Does Your Company Discourage Employees from Being Whistleblowers? The SEC May Think So!
The Dodd-Frank Wall Street Reform and Consumer Protection Act, which was enacted in 2010 in response to the 2008 financial crisis, added protections for whistleblower activity to the Securities Exchange Act of 1934 (“Exchange Act”). Specifically, Section 21F of the Exchange Act and the related Securities and Exchange Commission (SEC) rules (collectively, “Section 21F”), provide protections to employees and other persons who report possible violations of securities laws to the SEC. Section 21F created a bounty program whereby, if a whistleblower’s tip leads to an enforcement action, then, in some cases, the whistleblower can receive a percentage of the sanctions collected by the SEC. Section 21F also prohibits any action that could “impede an individual from communicating directly with the [SEC] staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement…with respect to such communications.”[1]
SEC Enforcement Activity
The SEC has brought over 32 enforcement actions against both public and private companies for violations of Section 21F, with many actions alleging that provisions in certain agreements between the companies and their employees impeded the employees from reporting possible violations to the SEC. For example:
In June 2022, the SEC settled with The Brink’s Company regarding the terms of its confidentiality agreements entered into as a part of the company’s onboarding process, which prohibited employees from sharing the company’s confidential information with any third party without the prior written authorization the company. The SEC found that this language violated Section 21F because it did not include a carveout that would permit confidential information to be shared with the SEC without the prior approval of the Company, which could impede an employee’s ability to report potential violations to the SEC.[2]
In September 2023, the SEC settled with privately-held Monolith Resources LLC regarding the terms of its separation agreements with former employees that required them to “waive their rights to monetary whistleblower awards in connection with filing claims with or participating in investigations by government agencies.” These agreements explicitly stated that the agreement was not intended to in any way prevent or limit the former employee from participating in any investigation, but the SEC found that the language still impeded employees from participating in the SEC’s whistleblower program “by having employees forego important financial incentives that are intended to encourage people to communicate directly with SEC staff about possible securities law violations.”[3]
In September 2024, the SEC settled Section 21F charges with seven public companies, including a charge against Acadia Healthcare Company Inc. over language in its employee separation agreements that required employees to represent that they had not filed any complaints or charges with any agency or court, and agree they would not file any complaints with an agency or court relating to events prior to the date of the agreement. The SEC found that this could be interpreted as preventing former employees from reporting suspected securities law violations to the SEC.[4]
An important note worth highlighting is that, in all of the above cases, the SEC did not find that any whistleblower had actually been (or even claimed to have been) deterred from making a report to the SEC by the language in question or that the company had ever tried to enforce such language – rather, the enforcement action was brought merely because the language existed.
What You Should Do Now
As evidenced by the seven settlements that the SEC entered into on a single day in September 2024, whistleblower language continues to be a focus of SEC enforcement actions. Additionally, a number of publicly-traded companies have received demand letters from shareholders requesting revisions to publicly-filed agreements that the shareholders assert violate Section 21F and seeking access to books and records to investigate whether other agreements or policies exist that would violate Section 21F.
Because of the SEC’s increased focus on whistleblower language and the rise of demand letters, all companies, but particularly public companies, should review their employment, separation, and similar agreements with employees and contractors, as well as equity incentive and severance plans and award or participation agreements, to ensure they do not contain any language that could potentially be interpreted as impeding whistleblower activity. While the SEC enforcement actions appear currently to be focused on employee agreements, we note that Section 21F applies to any person, not just employees, so companies may also wish to consider reviewing their customer, supplier, investor, and other agreements for similar problematic language.
Whether any specific language in an agreement violates Section 21F will depend on the specific scope and substance of the provision. However, a non-exhaustive list of potentially problematic provisions include those that:
Prohibit the use of the company’s confidential information for any reason without appropriate carveouts or limitations;
Prohibit an individual from making any potentially disparaging remarks to any third party without appropriate carveouts or limitations;
Prohibit an individual from filing a report or complaint about the company with the SEC;
Require an employee to provide notice (advance or otherwise) to the company before or after contacting, meeting with, or disclosing confidential information to, the SEC; or
Require an individual to waive the individual’s right to recover a monetary award for participating in an SEC investigation relating to a securities law violation.
[1] 17 CFR § 240.21F-17(a).
[2] The Brink’s Company, Securities Exchange Act Rel. No. 95138 (June 22, 2022).
[3] Monith Resources, LLC, Exchange Act Rel. No. 98322 (September 8, 2023).
[4] Acadia Healthcare Company, Inc., Exchange Act. Rel. No. 100970 (September 4, 2024).
FTC Secures $5.68M HSR Gun-Jumping Penalty From 2021 Deal
Go-To Guide
FTC announced a $5.68 million penalty against Verdun Oil Company II LLC, XCL Resources Holdings, LLC, and EP Energy LLC for premature control of EP Energy during their 2021 transaction.
FTC took issue with the exercise of certain consent rights and coordination of sales and strategic planning with EP Energy before the deal closed.
The settlement also requires that for the next decade, the companies appoint an antitrust compliance officer, conduct annual antitrust training, and use a “clean team” agreement in future transactions.
The case highlights that maintaining independent operations pre-close is critical, regardless of the merits review of a transaction by the antitrust authorities.
On Jan. 7, 2025, the Federal Trade Commission, in conjunction with the Department of Justice Antitrust Division (DOJ), settled allegations that sister companies Verdun Oil Company II LLC (Verdun) and XCL Resources Holdings, LLC (XCL) exercised unlawful, premature control of EP Energy LLC (EP) while acquiring EP in 2021. This alleged “gun-jumping” HSR Act violation involved Verdun and XCL exercising various consent rights under the merger agreement and coordinating sales and strategic planning with EP during the interim period before closing.
In settling, the parties agreed to pay a total civil penalty of $5.68 million, appoint or retain an antitrust compliance officer, provide annual antitrust trainings, use a “clean team” agreement in future transactions involving a competing product, and be subject to compliance reporting for a decade.
Background
Under the HSR Act,1 an acquiror cannot take beneficial ownership of a target prior to observing a waiting-period, which allows the DOJ and FTC to investigate the transaction’s potential impact on competition in advance of any integration. During the pre-close period, parties to a proposed transaction must remain separate, independent entities and act accordingly. Penalties for HSR Act violations are assessed daily, currently at a rate of $51,744 for each day a party is in violation (amount adjusted annually for inflation).
In July 2021, Verdun and XCL agreed to acquire EP’s oil production operations in Utah and Texas for $1.4 billion. The transaction was subject to the HSR Act’s notification and waiting-period requirements. The transaction closed in March 2022 after an FTC investigation, with a consent decree settlement that required divesting EP’s entire Utah operation (an area where XCL also operated as an oil producer).
The FTC’s current complaint asserts that immediately after signing, Verdun and XCL unlawfully began to assume operational control over significant aspects of EP’s day-to-day business during the HSR Act review period. The complaint alleged Verdun and XCL
required EP to delay certain production activities in return for an early deposit of a portion of the purchase price;
exercised consent rights to discontinue new wells EP was developing;
agreed to assume financial risk of production shortfalls arising from EP’s commitments to customers, and then began coordinating sales and production activity with EP, which included receiving detailed information on EP’s pricing, volume forecasts, and daily operational activity;
required changes to EP’s site design plans and vendor selection;
exercised consent rights for expenditures above $250,000, which the complaint alleged inhibited EP’s ability to conduct ordinary course activities, such as purchasing drilling supplies or extending contracts for drilling rigs; and
exercised consent rights for lower-level hiring decisions, such as for field-level employees and contractors for drilling and production operations.
The complaint also criticized EP for taking “no meaningful steps to resist” XCL and Verdun’s requests for competitively sensitive information and “making no effort” to limit XCL and Verdun employees’ access or use of information, including data room information.
The alleged gun-jumping conduct occurred for 94 days, from July to October 2021, when an amendment to the agreement allowed EP to resume independent operations.
Takeaways
Gun-Jumping Enforcement is a Bright-Line Issue. The FTC’s action against Verdun, XCL, and EP is consistent with the conduct and “bright-line” enforcement approach in past gun-jumping cases—meaning the agencies will bring an action regardless of the magnitude of the impact on commerce. For example, in 2024, the DOJ brought an action against a buyer involving pre-closing bid coordination;2 in 2015, the DOJ brought an action involving the closing of a target’s mill and transferring customers to the buyer pre-close;3 and in 2010, the DOJ brought an action involving the exercise of merger agreement consent rights with respect to three ordinary course input contracts, one of which represented less than 1% of capacity.4
Significant Penalties May Ensue Regardless of Closing. Even though the parties resolved substantive concerns about the merger with a divestiture, they will have to pay a significant penalty for the gun-jumping violation. Though parties settled for an estimated 40% discount off the statutory maximum penalty, the FTC assessed the penalty to both the buy-side and the sell-side, which, since the deal has closed, leaves the buyer with the full obligation. In the past, both sides have also been assessed in abandoned deals and the authorities also have sought disgorgement when there are financial gains because of the violation.5
Consider Covenants that Allow for Ordinary Course Activities. Sellers should ensure they retain the freedom to operate in the ordinary course of business in purchase agreement interim covenants, which in turn maintains the competitive status quo remains while the deal is pending. As illustrated by this case, parties should be concerned with both the conduct that is allowed—e.g., entering into ordinary contracts, maintaining relationships with customers, or making regular hiring or investment decisions—and the dollar thresholds for any consent rights (ensuring they are sufficiently high).
Clean Team Process Needed Pre- and Post-Signing with Overlap. The FTC criticized EP as the seller for failing to impose restraints on the information it provided for diligence and post-close integration planning. The consent decree settlement obligates the parties to use a “clean team” process for future transactions with product or service overlap that antitrust counsel supervises. It also specifies that information shared must be “necessary” for diligence or integration planning, and where competitively sensitive, not be accessible by those with “direct[] responsibil[ity] for the marketing, pricing, or sales” of the competitive product.
Consult Antitrust Counsel Before Exercising Consent Rights. Even where the parties have agreed to certain interim covenants to protect the acquired assets’ value, the facts and circumstances at the time of exercise should be carefully considered for their impact on the seller’s competitive activities. Accordingly, parties are best served to seek the advice of antitrust counsel prior to either seeking consent or responding to a request for consent. A proactive approach may help avoid delays to closing and penalties.
1 15 U.S.C. § 18a.
2 U.S. v. Legends Hospitality Parent Holdings, LLC.
3 U.S. v. Flakeboard America Limited, et al.
4 U.S. v. Smithfield Foods, Inc. and Premium Standard Farms, LLC.
5 See U.S. v. Flakeboard America Limited, et al.
Key Legal Developments on Enforcement of the Corporate Transparency Act
In recent weeks, significant developments have unfolded regarding the implementation of the Corporate Transparency Act (CTA) and its beneficial ownership information (BOI) reporting requirements to the Financial Crimes Enforcement Network (FinCEN), which remain subject to a nationwide injunction.
As discussed in our previous Alert, on December 3, 2024, the U.S. District Court for the Eastern District of Texas granted a nationwide preliminary injunction in Texas Top Cop Shop, Inc., et al. v. Garland, et al., temporarily halting enforcement of the CTA and its BOI reporting requirements, including the January 1, 2025, filing deadline. The U.S. Department of Justice (DOJ) appealed, requesting a stay of the injunction or, alternatively, a narrowing of the injunction to apply only to the named plaintiffs and members of the National Federation of Independent Business.
In a flurry of year-end decisions, a panel of the Fifth Circuit Court of Appeals granted DOJ’s emergency motion on December 23, 2024, lifting the injunction. Three days later, a separate Fifth Circuit panel reversed the earlier decision, vacating the stay and reinstating the nationwide injunction. As a result, FinCEN again updated its guidance, stating that reporting companies may voluntarily submit BOI filings but are not required to do so during the pendency of the injunction.
On December 31, 2024, DOJ filed an emergency “Application for a Stay of the Injunction” with the U.S. Supreme Court, seeking to stay the injunction pending the Fifth Circuit’s review of the matter. Alternatively, DOJ invited the Court to “treat this application as a petition for a writ of certiorari before judgment presenting the question whether the district court erred in entering preliminary relief on a universal basis.”
The ongoing legal challenges have left the status of the BOI reporting requirement in flux. For the time being, unless the Supreme Court intervenes, the nationwide injunction is likely to remain in place through at least March 25, 2025, the scheduled date for oral arguments before the Fifth Circuit. Businesses that have not yet complied with the reporting requirements should remain alert to any changes. If the injunction is lifted, or if the Supreme Court grants a stay, reporting companies may be required to submit their beneficial ownership information promptly, subject to any deadline extensions provided by FinCEN. In the meantime, voluntary submissions of BOI reports to FinCEN are still accepted, but companies should be prepared to meet any new deadlines should the situation change. The next few months could prove critical for the future of the CTA and its enforcement.
Keeping Fraud Out of Research: Government Grant Whistleblower Awarded Over $200,000
A whistleblower recently played a pivotal role in exposing research misconduct, leading to a $4 million settlement from Athira Pharma Inc. under the False Claims Act. This case highlights the importance of safeguarding government-funded research and enforcing transparency in scientific investigations. Whistleblowers contribute to protecting taxpayer dollars, and under the qui tam provision of the False Claims Act, they may be entitled to 15-25% of the government’s recovery.
The Case Against Athira Pharma Inc.
The Bothwell, Washington-based biotechnology company allegedly failed to disclose research misconduct to the National Institutes of Health (NIH) and the Department of Health and Human Services (HHS) Office of Research Integrity. Athira’s former CEO, Leen Kawas, allegedly manipulated scientific images in her dissertation and published works. These publications were then referenced in multiple grant applications submitted to the NIH, one of which led to a successful grant award in 2019. The timeline of the alleged misconduct spans from January 1, 2016, to June 20, 2021, during which Athira violated its regulatory obligations to disclose these concerns.
The Role of the Whistleblower in Exposing Fraud
Whistleblower Andrew P. Mallon, Ph.D. filed the case under the qui tam provisions of the False Claims Act. The False Claims Act allows private individuals to act on behalf of the U.S. government and bring attention to fraudulent claims submitted to government programs. For his role in uncovering the misconduct, Dr. Mallon is set to receive $203,434 as part of the settlement.
Taxpayer Dollars and the Impact of Research Misconduct
This case underscores the need for ethical conduct in government-funded research programs. When federal agencies such as the NIH distribute grants, they trust recipients to provide accurate and truthful information. Any form of fraud, including the manipulation of research data, not only undermines the scientific process but also wastes public funds. As the Principal Deputy Assistant Attorney General said about the case, “The partnership between the scientific community and the federal government is built on trust and shared values of ethical scientific conduct.”
Why the False Claims Act Matters
The False Claims Act remains one of the U.S. government’s most effective tools for recovering taxpayer funds lost to fraud. Originally enacted to combat fraud against military supplies during the Civil War, the False Claims Act has since evolved to encompass broader areas of misconduct, including government research grants, healthcare programs, and other federally funded activities.
The CTA Is Dealt Another Blow
As has been widely reported, U.S. District Court Judge Amos L. Mazzant in early December of last year preliminarily enjoined the CTA and its implementing regulations. Texas Top Cop Shop, Inc. v. Garland, 2024 WL 5049220 (E.D. Tex. Dec. 5, 2024). This led to an off again/on again series of decisions from the Fifth Circuit Court of Appeals and a pending application for a stay of the injunction to the U.S. Supreme Court. See Seriously, The CTA Imposes Only “Minimal Burdens”? A response was filed with the Supreme Court last Friday as well as a plethora of amicus briefs.
In a further wrinkle, U.S. District Court Judge Jeremy D. Kernodle in the Easter District of Texas has also issued an injunction, finding with respect to the risk of irreparable harm:
Compelling individuals to comply with a law that is unconstitutional is irreparable harm. BST Holdings, LLC v. OSHA, 17 F.4th 604, 618 (5th Cir. 2021) (“For individual petitioners, the loss of constitutional freedoms ‘for even minimal periods of time … unquestionably constitutes irreparable injury.’ ” (quoting Elrod v. Burns, 427 U.S. 347, 373, 96 S.Ct. 2673, 49 L.Ed.2d 547 (1976))); Carroll Indep. Sch. Dist. v. U.S. Dep’t of Educ., ––– F.Supp.3d ––––, ––––, 2024 WL 3381901, at *6 (N.D. Tex. July 11, 2024) (noting that “the potential to infringe on constitutional rights” is “per se irreparable injury”); Top Cop Shop, ––– F.Supp.3d at ––––, 2024 WL 5049220, at *15 (“[I]f Plaintiffs must comply with an unconstitutional law, the bell [of irreparable harm] has been rung.”). And, as noted above, Plaintiffs have demonstrated that the CTA is likely unconstitutional.
Additionally, incurring unrecoverable costs of compliance with federal law constitutes irreparable harm. Wages & White Lion Invs., LLC v. FDA, 16 F.4th 1130, 1142 (5th Cir. 2021). And, here, Plaintiffs must expend money to comply with the reporting requirements of the CTA, which is unlikely to be recovered since “federal agencies generally enjoy sovereign immunity for any monetary damages.” Id.; Docket No. 7-1 at 3–4; Docket No. 7-2 at 3–4. Compliance with the CTA also requires Plaintiffs to provide private information to FinCEN that they otherwise would not disclose. Docket No. 7-1 at 4; Docket No. 7-2 at 4. The disclosure of such information is a type of harm that “cannot be undone through monetary remedies.” See Dennis Melancon, Inc. v. City of New Orleans, 703 F.3d 262, 279 (5th Cir. 2012); Top Cop, ––– F.Supp.3d at ––––, 2024 WL 5049220, at *15 (“Absent injunctive relief, come January 2, 2025, Plaintiffs would have disclosed the information they seek to keep private …. That harm is irreparable.”).
Smith v. United States Dep’t of the Treasury, 2025 WL 41924, at *13 (E.D. Tex. Jan. 7, 2025). Stay tuned.
Government Outlines Qui Tam’s Constitutionality in Detailed Brief to Eleventh Circuit
On January 6, the U.S. federal government filed a brief in U.S. ex rel. Zafirov v. Florida Medical Associates urging the U.S. Court of Appeals for the Eleventh Circuit to reverse a district judge’s ruling in a qui tam whistleblower case. In September, the U.S. District Court for the Middle District of Florida ruled that the False Claims Act’s qui tam provisions are unconstitutional, threatening to undermine the United States’ number one anti-fraud law.
The district court ruling found that the qui tam provisions were unconstitutional because they violated the Appointments Clause of Article II. The court ruled that by filing a qui tam lawsuit alleging Medicare fraud, whistleblower Clarissa Zafirov was granted “core executive power” without any “proper appointment under the Constitution.”
In its brief, the government claims that “other than the district court here, every court to have addressed the constitutionality of the False Claims Act’s qui tam provisions has upheld them.” It therefore urges the Eleventh Circuit to “join that consensus and reverse the district court’s outlier ruling.”
The government points to the Supreme Court decision in the 2000 case Vermont Agency of Natural Resources v. United States ex rel. Stevens, which held that the False Claims Act’s qui tam provisions are consistent with Article III. This decision “makes clear that relators do not exercise Executive power when they sue under the Act,” the brief states. “Rather, they are pursuing a private interest in the money they will obtain if their suit prevails. As private litigants pursuing private interests, relators are not enforcing federal law in a manner inconsistent with the Vesting and Take Care Clauses and need not be appointed in the manner required by the Appointments Clause.”
The brief further clarifies that while a relator’s qui tam suit “may also vindicate a federal interest in remedying and deterring fraud on the United States” “they are distinct from the government’s enforcement efforts even though they can supplement those efforts.”
The government additionally argues that qui tam relators are not government officers; do not exercise significant government authority due in part to the numerous statutory constraints which allow the government to “ensure that qui tam actions are consistent with its own priorities for the enforcement of federal law;” and do not occupy a continuing position since their role “is limited in time and scope, confined to a particular case, and fundamentally personal in nature.’
Further referencing Stevens and the Supreme Court’s emphasis on the long history of qui tam statutes in that decision, the government details “the prevalence of early qui tam statutes and the body of evidence that such statutes were understood to be constitutional.”
“The historical record.. suggests that all three branches of the early American government accepted qui tam statutes as an established feature of the legal system,” the brief states.
Overall, the government provides a detailed and comprehensive overview of the constitutionality of the False Claims Act’s qui tam provisions, rooted in both prior court precedent and the historical record.
NYDFS Urges Companies to Exercise Caution Due to Threats Posed by Remote Workers with Ties to North Korea
The New York Department of Financial Services (“NYDFS”) recently cautioned regulated entities to be aware of individuals applying for remote technology-related positions due to an increase in reported threats from North Korea. Threat actors have repeatedly attempted to access company systems and illegally generate revenue for North Korea under the guise of seeking remote Information Technology jobs at U.S. companies.
According to the NYDFS, these applicants often pose as individuals from the U.S. and other countries, using false and stolen identities and proxy accounts that belong to U.S.-based individuals, some of whom may knowingly sell their identities, assist with account creation, and participate in required pre-employment drug screening tests. Applicants use a variety of other tactics to hide their location and/or identity, such as using virtual private networks (“VPNs”) to make it appear that they originate and reside in U.S.-based locations when applying for telework positions, avoiding video or in-person conferencing, and asking for devices to be shipped to different locations pre-employment.
The NYDFS urged companies to take several steps to protect their systems from threat actors, including:
Raising awareness of this threat among senior executives, information security personnel third-party service providers, and human resources through targeted training;
Conducting due diligence during the hiring process by implementing stringent background checks and identity verification procedures;
Utilizing technical and monitoring controls, including procedures to track and locate corporate laptops and cellphones to ensure that they are delivered and remain at the initially reported residence, and flagging events related to location (e.g., change of address);
Limiting remote employees’ access to systems and data necessary to perform their jobs; and
Notifying the FBI’s Internal Crime Complaint Center if the company suspects that a remote worker is engaging in a fraudulent remote work scheme.
The NYDFS guidance provides additional detail and examples for implementing each of these steps. Federal agencies are also pursuing the IT worker threat, including the U.S. Departments of State and Treasury, and the Federal Bureau of Investigation.
NHTSA Adopts Final Rule to Formalize its Whistleblower Program under the Motor Vehicle Safety Whistleblower Act
On December 17, 2024, the National Highway Traffic Safety Administration (“NHTSA” or “Agency”) adopted a final rule to formalize its whistleblower program under the Motor Vehicle Safety Whistleblower Act (Whistleblower Act).[1] Under the final rule, which adopts the April 14, 2023[2] proposed rule without significant changes, whistleblowers who share original information related to violations of NHTSA’s regulations could receive an award between 10% and 30% of any civil penalties over $1 million paid by the violating entity.
To qualify for this bounty, the whistleblower must provide original information – information that is derived from independent knowledge or analysis that is not already known to the U.S. Department of Transportation (U.S. DOT) or NHTSA. The information cannot be exclusively derived from an allegation made in a judicial or administrative proceeding or other outside source (such as a government report or investigation, or a media report). Whistleblowers must also first report the information through internal channels, except in limited circumstances, such as for good cause shown.
Therefore, manufacturers should act now to ensure they have internal policies in place that, among other things, provide reporting processes that include clear protections against retaliation for whistleblower actions. Fostering a culture of vehicle safety throughout the manufacturing process further reduces the risk of civil penalties and bounties for whistleblowers.
“Original Information”
Under the final rule, a whistleblower who submits “original information” to NHTSA related to violations of NHTSA’s regulations may receive a monetary award in the form of a percentage of any civil penalties over $1 million paid by the violating entity. NHTSA’s final rule clarified that any restitution required of the violating entity is not considered a “civil penalty” for purposes of determining the amount of civil penalties assessed against the violating entity.
Under the Whistleblower Act, Congress defined “original information” as information:
derived from the independent knowledge or analysis of an individual;
that is not known to NHTSA from any other source (unless the whistleblower is the original source); and
that is not exclusively derived from an allegation made in a judicial or an administrative action, in a governmental report, a hearing, an audit, or an investigation, or from the news media, unless the whistleblower is a source of the information.
However, whistleblowers are not required by the final rule to “have direct, first-hand knowledge of potential violations.” Rather, whistleblowers “may have ‘independent knowledge’ of information even if that knowledge derives from facts or other information that has been conveyed by third parties.”
NHTSA excludes from consideration certain categories of information submitted by whistleblowers, including information:
Derived solely from attorney-client privileged communications;
Derived solely from attorney work product; or
Obtained in violation of Federal or State criminal law, as determined by a court.
Therefore, manufacturers should properly mark all attorney-client privileged communications and any attorney work product to prevent them from forming the basis for whistleblower reporting.
Whistleblower Reporting Requirements
To be eligible for the bounty, a potential whistleblower must file a claim for a whistleblower award by completing the WB-AWARD form and submitting it to NHTSA no later than 90 calendar days from the date NHTSA publishes a “Notice of Covered Action,” which notifies the public of its intent to assess civil penalties against a violating entity.
The potential whistleblower must also first report original information through the violating entity’s internal procedures, when such procedures are in place, unless[3]:
The whistleblower reasonably believed that such an internal report would have resulted in retaliation, notwithstanding 49 U.S.C. 30171(a);
The whistleblower reasonably believed that the information: (A) was already internally reported; (B) was already subject to or part of an internal inquiry or investigation; or (C) was otherwise already known to the motor vehicle manufacturer, part supplier, or dealership; or
The Agency has good cause to waive this requirement.
Thus, manufacturers should take steps now to implement internal reporting procedures and foster a culture of vehicle safety to increase the likelihood that they will first receive reports of suspected violations and have an opportunity to act, reducing the potential for civil penalties assessments and whistleblower fees.
Next Steps for Manufacturers
Manufacturers should remember that the best defense against Safety Act violations and civil penalties is to foster a culture of vehicle safety throughout their organizations. Consistent and clear messages that vehicle safety is a priority, coupled with robust internal processes and procedures that encourage reporting and proper evaluation of potential safety issues, can mitigate a manufacturer’s risk on multiple fronts, including the emergent risk associated with NHTSA’s whistleblower program and the risk of civil penalties assessments.
Manufacturers should also ensure that they have internal policies that provide clear protections against retaliation (including protections for whistleblowers, such as an anonymous reporting option) for anyone that reports a potential violation, as well as an appropriate level of transparency for the reporter (such as confirming an issue is being investigated by the relevant safety team). These policies and messages are important steps for fostering a safety culture and should be part of the manufacturer’s regular training programs. Finally, all documents that are subject to the attorney-client privilege or protected under the work product doctrine should be properly marked and stored.
[1] The Whistleblower Act is part of the Fixing America’s Surface Transportation (FAST) Act, signed into law by President Obama in 2015.
[2] See NHTSA Publishes Proposed Rule to Formalize its Whistleblower Program under the Motor Vehicle Safety Whistleblower Act for a discussion of the proposed rule.
[3] See 49 C.F.R. 513.7(g)
FDIC Enforcement Spotlights Deficiencies in Kansas Bank’s Anti-Money Laundering Program
On December 27, 2024, the Federal Deposit Insurance Corporation (FDIC) announced a notice of assessment of a civil money penalty against a Kansas-based bank. The action, originally brought in November, imposed a $20.4 million civil money penalty against the bank and alleged violations of the Bank Secrecy Act (BSA), 31 U.S.C. § 5311 et seq., for its failure to implement an adequate anti-money laundering and counter-terrorism program.
The FDIC asserts that between December 2018 and August 2020, the Bank’s AML/CFT compliance program failed to address risks associated with its high-volume international banking operations. These operations included processing $27 billion in wire transfers for foreign banks in 2018 alone and facilitating bulk cash shipments from Mexico. Specific deficiencies cited by the FDIC include:
Inadequate Internal Controls. The bank’s reliance on flawed AML monitoring software and manual reviews failed to detect red flags, such as large, suspicious transactions and activity linked to high-risk jurisdictions. Although the banks employed external auditors to analyze its BSA compliance, the complaint claims the testing was too limited and lacked sufficient data.
Customer Due Diligence Failures. The bank failed to establish and maintain an effective customer due diligence program, as the BSA Officer’s ongoing due diligence for the bulk cash business was limited to comparing actual to expected cash deposits without conducting denomination analysis or monitoring outgoing wire activity, resulting in missed data indicative of money laundering and terrorist financing risk.
Deficient Reporting. The bank failed to file hundreds of suspicious activity reports (SARs) required by federal law, and did not implement sufficient customer due diligence or foreign correspondent account monitoring. The FDIC also found that the bank’s BSA Officer was not properly empowered to make SAR filings, SAR filing decisions were instead made collectively by a committee consisting of various C-suite executives of the bank.
Unqualified Oversight. The appointed BSA officer during the relevant period lacked necessary experience and authority to manage the bank’s AML compliance program effectively, pointing to deficiencies in the bank’s BSA/AML training program.
The FDIC described the alleged violations as part of a “pattern of misconduct” and noted that the bank benefited financially from these failures, generating significant fee income.
Putting It Into Practice: The FDIC’s action was swiftly challenged by the bank. On November 19, it filed a complaint in the U.S. District Court for the District of Kansas challenging the FDIC’s findings, emphasizing that the bank ceased the operations in question in 2020 and took swift corrective actions. In its complaint, the bank also argues that the fine penalizes “years-old conduct” and disregards the bank’s current compliance improvements.
Listen to this post
Second Circuit Adopts “At Least One Purpose” Rule for False Claims Act Cases Premised on Anti-Kickback Statute Violations
On December 27, 2024, the U.S. Court of Appeals for the Second Circuit held in U.S. ex rel. Camburn v. Novartis Pharmaceuticals Corporation that a relator adequately pleads a False Claims Act (“FCA”) cause of action premised on violation of the Anti-Kickback Statute (“AKS”) by alleging, with sufficient particularity under Federal Rule of Civil Procedure 9(b) (“Rule 9(b)”), that at least one purpose (rather than the sole or primary purpose) of the alleged kickback scheme was to induce the purchase of federally reimbursable health care products or services.[1]
In doing so, the Second Circuit joins seven other Circuit Courts—the First, Third, Fourth, Fifth, Seventh, Ninth, and Tenth Circuits—in adopting the “at least one purpose” rule. This ruling lowers the bar in the Second Circuit for relators pleading AKS-based FCA claims.
Interplay Between FCA and AKS Violations
Under the AKS, “a claim that includes items or services resulting from a violation [of the AKS] … constitutes a false or fraudulent claim” under the FCA.[2]
The AKS prohibits persons from, among other things, “knowingly and willfully” soliciting or receiving “any remuneration (including any kickback, bribe, or rebate) directly or indirectly, overtly or covertly, in cash or in kind—
in return for referring an individual to a person for the furnishing or arranging for the furnishing of any item or service for which payment may be made in whole or in part under a federal health care program, or
in return for purchasing, leasing, ordering, or arranging for or recommending purchasing, leasing, or ordering any good, facility, service, or item for which payment may be made in whole or in part under a Federal health care program[.]”[3]
Alleged “Sham” Speaker Events & Excessive Compensation
In U.S. ex rel. Camburn, the relator, a former Novartis sales representative, filed a qui tam action in the U.S. District Court for the Southern District of New York alleging violations of the FCA premised on violations of the AKS. The relator alleged that Novartis operated a kickback scheme with the intent of bribing providers to prescribe Gilenya, a multiple sclerosis drug. Specifically, the relator alleged that Novartis operated a sham peer-to-peer speaker program that served as a mechanism for the company to offer remuneration to physicians in exchange for prescribing Gilenya. The relator alleged that the payments made to providers under the guise of this speaker program “caused pharmacies and physicians to submit false claims to the government and to the states for healthcare reimbursement under programs including Medicare Part D, Medicaid, and TRICARE.”[4]
U.S. District Court’s Dismissal with Prejudice
The federal government, as well as 29 states and the District of Columbia, among other parties, declined to intervene in the lawsuit. After granting the relator multiple opportunities to amend his complaint to plead factual allegations with sufficient particularity required by Rule 9(b), the district court held that the relator still failed to adequately plead the existence of a kickback scheme. Because the relator’s FCA claim was based on violations of the AKS, the district court dismissed the relator’s Third Amended Complaint with prejudice and did not address whether the relator sufficiently pled the remaining elements of his FCA claim.
Second Circuit’s Adoption of “At Least One Purpose” Rule
On appeal, the Second Circuit adopted the “at least one purpose” rule and found that, to survive dismissal, the relator “needed only to allege that at least one purpose of the remuneration was to induce prescriptions, without alleging a cause-and-effect relationship (a quid pro quo) between the payments and the physicians’ prescribing habits.”[5] Applying this standard, the Second Circuit concluded that the relator adequately pleaded an AKS violation with respect to the following three categories of allegations: (1) holding “sham” speaker events with no legitimate attendees, (2) excessively compensating physician speakers for canceled events, and (3) deliberately selecting and retaining certain speakers to induce a higher volume of prescriptions of Gilenya.
Specifically, the Second Circuit found that the relator’s “illustrative examples” of physician-speakers presenting solely to other Novartis speakers or to members of their own practice over lavish restaurant meals supported a strong inference that at least one purpose of the speaker program was to provide kickbacks to prescribers. The panel also found that the relator’s allegations that the compensation paid to physician speakers for canceled events ($20,000 to $22,500 to each speaker) over a two-year period in comparison to the dollar value of the allegedly fraudulent claims submitted to the government for reimbursement (between to $1 to $1.7 million) during that same period gave rise “to a strong inference that the payments constituted, at least in part, unlawful remuneration.”[6] Likewise, the relator’s inclusion of testimony from two Novartis sales representatives regarding the company’s alleged practice of offering speaking engagements to physicians to incentivize them to prescribe Gilenya suggested that these engagements were organized to induce providers to prescribe the drug.
The Second Circuit held that these allegations, accepted as true for purposes of the motion to dismiss, “plausibly and ‘strongly’ suggest Novartis operated its speaker program at least in part to remunerate certain physicians to prescribe Gilenya.”[7] Accordingly, the Second Circuit remanded the case to the district court to determine whether the relator sufficiently pleaded the remaining elements of his FCA claim and to weigh the adequacy of the claims under state and municipal law.
The Second Circuit affirmed, however, the district court’s conclusion that the relator “failed to link Novartis’s DVD initiative, ‘entertainment rooms,’ visual aids for billing codes, and one-on-one physician dinners with a strong inference that Novartis used these tools, at least in part, to induce higher prescription-writing,” with the caveat that another FCA claim predicated on an AKS violation may in fact survive dismissal if similar facts were pleaded with greater particularity.[8]
Practical Takeaways
This case highlights the importance of drug manufacturers and other regulated entities’ duty to implement robust and ongoing health care compliance programs in order to continuously and thoroughly evaluate enforcement and whistleblower risk relative to marketing and other business activities.
This decision’s adoption of the “at least one purpose” rule lowers the bar for relators in the Second Circuit to plead FCA violations premised on noncompliance with the AKS. Indeed, the Second Circuit rejected arguments that remuneration is unlawful under the AKS only if the “sole purpose” or “primary purpose” of the payment is to induce health care purchases. As eight circuits across the country have now held, allegations involving a single improper purpose can allow a case to survive dismissal. In these circuits, a relator merely needs to allege that at least one purpose of the remuneration was to induce the purchase of federally reimbursable health care products or services.
The heightened Rule 9(b) pleading standard fully applies in FCA cases premised on AKS violations. While the “at least one purpose” rule broadens liability, the district court and Second Circuit made clear that FCA allegations will be scrutinized to ensure they comport with the heightened Rule 9(b) pleading requirements.
Epstein Becker Green Attorney Ann W. Parks contributed to the preparation of this post.
ENDNOTES
[1] 2024 WL 5230128 (2d Cir. Dec. 27, 2024).
[2] 42 U.S.C. § 1320a-7b(g).
[3] Id. at § 1320a-7b.
[4] Camburn, 2024 WL 5230128, at *2.
[5] Id. at *4.
[6] Id. at *6.
[7] Id. at *6 (cleaned up) (quoting Hart, 96 F.4th 145, 153 (2d Cir. 2024)).
[8] Id. at *19.
Federal Government Urges Court of Appeals to Uphold Constitutionality of FCA Qui Tam Provisions
Headlines that Matter for Companies and Executives in Regulated Industries
Federal Government Urges Court of Appeals to Uphold Constitutionality of FCA Qui Tam Provisions
In a brief filed earlier this week, the US federal government has urged the Eleventh Circuit Court of Appeals to uphold the constitutionality of the False Claims Act’s (FCA) qui tam provisions, challenging a Florida district court’s ruling that found them to be unconstitutional.
The appeal stems from an underlying case with relator Clarissa Zafirov, who filed a qui tam action in 2019 against several health care entities, accusing them of misrepresenting patient conditions to Medicare. While the government initially declined to intervene, it later elected to defend the constitutionality of the FCA’s provisions.
At the district court level, the court found that whistleblowers are officers of the United States and must be appointed according to the appointments clause, leading to the dismissal of Zafirov’s suit. Per the government’s appellate brief, the district court decision is an “outlier ruling” that contradicts US Supreme Court precedent. The government specifically pointed to the decision in Vermont Agency of Natural Resources v. United States ex rel. Stevens, 529 US 765 (2000), in which the Supreme Court held that the FCA’s qui tam provisions are consistent with Article III and argued that this makes clear that relators do not exercise executive power when they sue under the Act. Instead, relators are “pursuing a private interest in the money they will obtain if their suit prevails.” As such, they do not exercise executive power and do not require appointment under the appointments clause.
The government further emphasized that qui tam actions are subject to government oversight and cannot proceed without the government’s decision on intervention. Accordingly, the federal government now seeks to reverse the district court’s decision and has urged the Eleventh Circuit Court of Appeals to maintain the established legal framework supporting whistleblower actions under the FCA.
The case is Clarissa Zafirov v. Florida Medical Associates LLC et al., Nos. 24-13581 and 24-13583, in the US Court of Appeals for the Eleventh Circuit. The government’s appellate brief is available here.
Community Health Network Reaches Third FCA Settlement in 10 Years, Agreeing to Pay $135 Million to Resolve Outstanding Claims
In a deal reached two years after the Indiana health care system agreed to pay $345 million to settle FCA allegations with the federal government, Community Health Network has now agreed to pay $135 million to resolve federal health care fraud claims brought by its former chief financial officer.
Over 10 years ago, in 2014, Community Health CFO and COO Thomas Fischer filed a lawsuit under the FCA’s qui tam provisions, alleging that Community Health overpaid physicians to secure referrals in violation of state and federal laws, including the federal Stark Law and Anti-Kickback Statute (AKS). Per the complaint, Community Health utilized an “aggressive strategy” to grow its physician network and garner referrals, including the recruitment of doctors by providing payment in excess of the market rate through large base salaries and sizable bonuses, among other means.
The US Department of Justice (DOJ) elected to intervene in the case. The $345 million settlement addressed some of Fischer’s claims, leaving others unresolved. In 2020, the district court allowed Fischer to file an amended complaint that asserted additional FCA claims separate from those pursued by the government. This latest settlement with Community Health resolves those remaining claims. Among other things, the deal resolves claims that (1) Community Health paid above fair-market value rent to a physician-owned real estate partnership to induce those doctors to refer patients to a Community Health-owned ambulatory surgical center in violation of the AKS, and (2) Community Health overpaid physicians employed by the organization and also by an independent oncology group that contracted exclusively with the health nonprofit.
Notably, Community Health additionally reached a $20.3 million settlement with the DOJ in 2015 to resolve civil allegations that the health nonprofit submitted false claims to Medicare and Medicaid programs. All told, Community Health has now paid more than half a billion dollars to resolve three FCA matters over the past 10 years. Nonetheless, Community Health has emphasized that all claims were resolved with no finding of wrongdoing, and the issues were unrelated to the quality or appropriateness of the health care provided by Community Health to its patients.
The case is US and State of Indiana ex rel Fischer v. Community Health Network, Inc., et al., Case No. 1:14-cv-1215, in the US District Court for the Southern District of Indiana.
The DOJ’s press release on the 2015 $20.3 million settlement is available here. The DOJ’s press release on the 2023 $345 million settlement is available here.
Athira Pharma Inc. Agrees to Pay Over $4 Million to Settle FCA Allegations
Athira Pharma Inc., based in Bothwell, Washington, has agreed to pay $4,068,698 to settle allegations that it violated the FCA.
Per the DOJ, this settlement will resolve allegations that, between January 1, 2016, and June 20, 2021, Athira failed to report allegations of research misconduct regarding grant applications and grant award progress reports and assurances to both the National Institutes of Health (NIH) and the US Department of Health and Human Services (HHS) Office of Research Integrity. The alleged misconduct included that Athira’s former CEO, Leen Kawas, falsified and manipulated scientific images in her doctoral dissertation and in published research papers that were referenced in several grant applications submitted to NIH, including in a grant that NIH funded in 2019.
Notably, Athira immediately notified NIH of the research misconduct after the full board of directors learned of it. Underscoring the significance of cooperation credit, the DOJ noted specifically that “the company’s transparency significantly helped Athira mitigate its damages and demonstrated its resolve towards coming into compliance with the relevant law and regulations.”
The settlement additionally resolves claims brought under the FCA’s qui tam provisions, with whistleblower Andrew P. Mallon, Ph.D., receiving $203,434.
The DOJ’s press release is available here.
Iron Man 2 Actor Sentenced for COVID-19 Scam
Earlier this week, Keith Lawrence Middlebrook, a bodybuilder and actor known for his role in Iron Man 2, was sentenced to over eight years in prison for attempting to defraud investors by falsely claiming he had discovered a cure for COVID-19 and that National Basketball Association legend Magic Johnson was a major investor.
Middlebrook was arrested in March 2020, becoming the first person in the United States charged with a COVID-19-related scam. The case included recorded calls with an undercover FBI agent where Middlebrook claimed his treatments could generate significant profits. Middlebrook’s scheme involved promoting fake COVID-19 treatments and soliciting investments through social media and other channels, falsely claiming Johnson’s involvement to lend credibility.
The recent sentencing follows a guilty verdict on all 11 counts of wire fraud faced by Middlebrook, rendered by a 12-person jury after a three-day trial. During sentencing, and among other things, Middlebrook denied any wrongdoing and claimed to have a relationship with Johnson, who testified that he did not recall meeting Middlebrook. While video evidence showed Middlebrook and Johnson at the same event, the court was unmoved by the defense counsel’s suggestion at trial that Johnson gave false testimony. Specifically, the court noted that it was “inconceivable” that Johnson would have forgotten some of the lengthy interactions that Middlebrook had alleged occurred between them.
In the end, the court’s sentence of 98 months aligned with the sentence sought by the prosecutors.
The case is USA v. Keith Middlebrook, No. 2:20-cr-00229, in the US District Court for the Central District of California.
AI Versus MFA
Ask any chief information security officer (CISO), cyber underwriter or risk manager, or cybersecurity attorney about what controls are critical for protecting an organization’s information systems, you’ll likely find multifactor authentication (MFA) at or near the top of every list. Government agencies responsible for helping to protect the U.S. and its information systems and assets (e.g., CISA, FBI, Secret Service) send the same message. But that message may be evolving a bit as criminal threat actors have started to exploit weaknesses in MFA.
According to a recent report in Forbes, for example, threat actors are harnessing AI to break though multifactor authentication strategies designed to prevent new account fraud. “Know Your Customer” procedures are critical in certain industries for validating the identity of customers, such as financial services, telecommunications, etc. Employers increasingly face similar issues with recruiting employees, when they find, after making the hiring decision, that the person doing the work may not be the person interviewed for the position.
Threat actors have leveraged a new AI deepfake tool that can be acquired on the dark web to bypass the biometric systems that been used to stop new account fraud. According to the Forbes article, the process goes something like this:
“1. Bad actors use one of the many generative AI websites to create and download a fake image of a person.
2. Next, they use the tool to synthesize a fake passport or a government-issued ID by inserting the fake photograph…
3. Malicious actors then generate a deepfake video (using the same photo) where the synthetic identity pans their head from left to right. This movement is specifically designed to match the requirements of facial recognition systems. If you pay close attention, you can certainly spot some defects. However, these are likely ignored by facial recognition because videos are prone to have distortions due to internet latency issues, buffering or just poor video conditions.
4. Threat actors then initiate a new account fraud attack where they connect a cryptocurrency exchange and proceed to upload the forged document. The account verification system then asks to perform facial recognition where the tool enables attackers to connect the video to the camera’s input.
5. Following these steps, the verification process is completed, and the attackers are notified that their account has been verified.”
Sophisticated AI tools are not the only MFA vulnerability. In December 2024, the Cybersecurity & Infrastructure Security Agency (CISA) issued best practices for mobile communications. Among its recommendations, CISA advised mobile phone users, in particular highly-targeted individuals,
Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals.
In a 2023 FBI Internet Crime Report, the FBI reported more than 1,000 “SIM swapping” investigations. A SIM swap is just another technique by threat actors involving the “use of unsophisticated social engineering techniques against mobile service providers to transfer a victim’s phone service to a mobile device in the criminal’s possession.
In December, Infosecurity Magazine reported on another vulnerability in MFA. In fact, there are many reports about various vulnerabilities with MFA.
Are we recommending against the use of MFA. Certainly not. Our point is simply to offer a reminder that there are no silver bullets to achieving security of information systems and that AI is not only used by the good guys. An information security program, preferably one that is written (a WISP), requires continuous vigilance, and not just from the IT department, as new technologies are leveraged to bypass older technologies.