State governments’ quest for revenue in the wake of the pandemic will only heighten their focus on unclaimed property. Our Unclaimed Property Team highlights the consumer protection and privacy risks facing companies when states use third-party auditors to obtain information on accounts with small balances.
- The top 6 challenges facing holders
- How these issues can affect your bottom line
- Steps the C-suite can take to prepare
State unclaimed property regulatory and enforcement challenges have multiplied in the past 10 years. With financial pressures on state governments having been exacerbated by the pandemic, 2021 will be a year when states increasingly look to unclaimed property “revenues” to provide a short-term salve to fiscal strains and a means to balance budgets. Hence, corporate finance executives need to not only be aware of these regulatory regimes and associated compliance obligations but also dedicate resources to meet these regulatory challenges and to manage risk.
According to a CNBC report, as of March 2016 the National Association of Unclaimed Property Administrators (NAUPA) noted that states held about $42 billion in unclaimed property, up from $32.8 billion in 2010, and studies show the vast majority is in cash, mostly from accounts worth less than $100, as well as lost 401(k)s, IRAs, taxable investment accounts, and other assets, such as life insurance benefits and even uncashed traveler’s checks. Unclaimed life insurance proceeds and annuities were the subject of a recent multibillion-dollar industry audit sweep, prompting coverage by 60 Minutes of the potential for substantial owner claims. Delaware relies on unclaimed property receipts as the third-largest source of operating funds, year over year.
This article briefly discusses the most significant regulatory and enforcement challenges facing corporate America in 2021 and steps that the C-suite can take now to prepare for them. Some of the challenges pose even greater risk to the increasingly broad array of financial services companies, but every business that custodies the property—i.e., funds—of another party or that bears financial obligations to other parties will be impacted by state unclaimed property regimes and these regulatory and enforcement dynamics.
Significant Regulatory and Enforcement Challenges
The top unclaimed property regulatory and enforcement issues facing holders in 2021 include:
- Change management / risk management in a non-uniform unclaimed property regulatory landscape
- Consumer protection
- Cybersecurity and data privacy
- Payments, financial crime, and fraud controls
- Potentially significant financial impacts of unclaimed property “missteps”
- Expanding enforcement authority and mechanisms
Each of these regulatory and enforcement challenges is described and briefly addressed below to stimulate analysis of their potential significance to your business.
1. Change Management / Risk Management in a Non-Uniform Unclaimed Property Regulatory Landscape
A flurry of state legislative bills and proposed regulations have been introduced that may eclipse prior years given that many state legislative sessions were cut short in 2020 due to the pandemic, not to mention the fact that the pandemic has had a substantial negative impact on state budgets. For example, within the first week of 2021, new Revised Uniform Unclaimed Property Act (RUUPA) bills have been filed in Indiana and North Dakota. This wave of legislation is fueled by not only state unclaimed property administrators and treasurers but also by legislators seeking new or expanded revenue sources and by NAUPA, which develops and promulgates model legislation for cross-state introduction.
When your company must comply with the laws of every state where an owner whose property your company holds is based, this is not a single-state or select-state change management challenge. Furthermore, companies must address the two faces of risk management that impact corporate operations, compliance, and risk teams when implementing unclaimed property policies and procedures: (1) the state-facing risk of failures to report or timely report unclaimed property; and (2) the owner-facing risk of premature escheatment of unclaimed property, particularly of investment assets.
The sweep of these laws—and the associated risk management challenges associated with them—cannot be overstated. Every customer asset that a company has in its possession or custody is subject to state UP laws, as well as obligations a company undertakes but that remain unsatisfied for a statutory dormancy period (usually 1–5 years from vesting of the obligation). The company must monitor the dormancy status of all obligations and property that it holds for owners (e.g., customers, shareholders, vendors, and other payees), and it must attempt to contact lost or dormant property owners. If contact is not made, the company must report and remit the unclaimed property to the state with jurisdiction.
How to manage these risks?
There is an obvious need for multistate legislative/regulatory monitoring in an environment where states are trying to “make up” for lost revenue due to the pandemic. Moreover, ensuring operational resilience in meeting compliance obligations is another aspect of this challenge. As the pandemic unfolded, states were changing filing deadlines (and being asked to do so) in order to permit effective conduct—in a work-from-home environment—of pre-escheat due diligence programs.
Further, the USPS announced that international mail to numerous countries was being suspended, which effectively placed a tremendous amount of risk on companies that hold investment assets that, if owned by foreign owners (and hence subject to the UP jurisdiction of the holder’s domicile state), could not be afforded the final due process safeguard of a pre-escheat owner outreach. Why is this such a critical risk management issue? Because the states liquidate investment assets that are remitted to them as unclaimed property, and the liquidation creates significant risk of the owner being denied the benefit of his/her/its market position in the asset, without the holder providing notice of this eventuality unless the owner reestablishes contact with the holder.
Even in a “normal” environment, which one hopes will be achieved sometime in 2021, the need to conduct a robust monitoring program of proposed and enacted/adopted changes in the regulatory regime is patent.
2. Consumer Protection
State unclaimed property laws are informed by consumer protection policies, given that they are designed to prevent property owners from loss of their property interests or to reunite owners with such property; further, these laws require the holder to remit such assets to the proper state if contact with the property owner is lost. Nevertheless, as the Uniform Law Commission states in the prefatory note to its 2016 RUUPA:
a secondary function is to take, hold, and use for the common good, property which has been lost or abandoned and for which there is no way to identify the owner nor ability to restore the property to its owner. In those situations the policy is that it is better that the state and its citizens enjoy the benefit of the windfall rather than the holder.
The accomplishment of these dual goals is achieved through a statutorily engineered diversion of such property to the state with the priority jurisdictional claim to the property, for the enjoyment of that state and its citizens, during the state’s custodianship of the property. (Texas v. New Jersey (first priority claim lies with state of the property owner’s last known address, as shown on the holder’s books and records; second priority claim lies with the holder’s state of domicile).)
Courts have also protected, and indeed expanded upon, owners’ rights through the application of doctrines such as the “private escheat” doctrine, which overrides contractual limitations placed on an owner’s right to claim property, such as expiration dates. This doctrine may enable an owner to claim property from the state in its custodial role when the owner’s contractual right to assert a claim has already lapsed. Companies need to understand the strong consumer protection interests that inform state audit programs and other enforcement efforts, including expanding enforcement authority and mechanisms.
3. Cybersecurity and Data Privacy
When states delegate their audit function to private third-party audit firms, those firms will request vast amounts of data on the audited company’s customers, transactional counterparties, employees, and shareholders. These firms’ information and document requests are frequently unlimited in scope—including these examples of recent data requests that holders have received:
- Provide your transfer agent files on every shareholder of the company, regardless of whether that shareholder resides in an audit-participating state, including complete address and social security number.
- Provide a file outlining your company’s multistate income tax apportionment data (i.e., sales, property, and payroll factors, plus apportionment percentages) for every state, regardless of whether the state is an audit participant.
- Provide a disbursements file that contains: (1) a list of all the company’s vendors for all subsidiaries; (2) all outstanding checks relating to vendor payments for all in-scope subsidiaries; (3) check detail for all in-scope companies dating back to 2000; and (4) bank reconciliations and bank statements for all the aforementioned items.
In light of general concerns with cybersecurity and data privacy, the entry into a third-party examination is fraught with risk management requirements specific to concerns with a company’s adherence to a variety of laws bearing on the safekeeping and nondisclosure of personally identifiable information (PII), nonpublic personal information (NPPI), and personal health information (PHI). These include federal laws (HIPAA and Gramm–Leach–Bliley), state laws (CCPA, etc.), and potentially international laws (e.g., GDPR).
The use of nondisclosure agreements with the audit firm and potentially also the auditing state may slightly mitigate certain concerns with the potential for (we believe, the inevitability of) breach incidents. However, these intersecting regulatory regimes and the undeniable risk associated with data breach incidents impacting a company’s customers, employees, and shareholders should prompt executives to ask whether, even if relevant laws would permit certain disclosures, the company would still agree to provide certain types of data to an audit firm. These questions take on added urgency when you understand that audit firms resort to using a number of external databases—i.e., outside the scope of your books and records—to establish presumptions that property owners are dead (the Social Security Administration’s Death Master File), no longer located where your business records demonstrate (the U.S. Postal Service’s National Change of Address (NCOA) and Accu-Zip databases), and so forth.
Nonprovision or redaction of data for owners located in non-audit states, per your books and records, is the simplest decision that you can make. However, the complexity of these determinations escalates rapidly in a live audit environment where the audit firms are advising their client states to threaten or even issue punitively scoped subpoenas in response to holder objections to requests for data. (Delaware Department of Finance v. AT&T Inc.)
4. Payments, Financial Crime, and Fraud Controls
Our clients are now scrutinizing payments business, transaction, and accounting models with an unclaimed property lens. Payments service providers are the most recent sector focus of multistate contract audits, but by taking a page out of other sectors’ compliance playbooks, they are also engaged in intentional self-review and escheat-informed business planning. The multiparty nature of many payments service arrangements further complicates the risk management considerations in this growing realm of commercial activity.
Anti-money laundering (AML) and Know Your Customer (KYC) regulatory regimes are top of mind not only for financial services companies but also for any business with payments, retail, and other customer bases. The question of fraud and financial crime arises constantly vis-à-vis restraints on accounts—both the placement of such restraints and the proper timing to review and potentially lift such restraints. When accounts remain in a permanent “limbo” of restricted status, the analysis of account dormancy for unclaimed property purposes can become complex and subject to dispute.
5. Potentially Significant Financial Impacts of Unclaimed Property “Missteps”
A mismanaged unclaimed property compliance program could face financial impacts such as:
- Financial statement reserves and disclosures pertaining to escheat matters are routinely the subject of M&A diligence because they serve as a guidepost to prior gaps in compliance.
- Unclaimed-property-related findings have resulted in the adjustment of purchase prices and the establishment of UP-specific reserves. Tax impacts of unclaimed property settlements must also be considered.
- Successor liability is always a topic of review in connection with unclaimed property audits and voluntary disclosure agreement (VDA) processes, including stock and asset purchase transactions.
6. Expanding Enforcement Authority and Mechanisms
State agencies other than the treasurer’s office or other agency imbued with direct authority to administer and enforce unclaimed property laws are getting into the game. For example, the number of state attorney general investigations and inquiries that have been initiated, separate and apart from the unclaimed property regulator, have dramatically increased in recent years. Our clients are being told that such investigations may have been started based on a resident’s complaint to the AG’s office that property was remitted to a state as unclaimed property despite the owner’s belief that they have maintained contact with the holder. Other investigations may bear on the company’s general policies and procedures for dealing with a specific type of property, but the scope of inquiry extends to the unclaimed property policies of the target. Whereas a holder may execute a nondisclosure agreement with a state’s third-party audit firm and sometimes also with the audit state, an AG will generally not agree to refrain from disclosure of the holder’s identity in connection with such investigations.
Some state unclaimed property administrators have initiated new types of outreach to companies, including “self-audit” and “questionnaire” forms that require a response within a stated period. Do not mistake these for casual inquiries because your company’s responses—or lack thereof—may trigger a follow-on audit notice. Delaware’s verified report process is a mechanism to conduct an abbreviated-scope compliance review in the mode of a “desk audit”—holders must address their most recently filed report, provide a set of policies and procedures, and confirm its accuracy. While this procedure is postured as an alternative to a comprehensive examination, the holder’s responses may trigger a “compliance review” (a more advanced review) and then refer the holder to receive a VDA invitation or full-blown audit notice (if the VDA invitation is ignored).
Last, the reach of private enforcement efforts has extended to unclaimed property, through actions initiated by employee and/or private third-party whistleblowers who bring suit alleging that companies are knowingly defrauding states by failing to escheat property that is subject to a state’s unclaimed property laws. Such False Claims Act lawsuits leverage the threat of treble damages to secure settlements from companies that may well believe their unclaimed property practices are compliant with state law. Delaware and New York have both become battlegrounds for whistleblower lawsuits, and the District of Columbia is but one example of a jurisdiction that has expanded the scope of its False Claims Act to reach unclaimed property matters. (See Overstock.com Inc. v. State of Delaware ex rel. French; State of New York ex rel. Raw Data Analytics LLC v. JP Morgan Chase & Co.)
The unclaimed property regulatory and enforcement challenges facing holders in 2021 are significant. Nevertheless, they can be managed effectively on an enterprise level through education, awareness, and intentionality of conduct, bolstered by collaboration between a holder’s compliance personnel and its business/operations teams.
Download PDF of Advisory