Maryland Enacts Law Exempting Passive Trusts from Mortgage and Installment Loan Licensing Requirements

In January 2025, the Maryland Office of Financial Regulation (the “OFR”) issued guidance stating that assignees of residential mortgage loans, including certain passive trusts, were required to hold a Maryland mortgage lender license and, in certain circumstances, an installment loan license (previously discussed here). In response, the Maryland House and Senate passed separate but identical bills known as the Maryland Secondary Market Stability Act of 2025 (the “Act”). The Act was signed into law by Maryland Governor Wes Moore on April 22, and became effective immediately.
The Act addressed the OFR guidance on licensing for secondary market assignees by enacting an exemption from both the Maryland Mortgage Lender Law and the Maryland Installment Loan Law for “passive trusts.” The Act defines a “passive trust” as a trust that acquires or is assigned a mortgage loan but does not (i) make mortgage loans, (ii) act as a mortgage broker or a mortgage servicer, or (iii) engage in the servicing of mortgage loans. The original bills introduced in response to the OFR guidance would have exempted any assignee of mortgage loans or installment loans from licensing, including a trust, but the final Act more narrowly exempts only passive trusts. 
Putting It Into Practice: The OFR’s guidance can now be considered abrogated, at least to the extent that it applied to passive trusts. However, secondary market purchasers of loans that do not use passive trusts to acquire or take assignment of residential mortgage loans in Maryland must become licensed as Maryland mortgage lenders by July 6, 2025. In addition, it is worth noting that the Act does not apply to loans made under the Maryland Consumer Loan Law, which provides that an assignee of a loan made under that law must hold a consumer loan license in order to enforce the loan.

National Security Commission on Emerging Biotechnology’s Final Report Includes Recommendations to Boost Economy and Protect National Security

The National Security Commission on Emerging Biotechnology (NSCEB) announced on April 8, 2025, the availability of its final report and action plan, “urging Congressional action to bring the full weight of American innovation to improve and maintain U.S. global leadership in biotechnology.” After an extensive study that included “more than 1,800 stakeholder consultations, a holistic review of unclassified and classified material, site visits across the United States, and meetings with foreign government and technology leaders,” NSCEB developed a set of top-priority recommendations to ensure that the United States “outrun[s] and slow[s] down Beijing in the biotechnology race.” The principles for action include:

Promote U.S. biotechnology innovation;
Be the biotechnology partner of choice for the world;
Use national security tools to protect innovation and industrial base in biotechnology; and
Work with the international community, including China where prudent, to develop best practices and standards for biosafety and biosecurity to prevent against misuse, whether deliberate or accidental.

The report states that after an extensive study, “including more than 1,800 stakeholder consultations, a holistic review of unclassified and classified material, site visits across the United States, and meetings with foreign government and technology leaders,” NSCEB developed the following set of top-priority recommendations:

Pillar 1: Prioritize biotechnology at the national level:
 

1.1a Congress must establish a National Biotechnology Coordination Office (NBCO) within the Executive Office of the President with a director, appointed by the President, who would coordinate interagency actions on biotechnology competition and regulation.
 

Pillar 2: Mobilize the private sector to get U.S. products to scale:
 

2.1a Congress must direct federal regulatory agencies to create simple pathways to market and exempt familiar products from unnecessary regulation;
 
2.2a Congress must establish and fund an Independence Investment Fund, led by a non-governmental manager, that would invest in technology startups that strengthen U.S. national and economic security;
 
2.3a Congress must authorize and fund the U.S. Department of Energy (DOE) and the U.S. Department of Commerce to develop a network of manufacturing facilities across the country for precommercial bioindustrial product scale-up;
 
2.4a Congress must direct the Department of Homeland Security (DHS) to ensure that biotechnology infrastructure and data are covered under “critical infrastructure”;
 
2.5a Congress must require public companies to disclose single points of supply chain vulnerability located in foreign countries of concern; and
 
2.5b Congress must prohibit companies that work with U.S. national security agencies and the U.S. Department of Health and Human Services (DHHS) from using certain Chinese biotechnology suppliers that are deemed to pose a national security threat.
 

Pillar 3: Maximize the benefits of biotechnology for defense:
 

3.1a Congress must direct the U.S. Department of Defense (DOD) to consult with stakeholders to define principles for ethical use of biotechnology for the U.S. military;
 
3.2a Congress must direct the DOD to work with private companies to build commercial facilities across the country to biomanufacture products that are critical for DOD needs; and
 
3.3a Congress must require outbound investment rules to ensure that U.S. capital does not support Chinese development of certain biotechnologies that could pose a national security risk.
 

Pillar 4: Out-innovate our strategic competitors:
 

4.1a Congress must authorize the DOE to create a Web of Biological Data (WOBD), a single point of entry for researchers to access high-quality data;
 
4.2a Congress must conduct oversight of existing policies, and add new ones where warranted, to ensure that China cannot obtain bulk and sensitive biological data from the United States;
 
4.3a Congress must establish Centers for Biotechnology within the existing National Laboratory network to support grand research challenges; and
 
4.4a Congress must direct the executive branch to advance safe, secure, and responsible biotechnology research and innovation.
 

Pillar 5: Build the biotechnology workforce of the future:
 

5.1a Congress must direct the Office of Personnel Management (OPM) to provide workforce training in biotechnology across the interagency;
 
5.1b Congress must ensure that federal agencies have the necessary expertise across national security and emerging biotechnology issues; and
 
5.2a Congress must maximize the impact of domestic biomanufacturing workforce training programs.
 

Pillar 6: Mobilize the collective strengths of our allies and partners:
 

6.1a Congress must include biotechnology in the scope of the U.S. Department of State’s International Technology Security and Innovation Fund to fund appropriately international biotechnology policy, research and development (R&D), and secure supply chains.

Fourth Circuit Rejects Rehearing in ACH Fraud Suit Alleging Violations of KYC Rules and NACHA Operating Standards

On April 22, the Fourth Circuit declined to reconsider a panel ruling that found a credit union could not be held liable for a scam in which fraudsters diverted over $560,000 from a metal fabricator through unauthorized ACH transfers. The denial leaves intact a March 2025 decision overturning the district court’s earlier ruling in favor of the plaintiff.
The dispute stems from a 2018 incident in which the company received a spoof email claiming to be from a supplier and directing the company to reroute payments to a new bank account. Relying on the instructions, the company made four ACH transfers to an account at the credit union, identifying the supplier as the beneficiary. However, the funds were deposited into an account belonging to another individual who had also been unknowingly involved in the fraud.
In its original complaint, the plaintiff alleged that the credit union failed to comply with Know Your Customer (KYC) regulations and anti-money laundering (AML) procedures by not verifying the identity or eligibility of the account holder. The complaint also asserted that the credit union violated the NACHA Operating Rules by accepting commercial ACH transfers—coded for business transactions—into a personal account. These claims were framed as failures to implement basic security protocols and to recognize clear mismatches in the payment data.
The panel held that the credit union lacked actual knowledge that the account was being used for fraudulent purposes and therefore could not be held liable under applicable law. In a concurring opinion, however, one judge noted that the record may contain evidence suggesting the credit union obtained actual knowledge of the misdescription before the final two transfers.
Putting It Into Practice: Even though the credit union ultimately avoided liability, the action is a good example of the lengths to which plaintiffs’ attorneys are going to hold banks liable for fraud related to spoofing. Unfortunately, Regulation E provides no avenue for relief for consumers where they are tricked into transferring money knowingly to another account. And the CFPB’s lawsuit against major banks related to similar conduct, where claims under the CFPA were alleged, was dropped earlier this year.

CFPB Shifts Supervision and Enforcement Priorities; Staff Reduction Stayed by Court

On April 16, the CFPB released an internal memo outlining major shifts in its supervision and enforcement priorities, signaling a retreat from several areas of regulatory activity. The next day, the Bureau issued formal reduction-in-force (RIF) notices to numerous employees, notifying them of termination effective June 16.
The supervision memo directs a significant reallocation of the Bureau’s focus and resources. Examinations are to be reduced by 50%, with an emphasis on collaborative resolutions, consumer remediation, and avoiding duplicative oversight. The CFPB will shift attention back to depository institutions, moving away from nonbanks that have increasingly been subject to Bureau exams in recent years. Enforcement will prioritize matters involving tangible consumer harm, particularly in areas of mortgage servicing, data furnishing under the FCRA, and debt collection under the FDCPA. The memo explicitly deprioritizes supervision of student lending, digital payments, remittances, and peer-to-peer platforms, and restricts the Bureau’s use of statistical evidence to support fair lending cases, limiting such actions to those involving intentional discrimination and identifiable victims.
The RIF notices cite structural realignment and policy shifts as the basis for the cuts and inform employees that the decision does not reflect performance or conduct. Following the issuance of the RIF notices, plaintiffs in ongoing litigation against the CFPB filed an emergency motion, arguing that the RIF appeared to violate an existing preliminary injunction. After an emergency hearing on April 18, Judge Amy Berman Jackson of the D.C. District Court ordered the CFPB to suspend its reduction-in-force and maintain employees’ access to the agency’s systems while legal proceedings continue, raising concerns that allowing the layoffs to move forward could permanently damage the Bureau’s ability to meet its legal obligations. The court set a follow-up hearing for April 28.
Putting It Into Practice: The current administration’s push to downsize the CFPB continues. While paused for the moment, a Bureau of only 200 employees will have a dramatic impact on the enforcement of the country’s federal financial services laws.

Federal Judge Blocks Key DEI Executive Order Provisions

On April 14, 2025, the U.S. District Court for the Northern District of Illinois issued a preliminary injunction preventing the U.S. Department of Labor (“DOL”) from enforcing a certification provision and termination clause included in the executive orders titled Ending Illegal Discrimination and Restoring Merit-Based Opportunity (“EO 14173”) and Ending Radical and Wasteful Government DEI Programs and Preferencing (“EO 14151”).
The ruling prevents the DOL from enforcing the provision in EO 14173 requiring federal contractors and grantees to certify that they do not operate “illegal” DEI programs that violate any federal anti-discrimination laws. The ruling also enjoins the DOL from terminating a federal grant issued to the plaintiff based on language in EO 14151, which requires agencies to terminate all “equity-related” grants.
Background
Plaintiff, Chicago Women in Trades (“CWIT”), provides programming and training to prepare women across the country for jobs in skilled trades such as electric work, plumbing and carpentry. CWIT receives approximately 40% of its annual budget from federal funding and specifically, a Women in Apprenticeship and Nontraditional Occupations (“WANTO”) grant from the DOL Women’s Bureau. On February 26, 2025, CWIT sued President Trump, the DOL, and several other federal agencies and agency heads, claiming the following provisions of EOs 14173 and 14151 violate the First Amendment, Fifth Amendment, constitutional spending powers held by Congress and the separation of powers principle:

The “Certification Provision” (EO 14173 § 3(b)(iv)), which orders each agency to include certifications in every contract or grant award that the contractor or grantee does not operate illegal DEI programs and that compliance with federal anti-discrimination laws is “material to the government’s payment decisions for purposes of” the False Claims Act;
The “Termination Provision” (EO 14151 § 2(b)(i)), which orders each “agency, department, or commission head” to “terminate, to the maximum extent allowed by law, all ‘equity-related’ grants or contracts.”

CWIT sought a declaration that the Certification Provision and Termination Provision are unlawful and unconstitutional, and preliminary and permanent injunctions enjoining the Defendants, other than President Trump, from enforcing those sections of the EOs that are found to be unlawful and unconstitutional.
Court’s Opinion and Reasoning
District Judge Matthew F. Kennelly issued a nationwide injunction enjoining the DOL’s use of the Certification Provision and enjoining the DOL from terminating the WANTO grant based on the Termination Provision in EO 14151.
As to the Certification Provision, the Court found unavailing the government’s argument that the certification is permissible because it simply requires the grantee to certify that it is not breaking the law. The Court instead found that the language was unclear and left the meaning of illegal DEI programs up “to the grantee’s imagination” by not defining what DEI is or what makes a DEI program “violate Federal anti-discrimination laws.” The Court noted that the Certification Provision applies to all federal grantees and contractors and that there is a critical urgency to protect grantees and contractors from irreparable injury to their free-speech rights.
The ruling therefore held that CWIT is likely to succeed on the merits in showing that the Certification Provision violates First Amendment rights. The Court also found that the nature of the First Amendment right at stake supported a broad preliminary injunction, not only limited to CWIT, as every contract and grant offered by an agency would likely contain the provision. The Court did, however, limit the injunction to the DOL, noting that CWIT had “demonstrated a risk of imminent harm with regards only to DOL,” and “it is hard to see – and CWIT does not suggest – a basis upon which it would seek grants from agencies other than DOL.”
On the issue of the Termination Provision, the Court similarly found that CWIT showed sufficiently imminent injury as CWIT’s grants were directly targeted by the provision. However, the Court found that, unlike the Certification Provision, “there is likely a low risk that other grantees who risk termination or are terminated will not challenge enforcement of this provision against them.” Therefore, the Court declined to extend the injunction and limited its reach to enjoining the DOJ from terminating CWIT’s WANTO grant.
On April 16, 2025, the DOJ filed a Preliminary Injunction Compliance Status Report confirming its compliance with the Court’s preliminary injunction order and attaching an email that was sent to agency heads in the DOJ and other relevant parties including the Court’s order.
Other cases involving challenges to the EOs discussed in this article include: Nat’l Ass’n of Diversity Offs. in Higher Educ. v. Trump, F. Supp. 3d, No. 25 C 333 ABA, 2025 WL 573764 (D. Md. Feb. 21, 2025); Nat’l Urban League v. Trump, No. 25 C 471 (D.D.C.); and S.F. AIDS Found. v. Trump, No. 25 C 1824 (N.D. Cal.). Other Proskauer articles on this topic include: Federal Court Issues Partial Preliminary Injunction Halting Enforcement of DEI-Related EOs, Fourth Circuit Temporarily Allows DEI-Related EOs to Continue, EEOC and DOJ Release Guidance on DEI and Workplace Discrimination, President Trump Issues Sweeping Executive Orders Aimed at DEI.

CFPB Drops Suit Against Credit Card Company Alleging TILA Violations and Deceptive Marketing Practices

On April 23, the CFPB voluntarily dismissed with prejudice its lawsuit, filed in September 2024, against a Pennsylvania-based credit card company that had been accused of unlawfully marketing a high-cost, limited-use membership program to subprime consumers.
The complaint alleged that the company violated the Consumer Financial Protection Act (CFPA) and the Truth in Lending Act (TILA) and its implementing Regulation Z. The Agency asserted the following violations:

Misleading marketing of a “general-purpose” credit card. The company allegedly represented that it offered a standard credit card when the product could only be used at the company’s own online store.
Excessive fees in violation of TILA and Regulation Z. The card carried annual charges amounting to roughly 60% of the card’s credit limit, exceeding the 25% cap permitted during the first year of account opening.
Limited consumer use and value. Despite charging substantial fees, the program offered minimal utility—only 6% of customers used the card and just 1–3% used any ancillary benefits.
Deceptive cancellation and refund process. The company claimed cancellations could be completed in under a minute but instead subjected consumers to extended calls and repeated sales pitches before granting partial refunds.
Unreasonable barriers to exit constituted abusive conduct. The CFPB alleged the company exploited consumers’ inability to easily exit the program or secure refunds, thereby taking unreasonable advantage of financially vulnerable individuals.

Putting It Into Practice: The dismissal is the latest in a series of reversals by the CFPB under its current leadership (previously discussed here and here). While the agency appears to be retreating from certain nonbank UDAAP cases, the statutory obligations under the CFPA and TILA remain unchanged. Companies marketing credit products to subprime consumers should closely review how their offerings are presented, how fees are structured, and how cancellation processes are administered.

Sunsetting of COVID-19 Paid Emergency Leave Law

Beginning July 31, 2025, New York employers will no longer be required to provide separate leave for COVID-19 quarantines and isolations. This marks a significant shift in pandemic-related employment policies for businesses in the Empire State.
New York’s COVID-19 Paid Emergency Leave (“PEL”) was originally enacted in March 2020, during the height of the COVID-19 outbreak. PEL requires employers to provide up to fourteen (14) days of protected, paid leave to employees who are subject to a mandatory or precautionary order of isolation or quarantine due to COVID-19, and who cannot work remotely. PEL is limited exclusively to COVID-19, and its paid leave benefits are separate from and additional to other paid sick and safe leave benefits—including New York State’s Paid Sick and Safe Leave law, New York City’s Earned Sick and Safe Time law, and New York’s Paid Family Leave law.
When enacted, PEL did not contain an expiration date; nor was one provided in subsequent guidance. But on April 24, 2024, Governor Hochul signed the 2024-2025 New York State Budget. This Budget includes a provision sunsetting PEL—a measure many employers and legislators believed was long overdue. Indeed, while numerous other jurisdictions passed similar COVID-19 leave laws, New York’s PEL is the last such statute remaining in effect.
With the impending repeal of PEL, employers are reminded to remain compliant with other paid sick and safe leave benefits. Serious COVID-19 cases or other illnesses may still trigger obligations under various protected leave and medical accommodation laws, such as the federal Family and Medical Leave Act, the Americans with Disabilities Act, the New York Human Rights Law, and the New York City Human Rights Law.

Court Slams Lawyers for AI-Generated Fake Citations

A federal judge in Colorado has issued a scathing order that should serve as a wake-up call for attorneys who use frontier generative artificial intelligence (Gen AI) models in legal research. On April 23, federal Judge Nina Y. Wang of the District of Colorado issued an Order to Show Cause in Coomer v. Lindell that exposes the dangers of unverified AI use in litigation.
The Case and the Famous Defendant
The defamation lawsuit involves plaintiff Eric Coomer, a former Dominion Voting Systems executive, and defendant Mike Lindell, the well-known CEO of MyPillow. The case has gained significant attention not only for the high-profile parties involved but also for becoming a neon-red-blinking cautionary tale of consequential Gen AI misuse.
“Cases That Simply Do Not Exist”
Judge Wang identified “nearly thirty defective citations” in a brief submitted by Lindell’s attorneys, and they weren’t mere minor errors. The court found:

Citations to cases that “do not exist”
Legal principles attributed to decisions that contain no such language
Cases from one jurisdiction falsely labeled as being from another
Misquotes of actual legal authorities

One particularly egregious example involved a citation to “Perkins v. Fed. Fruit & Produce Co., 945 F.3d 1242, 1251 (10th Cir. 2019)”—a completely fabricated case. The court noted that while a similar-named case exists in a different form, the Gen AI tool had essentially cobbled together a fictional citation by merging elements from entirely different cases.
The Reluctant Admission
When confronted about these errors at a hearing, the defense attorney initially deflected, suggesting it was a “draft pleading” or blaming a colleague for failing to perform citation checking. Only when directly asked by Judge Wang whether AI had generated the content did Kachouroff admit to using Gen AI.
Even more damning, Kachouroff “admitted that he failed to cite check the authority in the Opposition after such use before filing it with the Court—despite understanding his obligations under Rule 11.” The court expressed open skepticism about his claim that he had personally drafted the brief before using AI, noting “the pervasiveness of the errors.”
Lessons for Legal Practice
AI verification isn’t optional—it’s a professional obligation. While AI tools can enhance efficiency, they require human oversight. The ethical foundations of legal practice remain unchanged: attorneys must verify information presented to the court, regardless of its source.
As Gen AI continues to integrate rapidly into legal practice, the Coomer case serves as a stark reminder that technology cannot replace professional judgment. Case citations must be verified, quotations must be confirmed, and legal principles must be substantiated against primary sources. While the legal profession has always adapted to new technologies, core professional responsibilities have not changed significantly. In the AI era, these obligations require vigilance more than ever.
Not until this Court asked Mr. Kachouroff directly whether the Opposition was the product of generative artificial intelligence did Mr. Kachouroff admit that he did, in fact, use generative artificial intelligence.

DOJ’s Data Security Program Final Rules Effective – Implications for Telecom Providers

On January 8, 2025, the U.S. Department of Justice (DOJ) issued its final rule to implement Executive Order 14117 aimed at preventing access to Americans’ bulk sensitive personal data and government-related data by countries of concern, including China, Cuba, Iran, North Korea, Russia, and Venezuela (Data Security Program or DSP). The regulations took effect on April 8, 2025, with additional compliance requirements for U.S. persons taking effect by October 6, 2025.
While the DSP includes an exemption for “telecommunications services” (as specifically defined in the rule), telecommunications providers must closely review their services involving data transactions with countries of concern or covered persons associated with those countries to ensure the particular service provided or transaction falls within the exemption. Non-compliance with the DSP can result in significant civil and criminal penalties, underscoring the importance for telecommunications providers to thoroughly understand and adhere to these rules, where applicable.
Scope and Applicability
The DSP sets forth prohibitions and restrictions on certain data transactions that pose national security risks. The rules are designed to be national security regulations to address identified risks to U.S. national security, rather than privacy regulations designed to protect privacy or other individual interests.
The DSP applies to U.S. persons and entities engaging in transactions that provide access to Covered Data to Countries of Concern or Covered Persons associated with those countries in specified ways. Countries of Concern currently include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela, but this list is subject to future change. The DSP defines Covered Persons as entities or individuals associated with a Country of Concern, based on the following criteria:

An entity that is 50% or more owned by a Country of Concern
An entity that is organized or chartered under the laws of a Country of Concern
An entity that has its primary place of business in a Country of Concern
An entity that is 50% or more owned by a Covered Person
A foreign person, as an individual, who is an employee or contractor of a Country of Concern 
A foreign person, as an individual, who is primarily a resident in the territorial jurisdiction of a country of concern
Any entity or individual that the Attorney General designates as a Covered Person subject to broad discretion set forth in the DSP

Covered Data involves two primary categories of data: U.S. sensitive personal data and U.S. government-related data. At a high level, the new rules prohibit, restrict, or exempt certain data transactions involving Covered Data that could give countries of concern or Covered Persons access to such data, and are triggered by bulk data transfers, which can include individual transfers that over time trigger specified volume thresholds. The rules also include specified record keeping and reporting requirements, as well as a process for obtaining approval of otherwise prohibited transfers. The rules also include enforcement mechanisms with the potential for civil and criminal penalties for non-compliance.
On April 11, 2025, DOJ issued a compliance guide, along with a list of Frequently Asked Questions (FAQs) to assist entities with understanding and implementing the DSP. DOJ also announced a 90-day limited enforcement period from April 8 to July 8, 2025, focusing on facilitating compliance rather than enforcement, provided that entities are making good faith efforts as outlined in the 90-day policy. By July 8, 2025, entities must be fully compliant with the DSP, as the DOJ will begin enforcing the provisions more rigorously. By October 6, 2025, compliance with all aspects of the DSP, including due diligence, audit requirements, and specific reporting obligations, will be mandatory.
For a more detailed discussion of the persons and transactions covered under the DSP and its applicability, including definitions, see our recent alert on Navigating the New DOJ Data Security Program Compliance.
Telecommunications Services Exemption
Of note for telecommunications providers is that the DSP, Rule Section 202.509, includes a “telecommunications services” exemption. This exemption for telecommunications services states that the DSP rules: “…do not apply to data transactions, other than those involving data brokerage, to the extent that they are ordinarily incident to and part of the provision of telecommunications services,” as that term is defined under the rule. Specifically, Rule Section 202.252, the new DOJ rule definition of “telecommunications service” means:
the provision of voice and data communications services regardless of format or mode of delivery, including communications services delivered over cable, Internet Protocol, wireless, fiber, or other transmission mechanisms, as well as arrangements for network interconnection, transport, messaging, routing, or international voice, text, and data roaming.

Of note, this exemption specifically applies to activities directly related to the technical and operational aspects of delivering telecommunications services and does not extend to ancillary services like marketing or data analytics. The Department also declined to expand the exemption to include data transactions related to IP addresses or cybersecurity services.
Importantly, the DOJ made clear the definition of telecommunications services for purposes of the DSP is unique to the DSP and is without reference to the definition in Section 153(53) of the Communications Act. The import of this is that the definition is apparently without reference to whether the service is a common carrier offering.
Examples of Exempt and Non-Exempt Transactions
Rule Section 202.509 provides examples of bulk data transfers incident to telecommunications services that fall within the exemption, and an example of a bulk data transfer by a telecommunications service provider that falls outside the exemption:
(1) Example 1. A U.S. telecommunications service provider collects covered personal identifiers from its U.S. subscribers. Some of those subscribers travel to a country of concern and use their mobile phone service under an international roaming agreement. The local telecommunications service provider in the country of concern shares these covered personal identifiers with the U.S. service provider for the purposes of either helping provision service to the U.S. subscriber or receiving payment for the U.S. subscriber’s use of the country of concern service provider’s network under that international roaming agreement. The U.S. service provider provides the country of concern service provider with network or device information for the purpose of provisioning services and obtaining payment for its subscribers’ use of the local telecommunications service provider’s network. Over the course of 12 months, the volume of network or device information shared by the U.S. service provider with the country of concern service provider for the purpose of provisioning services exceeds the applicable bulk threshold. These transfers of bulk U.S. sensitive personal data are ordinarily incident to and part of the provision of telecommunications services and are thus exempt transactions.
This example illustrates where the data sharing is integral to the core function of providing telecommunications services and facilitating international roaming, aligning with the exemption criteria.
(2) Example 2. A U.S. telecommunications service provider collects precise geolocation data on its U.S. subscribers. The U.S. telecommunications service provider sells this precise geolocation data in bulk to a covered person for the purpose of targeted advertising. This sale is not ordinarily incident to and part of the provision of telecommunications services and remains a prohibited transaction.
Here, the sale of geolocation data for advertising purposes is not directly related to the telecommunications service itself, placing it outside the scope of the exemption.
(3) Example 7. A U.S. company owns or operates a submarine telecommunications cable with one landing point in a foreign country that is not a country of concern and one landing point in a country of concern. The U.S. company leases capacity on the cable to U.S. customers that transmit bulk U.S. sensitive personal data to the landing point in the country of concern, including transmissions as part of prohibited transactions. The U.S. company’s ownership or operation of the cable does not constitute knowingly directing a prohibited transaction, and its ownership or operation of the cable would not be prohibited (although the U.S. customers’ covered data transactions would be prohibited). See 28 CFR § 202.305.
This example illustrates that while the infrastructure operation itself is not a prohibited transaction, the data transfers by customers using the international submarine cable are prohibited if they involve countries of concern. This would likely be a direct issue for the underlying customer rather than the telecommunications service provider, though providers might still consider whether it would make sense to ensure that their customer agreements include provisions insulating them from any potential exposure from such customer non-compliance.

The examples above focus on whether a particular bulk data transfer is “ordinarily incident to and part of the provision of” an exempt telecommunications service. So, for example, arrangements outside the actual provision of the service, such as the sale or sharing of customer data for marketing purposes or with application providers, would appear to be outside the scope of the exemption.
As one example, a number of major mobile carriers had location-based service programs, which were the subject of a series of FCC enforcement actions, that facilitated, through third party “location aggregators”, the sharing of user location data with application providers to enable location-based services.2 Example No. 2, above, would suggest that this type of service would not be “ordinarily incident to and part of the provision of” a carrier’s mobile data services (the telecommunications service under the DSP definition) and hence outside the exemption.
Challenges and Considerations
The harder question, however, and one that will undoubtedly be initially vexing for providers without further clarification from DOJ, is the actual scope of the “telecommunications services” definition in the rule. This is particularly true for integrated offerings by providers that clearly include telecommunications services, but also include integrated components involving bulk transfers that, standing alone, might be outside the scope of the telecommunications services definition. Of significance, in adopting this definition, the DOJ stated that the definition is limited to the listed telecommunications services and does not reach services like cloud computing.
The recently issued FAQs also reinforce this point, stating the definition is “limited to communications services and does not include all internet-based services like cloud computing.” See Question 77. This raises the question of how to treat an offering by a telecommunications services provider that includes both cloud computing and associated transport services. Similarly, integrated applications offered by telecommunications services providers in conjunction with their telecommunications service offerings would raise similar questions, particularly, as noted above, in connection with Example No. 2.
Providers should note that any data transaction not essential to the core function of telecommunications—such as partnerships involving user data for non-service-related purposes—may fall outside the exemption. Providers must differentiate between core telecommunications functions and ancillary services, ensuring that services like data analytics or marketing, which are not ordinarily incident to the core telecommunications services, are carefully evaluated for compliance.
Implications of Limitation to Telecommunications Service Exemption
While DOJ’s final rule appears to provide three straightforward examples, issues arise with integrated service offerings, such as telecommunications services that include a cloud computing or data center component. While the telecommunications service aspect appears to be exempt, the data storage or cloud computing aspect would not be, at least if offered on a standalone basis. The same may be true for integrated application offerings in connection with application providers, most obviously, under Example No. 2, in connection with sharing location data. This necessitates a thorough review of service offerings, particularly those bundled with non-telecommunications services like cloud computing, data center services, and applications, to determine compliance with DSP regulations. Accordingly, telecommunications providers must closely examine the integrated services they provide, along with their data sharing arrangements with third parties, to determine whether the transaction may trigger prohibited or restricted data transactions involving countries of concern or Covered Persons.

1 In adopting this definition, DOJ noted that commenters suggested that the definition of telecommunications services be expanded to include voice and data communications over the internet. DOJ agreed and, instead of limiting the scope of “telecommunications services” to the definition in the Communications Act, 47 U.S.C. 153(53) (which would have applied only to common carriers), the DOJ adopted its own definition of the term to cover present day communications for the purposes of the exemption. Under the Communications Act, telecommunications service means the offering of telecommunications for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used.
2 See FCC Fines AT&T, Sprint, T-Mobile and Verizon Nearly $200 Million for Illegally Sharing Access to Customers’ Location Data (FCC News Release, Apr. 29, 2024); see also AT&T, File No. EB-TCD-18-00027704, Forfeiture Order at ¶¶ 8-10 (FCC 24-40, Apr. 29, 2024), vacated, AT&T v. FCC, No. 24-60223, Slip Op. at 5-6 (5th Cir. Apr. 17, 2025).

White House Executive Order Eliminates Disparate-Impact Liability Enforcement

On April 23, the White House issued an Executive Order entitled Restoring Equality of Opportunity and Meritocracy, directing federal agencies to “eliminate the use of disparate-impact liability in all contexts to the maximum degree possible.” The Executive Order marks a potential shift in how federal fair lending laws will be enforced across the financial services sector.
Federal agencies have historically used disparate-impact liability to evaluate facially neutral policies that may result in unequal outcomes for protected classes. The Executive Order now instructs agencies to reassess their enforcement strategies and deprioritize claims rooted in disparate impact, including under the Equal Credit Opportunity Act, the Fair Housing Act, and other fair lending statutes. 
Specifically, the Executive Order directs the Attorney General to identify and initiate repeal or amendment of regulations, guidance, or rules that impose disparate-impact liability. It also calls on federal agencies, including the CFPB, to review all pending investigations, litigation, and consent orders based on disparate-impact claims. Additionally, the Attorney General must evaluate whether federal law preempts state-level disparate-impact regimes and recommend further action where such state laws may conflict with federal policy.
Putting It Into Practice: The Executive Order reflects a broader policy shift on how discriminatory conduct is litigated (previously discussed here). The Executive Order will certainly impact federal fair lending and anti-discrimination oversight, particularly in areas where enforcement has traditionally relied on statistical disparities rather than explicit intent. Market participants should also prepare for potential divergence between federal and state priorities in some jurisdictions.

CFPB to Revoke Medical Debt Collection Advisory Opinion

On April 11, the CFPB filed a joint motion in the U.S. District Court for the District of Columbia indicating its intent to revoke an advisory opinion on medical debt collection. The Bureau requested a stay of litigation while it moves to formally withdraw the opinion and committed to providing a status update by July 14 and every 30 days thereafter.
The October 2024 advisory opinion interpreted the Fair Debt Collection Practices Act (FDCPA) and Regulation F to restrict certain medical debt collection practices, including those involving allegedly deceptive or unfair statements about the validity or scope of consumer obligations. The opinion’s issuance triggered multiple lawsuits challenging the CFPB’s statutory authority and legal basis, arguing that the Bureau exceeded its rulemaking powers by issuing substantive policy through an advisory opinion without following the Administrative Procedure Act’s notice-and-comment requirements.
The parties explained that revoking the advisory opinion would resolve the plaintiff’s legal claims, eliminating the need for further litigation. The CFPB stated that it was actively evaluating next steps and that maintaining the litigation would be inefficient and unnecessary.
Putting It Into Practice: The CFPB’s decision to revoke its medical debt advisory opinion continues a broader rollback of policies issued under prior leadership (previously discussed here and here). As the Bureau reconsiders its approach, states may increasingly step in to fill the regulatory gap—particularly those active in applying and enforcing UDAAP laws.

Trump Administration Issues Executive Order Aimed at Eliminating Disparate Impact Liability Under Anti-Discrimination Laws

On April 23, 2025, the White House issued an Executive Order (“EO”) entitled “Restoring Equality of Opportunity and Meritocracy,” which aims to “eliminate the use of disparate-impact liability in all contexts to the maximum degree possible.” 
First recognized under Title VII of the Civil Rights Act of 1964 (“Title VII”) by the U.S. Supreme Court in Griggs v. Duke Power Co. (1971), disparate impact liability provides that a policy or practice that is facially neutral and applied without discriminatory intent may nevertheless give rise to a claim of discrimination if it has an adverse effect on a protected class, such as a particular race or gender. Disparate impact liability has also been recognized under fair housing laws and in other contexts.
The EO characterizes disparate impact liability as creating “a near insurmountable presumption of unlawful discrimination . . . where there are any differences in outcomes in certain circumstances among different races, sexes, or similar groups, even if there is no facially discriminatory policy or practice or discriminatory intent involved, and even if everyone has an equal opportunity to succeed.” The EO further states that disparate impact liability “all but requires individuals and businesses to consider race and engage in racial balancing to avoid potentially crippling legal liability” and “is wholly inconsistent with the Constitution.”
To that end, the EO, among other things:

directs all executive departments and agencies to “deprioritize enforcement of all statutes and regulations to the extent they include disparate-impact liability,” including but not limited to Title VII;
orders the Attorney General, within 30 days of the EO, to report to the President “(i) all existing regulations, guidance, rules, or orders that impose disparate-impact liability or similar requirements, and detail agency steps for their amendment or repeal, as appropriate under applicable law; and (ii) other laws or decisions, including at the State level, that impose disparate-impact liability and any appropriate measures to address any constitutional or other legal infirmities”;
orders the Attorney General and the Chair of the EEOC, within 45 days, to “assess all pending investigations, civil suits, or positions taken in ongoing matters under every Federal civil rights law within their respective jurisdictions . . . that rely on a theory of disparate-impact liability, and [] take appropriate action” consistent with the EO;
orders all agencies, within 90 days, to “evaluate existing consent judgments and permanent injunctions that rely on theories of disparate-impact liability and take appropriate action” consistent with the EO;
orders the Attorney General, in coordination with other agencies, to “determine whether any Federal authorities preempt State laws, regulations, policies, or practices that impose disparate-impact liability based on a federally protected characteristic such as race, sex, or age, or whether such laws, regulations, policies, or practices have constitutional infirmities that warrant Federal action, and [] take appropriate measures” consistent with the EO; and
orders the Attorney General to initiate action to repeal or amend regulations contemplating disparate impact liability under Title VI of the Civil Rights Act of 1964, which prohibits race, color, and national origin discrimination in programs and activities receiving federal financial assistance.

The EO also orders the Attorney General and the Chair of the EEOC to “jointly formulate and issue guidance or technical assistance to employers regarding appropriate methods to promote equal access to employment regardless of whether an applicant has a college education, where appropriate.”
Takeaways
This EO is the latest evidence of shifting enforcement priorities by the federal agencies tasked with enforcing civil rights laws, including the EEOC. The ultimate scope of the EO’s impact remains to be seen, particularly as it relates to the potential for preemption of disparate impact liability under state or local anti-discrimination laws. Congress has the authority to amend any federal statutes to specifically address a disparate impact theory of liability, and the courts will continue to have the ultimate say on whether and to what extent such a theory is cognizable under particular statutes. We anticipate further updates in this area and will continue to monitor and report on these updates.