EPA and OSHA Sign MOU for Implementation of TSCA Section 6
The U.S. Environmental Protection Agency (EPA) announced on January 13, 2025, that it signed a long-awaited memorandum of understanding (MOU) with the Occupational Safety and Health Administration (OSHA) formalizing coordination on EPA’s work to assess and manage existing chemicals under Section 6 of the Toxic Substances Control Act (TSCA). According to EPA’s press release, “EPA and OSHA anticipate that better coordination under this MOU will result in improved workplace health and safety protections for workers using existing chemical substances under TSCA and the Occupational Safety and Health (OSH) Act and allow for effective implementation of our national workplace and environmental protection statutes.”
EPA states that continuing the existing collaboration between EPA and OSHA on workplace exposures as part of EPA’s prioritization, risk evaluation, and risk management of existing chemicals, the MOU will further facilitate information sharing in the form of notification, consultation, and coordination where appropriate. According to EPA, the agencies will share information on:
TSCA Section 6 prioritization, risk evaluation, rulemaking, and implementation efforts as it pertains to chemical hazards in the workplace;
Outreach and communication materials for stakeholders about EPA rules and OSHA requirements, including TSCA Section 6 and OSHA rules that regulate the same chemical hazards;
Inspections and enforcement activity such as each agency’s areas of focus, complaints, inspections, and potential violations where mutual interest exists; and
Protocols to ensure that confidential information is being properly exchanged between the agencies when carrying out law enforcement actions or otherwise protecting health or the environment.
EPA notes in the press release that the 2016 amendments to TSCA expanded EPA’s authority and responsibility to protect workers, requiring EPA to consider potentially exposed and susceptible subpopulations in chemical risk evaluations, a category that explicitly includes workers. According to EPA, the agencies together have the statutory responsibility to ensure the safety and health of the public and the nation’s workforce through the timely and effective implementation of federal laws and regulations, including TSCA and the OSH Act. EPA states that the chemical rules that OSHA promulgates under the OSH Act and that EPA promulgates under TSCA Section 6(a) share a broadly similar purpose, and the control measures OSHA and EPA require to satisfy the objectives of their respective statutes may overlap or coincide.
According to EPA, TSCA differs from the OSH Act in several respects, however, including jurisdiction: TSCA regulates the use of chemicals more broadly, while the OSH Act regulates health and safety in the workplace. TSCA also covers a wider range of workers that are not covered under the OSH Act, such as volunteers, self-employed workers, and some state and local government workers. As a result, EPA states that its findings and occupational risk mitigations may differ from OSHA’s. For example, while OSHA has set regulatory exposure limits for some chemicals, OSHA set most of these limits shortly after the adoption of the OSH Act in 1970. EPA notes that by contrast, the exposure limits it is establishing as part of current risk management rules “are derived from current scientific review.”
EPA notes that “[r]equirements set under TSCA must use the best available science to address unreasonable risk — identified without consideration of cost or other non-risk factors; whereas standards set under the OSH Act are constrained by requirements that OSHA prove proposed controls are economically and technically feasible.” EPA states that although it considers non-risk factors such as the effect on the national economy and technological innovation when weighing options sufficient to address the unreasonable risk under TSCA, “the differences in statutory authorities can also lead to differences between the two agencies’ regulatory approaches.”
Commentary
While we are pleased that EPA is expanding upon its views of the ever unclear jurisdictional divide between its authority under TSCA and OSHA’s authority under the OSH Act, Bergeson & Campbell, P.C. (B&C®) was a bit disappointed with the revised MOU’s lack of substance. EPA has over the years shared with the regulated community that it was working on the MOU and aware of the need to clarify responsibilities considering Lautenberg’s enactment almost nine years ago. Despite the passage of time and the buildup, the MOU is remarkably devoid of specificity and anything truly “new.” The MOU can perhaps be best summarized as “EPA will talk to OSHA,” as it does routinely, and “EPA and OSHA will refer potential violations to each other.”
That EPA has different statutory authority under TSCA from OSHA’s statutory authority under the OSH Act is of course crystal clear. OSHA’s authority does not extend to certain types of workers (volunteers, self-employed, and some government employees). What is less clear is how the federal government toggles between its two grants of authority to ensure workers are adequately protected and suitably acknowledges the protective effects of compliance with the OSH Act, including the Hazard Communication Standard (HCS) and multiple OSHA Standards, and how EPA’s regulatory actions under TSCA are duplicative of or inconsistent with the HCS. These are the areas inviting the greatest uncertainty and on which the MOU’s provisions are most silent.
The agencies are urged to supplement their efforts in this regard in a few key areas. For example, the agencies should consider whether EPA or OSHA is better suited to promulgate workplace protective measures to ensure workers outside of TSCA authority are adequately protected and identify more precisely how best EPA and OSHA coordinate on hazard communication measures so that EPA does not require hazard statements on Safety Data Sheets (SDS) even though those hazards are well below the classification cutoffs under the HCS. This practice often leads to confusing or conflicting statements on an SDS, undermining the very purpose of the HCS.
The new Administration may wish to consider engaging in a more transparent public process to elicit stakeholder comments on ways to strengthen the interaction between EPA and OSHA. After all, the regulated community and other constituencies have much to contribute to identifying areas where greater clarity is needed.
HHS-OCR’s Proposed Rule and HIPAA Security Risk Assessment
On December 27, 2024, in the midst of the holiday season, the U.S. Department of Health and Human Services (HHS) deployed a proposed rule that would significantly modify the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Specifically, the proposed new rule includes express requirements for Covered Entities when conducting a Security Risk Assessment (SRA).
New requirements would include a written assessment that contains, among other things:
A review of the technology asset inventory and network map
Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI
Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
Notably, while the “new” requirements have yet to be finalized or take effect, HHS’s Office of Civil Rights (HHS-OCR) has already begun to enforce these requirements on Covered Entities including the imposition of fines and penalties against Covered Entities whose failure to implement the proposed requirements result in a data breach affecting its patients’ protected health information (PHI).
For some time, HHS-OCR has acknowledged that the HIPAA Security Rule does not prescribe a specific risk analysis methodology, and it has recognized that methods of conducting a SRA will vary depending on the size, complexity, and capabilities of the organization. Further, HHS-OCR Guidance on Risk Analysis does not endorse or recommend any particular risk analysis or risk management model. While HHS-OCR provides a free proprietary tool for small to medium-size organizations to use when conducting a SRA, its product contains a disclaimer that use of the tool does not guarantee compliance with federal, state, or local laws.
Covered entities are therefore left to their own devices in discerning what methodologies and management models are appropriate for their organization when conducting a SRA. At the same time, the adopted methodology that an organization chooses may not be considered insufficient under HHS-OCR’s undisclosed standards. A Covered Entity with no SRA or an insufficient SRA may face significant fines and penalties in the event they are subject to a data breach and subsequent HIPAA compliance audit.
While Covered Entities may turn to third-party vendors that market themselves as specialists in providing HIPAA compliance services, including conducting SRAs, there is no guarantee this will satisfy the requirements under HIPAA. Recently, HHS-OCR has regarded SRAs performed by these vendors as deficient without providing any specific guidance to the Covered Entity as to exactly what aspects of their SRA were noncompliant with HIPAA.
This conundrum has recently dismayed a number of Covered Entities that are now facing fines and penalties in light of HHS-OCR’s recent HIPAA Security Risk Assessment enforcement initiative, which it has relentlessly pursued since October of 2024. It’s not yet clear whether the proposed requirements will make compliance with HIPAA’s Security Rule easier or create further confusion.
SBA Final Rule Impacts Small Business Government Contractor Valuations
Go-To Guide:
Small Business Administration Final Rule will impact the valuation of small business government contractors holding Multiple Award Contracts (MACs) and Federal Supply Schedules (FSS). The rule takes effect Jan. 16, 2025.
Under the rule, if a business cannot recertify as small 30 days following a merger or acquisition (i.e., disqualifying recertification), it will no longer be eligible for options or task orders set-aside for small businesses under MACs.
Disqualifying recertifications made before Jan. 17, 2026, will not affect eligibility for small business MAC orders or options. This delayed effect encourages the sale of small business contractors holding MACs in 2025.
The rule eliminates an exception for FSS orders and blanket purchase agreements (BPAs). As of Jan. 16, 2025, a disqualifying recertification makes an FSS vendor ineligible for FSS orders or BPAs set aside for small businesses.
For transactions involving two small business contractors and for single award contracts, the rule does not impact future orders or options eligibility.
Effective Jan. 16, 2025, the United States Small Business Administration (SBA)’s Final Rule will significantly impact mergers & acquisitions involving small business government contractors and investors in the government contracting industry. A September 2024 GT Alert summarizes important aspects of the SBA’s Proposed Rule and discusses key changes that might impact small business government contractors. The Final Rule echoes much of the Proposed Rule’s language and will affect the landscape for small business contractors and investors in the federal government contracting industry.
This GT Alert highlights several aspects of the Final Rule.
Small Business Recertification Applicable to Multiple Award Contracts
Small businesses government contractors must recertify their size and small business program status (i.e., 8(a), HUBZone, women-owned, or service-disabled veteran-owned) within 30 days of a merger, sale, or acquisition. Traditionally, following a recertification, the size of a small business (including its affiliates) was determined at the time the business submitted its initial offer that included price. When the small business received a contract award, the business was generally considered small throughout the life of that contract (including options thereunder). Before the Final Rule, that was generally true even where a large business merged with or acquired the small business.
Single Award vs. Multiple Award Contracts
The Final Rule draws a distinction between single award and MACs. Whether a small business can continue to receive future orders under an underlying contract after a disqualifying recertification depends upon whether the underlying contract or agreement is a single award or MAC. For single award small business contracts (or any unrestricted contract), a business that recertifies as other than small (i.e., “large”) remains eligible to receive orders and options. Conversely, for MACs set-aside for small businesses, a business that recertifies as other than small would be ineligible to receive orders and options.
One-Year Delay
This aspect of the Final Rule delays the effective date to Jan. 17, 2026, and explicitly states that it should not be retroactively applied. In response to industry comment, the Final Rule notes that it makes sense to allow some time to adapt and plan how best to comply with the new recertification provisions. Once in effect, the Final Rule will apply to existing contracts, but the provisions making businesses ineligible for orders or options after disqualifying recertifications will apply only to future disqualifying recertifications (i.e., ones that occur after Jan. 17, 2026). Accordingly, businesses that have made or will continue to make disqualifying recertifications before Jan. 17, 2026, will continue to be eligible to receive orders and options after Jan. 16, 2025.
The Final Rule’s delayed application will increase transaction volume involving small business contractors through Jan. 17, 2026. Until that date, the current regulatory regime will govern transactions involving a small business, meaning small businesses with set-aside MACs will continue to be eligible for set-aside orders even after they are acquired by a large business. If the transaction closes after Jan. 17, 2026, however, small businesses will not be eligible for set-aside orders or new MAC options.
This aspect of the Final Rule takes effect Jan. 17, 2026.
Eliminating the Federal Supply Schedule Exception
General Services Administration (GSA) Federal Supply Schedule (FSS) Multiple Award Schedule (MAS) Contracts
There has been a recognized exception to recertification requirements for set-aside orders or BPAs placed against an FSS contract, meaning that size status would be determined by the underlying FSS contract award date (or the date of its recertification for an option exercise). The Final Rule eliminates this exception and is not subject to the one-year delay. Therefore, as of Jan. 16, 2025, if a small business submits a disqualifying recertification, it will be ineligible for set-aside orders or BPAs under its GSA FSS MAS contract.
This aspect of the Final Rule takes effect Jan. 16, 2025.
Notable Exception: Transactions Between Two Small Businesses
The Final Rule carves out an exception for transactions involving two small businesses. In response to industry comment, the Final Rule amends which businesses will be ineligible for orders and options after a disqualifying certification due to merger, sale, or acquisition.
The Final Rule makes ineligible only those contract holders that have disqualifying recertifications involving a merger, sale, or acquisition with a large business. Where two small businesses individually qualify as small before a transaction, the Final Rule allows the contract holder to remain eligible for orders issued under an underlying set-aside MAC. As a result, small businesses will be poised to engage in transactions with other small businesses.
This aspect of the Final Rule takes effect Jan. 16, 2025.
Application to Outstanding Offers (the “180 Day Rule”)
The Final Rule also clarifies the effect of transactions that occur after a small business submits an offer for a set-aside opportunity and prior to award. Traditionally, if a merger, sale, or acquisition occurred after 180 days from the date in which a small business submitted an offer and the business could not recertify as small following the transaction, the government could still award to the business. This was generally true for single award and MAC set-asides.
Under the Final Rule, if the transaction occurs within 180 days of offer submission and the business submits a disqualifying recertification, the business will be ineligible for award.
But for transactions that occur after 180 days of offer submission, the Final Rule again draws a distinction between single award and MAC set-aside opportunities. If the merger, sale, or acquisition occurs after 180 days of offer submission and the business submits a disqualifying recertification, the business will still be eligible for single award set-asides. But if the transaction occurs after 180 days of offer submission and the business submits a disqualifying recertification, the business will be ineligible for a set-aside MAC or task order thereunder.
This aspect of the Final Rule takes effect Jan. 16, 2025.
Authorization to Protest a Size Recertification
Traditionally, there was no mechanism to allow a size protest or request for a formal size determination from another interested small business who believes that a size recertification is incorrect. For example, if a small business recertified as small following a merger, sale, or acquisition, another MAC contract holder could not challenge that recertification arguing the small business was not eligible for award.
The Final Rule authorizes MAC contract holders to request a formal size determination relating to size recertifications. Because the Final Rule will render a small business ineligible for orders set-aside under a MAC following a disqualifying recertification, the SBA believes that other contact holders should have the ability to question a size recertification.
This aspect of the Final Rule takes effect Jan. 16, 2025.
Conclusion
These changes will impact M&A activity, size protests, and related small business counseling and compliance. Small business regulations are consistently one of the most active areas of regulatory change. With a new administration and Congress, there is potential for further changes to these or other small business regulations.
New FY2025 USPTO Price Increases to Go into Effect Beginning on January 18, 2025
The United States Patent and Trademark Office (“USPTO”) has published a Final Rule[i] setting new patent and trademark fees, which target an overall 7.5 percent increase in the case of patent fees—with certain fees seeing even higher percentage increases. The Final Rule also includes certain new fees that may alter patent and trademark applicants’ typical practices, so it is important for applicants to become familiar with the upcoming fee changes. The patent fee changes will officially take effect on January 19, 2025, along with a set of trademark fee changes that are set to take effect on January 18, 2025.
Patent Filing Fee Increases
The Final Rule implements a roughly 10 percent fee increase for filing, search, and examination fees. As an example, the new total filing fees for an undiscounted entity (e.g., a “Large entity” filer) will increase from $1,820 to $2,000.
New Patent Continuation Fees
The Final Rule outlines new fees owed on continuation applications that claim priority to a patent application having a filing date more than six years earlier (but no more than nine years). (Note: This new fee does include consideration of claims of priority to provisional applications in determining whether the six-year limit is met.) For continuation applications filed more than six years after its earliest priority, an undiscounted entity will pay $2,700, in addition to normal filing fees.
Where a continuation application is filed more than nine years after its earliest priority date to a non-provisional application, an undiscounted entity will pay $4,000, in addition to filing fees. (Note: An applicant will not be charged more than one fee if more than one benefit claim is presented that qualifies the application for both new continuation fees. Instead, they will just pay the greatest fee that applies in their situation.)
Request for Continued Examination (“RCE”) Fees (Patent)
Filing costs for first RCE requests will increase by 10 percent, that is, moving from $1,360 to $1,500 for an undiscounted entity. The filing cost of any second (or subsequent, i.e., third, fourth, etc.) RCE request will increase by a much more substantial amount of 43 percent, moving from $2,000 to $2,860 for an undiscounted entity.
The new fees may make it more financially beneficial in some situations for an applicant to file a new continuation application rather than a second or subsequent RCE after a Final Office Action. However, as always, each situation is fact-specific, and the best strategic decisions should be made in conjunction with advice from counsel.
Excess Patent Claims Fees
Excess Claims fees will also see a sizeable “targeted” fee increase. The fees for each independent claim in an application in excess of three independent claims will go from $480 to $600 for undiscounted entities, and from $192 to $240 for undiscounted entities (i.e., a 25 percent increase). The fees for each claim in an application in excess of 20 total claims will go from $100 to $200 for undiscounted entities, and from $40 to $80 for undiscounted entities (i.e., a 100 percent increase).
New Patent Information Disclosure Statement (“IDS”) Fees for Excessive Citations
Filing an IDS that causes cumulative number of applicant-provided items of information to exceed 50 references but not 100 references: $200
Filing an IDS that causes cumulative number of applicant-provided items of information to exceed 100 references but not 200 references: $500 (less any excess IDS reference amount previously paid)
Filing an IDS that causes cumulative number of applicant-provided items of information to exceed 200 references: $800 (less any excess IDS reference amount previously paid)
Each IDS must also now “contain a clear written assertion” that the IDS is accompanied by the appropriate IDS excessive citation fee or that no IDS excessive citation fee is required. (A blanket “authorization to charge fees to a deposit account” is not considered a compliant written assertion under the new requirements, unless it specifically refers to the particular IDS fee that should be charged.)
Patent Trial and Appeal Board (“PTAB”) fee adjustments
All fees associated with filing and/or initiating an America Invents Act (“AIA”) trial (e.g., an Inter Partes Review (“IPR”) or a Post-Grant Review (“PGR”)) will increase by 25 percent.
Design Patent Fees
Nearly all design patent-related fees will go up by a larger percentage than utility patent fees. For example, for direct US filings, the design filing fees will increase 36 percent (from $220 to $300), search fees will increase by 88 percent (from $160 to $300), examination fees will increase by 9 percent (from $640 to $700), and issue fees will increase by 76 percent (from $740 to $1,300).
Thus, for an undiscounted entity, filing and issuance fees for a typical design patent currently costs $1,760. This amount will increase by 48 percent (to $2,600) when the new fees take effect.
Trademark Fee Adjustments
The Final Rule for Trademark fees sets or adjusts the fees starting January 18, 2025, as highlighted in the Fee Changes table available at https://www.uspto.gov/trademarks/fees-payment-information/summary-2025-trademark-fee-changes, and includes two general types of trademark fee adjustments: targeted fee adjustments and new base application fees.
Note: The USPTO is discontinuing the current Trademark Electronic Application System (“TEAS”) Standard and Plus application filing options and fees.
Sample Trademark fee increases for FY2025 are shown below:
TEAS Standard Application
Current Fee: $350
New Fee: n/a
TEAS Plus Application
Current Fee: $250
New Fee: n/a
Base Application (Sections 1 and 44), per class
Current Fee: n/a
New Fee: $350
Application Fee Filed with WIPO (Section 66(a)), per class
Current Fee: $500
New Fee: $600
Subsequent designation fee filed with WIPO (Section 66(a)), per class
Current Fee: $500
New Fee: $600
In the course of prosecution, an additional fee of $100 for insufficient information (e.g., missing color claim, translation, transliteration, living individual consent).
Section 9 Registration Renewal Application, per class
Current Fee: $300
New Fee: $325
Section 8 Declaration, per class
Current Fee: $225
New Fee: $325
Section 15 Declaration, per class
Current Fee: $200
New Fee: $250
Section 71 Declaration, per class
Current Fee: $225
New Fee: $325
Renewal Fee Filed at WIPO
Current Fee: $300
New Fee: $325
Supreme Court Won’t Consider Federal Contractor Minimum Wage Mandate
The Supreme Court on Monday, Jan. 13, 2025, declined to take up a decision addressing the president’s authority under the Procurement Act to issue a minimum wage mandate for employees working on federal government contracts. The denial of the petition for certiorari keeps a circuit split intact, and leaves federal contractors to navigate the wage mandate’s uncertain legal status while complying with the latest minimum wage hike to $17.75 per hour, which took effect Jan. 1.
President Biden issued Executive Order (EO) 14026 in 2021, which increased from $10.95 to $15 the minimum hourly wage for employees working on federal government contracts, and provided for annual increases to the minimum wage. In 2022, the U.S. Department of Labor (DOL) issued regulations implementing the EO.
In the case rejected by the Supreme Court, a Colorado federal court refused to grant a preliminary injunction barring enforcement of the wage mandate. The U.S. Court of Appeals for the Tenth Circuit affirmed. Bradford v. United States DOL, 2024 U.S. App. LEXIS 10382 (D. Colo. Apr. 30, 2024). The appeals court held the plaintiffs were not likely to show that the DOL lacked statutory authority to issue the DOL rule implementing EO 14026. The appeals court did not issue a final decision on the merits, however. The plaintiffs’ petition for certiorari asked the justices to address whether the wage mandate exceeds the president’s authority under the Procurement Act and, if not, whether the statute improperly gives lawmaking authority to the president. Their petition was denied, leaving these critical questions unresolved.
Meanwhile, two other challenges to the federal contractor wage mandate are pending.
In November, the U.S. Court of Appeals for the Ninth Circuit held that the president lacked authority under the Procurement Act to issue EO 14026. State of Nebraska v. Su, 2024 U.S. App. LEXIS 28010 (9th Cir Nov. 5, 2024). The appeals court also held the DOL regulation implementing the EO was arbitrary and capricious because the DOL failed to consider alternatives to the $15 rate, such as a lower wage rate or phasing in the $15 rate over several years.
Again, however, the Ninth Circuit also did not address the merits. Instead of invalidating EO 14026 and the implementing regulation, the Ninth Circuit sent the case back to the federal district court in Arizona, which had upheld the wage mandate in a legal challenge brought by several states. On remand, the district court is expected to issue a preliminary injunction barring application of the wage mandate, although it is not clear whether the injunction will apply to just the plaintiff states (to the extent of their relationships with the federal government as federal contractors) or as a complete ban to enforcement within the states. On Dec. 20, 2024, the DOL filed a petition for en banc rehearing of the divided Ninth Circuit panel decision.
The wage mandate is also facing an ongoing challenge in the U.S. Court of Appeals for the Fifth Circuit. The appeals court will consider the Biden Administration’s appeal of a 2023 decision invalidating EO 14026 in a case brought by the states of Louisiana, Mississippi, and Texas. The Texas district court had narrowly enjoined the wage mandate only as applied to the plaintiff state governments, refusing to issue a nationwide injunction because it did not want to “encroach” upon other federal courts that had upheld the executive order. State of Texas v. Biden, 2023 U.S. Dist. LEXIS 171265 (S.D. Tex. Sept. 26, 2023). The appeals court heard oral argument last August. The Fifth Circuit could reverse the Texas court and uphold EO 14026, setting up a split with the Ninth Circuit. This outcome is unlikely, however.
For now, the minimum wage mandate is in effect. But a broader reprieve (through a variety of avenues) may be forthcoming. The Trump Administration may opt to abandon the Fifth Circuit appeal and the bid to rehear the Ninth Circuit panel’s holding. President-Elect Trump also may opt to rescind President Biden’s executive order and decline to defend the wage mandate.
FTC to Hold Hearing on Impersonation Rule Amendment
The Federal Trade Commission (FTC) will hold an informal hearing at 1:00pm EST on January 17, regarding the proposed amendment to its existing impersonation rule.
We first wrote about the proposed changes to the FTC rule in an article in February 2024. The current impersonation rule, which governs only government and business impersonation, first went into effect in April 2024, and is aimed at combatting impersonation fraud resulting in part from artificial intelligence- (AI) generated deepfakes. When announcing the rule, the FTC also stated that it was accepting public comments for a supplemental notice of proposed rulemaking aimed at prohibiting impersonation of individuals. In essence, the rule makes the impersonation of a government entity or official or company unfair or deceptive.
The FTC announced the January hearing date in December 2024. The purpose of the hearing is to address amending the existing rule to include an individual impersonation ban and allow interested parties an opportunity to provide oral statements. There are nine parties participating in the hearing, including: the Abundance Institute, Andreesen Horowitz, the Consumer Technology Association, the Software & Information Industry Association, TechFreedom, TechNet, the Electronic Privacy Information Center; the Internet & Television Association, and Truth in Advertising.
While the original announcement of the proposed amendment indicated that the FTC would be accept public comments on the addition of both a prohibition of individual impersonation and a prohibition on providing scammers with the means and instrumentalities to execute these types of scams, the FTC has decided not to proceed with the proposed means and instrumentalities provision at this time. The sole purpose of the January 17 hearing is to “address issues relating to the proposed prohibition on impersonating individuals.” The public is invited to join the hearing live via webcast using this link.
Regulatory Update and Recent SEC Actions January 2025
Recent SEC Administration Changes
SEC Chair Gensler to Depart Agency on January 20
The Securities and Exchange Commission (the “SEC”) announced, on November 21, 2024, that its Chair, Gary Gensler, will step down. Chair Gensler’s resignation from the SEC will be effective at 12:00 pm EST on January 20, 2025. On December 4, 2024, President-elect Trump stated his intention to nominate Paul Atkins as the Chair of the SEC. Mr. Atkins served as a Commissioner from 2002 to 2008 and on the SEC staff in the 1990s.
SEC Announced Departure of Trading and Markets Division Director
The SEC, on December 9, 2024, announced that Haoxiang Zhu, Director of the Division of Trading and Markets, would depart the agency effective December 10, 2024. David Saltiel, a Deputy Director who also heads the Division of Trading and Markets Office of Analytics and Research, will serve as Acting Director. Mr. Saltiel served as the Division of Trading and Markets Acting Director for several months in 2021.
SEC Announces Departure of Corporation Finance Division Director
The SEC, on December 13, 2024, announced that Erik Gerding, Director of the Division of Corporate Finance, would depart the agency effective December 31, 2024. Cicely LaMothe is now the Acting Director. Ms. LaMothe previously served as the Deputy Director, Disclosure Operations for the Division of Corporation Finance. Before joining the SEC, Ms. LaMothe worked in the private sector for six years, including as the financial reporting manager for a public company and as a senior associate with a national accounting firm.
SEC Rulemaking
SEC Adopts Rule Amendments and New Rule Addressing Wind-Down Planning of Covered Clearing Agencies
The SEC, on October 25, 2024, announced the adoption of rule amendments and a new rule to improve the resilience and recovery and wind-down planning of covered clearing agencies. The rule amendments establish new requirements regarding a covered clearing agency’s collection of intraday margin, as well as its reliance on substantive inputs to its risk-based margin model. The new rule requires a covered clearing agency to specify nine elements for its recovery and wind-down plan that address: (1) the identification and use of scenarios, triggers, tools, staffing, and service providers; (2) timing and implementation of the plans; and (3) testing and board approval of the plans.
SEC Modernizes Submission of Certain Forms, Filings, and Materials Under the Securities Exchange Act of 1934
The SEC, on December 16, 2024, adopted amendments to require the electronic filing, submission, or posting of certain forms, filings, and other submissions that national securities exchanges, national securities associations, clearing agencies, broker-dealers, security-based swap dealers, and major security-based swap participants make with the SEC. Prior to the adoption of these amendments, registrants filed with, or otherwise submitted to, the SEC many of the forms, filings, or other materials in paper form. Under the amendments, registrants will make these filings and submissions electronically using the SEC’s EDGAR system, in structured data format where appropriate, or by posting them online.
SEC Adopts Rule Amendment to Broker-Dealer Customer Protection Rule
The SEC, on December 20, 2024, adopted amendments to Rule 15c3-3 (the “Customer Protection Rule”) to require certain broker-dealers to increase the frequency with which they perform computations of the net cash they owe customers and other broker-dealers from weekly to daily. The amendments will become effective 60 days after the date of publication of the adopting release in the Federal Register. Broker-dealers that exceed the $500 million threshold using each of the 12 filed month-end FOCUS Reports from July 31, 2024, through June 30, 2025, must comply with the daily computations no later than December 31, 2025.
SEC Enforcement Actions and Other Cases
SEC Charges Market Makers and Nine Individuals in Crackdown on Manipulation of Crypto Assets Offered and Sold as Securities
The SEC, on October 9, 2024, announced fraud charges against three companies purporting to be market makers and nine individuals for engaging in schemes to manipulate the markets for various crypto assets. The SEC alleges that the companies provided “market-manipulation-as-a-service” which included generating artificial trading volume through trading practices that served no economic purpose and that they used algorithms (or bots) that, at times, generated “quadrillions” of transactions and billions of dollars of artificial trading volume each day.
SEC Charges Investment Adviser and Owner for Making False and Misleading Statements About Use of Artificial Intelligence
The SEC, on October 10, 2024, announced charges against an investment adviser (the “Adviser”) and two individuals, an owner and a director of the Adviser, with making false and misleading claims about the Adviser’s purported use of artificial intelligence (“AI”) to perform automated trading for client accounts and numerous other material misrepresentations. The SEC’s order states that the two individuals raised nearly $4 million from 45 investors for the growth of the Adviser that was falsely described as having an AI-driven platform. The Adviser and individuals were charged with fraudulent conduct in the offer or sale of securities under the Securities Act of 1933 and the Securities Exchange Act of 1934, and the Adviser was charged with fraudulent conduct by an investment adviser under the Investment Advisers Act of 1940, as amended.
SEC Charges Advisory Firm with Failing to Adhere to Own Investment Criteria for ESG-Marketed Funds
The SEC, on October 21, 2024, charged a New York-based investment adviser (the “Adviser”) with making misstatements and for compliance failures relating to the execution of the investment strategy of three exchange-traded funds (“ETFs”) that were marketed as incorporating environmental, social, and governance (“ESG”) factors. According to the SEC’s order, the Adviser represented in the prospectuses for the ETFs and to the board of trustees overseeing the ETFs, that the ETFs would not invest in companies involving certain products or activities, such as fossil fuels and tobacco. Further, the SEC order states that the Adviser used data from third-party vendors that did not screen out all companies involved in fossil fuel and tobacco-related activities. The SEC’s order further finds that the Adviser did not have any policies and procedures over the screening process to exclude such companies. The Adviser consented to the entry of the SEC’s order finding that the firm violated the antifraud provisions of the Investment Advisers Act of 1940 and the Investment Company Act of 1940 and the Compliance Rule of the Investment Advisers Act.
“At a fundamental level, the federal securities laws enforce a straightforward proposition: investment advisers must do what they say and say what they do,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement. “When investment advisers represent that they will follow particular investment criteria, whether that is investing in, or refraining from investing in, companies involved in certain activities, they have to adhere to that criteria and appropriately disclose any limitations or exceptions to such criteria. By contrast, the funds at issue in today’s enforcement action made precisely the types of investments that investors would not have expected them to based on the Adviser’s disclosures.”
Directors of Money Market Fund Sued Over Share Class Conversion
Two shareholders (the “Shareholders”) filed a lawsuit alleging that the directors of a money market fund (the “Directors”) breached their fiduciary duty by failing to automatically move fund investors’ assets from higher cost share classes of the fund to lower-cost share classes. The Shareholders allege that the board of the money market fund allowed certain fund investors to continue paying higher fees as retail class shareholders rather than auto-converting their holdings to the cheaper, but otherwise identical premium class, even though their holdings were eligible for the “auto-conversion”. The complaint states that “[the Directors’] inaction demonstrates gross neglect or reckless disregard for the best interest of the class shareholders… Either the [Directors] have been recklessly uninformed of these massive overcharges that cause significant losses to the shareholders, or have known about the issue and inexcusably failed to take action to remedy it.” The Shareholders seek damages, restitution, disgorgement, and an injunction preventing the Directors from continuing to engage in the alleged conduct.
Two Entities Affiliated with Major Institutional Organization to Pay $151 Million to Resolve SEC Enforcement Actions
The SEC, on October 31, 2024, charged two affiliated and commonly-owned investment advisers (each an “Adviser” and together, the “Advisers”) in five separate enforcement actions for compliance failures including misleading disclosures to investors, breach of fiduciary duty, prohibited joint transactions and principal trades, and failures to make recommendations in the best interest of customers. The enforcement actions related to:
Conduit Private Funds – An Adviser made misleading statements regarding its ability to exercise discretion over when to sell and the number of shares to be sold, despite disclosures representing that it had no discretion.
Portfolio Management Program – An Adviser failed to fully and fairly disclose the financial incentive that the firm and some of its financial advisors had when they recommended the Adviser’s own Portfolio Management Program over third-party managed advisor programs offered by the Adviser.
Clone Mutual Funds – An Adviser recommended certain mutual fund products, Clone Mutual Funds, to its retail brokerage customers when materially less expensive ETF products that offered the same investment portfolios were available.
Joint Transactions – An Adviser engaged in $3.4 billion worth of prohibited joint transactions, which advantaged an affiliated foreign money market fund for which it served as the delegated portfolio manager over three U.S. money market mutual funds it advised.
Principal Trades – An Adviser engaged in or caused 65 prohibited principal trades with a combined notional value of approximately $8.2 billion. In order to conduct these transactions, according to the SEC’s order, a portfolio manager directed an unaffiliated broker-dealer to buy commercial paper or short-term fixed income securities from the Adviser which the other Adviser then purchased on behalf of one of its clients.
SEC Charges Adviser for Making Misleading Statements About ESG Integration
The SEC, on November 8, 2024, charged an investment adviser (the “Adviser”) with making misleading statements about the percentage of company-wide assets under management that integrated ESG factors. The Adviser stated in marketing materials that between 70 percent and 94 percent of its parent company’s assets under management were “ESG integrated.” However, in reality, these percentages included a substantial amount of assets that were held in passive ETFs that did not consider ESG factors. Furthermore, the SEC’s order found that the Adviser lacked any written policy defining ESG integration.
SEC Charges Three Broker-Dealers with Filing Deficient Suspicious Activity Reports
The SEC, on November 22, 2024, announced that three broker-dealers (the “Broker-Dealers”) agreed to settle charges relating to deficient suspicious activity reports (“SARs”) filed by the Broker Dealers. The SEC alleged that multiple SARs filed by the Broker-Dealers failed to include important, required information. SARs must contain “a clear, complete, and concise description of the activity, including what was unusual or irregular” that caused suspicion of the use of funds derived from illegal activity or activity that has no apparent lawful purposes. The SEC’s orders alleged that each Broker-Dealer filed multiple deficient SARs over a four-year period.
SEC Charges Former Chief Investment Officer with Fraud
The SEC, on November 25, 2024, charged the former co-chief investment officer (the “CIO”) of a registered investment adviser with engaging a multi-year scheme to allocate favorable trades to certain portfolios, while allocating unfavorable trades to other portfolios (also known as “cherry-picking”). The SEC’s complaint alleges that the CIO would place trades with brokers but wait until later in the day to allocate the trades among clients in the portfolios he managed. According to the complaint, the CIO’s delay in allocating the trades allowed him to allocate trades at first-day gains to favored portfolios and trades at first-day losses to disfavored portfolios.
SEC Charges Wealth Management Company for Policy Deficiencies Resulting in Failure to Prevent and Detect Financial Advisors’ Theft of Investor Funds
The SEC, on December 9, 2024, charged a wealth management company (the “Company”) with (1) failing to reasonably supervise four investment advisers and registered representatives (the “Financial Advisers”) who stole millions of dollars of advisory clients’ and brokerage customers’ funds and (2) failing to adopt policies and procedures reasonably designed to prevent and detect the theft. Specifically, the SEC found that the Company failed to adopt and implement policies designed to prevent the Financial Advisers from using two forms of unauthorized third-party disbursements, Automated Clearing House payments and certain patterns of cash wire transfers, to misappropriate funds from client accounts.
SEC Charges Two Broker-Dealers with Recordkeeping and Reporting Violations for Submitting Deficient Trading Data to SEC
The SEC, on December 20, 2024, announced settled charges against two broker-dealers (each a “Broker-Dealer” and together, the “Broker-Dealers”). According to the SEC’s order, the Broker Dealers made numerous blue sheet submissions to the SEC that contained various deficiencies, including inaccurate or missing information about securities transactions and the firms or customers involved in the transactions. The SEC found that, one of the Broker-Dealers made 15 types of errors, that caused nearly 11,200 blue sheet submissions to have missing or inaccurate data for at least 10.6 million total transactions, while the other Broker-Dealer made 10 types of errors that caused 3,700 blue sheet submissions to have misreported or missing data for nearly 400,000 transactions.
International Bank Subsidiary to Pay $4 Million for Untimely Filing of Suspicious Activity Reports
The SEC, on December 20, 2024, charged a registered broker-dealer (the “Broker-Dealer”) for failing to file certain SARs in a timely manner. According to the SEC’s order, the Broker-Dealer received requests in connection with law enforcement or regulatory investigations, or litigation that prompted it to conduct SARs investigations. The SEC’s order found that in certain instances, the Broker-Dealer failed to conduct or complete the investigations within a reasonable period of time.
SEC Files Settled Charges Against Multiple Entities for Failing to Timely File Form D in Connection with Securities Offering
The SEC, on December 20, 2024, announced charges against three companies (for this section only, the “Companies”) for failing to timely file Forms D for several unregistered securities offerings in violations of Rule 503 of Regulation D of the Securities Act of 1933. The SEC found that one of the Companies, a registered investment adviser that controls two private funds, failed to ensure that such private funds timely filed Forms D in connection with offerings involving the sale of membership interest in such private funds. The SEC found that two other Companies, both privately held companies, failed to timely file Forms D in connection with unregistered securities offerings for which the Companies engaged in certain communications that constituted general solicitations.
“Form D filings are crucial sources of information on private capital formation, and compliance with the requirement to make such filings in a timely manner is vital to the Commission’s efforts to promote investor protection while also facilitating capital formation, especially with respect to small businesses,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement. “Today’s orders find that the charged entities deprived the Commission and the marketplace of timely information concerning nearly $300 million of unregistered securities offerings.”
Shareholders File Derivative Complaint Against Independent Directors and Fund Management Alleging Breach of Fiduciary Duties
In December 2024, a derivative complaint was filed against the independent directors and fund management, alleging that their breach of fiduciary duties was responsible for the “astonishing collapse” of several funds. In December 2021, the board of directors (the “Board”) approved a plan of liquidation involving transferring nearly all the $300 million in assets of four closed-end feeder funds and a master fund, along with several private funds, for unlisted preferred units from the buying company (the “Buyer”). Ultimately, the units converted into common shares worth eight dollars each when the Buyer went public through a merger with a special purpose acquisition company. Since going public, the value of the shares has fallen to 81 cents, or less than a penny after accounting for a one-for-80 reverse stock split. According to the lawsuit, fund management and the Board did not inform the shareholders of the liquidation plan until weeks after it happened, and the liquidation plan was never submitted to shareholders for approval.
Other Industry Highlights
SEC Division of Examinations Announces its Examination Priorities for Fiscal Year 2025
The SEC Division of Examinations (the “Division”), on October 21, 2024, published its Fiscal Year 2025 Examination Priorities which highlights the practices, products, and services that the Division of Examinations believes present heightened risk to investors or the overall integrity of U.S. capital markets. The report indicated that the Division would focus on:
Investment Advisers – (1) adherence to fiduciary standards of conduct, (2) effectiveness of advisers’ compliance programs, and (3) examinations of advisers to private funds.
Investment Companies – (1) fund fees and expenses, and any waiver or reimbursements, (2) oversight of service providers (both affiliated and third-party), (3) portfolio management practices and disclosures, for consistency with claims about investment strategies or approaches and with fund filings and marketing materials, and (4) issues associated with market volatility.
The report also indicated that the Division is going to continue examining advisers and funds that have never been examined or those that have not been examined recently, with a particular focus on newly registered funds. The full report can be found here.
SEC Announced Enforcement Results for Fiscal Year 2024
The SEC announced that it filed a total of 583 enforcement actions in fiscal year 2024 while obtaining orders for $8.2 billion in financial remedies. The 583 enforcement actions represent a 26 percent decline in total enforcement actions compared to fiscal year 2023. Key areas of focus by the SEC included:
Off-channel communications. In fiscal year 2024, the SEC brought recordkeeping cases against more than 70 firms resulting in more than $600 million in civil penalties.
Marketing Rule (Rule 206(4)-1 under the Investment Advisers Act of 1940, as amended (the “Advisers Act”)) compliance. More than a dozen investment advisers were charged with non-compliance of the Advisers Act Marketing Rule including charges for advertising hypothetical performance to the general public without implementing policies and procedures reasonably designed to ensure hypothetical performance was relevant.
Misleading claims regarding AI. AI and other emerging technologies presented heightened investor risk from market participants using social media to exploit elevated investor interest in emerging investment products and strategies. These actions included multiple actions against advisers alleging the use AI in their investment processes.
SEC Risk Alert Highlights Examination Deficiencies Found in Core Focus Areas for Registered Investment Companies
The SEC’s Division of Examinations (the “Staff” or the “Division”) issued a risk alert (the “Alert”) regarding its review of certain core focus areas and associated document requests for registered investment companies (each a “Fund”, and collectively, the “Funds”). The Alert highlighted that examinations typically focus on whether Funds: (1) have adopted and implemented effective written policies and procedures to prevent violation of the federal securities laws and regulations, (2) provided clear and accurate disclosures that are consistent with their practices, and (3) promptly addressed compliance issues, when identified.
The Staff reviewed deficiency letters sent to Funds during the most recent four-year period and analyzed deficiencies and weakness related to the core areas of fund compliance programs, disclosures and filings, and governance practices. Below are some of the common deficiencies:
Fund Compliance Programs
Funds did not perform required oversight or reviews as stated in their policies and procedures or perform required assessments of the effectiveness of their compliance programs.
Funds did not adopt, implement, update, and/or enforce policies and procedures.
Policies and procedures were not tailored to the Funds’ business models or were incomplete, inaccurate, or inconsistent with actual practices.
Funds’ Codes of Ethics were not adopted, implemented, followed, enforced, or did not otherwise appear adequate.
Chief Compliance Officers did not provide requisite written annual compliance reports to Fund boards.
Fund Disclosures and Filings
Fund registration statements, fact sheets, annual reports, and semi-annual reports contained incomplete or outdated information or contained potentially misleading statements.
Sales literature, including websites, appeared to contain untrue statements or omissions of material fact.
Fund filings were not made or were not made on a timely basis.
Fund Governance Practices
Fund board approvals of advisory agreements appeared to be inconsistent with the requirements of the Investment Company Act of 1940, as amended, and/or the Funds’ written compliance procedures.
Fund boards did not receive certain information to effectively oversee Fund practices.
Fund boards did not perform required responsibilities.
Fund board minutes did not fully document board actions.
The full alert can be accessed here.
SEC’s Division of Investment Management’s Disclosure Review and Accounting Office Identifies Common Issues Found in Review of Tailored Shareholder Reports
As of July 24, 2024, open-end funds have been required to file more concise annual and semi-annual reports (“Tailored Shareholder Reports” or “TSRs”) that highlight information that the SEC deems “particularly important” to retail shareholders in assessing and monitoring their fund investments. After three months of TSR filings, on November 8, 2024, the Division of Investment Management’s Disclosure Review and Accounting Office (“DRAO”), which is responsible for reviewing TSR filings, published Accounting and Disclosure Information 2024-14 (the “ADI”) which flags common issues it has identified in its review of TSR filings and provides a reminder to funds of certain requirements.
Issues Regarding Expense Information
Annualizing expenses in dollars paid on a $10,000 investment in a semi-annual shareholder report, instead of reflecting the dollar costs over the period on a non-annualized basis.
Calculating expenses in dollars paid on a $10,000 investment by incorrectly multiplying the “Costs paid as a percentage of your investment” by $10,000, instead of multiplying the figure in the “Cost paid as a percentage of your investment” column by the average account value over the period based on an investment of $10,000 at the beginning of the period.
Presenting expenses in dollars paid on $10,000 investments to the nearest cent, when the figure must be rounded to the nearest dollar.
Funds might consider noting in their semi-annual reports that costs paid as a percentage of a $10,000 investment is an annualized figure.
Issues Regarding Management’s Discussion of Fund Performance
Disclosure by many ETFs of average annual total returns for the past one-, five-, and 10-year periods based on market value, instead of the ETF’s net asset value; additional disclosure of market value performance is not permitted to be included in the shareholder reports.
Failure by some funds to compare their performance to an appropriate broad-based securities market index both in their shareholder reports and in its prospectus.
Failure by some funds to include a statement to the effect that past performance is not a good predictor of the fund’s future performance, or to utilize text features to make the statement noticeable and prominent.
Other Issues
Including portfolio-level statistics, such as average maturity or average credit rating, under the heading “Graphical Representations of Holdings,” instead of under the heading “Fund Statistics.”
Disclosing holdings as a percentage without specifying the basis for the presentation of the information (i.e., net asset value, total investments, or total or net exposure).
Disclosing material fund changes while omitting the required cover page disclosure or including the cover page disclosure but failing to include any disclosure about the material fund changes.
Including broken links (to their websites) in their shareholder reports.
Including extraneous and sometimes lengthy disclosures such as disclaimers or risks that are not required or permitted.
For Inline XBRL structured data purposes, tagging all of their indexes as broad-based indexes instead of tagging their additional indexes with the separate tag intended for additional indexes.
For further information, the complete ADI may be accessed, here.
Direct Employer Assistance and 401(k) Plan Relief Options for Employees Affected by California Wildfires
In the past week, devastating wildfires in Los Angeles, California, have caused unprecedented destruction across the region, leading to loss of life and displacing tens of thousands. While still ongoing, the fires already have the potential to be the worst natural disaster in United States history.
Quick Hits
Employers can assist employees affected by the Los Angeles wildfires through qualified disaster relief payments under Section 139 of the Internal Revenue Code, which are tax-exempt for employees and deductible for employers.
The SECURE Act 2.0 allows employees impacted by federally declared disasters to take immediate distributions from their 401(k) plans without the usual penalties, provided their plan includes such provisions.
As impacted communities band together and donations begin to flow to families in need, many employers are eager to take steps to assist employees affected by the disaster.
As discussed below, the Internal Revenue Code provides employers with the ability to make qualified disaster relief payments to employees in need. In addition, for employers maintaining a 401(k) plan, optional 401(k) plan provisions can enable employees to obtain in-service distributions based on hardship or federally declared disaster.
Internal Revenue Code Section 139 Disaster Relief
Section 139 of the Internal Revenue Code provides for a federal income exclusion for payments received due to a “qualified disaster.” Under Section 139, an employer can provide employees with direct cash assistance to help them with costs incurred in connection with the disaster. Employees are not responsible for income tax, and payments are generally characterized as deductible business expenses for employers. Neither the employees nor the employer are responsible for federal payroll taxes associated with such payments.
“Qualified disasters” include presidentially declared disasters, including natural disasters and the coronavirus pandemic, terrorist or military events, common carrier accidents (e.g., passenger train collisions), and other events that the U.S. Secretary of the Treasury concludes are catastrophic. On January 8, 2025, President Biden approved a Major Disaster Declaration for California based on the Los Angeles wildfires.
In addition to the requirement that payments be made pursuant to a qualified disaster, payments must be for the purpose of reimbursing reasonable and necessary “personal, family, living, or funeral expenses,” costs of home repair, and to reimburse the replacement of personal items due to the disaster. Payment cannot be made to compensate employees for expenses already compensated by insurance.
Employers implementing qualified disaster relief plans should maintain a written policy explaining that payments are intended to approximate the losses actually incurred by employees. In the event of an audit, the employer should also be prepared to substantiate payments by retaining communications with employees and any expense documentation. Employers should also review their 401(k) plan documents to determine that payments are not characterized as deferral-eligible compensation and consider any state law implications surrounding cash payments to employees.
401(k) Hardship and Disaster Distributions
In addition to the Section 139 disaster relief described above, employees may be able to take an immediate distribution from their 401(k) plan under the hardship withdrawal rules and disaster relief under the SECURE 2.0 Act of 2022 (SECURE 2.0).
Hardship Distributions
If permitted under the plan, a participant may apply for and receive an in-service distribution based on an unforeseen hardship that presents an “immediate and heavy” financial need. Whether a need is immediate and heavy depends on the participant’s unique facts and circumstances. Under the hardship distribution rules, expenses and losses (including loss of income) incurred by an employee on account of a federally declared disaster declaration are considered immediate and heavy provided that the employee’s principal residence or principal place of employment was in the disaster zone.
The amount of a hardship distribution must be limited to the amount necessary to satisfy the need. If the employee has other resources available to meet the need, then there is no basis for a hardship distribution. In addition, hardship distributions are generally subject to income tax in the year of distribution and an additional 10 percent early withdrawal penalty if the participant is below age 59 and a half. The participant must submit certification regarding the hardship to the plan sponsor, which the plan sponsor is then entitled to rely upon.
Qualified Disaster Recovery Distributions
Separate from the hardship distribution rules described above, SECURE 2.0 provides special rules for in-service distributions from retirement plans and for plan loans to certain “qualified individuals” impacted by federally declared major disasters. These special in-service distributions are not subject to the same immediate and heavy need requirements and tax rules as hardship distributions and are eligible for repayment.
SECURE 2.0 allows for the following disaster relief:
Qualified Disaster Recovery Distributions. Qualified individuals may receive up to $22,000 of Disaster Recovery Distributions (QDRD) from eligible retirement plans (certain employer-sponsored retirement plans, such as section 401(k) and 403(b) plans, and IRAs). There are also special rollover and repayment rules available with respect to these distributions.
Increased Plan Loans. SECURE 2.0 provides for an increased limit on the amount a qualified individual may borrow from an eligible retirement plan. Specifically, an employer may increase the dollar limit under the plan for plan loans up to the full amount of the participant’s vested balance in their plan account, but not more than $100,000 (reduced by the amount of any outstanding plan loans). An employer can also allow up to an additional year for qualified individuals to repay their plan loans.
Under SECURE 2.0, an individual is considered a qualified individual if:
the individual’s principal residence at any time during the incident period of any qualified disaster is in the qualified disaster area with respect to that disaster; and
the individual has sustained an economic loss by reason of that qualified disaster.
A QDRD must be requested within 180 days after the date of the qualified disaster declaration (i.e., January 8, 2025, for the 2025 Los Angeles wildfires). Unlike hardship distributions, a QDRD is not subject to the 10 percent early withdrawal penalty for participants under age 59 and a half. Further, unlike hardship distributions, taxation of the QDRD can be spread over three tax years and a qualified individual may repay all or part of the amount of a QDRD within a three-year period beginning on the day after the date of the distribution.
As indicated above, like hardship distributions, QDRDs are an optional plan feature. Accordingly, in order for QDRDs to be available, the plan’s written terms must provide for them.
AI Drug Development: FDA Releases Draft Guidance
On January 6, 2025, the U.S. Food and Drug Administration (FDA) released draft guidance titled Considerations for the Use of Artificial Intelligence To Support Regulatory Decision-Making for Drug and Biological Products (“guidance”) explaining the types of information that the agency may seek during drug evaluation. In particular, the guidance outlines a risk framework based on a “context of use” of Artificial Intelligence (AI) technology and details the information that might be requested (or required) relating to AI technologies, the data used to train the technologies, and governance around the technologies, in order to approve their use. At a high level, the guidance underscores the FDA’s goals for establishing AI model credibility within the context of use.
This article provides an overview of the guidance, including example contexts of use and detailing the risk framework, while explaining how these relate to establishing AI model credibility through the suggested data and model-related disclosures. It further details legal strategy considerations, along with opportunities for innovation, that arise from the guidance. These considerations will be valuable to sponsors (i.e., of clinical investigations, such as Investigational New Drug Exemption applications), along with AI model developers and other firms in the drug development landscape.
Defining the Question of Interest
The first step in the guidance’s framework is defining the “question of interest:” the specific question, decision, or concern being addressed by the AI model. For example, questions of interest could involve the use of AI technology in human clinical trials, such as inclusion and exclusion criteria for the selection of participants, risk classification of participants, or determining procedures relating to clinical outcome measures of interest. Questions of interest could also relate to the use of AI technology in drug manufacturing processes, such as for quality control.
Contexts of Use
The guidance next establishes contexts of use – the specific scope and role of an AI model for addressing the question of interest – as a starting point for understanding any risks associated with the AI model, and in turn how credibility might be established.
The guidance emphasizes that it is limited to AI models (including for drug discovery) that impact patient safety, drug quality, or reliability of results from nonclinical or clinical studies. As such, firms that use AI models for discovering drugs but rely on more traditional processes to address factors that the FDA considers for approving a drug such as safety, quality, and stability, should be aware of the underlying principles of the guidance but might not need to modify their current AI governance. An important factor in defining the contexts of use is how much of a role the AI model plays relative to other automated or human-supervised processes; for example, processes in which a person is provided AI outputs for verification will be different from those that are designed to be fully automated.
Several types of contexts of use are introduced in the guidance, including:
Clinical trial design and management
Evaluating patients
Adjudicating endpoints
Analyzing clinical trial data
Digital health technologies for drug development
Pharmacovigilance
Pharmaceutical manufacturingGenerating real-world evidence (RWE)
Life cycle maintenance
Risk Framework for Determining Information Disclosure Degree
The guidance proposes that the risk level posed by the AI model dictates the extent and depth of information that must be disclosed about the AI model. The risk is determined based on two factors: 1) how much the AI model will influence decision-making (model influence risk), and 2) the consequences of the decision, such as patient safety risks (decision consequence risk).
For high-risk AI models—where outputs could impact patient safety or drug quality—comprehensive details regarding the AI model’s architecture, data sources, training methodologies, validation processes, and performance metrics may have to be submitted for FDA evaluation. Conversely, the required disclosure may be less detailed for AI models posing low risk. This tiered approach promotes credibility and avoids unnecessary disclosure burdens for lower-risk scenarios.
However, most AI models within the scope of this guidance will likely be considered high risk because they are being used for clinical trial management or drug manufacturing, so stakeholders should be prepared to disclose extensive information about an AI model used to support decision-making. Sponsors that use traditional (non-AI) methods to develop their drug products are required to submit complete nonclinical, clinical, and chemistry manufacturing and controls to support FDA review and ultimate approval of a New Drug Application. Those sponsors using AI models are required to submit the identical information, but in addition, are required to provide information on the AI model as outlined below.
High-Level Overview of Guidelines for Compliance Depending on Context of Use
The guidance further provides a detailed outline of steps to pursue in order to establish credibility of an AI model, given its context of use. The steps include describing: (1) the model, (2) the data used to develop the model, (3) model training, (4) and model evaluation, including test data, performance metrics, and reliability concerns such as bias, quality assurance, and code error management. Sponsors may be expected to be more detailed in disclosures as the risks associated with these steps increase, particularly where the impact on trial participants and/or patients increase.
In addition, the FDA specifically emphasizes special consideration for life cycle maintenance of the credibility of AI model outputs. For example, as the inputs to or deployment of a given AI model changes, there may be a need to reevaluate the model’s performance (and thus provide corresponding disclosures to support continued credibility).
Intellectual Property Considerations
Patent vs. Trade Secret
Stakeholders should carefully consider patenting the innovations underlying AI models used for decision-making. The FDA’s extensive requirements for transparency and submitting information about AI model architectures, training data, evaluation processes, and life cycle maintenance plans would pose a significant challenge for maintaining these innovations as trade secrets.
That said, trade secret protection of at least some aspects of AI models is an option when the AI model does not have to be disclosed. If the AI model is used for drug discovery or operations that do not impact patient safety or drug quality, it may be possible to keep the AI model or its training data secret. However, AI models used for decision-making will be subject to the FDA’s need for transparency and information disclosure that will likely jeopardize trade secret protection. By securing patent protection on the AI models, stakeholders can safeguard their intellectual property while satisfying FDA’s transparency requirements.
Opportunities for Innovation
The guidance requires rigorous risk assessments, data fitness standards, and model validation processes, which will set the stage for the creation of tools and systems to meet these demands. As noted above, innovative approaches for managing and validating AI models used for decision-making are not good candidates for trade secret protection, and stakeholders should ensure early identification and patenting of these inventions.
We have identified specific opportunities for AI innovation that are likely to be driven by FDA demands reflected in the guidance:
Requirements for transparency
Designing AI models with explainable AI capabilities that demonstrate how decisions or predictions are made
Bias and fitness of data
Systems for detecting bias in training data
Systems for correcting bias in training data
Systems for monitoring life cycle maintenance
Systems to detect data drift or changes in the AI model during life cycle of the drug
Systems to retrain or revalidate the AI model as needed because of data drift
Automated systems for tracking model performance
Testing methods
Developing models that can be tested against independent data sets and conditions to demonstrate generalizability
Integration of AI models in a practical workflow
Good Manufacturing Practices
Clinical decision support systems
Documentation systems
Automatic systems to generate reports of model development, evaluation, updates, and credibility assessments that can be submitted to FDA to meet regulatory requirements
The guidance provides numerous opportunities for innovations to enhance AI credibility, transparency, and regulatory compliance across the drug product life cycle. As demonstrated above, the challenges that the FDA seeks to address in order to validate AI use in drug development clearly map to potential innovations. Such innovations are likely valuable since they are needed to comply with FDA guidelines and offer significant opportunities for developing a competitive patent portfolio.
Conclusion
With this guidance, the FDA has proposed guidelines for establishing credibility in AI models that have risks for and impacts on clinical trial participants and patients. This guidance, while in draft, non-binding form, follows a step-by-step framework from defining the question of interest and establishing the context of use of the AI model to evaluating risks and in turn establishing the scope of disclosure that may be relevant. The guidance sets out the FDA’s most current thinking about the use of AI in drug development. Given such a framework and the corresponding level of disclosure that can be expected, sponsors may consider a shift in strategy towards using more patent protection for their innovations. Similarly, there may be more opportunities for identifying and protecting innovations associated with building governance around these models.
In addition to using IP protection as a backstop to greater disclosure, firms can also consider introducing more operational controls to mitigate the risks associated with AI model use and thus reduce their disclosure burden. For example, firms may consider supporting AI model credibility with other evidence sources, as well as integrating greater human engagement and oversight into their processes.
In meantime, sponsors that are uncertain about how their AI model usage might interact with future FDA requirements should consider the engagement options that the FDA has outlined for their specific context of use.
Comments on the draft guidance can be submitted online or mailed before April 7, 2025, and our team is available to assist interested stakeholders with drafting.
The FAR Council Publishes Long-Awaited CUI Rule
On January 15, 2025, the Federal Acquisition Regulation (“FAR”) Council issued its long-awaited “CUI Rule.” CUI, or Controlled Unclassified Information, is information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls. For nearly 15 years, contractors have struggled to determine what information meets this definition. The CUI rule is an opportunity for the federal government to finally provide contractors with the guidance needed to better identify and safeguard the CUI they receive in connection with their federal contracts.
Contractors Handling CUI Will Be Subject to a New FAR Clause
The federal government will implement the bulk of the CUI Rule through a new FAR clause: FAR 52.204-XX. FAR 52.204-XX will apply to all contracts where CUI is involved in the contract, except for contracts that are for purely commercially available off-the-shelf items. The CUI rule also makes clear that federal agencies, not contractors, are responsible for determining whether contracts will involve CUI.
Safeguarding Requirements
Under FAR 52.204-XX, contractors are only required to safeguard the CUI identified in a newly created form, SF XXX, which agencies will provide with each contract. The following safeguarding requirements will apply to any CUI identified in the SF XXX:
Any special safeguarding requirements identified in the SF XXX.
For contractor’s own information systems (i.e., non-federal information systems), the contractor must comply with National Institute of Standards and Technology (“NIST”) SP 800-171, Revision 2 security requirements.
For Federal information systems, the contractor must comply with agency-identified security requirements from the latest version of NIST SP 800-53.
For cloud service providers (“CSP”), the CSP must comply with the FedRAMP Moderate security requirements.
Reporting Requirements
FAR 52.204-XX introduces two new reporting requirements. First, contractors are subject to a new cyber incident reporting requirement. Under this requirement, contractors must report any suspected or confirmed “CUI incident” that occurs on a non-federal information system within eight hours of discovery to a yet-to-be-identified agency official. A “CUI incident” is the improper access, use, disclosure, modification, or destruction of CUI. If a contractor is found to be at fault for the CUI incident, the contractor “may be” liable for costs incurred by the government in responding to and mitigating the incident.
Second, contractors must notify the contracting officer within eight hours of discovery of any information that the contractor “believes” is CUI that is not identified in the SF XXX or is not marked or properly marked as required in the SF XXX. The contractor must then “appropriately safeguard” that information while the contracting officer determines whether it is CUI.
Subcontractors
Contractors are required to include FAR 52.204-XX in subcontracts, at any tier, or other contractual instruments that will involve CUI identified in the SF XXX. The term “other contractual instruments” has the potential to extend the reach of this new FAR clause to third parties that are not directly supporting the contract effort, but who have access to CUI.
Overall, FAR 52.204-XX, and the CUI rule as a whole, have the potential to bring much-needed clarity to federal contractors regarding which contracts involve CUI, what type of CUI contractors will receive, and what safeguards they must put in place. Whether that clarity materializes will depend on how federal agencies implement the rule.
New Artificial Intelligence (AI) Regulations and Potential Fiduciary Implications
Fiduciaries should be aware of recent developments involving AI, including emerging and recent state law changes, increased state and federal government interest in regulating AI, and the role of AI in ERISA litigation. While much focus has been on AI’s impact on retirement plans, which we previously discussed here, plan fiduciaries of all types, including health and welfare benefit plans, must also stay informed about recent AI developments.
Recent State Law Changes
Numerous states recently codified new laws focusing on AI, some of which regulate employers’ human resource decision-making processes. Key examples include:
California – In 2024, California enacted over 10 AI-related laws, addressing topics such as:
The use of AI with datasets containing names, addresses, or biometric data;
How one communicates health care information to patients using AI; and
AI-driven decision-making in medical treatments and prior authorizations.
For additional information on California’s new AI laws, see Foley’s Client Alert, Decoding California’s Recent Flurry of AI Laws.
Illinois – Illinois passed legislation prohibiting employers from using AI in employment activities in ways that lead to discriminatory effects, regardless of intent. Under the law, employers are required to provide notice to employees and applicants if they are going to use AI for any workplace-related purpose.
For additional information on Illinois’ new AI law, see Foley’s Client Alert, Illinois Enacts Legislation to Protect against Discriminatory Implications of AI in Employment Activities.
Colorado – The Colorado Artificial Intelligence Act (CAIA), effective February 1, 2026, mandates “reasonable care” when employers use AI for certain applications.
For additional information on Colorado’s new AI law, see Foley’s Client Alert, Regulating Artificial Intelligence in Employment Decision-Making: What’s on the Horizon for 2025.
While these laws do not specifically target employee benefit plans, they reflect a trend toward states regulating human resource practices broadly, are aimed at regulating human resource decision-making processes, and are part of an evolving regulatory environment. Hundreds of additional state bills were proposed in 2024, along with AI-related executive orders, signaling more forthcoming regulation in 2025. Questions remain about how these laws intersect with employee benefit plans and whether federal ERISA preemption could apply to state attempts at regulation.
Recent Federal Government Actions
The federal government recently issued guidance aimed at preventing discrimination in the delivery of certain healthcare services and completed a request for information (RFI) for potential AI regulations involving the financial services industry.
U.S. Department of Health and Human Services (HHS) Civil Rights AI Nondiscrimination Guidance – HHS, through its Office for Civil Rights (OCR), recently issued a “Dear Colleague” letter titled Ensuring Nondiscrimination Through the Use of Artificial Intelligence and Other Emerging Technologies. This guidance emphasizes the importance of ensuring that the use of AI and other decision-support tools in healthcare complies with federal nondiscrimination laws, particularly under Section 1557 of the Affordable Care Act (Section 1557).
Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in health programs and activities receiving federal financial assistance. OCR’s guidance underscores that healthcare providers, health plans, and other covered entities cannot use AI tools in a way that results in discriminatory impacts on patients. This includes decisions related to diagnosis, treatment, and resource allocation. Employers and plan sponsors should note that this guidance applies to a subset of health plans, including those that fall under Section 1557, but not to all employer-sponsored health plans.
Treasury Issues RFI for AI Regulation – In 2024, the U.S. Department of Treasury published an RFI on the Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector. The RFI included several key considerations, including addressing AI bias and discrimination, consumer protection and data privacy, and risks to third-party users of AI. While the RFI has not yet led to concrete regulations, it underscores federal attention to AI’s impact on financial and employee benefit services. The ERISA Industry Committee, a nonprofit association representing large U.S. employers in their capacity as employee benefit plan sponsors, commented that AI is already being used for retirement readiness applications, chatbots, portfolio management, trade executions, and wellness programs. Future regulations may target these and related areas.
AI-Powered ERISA Litigation
Potential ERISA claims against plan sponsors and fiduciaries are being identified using AI. In just one example, an AI platform, Darrow AI, claims to be:
“designed to simplify the analysis of large volumes of data from plan documents, regulatory filings, and court cases. Our technology pinpoints discrepancies, breaches of fiduciary duty, and other ERISA violations with accuracy. Utilizing our advanced analytics allows you to quickly identify potential claims, assess their financial impact, and build robust cases… you can effectively advocate for employees seeking justice regarding their retirement and health benefits.”
Further, this AI platform claims it can find violations affecting many types of employers, whether a small business or a large corporation, by analyzing diverse data sources, including news, SEC filings, social networks, academic papers, and other third-party sources.
Notably, health and welfare benefit plans are also emerging as areas of focus for AI-powered ERISA litigation. AI tools are used to analyze claims data, provider networks, and administrative decisions, potentially identifying discriminatory practices or inconsistencies in benefit determinations. For example, AI could highlight patterns of bias in prior authorizations or discrepancies in how mental health parity laws are applied.
The increasing sophistication of these tools raises the stakes for fiduciaries, as they must now consider the possibility that potential claimants will use AI to scrutinize their decisions and plan operations with unprecedented precision.
Next Steps for Fiduciaries
To navigate this evolving landscape, fiduciaries should take proactive steps to manage AI-related risks while leveraging the benefits of these technologies:
Evaluate AI Tools: Undertake a formal evaluation of artificial intelligence tools utilized for plan administration, participant engagement, and compliance. This assessment includes an examination of the algorithms, data sources, and decision-making processes involved, including an assessment to ensure their products have been evaluated for compliance with nondiscrimination standards and do not inadvertently produce biased outcomes.
Audit Service Providers: Conduct comprehensive audits of plan service providers to evaluate their use of AI. Request detailed disclosures regarding the AI systems in operation, focusing on how they mitigate bias, ensure data security, and comply with applicable regulations.
Review and Update Policies: Formulate or revise internal policies and governance frameworks to monitor the utilization of AI in operational planning and compliance with nondiscrimination laws. These policies should outline guidelines pertaining to the adoption, monitoring, and compliance of AI technologies, thereby ensuring alignment with fiduciary responsibilities.
Enhance Risk Mitigation:
Fiduciary Liability Insurance: Consider obtaining or enhancing fiduciary liability insurance to address potential claims arising from the use of AI.
Data Privacy and Security: Enhance data privacy and security measures to safeguard sensitive participant information processed by AI tools.
Bias Mitigation: Establish procedures to regularly test and validate AI tools for bias, ensuring compliance with anti-discrimination laws.
Integrate AI Considerations into Requests for Proposals (RFPs): When selecting vendors, include specific AI-related criteria in RFPs. This may require vendors to demonstrate or certify compliance with state and federal regulations and adhere to industry best practices for AI usage.
Monitor Legal and Regulatory Developments: Stay informed about new state and federal AI regulations, along with the developing case law related to AI and ERISA litigation. Establish a process for routine legal reviews to assess how these developments impact plan operations.
Provide Training: Educate fiduciaries, administrators, and relevant staff on the potential risks and benefits of AI in plan administration, emerging technologies and the importance of compliance with applicable laws. The training should provide an overview of legal obligations, best practices for implementing AI, and strategies for mitigating risks.
Document Due Diligence: Maintain comprehensive documentation of all steps to assess and track AI tools. This includes records of audits, vendor communications, and updates to internal policies. Clear documentation can act as a crucial defense in the event of litigation.
Assess Applicability of Section 1557 to Your Plan: Health and welfare plan fiduciaries should determine whether your organization’s health plan is subject to Section 1557 and whether OCR’s guidance directly applies to your operations, and if not, confirm and document why not.
Fiduciaries must remain vigilant regarding AI’s increasing role in employee benefit plans, particularly amid regulatory uncertainty. Taking proactive measures and adopting robust risk management strategies can help mitigate risks and ensure compliance with current and anticipated legal standards. By dedicating themselves to diligence and transparency, fiduciaries can leverage the benefits of AI while safeguarding the interests of plan participants. At Foley & Lardner LLP, we have experts in AI, retirement planning, cybersecurity, labor and employment, finance, fintech, regulatory matters, healthcare, and ERISA. They regularly advise fiduciaries on potential risks and liabilities related to these and other AI-related issues.
Connecticut Data Privacy Act New Opt-out Rights
On December 30, 2024, the Connecticut Attorney General issued an advisory to consumers and businesses that new opt-out rights under the Connecticut Data Privacy Act are effective as of January 1, 2025. Businesses must now honor global opt-out preference signals sent by consumers, e.g., via the Global Privacy Control, and treat those signals as requests to opt out of targeted advertising and sale of personal data. Additional resources are available on the Attorney General’s website.