When businesses do wrong in the current climate of regulatory enforcement, they often find themselves under scrutiny from federal, state and local agencies. In this eventuality, one can take some steps (and avoid others) to mitigate the impact.
All companies dread the idea of a federal, state or local regulator investigating their business practices. These days, instead of a single investigation, a company can expect that an initial investigation will spark concurrent and future investigations by other regulators. These seemingly endless investigations require substantial time, effort and energy better spent elsewhere. These resources are put to the test when the company faces investigation after investigation and is forced to make decisions that do not affect just one regulator.
Review benchmark goals in obtaining a global release of all potential liability associated with the business practice at issue and learn about solutions to some of the numerous pitfalls that often occur during an investigation. By following these steps and planning for the unplanned, a company can navigate the complexities of a multifront regulatory investigation.
The End Goal: Ensuring Peace with Investigating Regulator, Vertical–Sister Regulators and Horizontal Regulators
Ensuring Peace with Investigating Regulator
As the federal government’s role of lead enforcer waned during the Trump administration, state and local regulators expanded their capacities and statutory reach. For instance, state attorneys general – who historically investigated state matters separately and joined in multistate settlements on national issues – now separately seek to hold companies accountable, for example, for allegedly hiding early knowledge of climate change from investors and consumers, allowing U.S. Customs & Border Protection to conduct immigration sweeps on Greyhound buses, and alleged workplace safety deficiencies arising during the pandemic. At the local level, large municipalities have increasingly adopted ordinances that provide for independent enforcement of state deceptive practices laws and their own False Claims Act ordinances. If a settlement is contemplated, the foremost goal is to ensure that this same conduct is not investigated further by the same regulator based upon a different statute the regulator is able to enforce.
— AG TJ Donovan (@TJforVermont) September 14, 2021
Ensuring ‘Horizontal’ Peace with Sister Regulators
Federal and state governments consist of a web of interconnected agencies. Today, it is not uncommon for multiple agencies within a federal or state government to initiate investigations against the same corporate target. Each of these agencies will declare that they lack the authority to release the claims of their sister agencies. Thus, an investigation by one agency does not preclude another agency from initiating its own investigation. On some occasions, one competitive sister agency will initiate an action after other agencies have resolved their own investigations, especially if the media has implied that a certain agency neglected or underenforced its regulatory directive.
The same is true on the state level where state agencies share concurrent authority with the state attorney general. An example occurred late last year when 50 state attorneys general and bank regulators from 53 jurisdictions reached separate settlements with Nationstar Mortgage regarding its servicing practices. Because the public announcement of a resolution will spark additional scrutiny, a company should fully assess its regulatory exposure before making any such announcement. A company often benefits from delaying a resolution announcement to gain additional intelligence about the potential for follow-on investigations.
Ensuring ‘Vertical’ Peace with Appropriate Federal, State and Local Regulators
Over the past decade, state attorneys general and localities have taken action to expand their staffs and pushed for expanded statutory enforcement authority based upon a perceived lack of federal enforcement. While our experience has already demonstrated that the Biden administration has resulted in stronger regulatory enforcement, companies should not expect states and localities to walk away from this three-tier regulatory system. For example, Equifax’s data breach resulted in a resolution with the Federal Trade Commission, a multistate settlement with 48 states, the District of Columbia and Puerto Rico, separate settlements with Indiana and Massachusetts and a resolution with the city of Chicago, along with pending lawsuits by other localities.
Regulators have taken specific precautions not to encroach on the authority of others. For example, West Virginia’s recent $10 million resolution with McKinsey & Co. in February 2020 (occurring separately from a $573 million multistate settlement with 49 states), included an express provision that upon proper notice McKinsey waived its right to argue that West Virginia’s localities were included within the release. This provision notes the regulator’s limited authority and ensures that the company is on notice that other regulators are not barred from bringing subsequent actions for the same business practice.
Additionally, the city of Chicago was also able to reach a $1.5 million settlement with Equifax in addition to the amount paid to the Illinois Attorney General under the multistate settlement. Chicago’s press release declared that the settlement “complemented settlements reached with Equifax by the federal government, state governments and private plaintiffs.”
Corporate Strategy: Navigating the Pitfalls
Before an investigation even begins or in the early stages of an investigation, a company must create a corporate strategy that envisions and prospectively combats concurrent and future investigations by federal, state and local regulators. Best-case scenario, when a company decides to settle a federal, state or local investigation, the company will obtain a release from the entire scope of the regulator’s enforcement authority and resolve other investigations simultaneously. However, like anything, all perfect plans will run into a series of hiccups throughout the investigatory process. Corporate entities need to create an initial plan as well as a series of responses to potential changes in the approach to multijurisdictional investigations. Due to the uncertainty of multijurisdictional investigations, it is critical that a company’s corporate strategy is adaptable and able to triage potential pitfalls.
Pitfall #1: Release Provisions
As the statutory directives of regulators expand, it is critical that a company’s resolution release every potential claim that a regulator could bring related to the conduct at issue. This requires insight to ensure not only that the “Covered Conduct” investigated by the regulator is released but also is mindful of other statutory authority and ensures that the release covers these activities as well. For example, if a company is being investigated for misleading communications to consumers, the state attorney general’s investigation may only be based upon consumer protection violations; however, many states are able to stand in the shoes of state citizens through their “parens patriae” authority and bring product liability claims where the covered conduct would be the product defect not the consumer communication.
Pitfall #2: Risk Exposure Assessment
Even with an appropriate release, a resolution with one regulator does not occur in a vacuum, and a company must evaluate whether a public resolution will lead other regulators to inquire about the specific practices at issue. Because the public announcement of a resolution will spark additional scrutiny, a company should fully assess its regulatory exposure before making any such announcement. A company needs to determine if its risk exposure assessment is scoped and analyzed correctly to prepare for current, pending and future investigations. This assessment should allow the company to create a strategic approach to current and pending litigation as well as prepare in advance for future investigations. The risk exposure assessment should identify the business practice in question, decide which regulators may initiate an investigation, evaluate investigation risks, decide on risk control measures and update the assessment as necessary. A correct risk exposure assessment allows the company to gain insight into which regulators, if any, may initiate a regulatory investigation. A thorough and comprehensive risk exposure assessment allows a corporate entity to fully internalize the regulatory exposure risks, especially those arising from the public announcement of a resolution to make a clear decision on how to approach sister regulators that have yet to take any action.
Pitfall #3: Identifying Possible or Pending Investigations
So, how do companies identify possible or pending regulatory investigations? One of the best ways is to ask the resolving regulator whether he or she had discussed the matter with other regulators. Traditionally, if a cordial line of communication has been maintained during the negotiation process, the regulator will readily provide this information on the eve of a resolution. At the state level, some state attorneys general have agreed to commit within the agreement terms that the office is unaware of any pending state agency investigation. That said, no state attorney general will provide the same level of peace for other state attorneys general.
If possible, a company should seek to resolve its investigation through a concurrent settlement because this enables a company to move forward in quick succession after a settlement, instead of having multiple settlements occurring over an elongated period of time. A continuing drip of settlement results in prolonged stress on a company’s legal team and utilizes time and energy from company executives trying to move forward from the business practice at issue.
Pitfall #4: Failure to Get Advance Warning About Other Potential Agencies Investigations
Although a company may receive an early warning about upcoming investigations, it is unlikely that a company will receive adequate warning for every investigation and may be unable to completely ensure that a regulator will not take action in the future. As a result, when entering into a settlement, a company should prepare a risk matrix of all regulators that could take follow on action. This risk matrix should analyze the relevant statutes of limitation and historical instances where that regulator has entered into a subsequent settlement that post-dates an initial settlement from another regulatory body.
Moreover, because it is almost impossible — and financially imprudent — to ensure that all regulators with statutory authority will not take future action, the company should develop and implement a corporate strategy that is responsive to numerous potential investigations. This strategy should include a detailed explanation of why the company’s previous settlement achieved the newly investigating regulators goals, including providing for consumer restitution and changing the company’s business practices mitigating the risks of the similar conduct.
Pitfall #5: Ensure Control Over Information Produced During Discovery
In light of the complex landscape of cooperating regulatory officials, it is critical that a company ensure control over information produced during discovery. The best way to ensure control over information is a confidentiality agreement. In order to prevent regulators from sharing information with one another without a company’s knowledge, the company must negotiate confidentiality agreements with each regulator. If no confidentiality agreement is in place, the corporate target should assume that the information provided to one regulator will be shared with other regulators at both the state and federal level because statutes often dictate that a regulator may share information at its discretion.
Further, a company cannot use a standard confidentiality agreement for each regulator. Instead, it is imperative that a company negotiating confidentiality agreements has a full understanding of how each regulatory body reads its own statutory confidentiality obligations.
In addition to ensuring control over information produced during discovery, confidentiality agreements also provide the company an opportunity to tease out whether other investigations are occurring under the surface. When negotiating a confidentiality agreement, companies should consider the possibility that this information may be shared with other regulators and, in turn, used to facilitate additional investigations without the company’s knowledge.
Pitfall #6: Negotiating Consistent Injunctive Terms Across Multijurisdictional Investigations
When already aware of other pending investigations, a company should utilize this time to reach agreements that include overlapping and consistent injunctive terms. This minimizes the burden on the company after the settlement has been finalized. Overlapping and consistent injunctive terms decrease the burden on the company long after the investigation has concluded.
When a settlement has been finalized and another investigation arises, a company should try to negotiate similar injunctive terms with the new investigating regulator that correspond with the terms in the finalized settlement. Even more, a concurrent settlement provides multiple regulators with the ability to take credit for the same programs, including business changes or consumer restitution, while a company can seek to leverage these changes across multiple negotiations. Thus, coordinated investigations create a win-win situation for both regulators and the corporate target.
Companies benefit by taking action now to establish a structure to navigate the pitfalls that often arise during a single regulatory investigation or (increasingly common) multi-tiered regulatory action. This plan also provides a holistic framework to respond to unanticipated problems and determine before an investigation is initiated how a company will treat the possibility of additional regulatory inquiries.