1. Planning for Uncertainty at the Consumer Financial Protection Bureau Update
David Felt – Privacy and Consumer Regulatory
In recent years, the CFPB has struck fear into the C-suites of financial services companies. The agency was extraordinarily active in rulemaking that addresses every aspect of lending, prepaid cards and arbitration clauses in consumer contracts.
From title pawn shops to the largest banks in the country, companies worried that a civil investigative demand, or CID, would arrive at their doors. Simply responding could impose heavy costs on companies. A notice of charges brings a Hobson’s choice of years of litigation or consenting to large penalties and restrictive orders. These charges were often unprecedented because the agency often finds it easier to do its regulating through enforcement actions rather than issuing regulations.
The change in administrations has caused a major shift in how the CFPB will regulate the financial services industry. New Acting Director Mick Mulvaney has been one of the agency’s most prominent critics. He has curtailed the CFPB’s activities in almost every area and completely undone the CFPB’s actions in some:
- Hiring is frozen.
- A moratorium has been imposed on new regulations.
- Existing regulations are being modified or effective dates extended.
- Enforcement investigations are on hold and undergoing review.
- Collection of personal information is halted.
This is all good news, but it is not time to cut back on compliance resources.
- The CFPB will not stop bringing enforcement actions forever.
- In some areas, state regulators, rather than the CFPB, will bring cases.
- The Federal Trade Commission likewise continues its enforcement activities; its authorities overlap with the CFPB.
- Also, federal prudential bank regulators have authority to enforce consumer laws against banks and their service providers.
- Finally, private rights of action have not gone away.
- Financial Services
- Investment Management
- Capital Markets
2. What was Old is New Again: Wage and Hour Rules under a New Political Regime
Jennifer Shelfer – Litigation Practice
After a federal court enjoined the new Department of Labor (“DOL”) rule that would have raised the salary threshold for exempt employees from $23,660 to $47,892 per year, the DOL has undertaken a new rulemaking process and asked the Fifth Circuit Court of Appeals to stay its pending appeal. Public commentary on the latest new rule was final last fall, and commentators are expecting the new proposed salary level threshold to land in the low $30,000s.
In late 2017, the DOL proposed to rescind its regulation requiring employers to ensure that tipped employees retain and not share their tips among other tipped or “back-of-the-house” employees. The new rule would permit tip-pooling so long as the employer pays its employees minimum wage and does not rely on the “tip credit” to satisfy a portion of its minimum wage obligation.
On January 5, 2018, the DOL also walked back its previous guidance on unpaid internships and adopted a pro-employer test that had been adopted in several jurisdictions. Previously, the DOL placed the burden on employers to prove six factors to establish that an internship was properly unpaid. While under the new seven-factor balancing test, there must still be some link to the intern’s education and training, the economic reality of the relationship is examined to determine who enjoys the “primary benefit” of the internship—the intern or the employer?
- Staffing and Recruiting
3. The EU’s General Data Privacy Regulation—Its Global Reach and Corporate Impact
Andrew Flake – Litigation Practice
The European Union’s General Data Privacy Regulation, or GDPR, is a detailed new privacy regulation with global reach and steep financial penalties. It will take effect on May 25th and is mandatory for not only (i) any company doing business in the EU but also (ii) any company collecting personal data from an EU resident. And the regulation will cover many U.S.-based businesses, because the EU understands “personal data” to extend to a broad range of information relating to an individual, whether concerning private, professional or public life. Personal data can include even a photo, an email address, or a computer’s IP address.
Regulated U.S. companies will be required to have new privacy and security systems in place, taking a number of specific steps to exercise control over personal data, to safeguard and protect it, to provide for its erasure in certain circumstances, and to notify supervisory authorities of serious breaches on an accelerated timetable of 72 hours where feasible. Financial penalties for non-compliance with these requirements are set at the higher of 20 million Euros or 4% of a company’s total worldwide annual revenue/volume for the preceding financial year.
Essential will be a documented and ongoing compliance program. An individual or team should be tasked with ensuring the company understands the GDPR, and how to conduct a risk assessment; classifying the location, custodians, and regulated status of data; evaluating and adjusting system architecture, and incorporating data privacy into the design of products and into default settings. For U.S. companies less accustomed to the European concept of personal data rights, effective compliance will especially involve additional training of personnel and ongoing reinforcement of the GDPR’s privacy principles.
- Financial Services
- Real Estate
4. Health Information Privacy: Compliance is Key (And Not Just for Healthcare Providers)
Madison Pool – Healthcare Practice
Health information privacy has received significant attention from consumers, the media, and the government in recent years. It will remain an important concern in 2018 not just for healthcare providers and insurers, but also for companies that provide a health plan or wellness program to their employees, companies that provide products or services to healthcare providers, and, increasingly, companies developing innovations such as mobile health applications and wearable devices.
When thinking about health information privacy, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is the primary law that comes to mind. Even non-“healthcare” organizations frequently discover that they have access to HIPAA-protected health information, often via their health plan or when they more closely evaluate their customer relationships. In addition to HIPAA, employers should be mindful of general privacy requirements and best-practices from the Federal Trade Commission and the states.
Non-compliance with health information privacy protection requirements can result in substantial financial liability for employers. For example, in 2017, the average payment resulting from HIPAA enforcement actions announced by the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) was $1.9 million (with a range of $31,000 to $5.5 million). Despite headlines about hacking, ransomware, and stolen devices, most of the OCR enforcement actions cited violations that were largely accidental or easily preventable. Further, contractual indemnification provisions and data breach insurance often will not cover penalties that are assessed for broader compliance deficiencies identified following an investigation of a discrete breach or complaint. Accordingly, employers should identify if and how their organizations have access to health information and evaluate and solidify their privacy protections.
- Financial Services
- Electronic Manufacturing
5. Cybersecurity and Data Breaches: 2018 Brings Increased Challenges
Kevin Coy – Privacy and Consumer Regulatory
The challenges posed by cybersecurity and data breaches continue to intensify. In-house counsel have an important role to play in helping their organizations defend against data breaches, develop incident response plans and guide their companies should a breach occur. Cyber insurance also continues to evolve, making it important for a company to carefully consider its coverage.
Risks to personal and corporate data continue to proliferate and the scope can be staggering. In January 2018, for example, it was announced that flaws had been discovered in the security of multiple brands of computer processing chips dating as far back as 1995. These flaws—named Spectre and Meltdown—reportedly affect chips produced by Intel, AMD, and ARM to varying degrees, creating vulnerabilities potentially affecting billions of devices worldwide. The chip manufacturers, as well as Microsoft, Apple and other technology companies, have been working to develop and deploy patches intended to mitigate if not completely fix the vulnerability created by the flaws. The past year also has seen a continued proliferation of data breaches, some quite large. A breach suffered by Equifax potentially exposed the personal information of approximately 145.5 million individuals. Yahoo! reported that its data breaches were far larger than initially reported, increasing its estimate of affected accounts from 1 billion to 3 billion.
As breaches become larger and more complex, so too do the challenges for affected companies. States continued to revise and expand data breach notification obligations in 2017, with at least 30 states considering new breach requirements. New Mexico became the 48th state to adopt a data breach statute and others states, including Maryland, Delaware, Tennessee, and Virginia, joined the roster of states that have amended their data breach statutes in recent years to expand the types of personal data that can trigger notice obligations by private entities, shortened reporting timelines, revisited encryption safe harbors, or made other modifications. Pressure also continues to grow for companies to disclose potential data breaches more quickly. The European Union’s new General Data Protection Regulation, for example, sets a benchmark for notice to regulators within 72 hours of the data controller’s discovery of the breach.
- Financial Services
- Government Administration
6. Addressing Claims of Sexual Harassment After #MeToo
Ashley Kelly – Employment Practice
In recent months, the news has been rife with reports of public figures – including Harvey Weinstein, Matt Lauer, Kevin Spacey and Al Franken – being accused of sexual harassment. In the wake of these scandals, the #MeToo movement exploded on social media, with millions of women and men expressing that they too have been victims of some sort of sexual misconduct. Across the country and in virtually all industries, from water coolers to board rooms, issues of sexual harassment and gender discrimination more generally have risen to the forefront of our national consciousness.
As a result of these developments, employers should anticipate an increase in the number of sexual harassment claims and review their equal employment opportunity practices with a fresh eye. Certainly, businesses should ensure that their harassment policies are up-to-date and legally compliant, with clear statements of the types of behavior that are improper, adequate channels for employees to report concerns, and meaningful protections against retaliation. Furthermore, employers should train their workforce so that all employees understand their rights and responsibilities when confronted with behavior that is inappropriate or unlawful. When complaints are lodged, employers must perform thorough investigations and be committed to taking appropriate remedial action.
With that being said, these scandals have emphasized that the potential legal liability caused by harassment in the workplace, while substantial, is not the only risk that employers must address. Rather, they also must be mindful of significant business issues, including immense and immediate negative publicity, morale problems and employee retention difficulties, that may result from sexual harassment and other forms of gender discrimination. Thus, it has become clear that in 2018 and beyond, employers must not only strive for legal compliance, but must strengthen their commitment to fostering cultures of inclusion and respect at all levels of the organization.
7. Tax Reform Highlights
Damian Hovancik –Tax Practice
On December 22, 2017 the President signed into law the tax reform bill H.R.1 (known as the “Tax Cuts and Jobs Act”; the Act for purposes of this Article). The Act impacts virtually every business owner and corporation. It provides significant changes in how corporations and so called pass-through entity owners are taxed (owners of interest in partnerships, limited liability and S corporations). This Article will only cover a few significant changes impacting companies and their owners. Any changes to the international tax rules are significant and important but are beyond the scope of this Article.
New Corporate Tax Rate
The one significant benefit to corporations is the reduction in corporate tax rates. The highest marginal corporate tax rate was 35% under prior law and is reduced to a flat 21% rate. The corporate Alternative Minimum Tax was also repealed. The new corporate rate will make the U.S. corporate tax rate competitive with other developed country tax rates. Individual tax rates applicable to pass-through entity owners were also revised, but the individual rates, unlike the new corporate rate, are not permanent and return to prior law levels in 2026.
Expensing Of Investments In Property
Changes have been made to allow for a greater amount of full expensing of investments in certain tangible personal property and qualified real property (generally for certain improvements to nonresidential real property). The Act also increases a business’ ability to take “bonus” depreciation in the year of acquisition from 50% of the cost of property to 100% of the investment in certain new and used property. This change generally applies to property acquired between September 28, 2017 and December 31, 2022. The 100% bonus depreciation allowed with respect to the qualified property will then phase down each year by 20% per year until it is no longer available in 2028.
Limitation On Business Interest Deductions
The Act limits the ability to deduct business interest expense to the sum of (i) business interest income and (ii) 30% of “adjusted taxable income”. For tax years beginning after December 31, 2017 and before January 1, 2022, when determining adjusted taxable income a taxpayer must add-back interest, depreciation and amortization expenses. This add-back is not available in later tax years which may negatively impact highly leveraged businesses’ ability to deduct interest expense. Certain trades or businesses with average gross receipts of less than $25 million (for a specified three year period) are not subject to this limitation. Certain real property trades or businesses can elect out of the application of this limitation which provides a significant benefit to developers and investors in the real estate industry.
Deduction For Qualified Business Income
Under the Act, for tax years beginning after December 31, 2017 and before January 1, 2026, individual owners of pass-through entities (not corporate owners of such entities) will be allowed a deduction of 20% of the taxpayer’s qualified trade or business income passed-through from any entity. This deduction is limited to the greater of (i) 50% of the entity’s W-2 wages that are attributable to the trade or business or (ii) 25% of such wages plus 2.5% of the entity’s tax basis in its qualified property. The latter limit appears to be intended to provide a deduction for certain businesses which are capital intensive such as real property investments. If the taxpayer does not have taxable income in excess of certain thresholds ($157,500 in the case of an individual taxpayer and $315,000 for joint filers) the limits above do not apply. Above these thresholds, the W-2 limitation phases in over the next $50,000 of income for individual taxpayers and $100,000 in the case of joint filers. It is possible that this deduction could produce a top ordinary income tax rate of 29.6% for such income (assuming they are in the highest individual marginal bracket of 37%).
The deduction is generally (subject to availability at certain taxable income levels) not allowed to owners of trades or businesses engaged in certain specified service businesses, including where the “principal asset of such trade or business is the reputation or skill of 1 or more of its employees or owners…” The specified services includes, health, law, accounting, actuarial science, performing arts, athletics, brokerage services, financial services, brokerage or consulting. There is currently no guidance interpreting when a trade or business is one whose principal assets is based on reputation or skill. Owners of pass-through entities that produce specified service income can take the deduction if their taxable income is below the thresholds described above. The amount of the deduction is phased out in the case of taxable incomes of between $157,500 and $207,500 for individual taxpayers and between $315,000 and $415,000 for joint filers, so that such taxpayers receive no deduction after the top taxable income number.
For at least the last two administrations, as well as the current one, there have been proposals to repeal the so-called “carried interest” rules. These rules generally allow a developer or fund principals or managers to receive an interest in a partnership essentially for the services they will provide in developing real property or investing in portfolio companies (or other securities) and upon sale or liquidation of such partnership interest receive long term capital gain treatment for any gain recognized and apply the lower capital gain’s tax rate to such income (the “carried interest”). Any repeal would have treated such income as ordinary income or short term capital gain requiring the application of the much higher ordinary income tax rates. The Act, although it does not repeal this benefit, does require these service providers to hold the interest in the partnership for at least three years to receive such benefit. This change does not appear to apply to the executives or managers receiving a carried interest in the portfolio companies in which the funds invest. Also, the holding period requirement should not apply to capital interests in any fund or partnership to the extent such interest only provides a return commensurate with other capital contributed to the fund or partnership.
Limitations On Losses
The Act limits the use of net operating losses (“NOLs”) to 80% of taxable income, effective with respect to losses incurred in tax years beginning after December 31, 2017. The Act also eliminates the current NOL carryback rules. In addition to these changes to the NOL rules, the Act imposes a new limitation on “excess business losses” that prevents individual taxpayers from offsetting more than $ 250,000 of such losses in the case of individual filers and $500,000 in the case of joint filers, from other income of the taxpayer that is not from a trade or business. These so-called excess business losses can be carried forward to the following taxable year and then treated as an NOL subject to the limitation described above for NOLS.
This represents only an important fraction of the changes that the Act has made impacting corporations and business owners. There is much uncertainty that needs to be addressed because of the number of affected taxpayers, but without further Congressional funding for the IRS the guidance may not be forthcoming and will make the provisions of the Act challenging to implement and administer. Competent advice will be required to wade through the Act and provide practical solutions to clients.