< Return to Blog

COVID-19: Legal Considerations for Startups and Fintech Companies

Josh Garcia

Contributions to this article made by Ross Barbash, James Blakemore, Zach Fallon, and Lara Romansic.

The current global pandemic raises a number of potential legal issues for businesses of all sizes. We list below the most relevant concerns we expect to see for startups and financial technology companies, to help isolate issues during the crisis so companies can resolve them one by one. We also outline special concerns for companies facing consumers and those offering regulated financial services in New York State.

Emergency Loan Relief

To provide immediate relief to businesses affected by COVID-19, Congress has passed the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act, which became law on March 27. Among other measures, the CARES Act allocates $349 billion to aid to small businesses. Under its Paycheck Protection Program, qualifying small business will be eligible for federally guaranteed loans aimed at keeping workers employed through the pandemic. Importantly, the CARES Act includes generous loan-forgiveness provisions.

Eligibility under the program extends generally to small businesses with fewer than 500 employees or that otherwise meet size standards set by the Small Business Administration, non-profits, tribal business concerns, or veteran organizations with fewer than 500 employees, and individuals who operate as sole proprietors, independent contractors, or who are self-employed and regularly carry on any trade or business. To be eligible for a loan, among other things, a borrower will need to have been in operation before February 15, 2020 and will have to make a good faith certification regarding the necessity of the loan and that borrower will use the loan proceeds to retain workers or make mortgage, lease, and utility payments.

Under the program, small businesses will be able to borrow up to 2.5 times their average monthly payroll costs, not to exceed $10 million. (Compensation of an individual employee in excess of an annual salary of $100,000 is excluded from “payroll costs.”) The loans themselves will have a maximum maturity of 10 years from the date the borrower applies for loan forgiveness and a maximum interest rate of 4%.A borrower will be eligible for loan forgiveness equal to the amount spent by the borrower over eight weeks (beginning with the start of the loan) on payroll, mortgage interest, rent, and utilities, up to the amount of loan principal.

Further details regarding implementation are forthcoming from the administration, but interested small businesses should contact counsel now, and should begin compiling relevant materials, including payroll documentation, tax and unemployment insurance filings, proof of payment of payroll taxes, and mortgage documentation. Applications can be viewed on Treasury’s website.

Contract Disputes

The pandemic raises an immediate question of whether it triggers any so-called “force majeure” clauses contained in existing contracts. Typically, a force majeure clause excuses performance of a contract if one of an enumerated list of events or conditions occurs that was unanticipated by the parties. While such clauses vary widely, they often include “acts of God” or “government actions” that are “beyond the control of the parties” among the list of events or conditions that excuse a party’s contractual performance. As just one example from the pandemic, the recent state-ordered business closures, enacted to slow the spread of coronavirus, could arguably fall into both of these categories and excuse a party’s performance.

The burden of proving that a specific condition or event qualifies as a force majeure event is generally on the party seeking to invoke it to excuse performance. Such clauses tend to be interpreted quite narrowly based on the precise language of the contract at issue, and those interpretations can vary from state to state.

Moreover, if the parties disagree as to whether an event triggers their contract’s force majeure clause, that question will need to be resolved either in court or in arbitration, depending on the forum specified by the contract. Accordingly, to the extent a party believes it may need to rely on a force majeure clause, it should take care to document both the events and conditions as they occur and the effect on the contract (including the parties’ efforts to perform despite conditions). Parties should attempt to take a consistent approach to the extent more than one contract is affected.

In the event a contract affected by the pandemic does not contain a force majeure clause, and a company seeks a remedy because of economic harm arising from the pandemic, all is not lost. Contractual parties may also look to the common law doctrine of frustration of purpose, which has a similar effect of excusing contractual performance where an event or condition unforeseen by both parties frustrates the entire objective of the contract.

Employment Issues

Many companies anticipate or have experienced a contraction in sales, revenue, and growth. In response, many may downsize to address immediate cash flow concerns. The Worker Adjustment and Retraining Notification (“WARN”) Act imposes written notice requirements that must be complied with by companies undertaking a reduction in force. Complying with the WARN Act and other relevant regulations, such as the Older Workers Benefit Protection Act and Age Discrimination in Employment Act, requires careful analysis of applicable federal and state statutes.

Securities Law Issues

The U.S. Securities and Exchange Commission (“SEC”) has issued a number of market-focused actions, guidance, and targeted regulatory relief in response to COVID-19. Public, and to a limited extent, private companies should take this guidance into account when considering the implications that COVID-19 may have on their respective business and securities laws-related obligations. In particular, the Commission has stated it would grant conditional filing relief for certain ongoing reports, and has already exercised its enforcement authority in connection with COVID-19-related misconduct.

The SEC will host a video conference on April 2nd, 2020 to help address challenges small business may be facing related to the pandemic.

The SEC also reminded issuers in securities transactions that how a company responds to COVID-19 and how the pandemic affects the company’s business may be material information that would need to be disclosed to investors. SEC staff has already provided guidance and assistance regarding such disclosures and has reminded companies and persons with access to material nonpublic information not to trade on the basis of such information, especially as the impact of the pandemic has unexpected results on businesses that may not be visible to the public.

The SEC has also extended deadlines for proposed actions with comment periods ending in March and may look to extend the notice and comment periods in other contemplated rulemakings or regulatory actions. Any company seeking to raise capital or to raise a fund should take note of the extension of the proposal to amend the “accredited investor” definition. The SEC has stated it will not take final action on this proposal before April 24th, 2020.

Company Compliance Plans and Policies

Many businesses possess one of the three following documents: Incident Response Plan (“IRP”), Business Continuity and Disaster Recovery (“BCDR”) Plan, or an Information and Data Security Policy (“Cybersecurity Policy”). Often, regulated financial services entities must have these policies in place prior to serving customers. It is paramount that companies review these plans and policies and take them seriously — they may become relevant as the crisis continues.

Reduced staff capacity or on-site presence as a result of illness may trigger provisions in a company’s BCDR Plan, a document not often reviewed by any third-party auditor. In addition, the risk of hacking has increased, ironically, as the pandemic has worsened. Businesses may need to enforce their Cybersecurity Policies to ensure all employees make use of protective security measures or install required software. Employees working from unsecured home networks may access files on non-work-issued laptops or may otherwise present an additional vector of attack for hackers. Privacy protocols might be of renewed relevance where companies make use of video conferencing applications. In addition, companies may find themselves relying on often-overlooked protocols in their IRPs to respond to data breaches as they occur.

Consumer-Facing Businesses

TCPA’s “Emergency Purpose” Exception

The Telephone Consumer Protection Act (“TCPA”) carries severe potential punishments for companies that engage in robocalling or text messaging without “prior express written consent” of the consumer. However, the law contains an “emergency purpose” exception useful for some businesses facing the need to send emergency text messages. For example, educational institutions can make use of the exception where the health and safety of students are at issue; pharmacies have made use of it for prescription reminder messages (although, see this case); grocery stores have used it to alert people to salmonella-tainted beef. The legislative history of the TCPA “indicates a congressional intent to interpret the term ‘emergency’ broadly.

We expect airlines, other common carriers, rideshare companies, public venues, or other companies may wish to make use of the emergency purpose exception, or understand its boundary-lines, as they decide how to alert consumers of potential coronavirus exposure.

CAN-SPAM Communications

Most businesses already comply with the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act of 2003 and its implementing rules. This law is to email communications what the TCPA is to telemarketing and text communications. It carries severe penalties where companies do not allow consumers to opt-out of commercial communications. CAN-SPAM does not have an “emergency purpose” exception to its rules, although it is likely that emergency communications will be considered “transactional or relationship content” subject to less stringent standards than purely “commercial” content under the rule.

UDAP/UDAAP Protections and Prohibitions against Unfair Business Practices

At the federal and state level, prohibitions exist against “unfair, deceptive, or abusive acts or practices” in the consumer financial services context (“UDAAP”), against “unfair or deceptive acts or practices” in the context of commerce more generally (“UDAP”), or broadly (at the state level) against unfair business practices. Whichever law applies, practices such as price gouging in the face of emergencies, excessive fees that seek to take advantage of consumers of a crisis, or locking consumers into unfair or abusive lending arrangements will not be taken lightly by regulators. Businesses will certainly struggle during a time of reduced economic activity. Before they take desperate measures in response to desperate times, they should have a lawyer review whether such measures risk violation of UDAAP, UDAP, or unfair business practices laws.

NYDFS-Regulated Financial Institutions

New York’s Department of Financial Services (“NYDFS”), the state regulator for financial institutions doing business in New York State, has issued industry letters to banks, credit unions, licensed lenders, insurers, and virtual currency businesses regarding the COVID-19 outbreak. NYDFS has asked insurance and virtual currency businesses to prepare and provide to the regulator by April 9th, 2020 an explanation of how a company’s preparedness plan and risk management plan cover its response to the outbreak. For virtual currency companies already undertaking their transaction monitoring certification (due April 15th, 2020), many of the requests from the industry letter may overlap with requests from NYDFS during the certification process.