous.

This two-part article series examines the implications of Loper Bright with insights shared with the Anti-Corruption Report by Baker & McKenzie partner Helena J. Engfeldt and Paul Hastings partner Nathaniel Edmonds, and commentary from K&L Gates partners Varu Chilakamarri, David R. Fine, Barry M. Hartman, Craig E. Leen and Mark Ruge made during the firm presentation. This second part addresses the decision’s impact on Congress, courts, regulatory agencies, FCPA compliance and enforcement, and companies. Part one discussed Chevron deference and examined the Loper Bright opinion and its effect on cybersecurity and privacy enforcement.

See “Supreme Court: District Courts Have Jurisdiction to Hear Constitutional Challenges to ALJ Regimes” (May 24, 2023).

More Work for Congress

“Congressional Silence Is Not Golden”

Under Loper Bright, “Congressional silence is not golden,” cautioned Ruge. Going forward, judicial analysis will begin with “fixing the boundaries of delegated authority” – i.e., what Congress told the agency it could do. Critically, however, “silence by Congress will generally not be read to constitute authority granted to an agency,” he stressed. This will make Congress’ job much more difficult, given the challenges of drafting legislation that is flexible enough to cover changing circumstances.

Broad Delegations Disfavored

Loper Bright concerned a regulation issued under the Magnuson-Stevens Fishery Conservation and Management Act (Magnusen Act), which imposed an observation requirement on several specific fisheries, but not the one covered by the regulation. The Magnusen Act, which governs ocean shipping within 200 miles of the U.S. coast, included a broad agency delegation to take steps necessary and appropriate for the conservation and management of the fishery, Ruge explained. Similar delegations pertaining to necessary and appropriate steps exist “pretty much everywhere” in the U.S. Code, but now Loper Bright has shrunk the boundaries of permissible delegation.

Going forward, broad delegations of authority to agencies will be disfavored, Ruge continued. Language like “necessary and appropriate” will no longer pass muster. Consequently, Congress will have to rethink how it delegates. Loper Bright also raises significant concerns over what Congress should do with respect to all the existing broad delegations, which are unlikely to pass muster in future challenges.

The Supreme Court majority, at pages 17 and 18 of the slip opinion and in footnotes 5 and 6, describes potential permissible delegations, noted Ruge. An agency may exercise “a degree of discretion” in places where the authority was very precise and specific. Consequently, “broad and silent is out when it comes to authorizing delegation; specific and precise is in – and that is a very big change from the congressional perspective,” he remarked.

Chevron covered both statutory silence and ambiguity, added Chilakamarri. To pass muster under Loper Bright, there will have to be a sufficiently express delegation. There are likely to be big fights premised on footnotes 5 and 6 and how specific a delegation must be.

The Supreme Court is looking for very specific delegation. Broader delegations will be “on thin ice.” The delegation will have to be moored to something substantive in the statute, according to Hartman. For example, the Magnusen Act said the agency could regulate three specific segments of the industry – but it did not mention the herring industry. Thus, the question was whether it was permissible to promulgate a rule regulating a part of the industry that Congress did not include in the statute.

More Work for Courts

Expect a Tsunami of Lawsuits

Justice Ketanji Brown Jackson, in her recent dissent in Corner Post, Inc. v. Board of Governors of the Federal Reserve System, anticipates “a tsunami of lawsuits” against agencies that could cripple the federal government, said Ruge. Chevron applied everywhere. Thus, agency actions that were okay a week ago might not be acceptable now. The underlying rules have changed.

Loper Bright will prompt a significant amount of new litigation, agreed Chilakamarri, adding that the decision will affect the entire policy and legislative lifecycle, not just how courts review regulations.

Loper Bright is a monumental decision that will totally reshape administrative law, according to Leen. With the exception of Supreme Court decisions that applied Chevron deference, “I think it’s open season [on federal regulations], to be honest,” he remarked. “It’s going to be open season on federal regulations in a whole host of areas,” Fine agreed.

Better Odds for Rule Challengers

Before Loper Bright, if an agency issued a reasonable interpretation of a statute, a company might not risk the resources to challenge it knowing that Chevron put “a thumb on the scale.” Now, regulations reflecting interpretations “at the margins” of Congress’ intent are more likely to be challenged. The universe of potentially winnable cases has just gotten much larger.

There will also be more litigation over existing regulations, Chilakamarri added. Although the Supreme Court indicated that its existing decisions under Chevron will be subject to stare decisis, that doctrine did not keep the Court from overturning Chevron. Consequently, litigants may argue that previous decisions should be reevaluated.

More Time to Challenge Regulations

Corner Post held that the six-year statute of limitations under the Administrative Procedures Act (APA) is triggered, not from the date of adoption of a rule, but from the date when the alleged harm to the regulated party occurred, said Chilakamarri. This opens the door to new challenges to old rules.

Back to Statutory Construction Basics

Loper Bright has made judges’ jobs much more complicated, added Chilakamarri. Under Chevron, a court could defer to an agency. Now, a court must show precisely how it applied all the tools of statutory construction and arrived at a statutory interpretation. This will be especially challenging in cases calling for significant expertise.

Although a court is supposed to exercise independent judgment, if it does not have a sufficient understanding of the relevant area, it may end up deferring to an agency without necessarily saying so, Fine observed. Courts also have the authority to appoint experts and may solicit amicus briefs. Challenges to rules are likely to take a long time to resolve. They could also lead to some “really bum decisions” in cases involving highly technical issues.

Loper Bright is now controlling in all pending cases, added Fine. For example, if a district court decided a case applying Chevron and the case is now being appealed, the Court of Appeals must apply Loper Bright. In that event, since questions of law are reviewed de novo, the Court of Appeals could decide the issue or remand to the district court.

Impact on FCPA Compliance and Enforcement

Given the limited role of agency interpretation of the FCPA, Loper Bright is unlikely to have a significant effect on FCPA enforcement, noted Edmonds. However, the Supreme Court’s recent decision in SEC v. Jarkesy shifts cases to federal court from in-house administrative tribunals, which may affect SEC enforcement against individuals.

“Overall, I would anticipate the SEC will more thoroughly examine the types of cases that it brings, as individuals are more likely to challenge actions in a federal court setting rather than the SEC’s in-house forum (which is viewed as far more favorable to the SEC),” continued Edmonds. “This shift in setting will also likely lead to greater legal challenges on a variety of different topics that have so far gone undefined in FCPA enforcement – simply because more individuals will be willing to bring up these legal challenges.”

“Given the leverage the SEC and DOJ have against companies, I would continue to expect that nearly all companies will continue to settle cases rather than take FCPA cases to court,” opined Edmonds. He expects more significant arguments aimed at shaping open areas of law, including increased non-public exchanges of legal white papers between companies and U.S. enforcement agencies. Moreover, individuals will continue to assert legal challenges both in discussions with enforcement agencies and in public proceedings, he added.

See “Government Enforcers Explain Their Approach to Whistleblowers and VSD” (Jul. 17, 2024).

New Challenges for Agencies

Empowerment at Agencies’ Expense

A theme running through several recent Supreme Court decisions is that the Court wants to limit agencies’ authority and empower the three branches of government, noted Leen. Consequently, the judiciary is getting involved in what would previously have been considered policy-making issues. The Court is saying that more needs to happen at the congressional level. Its decision in Trump v. United States appears to give additional power to the president. This new empowerment comes at the expense of the agencies, which sit within the executive branch but have elements of all three branches.

Harder to Reverse Existing Regulations

Chevron gave agencies a license to change positions, Hartman said. Consequently, one of the first actions agency heads under a new administration often took was reversing regulations issued under the prior administration with which they did not agree. “A statutory ambiguity [became] a license authorizing an agency to change positions as much as it likes with unexplained inconsistency,” he noted.

Under Loper Bright, an incoming administration cannot change a regulation simply because it wants to, continued Hartman. An ambiguity in a statute does not give the agency the authority to do what it thinks best, even if reasonable.

Resources Needed to Defend Litigation

Agencies will need significant new resources to handle the wave of litigation Loper Bright is likely to spark, continued Hartman. Still, there will be many disappointed litigants. Courts have many statutory interpretation tools – and may find existing regulations to be consistent with the relevant statute.

Fix the APA?

Loper Bright is, at heart, a statutory interpretation case. The Supreme Court reasoned that the Chevron court had “defied the commands of the APA and turned the APA statutory scheme upside down,” said Hartman. Thus, Federal agencies could try to work with Congress to revise the APA.

Focus on Fact-Finding

Congress may “endow an agency with the power to make findings of fact, which are conclusive and not reviewable by the court,” noted Hartman. Given that agency findings of fact receive greater deference than interpretations of law, agencies might attempt to accomplish their regulatory goals through fact-finding rather than regulation.

Impact on Administrative Tribunals

A defendant in an administrative proceeding may now raise a Loper Bright argument, which will provide an additional ground for appeal, Leen noted. A strong Loper Bright argument could change the agency’s settlement posture, especially if the agency believes the defendant will take the case all the way to federal court.

Considerations for Companies

Selection of Favorable Forums

Companies aggrieved by agency action could seek to litigate in districts where they think they will get a more favorable interpretation of a statute, Fine observed. In Loper Bright, the solicitor general argued that this possibility could lead to lack of uniformity. In response, the majority observed that courts already apply Chevron in different ways. Litigants may also seek to use Loper Bright to attack other deference doctrines.

Quality Advocacy

In the post-Loper Bright world, the quality of advocacy will be especially critical, said Fine. Judges will be making decisions that agencies previously made. Because judges tend to be generalists, counsel will have to educate them in “very clear ways.” Counsel with the ability to do that are likely to have an edge. Amicus briefs will be particularly important in cases involving highly technical areas of law.

Although Loper Bright deals only with the APA and federal agencies, creative lawyers might be able to argue that state courts that adopted a Chevron-like approach should reconsider. “Loper Bright doesn’t bind those state courts, but it may surely persuade them,” said Fine.

Exhaustion of Administrative Remedies

Regulations will remain on the books until rescinded or declared invalid, observed Chilakamarri. Agencies will continue to issue regulations and fill gaps in statutes, even if they are eventually challenged. Agencies’ statutory interpretations will continue to govern day-to-day, said Leen. Courts are unlikely to issue national injunctions and may come to different conclusions. Consequently, aggrieved parties will still have to work through the administrative system and exhaust their administrative remedies. If a litigant ultimately does get to court, however, it has a better chance of having its view prevail.

Continued Compliance Practices

Loper Bright should not have a significant impact on how companies handle their international anti-corruption compliance programs, observed Edmonds. “Given the vast discretion that DOJ and SEC have over enforcement, companies should continue to carefully examine the guidance that DOJ provides (SEC has yet to provide much) and continually enhance their programs as the best compliance practices continue to evolve.” When designing compliance policies, companies should not focus solely on the U.S. legal system. They should “consider guidance and lessons from enforcement actions around the world,” he advised.

Additionally, most municipalities are likely to continue following an agency’s direction, added Leen. They generally want to avoid litigation with agencies, but larger cities may decide to challenge regulations in court if they feel a position is unreasonable or pushing the boundaries of a statute.

See “Thoughts From DOJ Experts on Using Data Analytics to Strengthen Compliance Programs” (May 22, 2024).

With the deluge of new data privacy and security legislation, alongside rapid growth in innovation, enforcement continues unabated, though the focus has shifted in some cases.

“If you interact with consumers, they’re probably going to catch what’s going on. And they’re going to let us know,” said Stevie DeGroff, Assistant Attorney General for Data Privacy & Cybersecurity for the Colorado AG’s Office, at the Practising Law Institute’s 25^th Annual Institute on Privacy and Cybersecurity Law, which took place in May 2024.

This article distills insights from DeGroff and other privacy and data security regulators who spoke during the program on recent enforcement actions, trends and best practices. The panel was led by Freshfields Bruckhaus Deringer partner Christine Lyon.

See “Measures for Complying With 19 (and Counting) State Privacy Laws” (Jul. 17, 2024).

FTC Enforcement Focus

It is an “overall goal of the agency” to recognize the limitations of the current notice and consent regime and create substantive consumer privacy protections in Federal Trade Commission (FTC) orders, said Benjamin Wiseman, associate director of the FTC’s Division of Privacy and Identity Protection.

Health Privacy at the Forefront

Health privacy has been a “fairly significant” focus for the FTC over the last year, noted Wiseman.

The effort started with the GoodRx resolution, which emanated from unauthorized disclosures of health information for advertising purposes and became the first case brought under the Health Breach Notification Rule (HBNR). GoodRx was followed by similar enforcement actions against BetterHelp, PreMom, Cerebral and Monument, and then further amendments to the HBNR, all predicated on the injurious use of embedded code, or pixels, that social media and other platforms permissibly place on websites to track user behavior.

GoodRx and those that followed illustrate that the reigning health law, the Health Insurance Portability and Accountability Act is not the only axe in the arsenal of health data protections, Wiseman emphasized.

The orders also show a broadening definition of health information beyond medications or diagnoses to include, for example, a visit to a website that provides mental health treatment.

Geolocation Data

In 2022, the FTC filed a since-amended lawsuit against mobile app platform Kochava, Inc. for allegedly selling geolocation data related to sensitive locations, including houses of worship and reproductive health clinics.

Geolocation also was the focus in April 2024 when the FTC banned X‑Mode, a data broker, from selling precise geolocation data such as individuals’ visits to sensitive locations like domestic violence shelters, a first-of-its-kind prohibition on not only preventing the sale of sensitive location data as “an unfair trade practice,” but also mandating general informed consent approvals from users, Wiseman said.

Another case quickly followed against InMarket, a data aggregator that was collecting and using precise and sensitive geolocation information for targeted advertising purposes but misleading users by claiming it was in exchange for prizes and access to discounts. As part of the settlement with the FTC, the company was barred from selling any location to third parties.

The FTC is “very focused on” sensitive geolocation data, and “consumers or companies that disclose and share that type of information should take note of these actions,” advised Wiseman.

See “Complying With the FTC’s Amended Safeguards Rule’s New Reporting Requirement” (Jan. 31, 2024).

California Champions Choice

At the state level, notable enforcement actions have targeted opt-out features, said Stacey Schesser, Supervising Deputy Attorney General for the Privacy Unit in the Consumer Protection Section for the California AG.

In February 2024, Schesser’s office filed the second-ever enforcement action under the California Consumer Privacy Act (CCPA), which resulted in a stipulated judgment where Doordash agreed to pay $375,000 to resolve allegations that it sold personal information of customers without notice or an opt-out. When Doordash provided the customer information to a third-party marketing co‑op in exchange for cross-platform advertising, it was considered a sale covered under the privacy law, Schesser said. The sale took place in January 2020, concurrent with the enactment of the CCPA.

“Once [Doordash] contributed this data to the marketing co‑op, it shot everywhere. And it was very difficult to untoast that toast, as we sometimes say in the privacy community. Once data is sold, you can’t really get it back,” Schesser explained, adding that one of the buyers was a data broker that further re‑sold the data several times over.

The Doordash case highlighted the importance of not just offering the right to opt out, but effectuating the choice. Sharing is selling, under the California law, and clearly communicating this to customers, as well as making it easy for them to choose whether to take part, is critical.

Another California regulator is focused on connected cars. In July 2023, the California Privacy Protection Agency (CPPA) announced a public review of connected vehicles and related practices to better understand data usage and consumer privacy rights, an investigation that is still ongoing, said Michael S. Macko, Head of Enforcement for the CPPA.

See “Employee Data Under the CPRA: Rights Requests, Privacy Policies and Enforcement” (Sep. 14, 2022).

Colorado Looks to Educate and Focuses on Inferences

Since the Colorado Privacy Act went into effect in July 2023, it has become clear that the public eager to report privacy oversights such as missing opt-out buttons and lacking privacy disclosures, DeGroff reported.

Certain privacy compliance tasks might not be high on the radar of smaller companies or those not in the headlines, but they are the tip of the iceberg for investigators. It is typically a sign when “the low-hanging fruit hasn’t been covered that there are other issues within the company and how they are following the Colorado Privacy Act and handling consumers’ data,” DeGroff said.

Still, DeGroff continued, Attorney General Philip Weiser has been focused on “flagrant fouls” rather than “ticky tack line violations.”

Cure Period Intended to Support

For many U.S. companies, privacy laws are a new concept and their small compliance programs are not built up like a larger multinational that only has to make “tweaks” to adjust to a state privacy law, observed DeGroff.

She explained that enforcement led by a cure period, in place through 2025, is a “a way to both educate and support companies as they come into compliance.”

Those companies remain in violation of the law despite the 60‑day cure are getting less grace, though, she cautioned.

Focus on Inferences As Sensitive Data

Colorado is focused on inferences that could reveal sensitive data. An individual piece of data “may seem innocuous,” DeGroff said, but if “it’s used to make an inference that reveals the sensitive data we’ve been talking about – healthcare, race, religion, sexuality . . . then it’s sensitive under our law.” Such inferences would require express affirmative consent from a user prior to data being processed.

More AI Regulation

Transparency around artificial intelligence (AI) is a growing concern for state lawmakers, especially as it relates to discrimination.

Although the technology is new, DeGroff and other panelists emphasized that some existing jurisprudence, such as discrimination laws, is dynamic enough to remain applicable. “Laws that have already existed apply to new technology,” DeGroff stated.

In the AI space, “you’re going to start to see states moving similarly to how they did on privacy,” and regulators are thinking about what protections need to be put in place now to protect the consumers, DeGroff continued.

Regulations should be viewed as an incentive for businesses to be thoughtful about how AI is used, the speakers advised. Part of that process entails conducting due diligence on AI information that is purchased from third parties.

The FTC is increasingly concerned about AI’s ability “to supercharge fraud,” Wiseman said, such as through voice cloning. But he is confident that existing laws have the flexibility to address those issues.

See our three-part series on AI for anti-corruption compliance: “Foundations” (Oct. 28, 2020), “Building a Model” (Dec. 2, 2020), and “Five Workarounds for Asymmetric Data Sets” (Feb. 3, 2021).

Lessons in Coordination

Collaboration is a hallmark of regulators’ enforcement and investigations. The panelists confirmed they are all in regular contact and support one another in their efforts.

In California, the coordination is built into the law with financial fines/penalties and injunctive relief, remedies available to both the AG’s Office and the CPPA. The main difference is in the form and forum. The AG goes directly through the court system, whereas the CPPA has an administrative law judge and the agency's five-member board. Macko credited Schesser with describing it as the equivalent of having “more cops on the beat.”

The CPPA and California AG are both driven by the pursuit of justice, deterrence and “helping the maximum number of Californians possible,” Macko said, adding that this coordination is modeled on the federal level.

The CPPA has “breadth but we have depth,” Schesser said, explaining that AGs have the ability to consider all possible laws, including state and federal privacy laws, and unfair competition law. “We have a pretty expansive lens when we’re looking at business practices in terms of how they’re protecting people’s privacy,” she added.

And while the $7,500 legislated limit per violation by the CCPA may sound inconsequential, “[d]o the math. Because of the number of violations and how that can quickly add up, it becomes quite substantial” and can serve to deter companies, Macko said.

Problems With Growth Over Governance

Across industries, smaller companies are prioritizing growth, “or at least the appearance of growth,” observed Macko, over long-term strategy and compliance in an effort to get acquired by larger firms. As a result, they are acquiring companies with liability, cautioned Macko, “because they didn’t know exactly what they were buying.”

Macko, who was previously in roles with the DOJ and the SEC, said he has watched this storyline play out in securities and fraud investigations and is now seeing it replicated in tech. “Perhaps [the scenario] is even magnified now, where there’s even more pressure to appear like a solid business and to grow and less incentive to comply,” he remarked.

Acquiring companies should look at privacy and compliance and follow the data to understand its destination, Macko urged.

Importance of Candid Conversations With Regulators

As more states pass privacy laws, more companies should expect to hear from regulators. If companies are cooperative, curious and responsive, even if it seems uncomfortable, it could work in their favor, the panelists agreed.

As a litigator, Macko said he understands the reluctance that some lawyers might have around sharing information with a regulator, especially when they do not know if the regulator will use it against their client, he said. Not all investigations lead to the worst-case scenario, however. If a company and its legal team are confident in the compliance program and practices, they can have a “more candid conversation” with a regulator, he suggested.

When a more candid exchange occurs between a company and regulator, it “usually leads to a much better result for a business. And it is a more efficient result usually for the government. So it tends to benefit all,” Macko added.

In the event of an FTC inquiry, companies should take the opportunity to contact the staff member listed on the letter and ask critical questions and even present pertinent facts, Wiseman advised. “Having some of those initial conversations early on can really set the stage for a smoother process for the investigation process.”

When consulting internal investigations, businesses need to make a judgement decision about how much information from those investigations they want to reveal to a regulator versus how much they want to protect as privileged, Macko acknowledged. In some cases, it may be helpful to bring in a nonprivileged internal investigation that can be revealed to a regulator to help build credibility in the business’s case, he suggested, cautioning that, though he has used this tactic, it is highly fact-specific and there is a lot of legal judgement that goes into structuring the approach.

Ultimately, the panelists emphasized, the regulators are looking to be in a position of service to both companies and consumers. The goal of an investigation is not to win a “big public splashy settlement,” DeGross said. It is to help a company achieve compliance with the law and transparency with the public.

“You would be surprised how often businesses think they can hide things,” DeGroff noted, sharing that her agency has already completed considerable research before an inquiry takes place. “We’re your friendly neighborhood regulator. We’re not necessarily the bad guy right away.”

See “How the FTC Non‑Compete Ban Could Impact CCOs and Other Top Executives” (May 22, 2024).

Kristin Mace, the former Chief of the Criminal Division in the U.S. Attorney’s Office for the Eastern District of New York (EDNY), has joined Covington’s white collar defense and investigations practice in New York as a partner.

Mace represents entities and individuals before domestic and foreign law enforcement agencies and regulators, as well as in court. Having spent more than 13 years as a federal prosecutor, she counsels companies, executives and boards of directors in investigations and litigation.

Mace specializes in matters involving anti-corruption and the FCPA, export controls and sanctions compliance, healthcare fraud, securities fraud, anti-money laundering and the Foreign Agents Registration Act (FARA). She also advises businesses and financial institutions on maintaining compliance with U.S. and international regulations, helping them operate effectively in global markets governed by complex laws and multiple oversight regimes.

Mace most recently served as Chief of the EDNY’s Criminal Division, where she supervised more than 115 Assistant U.S. Attorneys. She oversaw the investigation, prosecution and trial of high-profile white-collar cases involving issues such as foreign and domestic bribery, healthcare fraud, securities fraud, mail and wire fraud, money laundering, public corruption, material support to terrorist organizations, cyber crime and FARA violations.

For insights from Covington, see “Measures for Complying With 19 (and Counting) State Privacy Laws” (Jul. 17, 2024); and “Gartner’s Settlement for FCPA Violations in South Africa Raises Important Issues” (Jun. 21, 2023).