FERC, CFTC, and State Energy Law Developments

FERC issued an order on May 16 rescinding its 2009 policy[1] of issuing Notices of Alleged Violations (NAVs) after the subject of an investigation is given an opportunity to respond to FERC Enforcement Staff’s preliminary findings (the NAV Policy).[2] NAVs typically identify FERC’s targets (by name), and set forth abbreviated information concerning the subject matter of FERC’s enforcement attention, the time frame, and the particular statutes relevant to the alleged violations. Since FERC began implementing the NAV Policy in 2011, it has been monitoring its implementation and has now determined that the potential adverse consequences that NAVs pose for the subjects of FERC investigations are no longer justified in light of the limited transparency that NAVs provide.

A few years after FERC received enhanced enforcement authority in 2005, it instituted the NAV Policy to increase the transparency of the nonpublic investigations that its Staff conducts under Part 1b of FERC’s regulations. When it issued the NAV Order, FERC explained that issuing the NAVs after the preliminary findings stage balances “the need to protect the subject’s confidentiality in the early stages of an investigation with the public interest of promoting additional transparency during investigations.”[3] FERC has since determined that NAVs provide only limited guidance and information to market participants and that the various orders on enforcement matters and the reports and white papers its Staff issues are more informative and provide more transparency.

FERC Staff issued a report on March 29 on Commission-led critical infrastructure protection (CIP) reliability audits completed for fiscal years 2016 through 2018. The report provides lessons learned from those audits, as well as voluntary recommendations on cybersecurity practices to enhance the protection of electric infrastructure from cyberattacks. Even though many of these recommendations go beyond what is necessary for compliance with the mandatory CIP reliability standards, FERC is likely to view implementation of these recommendations as evidence of a strong cybersecurity culture that proactively addresses best cybersecurity practices and evolving threats. That can, in turn, have positive ramifications for utilities undergoing cybersecurity reviews by FERC, NERC, or the Regional Entities.

In its updated guidance issued on April 30, the US Department of Justice Criminal Division places effectiveness at the epicenter of its factors to be utilized when evaluating a company’s compliance program in the context of a criminal investigation. As corporate compliance programs continue to be closely scrutinized, companies and their boards, senior management, and legal and compliance departments should tailor their corporate compliance programs to issues and risk areas specific to the company’s business. Senior management plays a critical role in identifying these issues and risk areas and must serve as an example and enforcer of good compliance practices. Companies cannot let their compliance programs get stale and must continue to innovate, revamp, and enhance their corporate compliance practices based on lessons learned. DOJ emphasizes that “one hallmark of an effective compliance program is its capacity to improve and evolve.”

Read the full LawFlash.

A recent advisory published by the Commodity Futures Trading Commission’s Division of Enforcement and comments of the division director have highlighted the CFTC’s attention toward investigating potential violations of the Commodity Exchange Act (CEA) that involve foreign corrupt practices. On March 6, CFTC Director of Enforcement James M. McDonald addressed this very issue in remarks before the ABA National Institute on White Collar Crime. At the same time, the division issued an Enforcement Advisory providing guidance on how the CFTC will treat instances of self-reporting and cooperation concerning CEA violations that also involve foreign corrupt practices.

Read the full LawFlash.

The Federal Energy Regulatory Commission (FERC or the Commission) Office of Enforcement (OE) issued its 2018 Report on Enforcement on November 15. The report provides a review of OE’s activities during fiscal year 2018 (FY 2018), which begins October 1 and ends September 30 annually. Like last year, the report reveals likely areas of focus for FERC enforcement in the coming year, and provides guidance to the industry based on the wide variety of enforcement matters that are otherwise non-public by synthesizing some of the more disparate developments from audits, market surveillance, and other enforcement activities for the benefit of industry stakeholders.

The Commodity Futures Trading Commission (CFTC) announced on September 28 that it has created an Insider Trading & Information Protection Task Force. The new task force is responsible for identifying and charging those who engage in insider trading or otherwise improperly use confidential information in connection with any market regulated by the CFTC. The task force is composed of members from the CFTC’s offices in Chicago, Kansas City, New York, and Washington, DC.

Recent statements by the Antitrust Division at the US Department of Justice (DOJ) confirm that the DOJ is continuing to focus on “no-poaching” and wage-fixing agreements with more enforcement actions expected to be announced in the near future. Recent criminal investigations target the healthcare industry, but all employers should be aware of the application of antitrust laws to human-resource decisions.

Read the full Lawflash

The North American Electric Reliability Corporation (NERC) filed a Notice of Penalty summarizing an agreement by an unidentified electric utility to pay a $2.7 million penalty in connection with self-reported violations of the Critical Infrastructure Protection reliability standards related to sensitive data exposure by a vendor. Although the utility did not directly cause the improper data handling—and indeed the violation resulted from vendor noncompliance with utility policies—the Western Electricity Coordinating Council nevertheless concluded that the utility failed to adequately implement its information protection program by not preventing or immediately detecting the vendor’s actions and submitted the settlement to NERC. 

For more detail, read our LawFlash.

Under a notice of proposed rulemaking to be released today, December 21, the Federal Energy Regulatory Commission (FERC) is proposing to direct the North American Electric Reliability Corporation (NERC) to revise the Critical Infrastructure Protection (CIP) reliability standards to require electric utilities to report all cyberattacks on the electric security perimeters surrounding their key electric infrastructure as well as the associated electronic access control and monitoring devices that protect those perimeters.