New Changes to ACA Reporting Requirements Offer Welcome Relief to Employers and Others
Four changes have been made to the employer reporting requirements under the Affordable Care Act (ACA) for 2025.[1] These changes aim to simplify the reporting processes for employers.
Form 1095 Distribution – Effective for the 2024 reporting year, employers are no longer required to distribute Form 1095-C to all full-time employees (and plan sponsors of self-insured plans do not have to distribute Form 1095-B to individuals[2]). Instead, these forms only need to be provided upon request. In order to avail yourself of this new rule, you must:
Post a notice of availability that is a “clear, conspicuous and accessible notice (at such time and in such manner as the Secretary may provide).” While the IRS has been instructed to issue guidance as to how and when the notice must be distributed, no such guidance has been issued as of the date of this alert.
Upon receipt of an employee request, distribute the form within 30 days or, if later, by January 31. Electronic distribution is permitted if the employee consents (which is valid until withdrawn in writing).
Employers must still prepare and file Forms 1095-C and 1095-B with the IRS each year (generally due to be filed with the Form 1094-C/1094-B transmittal form by March 31).
Reporting for Self-Insured Plans – Effective for the 2024 reporting year, employers and plan sponsors issuing Form 1095-C for self-insured plan coverage of spouses and dependents can use the individual’s full name and date of birth if their social security number (SSN) or other taxpayer identification number (TIN) cannot be obtained. This change eases the burden on employers who have experienced problems obtaining the necessary TIN from nonresident aliens with no SSN or TIN. The new rule avoids the need for employers to establish reasonable cause before they are able to use a date of birth.
Longer Response Time for ACA Penalty Letters – Employers who receive a Letter 226J from the IRS proposing assessment of employer shared responsibility payments under Section 4980H of the Internal Revenue Code (“ACA Penalties”) will now have 90 days to respond. This is an increase from the prior 30-day window, which often left employers without sufficient time to review and address issues. This new time limit applies to assessments proposed in taxable years beginning after December 23, 2024 (for calendar year plans, this would be 2025).
6-Year Statute of Limitations for ACA Penalties – A new 6-year statute of limitations will apply to the IRS’ assessment of ACA Penalties. This new time limit runs from the due date for the return (or the return filing date, if later) and applies to returns due after December 31, 2024. Previously, the IRS took the position there was no statute of limitations.
It is important to note that these changes only impact employers’ reporting requirements under federal law. Several states have their own reporting requirements (e.g., CA, MA, NJ, RI, D.C.), so employers will need to continue to comply with those state laws, where applicable.
Action Steps
In light of these changes, employers and plan sponsors with ACA reporting responsibilities should consider taking the following steps:
1. Update Processes and Post Notice. If you want to take advantage of the new exemption from distributing Forms 1095-C (or Forms 1095-B, where applicable):
Draft and post your notice of availability of Form 1095-C (or Forms 1095-B, where applicable). If you wish to post a notice before the IRS guidance is issued, you should consider following prior IRS guidance that was issued to address similar notice provisions that apply to Form 1095-Cs issued by reporting entities to covered nonemployees and non-full-time employees. Under this prior guidance, the notice must be posted prominently in a location on the reporting entity’s website that is reasonably accessible to all individuals who would be entitled to receive the form and must be retained in that same location through October 15 following the calendar year for which the statement was issued (or, if October 15 is a Saturday, Sunday or legal holiday, the next business day). The notice must state that the individual may obtain a copy upon request, include an email address and physical address to which the request may be submitted, and provide a telephone number for any questions. Even if you follow this prior guidance, however, you should still stay alert for IRS guidance that specifically applies to the current rule and act quickly to make any changes to your notice or its posting to the extent necessary to achieve full compliance.
Check with any vendors that you use to prepare your ACA reporting and update any existing processes as necessary, including the need to annually post the notice and keep it posted for the required time period.
Establish a process for timely responding to requests to obtain a copy of the form and, if you want to be able to provide the form electronically, draft a valid consent form.
2. Continue to Prepare and File Forms 1095-C and 1095-B with the IRS. Remember that you still have an obligation to file these statements with the IRS, with the required transmittal form (generally due by March 31).
3. Obtain Full Names and Dates of Birth. If you sponsor a self-insured plan and anticipate that you may have covered individuals who do not have an SSN or TIN, adopt procedures to obtain full names and dates of birth.
[1] These changes were part of the recently enacted Employer Reporting Improvement Act and the Paperwork Burden Reduction Act.
[2] The exemption for Forms 1095-B already existed under IRS guidance, but is now made part of the law.
Important Update: USPTO Fee Changes Effective January 2025
Highlights
Patent fees will increase across most categories, including filing, maintenance, and excess claims, on Jan. 19, 2025
New surcharges will apply to continuations filed six or nine years after the earliest benefit date (EBD); PTAB petitions will experience increases across the board
Trademark fees also will see adjustments, including a unified application fee that will replace the TEAS Plus/Standard system, as well as others. Additional surcharges will apply for missing information, custom descriptions, and lengthy filings.
The U.S. Patent and Trademark Office (USPTO) is set to increase fees beginning Jan. 19, 2025, for patent-related fees, and Jan. 18, 2025, for trademark-related fees as part of routine updates at the USPTO to maintain alignment with operational costs and resource requirements. Tables that summarize targeted fee increases for the most common types of filings with the USPTO are included below. A global 7.5 percent increase is being applied to all filings that do not have a targeted fee increase.
| Patent-Related Fees | Current Fee | Fee Effective 1/19/2025 | Percentage Increase |
|---|---|---|---|
| Filing Fees | | | |
| Utility patent application fees | $1,820 | $2,000 | 10% |
| Utility patent application issue fees | $1,200 | $1,290 | 7.5% |
| Design patent application fees | $1,020 | $1,300 | 27% |
| Design patent issue fees | $740 | $1,300 | 76% |
| Claim Fees | | | |
| Each independent claim in excess of 3 | $480 | $600 | 25% |
| Each claim in excess of 20 | $100 | $200 | 100% |
| Request for Continued Examination (RCE) Fees | | | |
| First RCE | $1,360 | $1,500 | 10% |
| Second and subsequent RCE | $2,000 | $2,860 | 43% |
| New Continuing Application Surcharge | | | |
| Applications filed six (6) years or more after the earliest benefit date | (new fee) | $2,700 | |
| Applications filed nine (9) years or more after the earliest benefit date | (new fee) | $4,000 | |
| Information Disclosure Statement (IDS) and IDS Size Fees** | | | |
| IDS filing fee | $260 | $280 | 8% |
| IDS with 51 to 100 items of information | (new fee) | $200 | |
| IDS with 101 to 200 items of information | (new fee) | $500 less any amount previously paid | |
| IDS with more than 200 items of information | (new fee) | $800 less any amount previously paid | |
| Terminal Disclaimer Fees | | | |
| Filing of Terminal Disclaimer | $170 | $183 | 8% |
| Maintenance Fees | | | |
| Fee due at 3.5 years | $2,000 | $2,150 | 8% |
| Fee due at 7.5 years | $3,760 | $4,040 | 7% |
| Fee due at 11.5 years | $7,700 | $8,280 | 8% |
| Patent Term Extension (PTE) Application Fees** | | | |
| Application for PTE fee | $1,180 | $2,500 | 112% |
| Initial application for interim extension fee | $440 | $1,320 | 200% |
| Request for a supplemental redetermination after a notice of final PTE determination | (new fee) | $1,440 | |
| Petition Fees | | | |
| Petition associated with unintentional delay of more than 2 years | $2,100 | $3,000 | 43% |
| Patent Trial and Appeal Board (PTAB) Fees | | | |
| Request for review of PTAB decision by Director | (new fee) | $452 | |
| Petitions for PTAB trials | | | 25% increase for all PTAB trials |
*Key adjustments are shown above for undiscounted (large) entity fees; small entities generally receive a 60 percent discount and micro entities generally receive a 75 percent discount on these undiscounted fees.
**Fee applies to all entities, with no discounts being given to small or micro entities.
| Trademark-Related Fees | Current Fee | Fee Effective 1/19/2025 | Percentage Increase |
|---|---|---|---|
| Application and Registration Fees | | | |
| Unified base application fee, per class* | (new fee) | $350 | |
| Intent-to-Use applications (Statements of Use and Amendments to Allege Use), per class | $100 | $150 | 50% |
| Madrid Protocol applications (application fee filed with WIPO (Section 66(a))), per class | $500 | $600 | 20% |
| Post-Registration Maintenance Fees | | | |
| Section 8 Declarations (filed between the 5th and 6th year after registration) | $225 per class | $325 per class | 45% |
| Section 9 Renewals (filed every 10 years) | $300 per class | $325 per class | 8% |
| Section 15 Declarations (Declaration of Incontestability) | $200 per class | $250 per class | 25% |
| Section 71 Declarations | $225 per class | $325 per class | 45% |
| Renewal fee filed at WIPO | $300 per class | $325 per class | 8% |
| Petitions | | | |
| Petition to the Director | $250 | $400 | 60% |
| Petition to Revive an Application | $150 | $250 | 67% |
| Letter of Protest | $50 | $150 | 300% |
*The distinction between TEAS Plus and TEAS Standard applications will be eliminated and a single base application fee of $350 per class will apply to applications under Trademark Act Sections 1 and 44.
New surcharges will also be in effect for each of:
Insufficient Information: A $100 fee per class will be charged for applications lacking required details, such as the applicant’s name, domicile address, or entity type.
Custom Identifications: Using custom descriptions for goods or services instead of selecting from the USPTO’s ID Manual will incur a $200 fee per class.
Excessive Text Length: An additional $200 fee per class will apply for each set of 1,000 characters exceeding the initial 1,000 characters in custom descriptions.
For patent applications, we suggest considering a comprehensive review of your portfolio, at least with respect to each of the following:
Continuation applications that would have benefit dates of more than six or nine years
Information Disclosure Statements with over 50 cumulative prior art listings
Second or subsequent RCEs
Design patent applications
With respect to trademarks, those looking to file new applications with long or unusual descriptions of goods and services may consider filing these applications before the fees for using free-form text boxes and additional characters go into place.
Takeaways
If you are planning to file a new patent or trademark application, submit a renewal, or pay maintenance fees in the near future, it may be advantageous to do so before Jan. 19, 2025, or Jan. 18, 2025, respectively, to take advantage of the current fee structure before the increases take effect.
OFAC Relaxes Sanctions Against Post-Assad Syria – For Now
The US government signals careful optimism with a new general license authorizing some previously prohibited transactions, including many (but not all) transactions with Syrian governing institutions, for the next six months.
After a month of speculation about how US sanctions policy will treat the new leaders of Syria who swept into power in early December and sent Bashar al-Assad into exile, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) has issued General License 24 under the Syria Sanctions Regulations (SySR), the Global Terrorism Sanctions Regulations (GTSR), and the Foreign Terrorist Organizations Sanctions Regulations (FTOSR) on January 6. With certain exceptions, the license temporarily authorizes:
Transactions with governing institutions in Syria following December 8, 2024.
Transactions in support of the sale, supply, storage, or donation of energy, including petroleum, petroleum products, natural gas, and electricity, to or within Syria.
Transactions that are ordinarily incident and necessary to processing the transfer of noncommercial, personal remittances to Syria, including through the Central Bank of Syria.
The license, which currently expires July 7, covers transactions that would otherwise be prohibited not only by the SySR, but also by the GTSR and the FTOSR, given that the new leaders of Syria are part of Hay’at Tahrir al-Sham (HTS), which currently remains a designated terrorist group under those other sanctions programs.
What Is NOT Authorized?
General License 24 does not cover:
Financial transfers to any person blocked pursuant to the GTSR, FTOSR, or SySR other than for (i) paying taxes, fees, or import duties to Syrian governing institutions; (ii) paying the wages of Syrian governing institution employees provided they are not listed on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List; or (iii) purchasing/receiving permits, licenses, public utility services, or other public services in Syria.
The unblocking of any property that has already been blocked pursuant to US sanctions regulations.
Any transactions involving military or intelligence entities, or any persons acting on their behalf.
Importation of Syrian-origin petroleum or petroleum products into the United States.
Any transactions for or on behalf of the Government of the Russian Federation or the Government of Iran or related to the transfer or provision of Iranian- or Russian-origin goods, technology, software, funds, financing, or services.
New investments in Syria (which OFAC broadly defines as a commitment or contribution of funds or other assets or a loan or extension of credit), except contributions for salaries or wages of Syrian governing institution employees who are not listed on the SDN List.
The bottom line is: except for the three specific categories of authorized activities, all previous economic sanctions concerning Syria still apply. We also think it is wise to assume that it remains prohibited to facilitate any of the activities listed above that are specifically carved out of General License 24’s authorization. Additionally, those seeking to export commodities, software, or technology to Syria must still follow the Syria-specific requirements in the Export Administration Regulations implemented by the US Department of Commerce’s Bureau of Industry and Security.
Helpful New FAQs
Along with the new general license, OFAC released several new FAQs that give some much-appreciated clarity to the state of economic sanctions against Syria. Our top takeaways from the OFAC answers are:
The purpose of General License 24 is ensuring that US sanctions “do not impede essential governance-related services in Syria following the fall of Bashar al-Assad on December 8, 2024, including for the provision of public services or certain transactions related to energy or personal remittances” (FAQ 1205).
General License 24 authorizes transactions with a governing institution (with the exceptions noted above), even if it’s operated by a sanctioned individual (FAQ 1208).
Syrian “governing institutions” are broadly defined to include “departments, agencies, and government-run public service providers (including public hospitals, schools, and utilities) at the federal, regional local level” across all of Syria (FAQ 1206).
Previous general licenses, including those that broadly authorize NGO operations in Syria, are still in effect and may overlap with General License 24 (FAQs 1212 and 1209).
Conclusions
It appears OFAC will take a wait-and-see approach to decide how to deal with the new HTS-led government in the long term. But for the next six months, General License 24 offers long-awaited sanctions relief (temporary, and carefully circumscribed) for Syria’s new leaders, US persons and entities operating in Syria, and above all, the Syrian people.
FTC Imposes Record Fine on Oil Companies for Illegal Pre-Merger Conduct
On January 7, 2025, the Federal Trade Commission (FTC) announced that crude oil producers XCL Resources Holdings, LLC (XCL), Verdun Oil Company II LLC (Verdun) and EP Energy LLC (EP) collectively will pay a $5.68 million civil penalty to resolve allegations they engaged in illegal pre-merger coordination, also known as “gun jumping,” in violation of the Hart-Scott-Rodino Act (HSR Act). This is the largest fine ever imposed for a gun jumping violation in US history.
The HSR Act requires merging parties to report transactions over certain size thresholds to the FTC and Department of Justice so that those agencies can conduct an antitrust review before closing. The agencies typically have 30 days after a transaction has been reported, known as the HSR waiting period, to conduct their initial assessment. The investigating agency can extend that waiting period by issuing a “second request” demand for additional information if it determines that the transaction needs more in-depth review. During the HSR waiting period, the acquiror is prohibited from taking ownership or control over the target business. Such gun jumping is punishable by a civil penalty of up to $51,744 per day (the maximum penalty is adjusted annually).
On July 26, 2021, Verdun and XCL entered into a $1.45 billion agreement to acquire EP that triggered the HSR Act’s notification and waiting period requirements. During the initial 30-day HSR review period, the FTC’s investigation identified significant competitive concerns about the transaction, including that it would have eliminated head-to-head competition between two of only four significant energy producers in Utah’s Uinta Basin and would have harmed competition for the sale of Uinta Basin waxy crude oil to Salt Lake City refiners. To resolve those concerns, on March 25, 2022, the FTC entered into a consent agreement with XCL, Verdun and EP that required the divestiture of EP’s entire business and assets in Utah.
According to the FTC’s complaint, instead of observing the waiting period requirement, XCL and Verdun “jumped the gun” and assumed operational and decision-making control over significant aspects of EP’s day-to-day business operations immediately upon signing the purchase agreement. Per the complaint, the parties’ unlawful gun jumping activities during the interim period that were memorialized in the purchase agreement included:
Granting XCL and Verdun approval rights over EP’s ongoing and planned crude oil development and production activities. XCL immediately took advantage of these rights and ordered a stop to EP’s new well-drilling activities, resulting in a crude oil supply shortage for EP when the US market was facing significant supply shortages and multiyear highs in oil prices.
Providing that XCL and Verdun would bear all financial risk and liabilities associated with EP’s anticipated supply shortages, which resulted in XCL and EP working in concert to satisfy EP’s customers’ supply commitments, and EP employees reporting to their XCL counterparts with details on supply volumes and pricing terms. XCL engaged directly with EP’s customers and held itself out as coordinating EP’s supply and deliveries in the Uinta Basin.
Requiring EP to submit all expenditures above $250,000 to XCL or Verdun for approval. As a result, buyer approval was required before EP could perform a range of ordinary-course activities needed to conduct its business, such as purchasing supplies for its drilling operations and entering or extending contracts for drilling rigs.
Permitting XCL and Verdun to order EP to change certain ordinary-course business operations, including its well-drilling designs and leasing and renewal activities.
Allowing Verdun to review and coordinate with EP regarding prices for EP’s customers in the Eagle Ford region of Texas, with Verdun directing EP to raise prices in the next contracting period.
Providing XCL and Verdun with almost-unfettered access to EP’s competitively sensitive business information, including EP’s site design plans, customer contract and pricing information, and daily production and supply reports.
As stated in the FTC’s complaint, the waiting period obligation for this transaction began on July 26, 2021, the date the parties executed their purchase agreement. On October 27, 2021, during the course of the FTC’s investigation, XCL, Verdun and EP executed an amendment to the purchase agreement that allowed EP to resume operating independently and in the ordinary course of business, without XCL’s or Verdun’s control over its day-to-day operations, thereby ending the illegal gun jumping conduct. Thus, XCL, Verdun and EP were in violation of the HSR Act for 94 days.
This case is noteworthy not only for the magnitude of the penalty imposed on the transaction parties, but also because the violation arose both from provisions in the purchase agreement itself and from the parties’ conduct after they executed the purchase agreement. It serves as an important reminder that merging businesses in HSR-reportable transactions must maintain independent operations at least until expiration of the HSR waiting period and in some cases until closing (similar obligations can also apply to M&A transactions involving competitors even in non-HSR-reportable deals). This independence must be reflected in both the transaction documents and the actions of the parties. Antitrust counsel can assist with drafting appropriate conduct-of-business covenants in the purchase agreement and properly navigating integration planning and pre-closing coordination during the interim period between signing and closing.
New Jersey Division of Consumer Affairs Publishes Privacy Law FAQs
On January 6, 2025, the New Jersey Division of Consumer Affairs Cyber Fraud Unit published a set of frequently asked questions and answers (“FAQs”) on the New Jersey Data Privacy Law (“NJDPL”). The FAQs are intended for the convenience of businesses that may be subject to the law and cover topics such as “What is ‘personal data’?” and “What rights does the NJDPL protect?” The FAQs reiterate that small businesses and non-profits are subject to the NJDPL if they meet the law’s applicability thresholds. The FAQs also state that the Division of Consumer Affairs will issue regulations in 2025. The NJDPL becomes effective January 15, 2025.
Massachusetts Governor Maura Healey Signs into Law a Sweeping Health Care Market Oversight Bill
On January 8, 2025, Massachusetts Governor Maura Healey signed into law House Bill No. 5159, “An Act enhancing the health care market review process” (“H. 5159”), which was passed by the Massachusetts legislature in the last few days of 2024.
The bill will implement greater scrutiny of certain health care entities and affiliated companies—including private equity sponsors, significant equity investors, health care real estate investment trusts (“REITs”), and management services organizations (“MSOs”)—as well as pharmaceutical companies and pharmacy benefit management companies (“PBMs”) in the Commonwealth.
The passage of H. 5159 follows debate between the House and Senate earlier in 2024 over similar bills, which failed to pass during the summer legislative session. Notably, similar bills included debt limitations on certain private investor-backed entities and bans of certain private equity investments, as well as significant restrictions on the MSO business model. However, these restrictions (among various others) were stripped from H. 5159.
Although H. 5159 has widespread implications for health care entities in the Commonwealth, a significant portion of the bill is clearly aimed at increasing regulatory oversight of for-profit-backed health care organizations through increased regulatory oversight of certain health care transactions and expanded reporting obligations. The bill also seeks to contain health care costs, including by increasing oversight of pharmaceutical company and PBM arrangements.
Below in this alert we highlight some of the more significant provisions of H. 5159.
Health Policy Commission – Notices of Material Change
H. 5159 extends the authority of the Health Policy Commission (“HPC”) in the context of notices of material change under M.G.L. c. 6D § 13 (“Notices of Material Change”) to indirect owners and affiliates of health care providers, such as private equity companies, significant equity investors, MSOs, and health care REITs.
The bill also broadens the transactions that are subject to the HPC’s Notice of Material Change requirements to include (i) significant expansions in capacity of a provider or provider organization; (ii) transactions involving a significant equity investor resulting in a change of ownership or control of a provider or provider organization; (iii) real estate sale lease-back arrangements and other significant acquisitions, sales, or transfers of assets; and (iv) conversions of a provider or provider organization from a non-profit to a for-profit.
In the context of the HPC’s review of a Notice of Material Change, the HPC will be authorized to require the submission of documents and information from significant equity investors, such as information regarding the significant equity investor’s capital structure, financial condition, ownership and management structure, and audited financials.
H. 5159 also implements other related changes, such as reducing the market share threshold for mergers or acquisitions to be subject to the Notice of Material Change process (from “near majority” to “dominant” market share), enhancing the HPC’s authority to monitor post-transaction impacts, and expanding the review criteria for a cost and market impact review.
Health Policy Commission – Registration of Provider Organizations
Under H. 5159, the data and information collected under the HPC’s Massachusetts Registration of Provider Organizations Program (“MA-RPO Program”) will now also cover ownership, governance, and operational structure information of significant equity investors, health care REITs, and MSOs. H. 5159 also amends the MA-RPO Program reporting threshold to include revenue generated from payers other than commercial payers, such as governmental payers.
Health Policy Commission – Annual Cost Trends Hearing
As a complement to the increased authority discussed above, the list of stakeholders required to testify at the HPC’s Annual Cost Trends Hearing is expanded to include, among others, significant equity investors, health care REITs, and MSOs as well as PBMs and pharmaceutical companies.
Testimony from significant equity investors, health care REITs, and MSOs must cover topics such as health outcomes, prices, staffing levels, clinical workflow, financial stability and ownership structure of associated providers or provider organizations, dividends paid out to investors, and compensation (e.g., base salaries, incentives, bonuses, stock options, deferred compensation, benefits, and contingent payments) to officers, managers, and directors of provider organizations owned or managed by the significant equity investors, health care REITs, or MSOs.
Testimony from PBMs and pharmaceutical companies must cover topics such as factors underlying drug costs and price increases as well as the impact of aggregate manufacturer rebates, discounts, and other price concessions on net pricing (provided that the testimony will not undermine the financial, competitive, or proprietary nature of the data).
H. 5159 further expands the topics covered by the HPC’s Annual Cost Trends Hearings to expressly include costs, prices, and cost trends of providers, provider organizations, private and public payers, pharmaceutical companies, and PBMs, as well as any impact of significant equity investors, health care REITs, or MSOs on those costs, prices, and cost trends.
Health Policy Commission and CHIA – Operations Assessments
H. 5159 expands the categories of entities required to pay assessments to help fund the HPC and Center for Health Information and Analysis (“CHIA”) to include “non-hospital provider organizations,” pharmaceutical companies, and PBMs. A “non-hospital provider organization” is defined as any provider organization registered under the MA-RPO Program that is a non-hospital-based physician practice with annual gross patient service revenue of at least $500 million, a clinical laboratory, an imaging facility, or a network of affiliated urgent care centers. The methodology for calculating the amount assessed against each entity is based on entity type and the total amount appropriated by the Massachusetts legislature for the operation of HPC and CHIA.
CHIA – Reporting Requirements
Under H. 5159, CHIA will collect additional information from acute and non-acute care hospitals regarding their parent organizations and significant equity investors, health care REITs, and MSOs. Such information includes the audited financial statements of parent organizations’ out-of-state operations, significant equity investors, health care REITs, and MSOs, as well as financial data on margins, investments, and any relationships with significant equity investors, health care REITs, and MSOs.
H. 5159 also expands the scope of CHIA’s data collection under the MA-RPO Program. Notably, information subject to annual reporting will include, in relevant part, (i) comprehensive financial statements that include data on parent entities (including their out-of-state operations), corporate affiliates (including significant equity investors, health care REITs, and MSOs, as applicable), annual costs, annual receipts, realized capital gains and losses, accumulated surplus, and accumulated reserves; and (ii) information regarding other assets and liabilities that may affect the financial condition of the provider organization or the provider organization’s facilities (e.g., real estate sale-leaseback arrangements with health care REITs).
H. 5159 further provides that CHIA may require in writing, at any time, such additional information as CHIA deems reasonable and necessary to determine a registered provider organization’s organizational structure, business practices, clinical services, market share, or financial condition, including information related to its total adjusted debt and total adjusted earnings.
CHIA will also have the authority to require registered provider organizations with private equity investment to report required information on a quarterly basis and require disclosure of relevant information from any significant equity investor associated with a registered provider organization. CHIA may also assess increased penalties for non-compliance with these reporting requirements.
Acute and non-acute care hospitals and registered provider organizations should note that, pursuant to M.G.L. c. 12C § 17, the Massachusetts Attorney General (“AG”) may review and analyze any information submitted to CHIA under M.G.L. c. 12C §§ 8, 9, and 10. Thus, the AG may review and analyze all information regarding significant equity investors, health care REITs, and MSOs submitted to CHIA under H. 5159’s expanded reporting requirements.
Department of Public Health (“DPH”) – Determinations of Need
With exceptions, existing Massachusetts law forbids entities from making substantial capital expenditures for the construction of a health care facility or substantially changing the service of the facility unless DPH has approved a determination of need application (“DON”). H. 5159 expands and clarifies DPH considerations in reviewing a DON. These include (i) the state health resource plan; (ii) the Commonwealth’s cost containment goals; (iii) the impacts on the applicant’s patients, including considerations of health equity, the workforce of surrounding health care providers and on other residents of the commonwealth; and (iv) any comments and relevant data from CHIA and the HPC, and any other state agency. H. 5159 codifies a current DPH regulation allowing the period of time DPH has to review a DON to toll if an independent cost-analysis is required and clarifies the effective date of a determination of need issued to holders subject to cost and market impact reviews and/or performance improvement plans. Finally, the legislation adds that a party of record may review a DON for which it is appropriately registered and provide written comment or specific recommendations for consideration by DPH.
Department of Public Health – Licensure of Acute-Care Hospitals
H. 5159 adds provisions to the licensure process of acute-care hospitals, mandating that no original license shall be granted or renewed to establish or maintain such facilities if the main campus of the acute-care hospital is leased from a health care REIT (with an exemption for those acute-care hospitals leasing a main campus from a health care REIT as of April 1, 2024). An exempt acute-care hospital shall remain exempt “after a transfer to any transferee and subsequent transferees,” and those transferees shall be issued a license upon meeting all other requirements. “Main campus” is defined in H. 5159 as “the licensed premises within which the majority of inpatient beds are located.” Additional new licensure requirements for acute-care hospitals mandate the disclosure of documents to DPH relating to leases, licenses, or other agreements for the use, occupancy, or utilization of the premises occupied by the acute-care hospital. Acute-care hospitals also must remain in compliance with applicable reporting requirements.
Department of Public Health – Licensure of Office-Based Surgical Centers
H. 5159 mandates that DPH, in consultation with the Massachusetts Board of Registration in Medicine, establish rules, regulations, and practice standards for the licensing of office-based surgical centers by October 1, 2025. Such licensure will be effective for an initial period of two years and subject to renewal. Pursuant to H. 5159, DPH may impose a fine of up to $10,000 on (1) a person or entity advertising, announcing, establishing, or maintaining an office-based surgical center without a license and (2) a licensed office-based surgical center that violates DPH’s forthcoming rules and regulations. Each day during which a violation continues will constitute a separate offense, and DPH may conduct surveys and investigations to enforce compliance. Notwithstanding the foregoing, H. 5159 permits DPH to grant a one-time provisional license to applicant office-based surgical centers if such applicants hold a (1) current accreditation from the Accreditation Association for Ambulatory Health Care, American Association for Accreditation of Ambulatory Surgery Facilities, or the Joint Commission; or (2) current certification for participation in Medicare or Medicaid, and DPH determines that such applicants meet all other licensure requirements.
Attorney General’s Office – False Claims Statute
H. 5159 amends the Massachusetts False Claims Statute to extend potential liability to those with an “ownership or investment interest” in an entity that violates the statute, if such owner or investor knows of the violation and fails to disclose it to the Commonwealth within 60 days of identifying it. As a result, the AG has broadened authority to pursue actions against private equity companies and other owners or investors for not addressing a violation of the statute of which they are aware, regardless of whether the private equity company or other owner or investor caused the violation. Notably, the definition of “ownership or investment interest” captures significant equity investors, as defined elsewhere in the bill, as well as private equity companies with any investment or ownership interest in an entity that violates the statute.
Primary Care Payment and Delivery Task Force
H. 5159 also establishes a 23-member primary care payment and delivery task force (“Task Force”) charged with (i) studying primary care access, delivery, and payment; (ii) developing and issuing recommendations to stabilize and strengthen the primary care system and increase recruitment and retention of primary care workers; and (iii) increasing investment in, and patient access to, primary care in the Commonwealth.
Among other recommendations, the Task Force must create a primary care spending target for private and public payers that takes into account the cost to deliver evidence-based, equitable, and culturally competent primary care services and propose payment models to increase private and public reimbursement for primary care services.
The bill requires the Task Force to issue its first recommendations by September 15, 2025, and requires recommendations to be issued in a sequential manner thereafter, through May 15, 2026.
Takeaways
The true impact of H. 5159 will depend in large part on the regulatory bodies tasked with enforcement and implementation of its provisions. Importantly, we expect that HPC, which has been petitioning the legislature for greater oversight authority over the past several years to review private equity health care investments in Massachusetts, will play a central role in determining the level of scrutiny for-profit investors in hospital systems and provider organizations will face moving forward.
Ann W. Parks contributed to this article
Pay Transparency Reminder: 5 States’ Laws Take Effect in 2025
With the turn of the new year, employers must focus on refining their recruiting and retention efforts to ensure compliance with a handful of new pay transparency laws, specifically in Illinois, Minnesota, Vermont, Massachusetts, and New Jersey. The Illinois and Minnesota requirements became effective on January 1, 2025. The Vermont, Massachusetts, and New Jersey laws take effect at different points later in 2025.
These laws generate a host of questions, including with regard to application to staffing agencies, the use of pay bands to meet range requirements, items included in “other compensation,” the risks of going above the stated range, the size of permitted ranges, and potential applicability to remote and hybrid positions. In this article, in order of effective date, we review the primary requirements of the new laws and offer takeaways.
Quick Hits
Illinois, Minnesota, Vermont, Massachusetts, and New Jersey have pay transparency requirements becoming effective in 2025.
Several of the states impose requirements related to internal employees and promotional opportunities.
Many of the requirements are currently unclear and await further guidance.
Illinois
Beginning January 1, 2025, employers with fifteen or more employees are required to include a pay scale and benefits in job postings. In addition, within fourteen days after making an external job posting for a position, employers must announce, post, publish, or otherwise make known all opportunities for promotion to all current employees.
These job posting requirements apply to positions physically performed at least in part in Illinois and to positions reporting to a supervisor, office, or worksite in Illinois. Therefore, employers may need to include pay and benefits information for remote jobs.
“Pay scale and benefits” means “the wage or salary, or the wage or salary range, and a general description of the benefits and other compensation, including, but not limited to, bonuses, stock options, or other incentives the employer reasonably expects in good faith to offer for the position.” Employers can satisfy these requirements through a hyperlink to a publicly viewable webpage that includes the pay scale and the posting of a relevant and up-to-date general description of benefits in an easily accessible, central, public location on the employer’s website—and referring to that hyperlink in the job posting.
Regarding the use of third parties to announce, post, publish, or make known a job posting, an employer is required to provide the third party with the pay scale and benefits information (or hyperlink as described above). If the third party then fails to include the information on a job posting, the employer is not liable.
Illinois has begun rolling out guidance on these requirements. (See Equal Pay Act Pay Transparency FAQ.) In particular, Illinois has taken the position that all employees, whether located in Illinois or in another state, count toward the fifteen-employee threshold for compliance. The Illinois Department of Labor (IDOL) has also published a required “Equal Pay Act Pay Transparency Notice” for “All Illinois Employers with 15 or More Employees.”
Illinois has committed to providing additional guidance that will hopefully address, among other items, the extent to which an employer must describe any additional compensation and benefits in the job posting narrative.
Minnesota
Effective January 1, 2025, employers with thirty or more employees at one or more sites in Minnesota must include pay information and a general description of all benefits and other compensation in job postings. Specifically, an employer must disclose the starting salary range (which may not be open-ended) or, if the employer does not plan to offer a salary range for a position, a fixed pay rate. The range consists of the minimum and maximum annual salary or hourly rate of compensation, based on the employer’s good-faith estimate, for the job opportunity at the time of the posting.
New Jersey
Beginning June 1, 2025, employers with ten or more employees over twenty calendar weeks and that do business, have employees, or take applications for employment in New Jersey, must make certain internal and external pay disclosures.
Specifically, covered employers must disclose, in each posting for new jobs and transfer opportunities that are advertised externally or internally, the hourly wage or salary, or a range of the hourly wage or salary and a general description of benefits and other compensation programs for which the employee would be eligible.
Covered employers must also make “reasonable efforts” to announce, post, or otherwise make known opportunities for promotion (defined as a change in job title and an increase in compensation) that are advertised internally or externally to all current employees in the affected department(s) before making a promotion decision. But promotions awarded on the basis of years of experience or performance are exempt from this requirement.
We anticipate further guidance from New Jersey in the upcoming months to help clarify these requirements.
Vermont
Beginning July 1, 2025, employers that do business in or operate in Vermont and have five or more employees must include compensation or a range of compensation in any advertisement of a specific Vermont job opening.
The “range of compensation” means the minimum and maximum annual salary or hourly wage that the employer expects, in good faith, to pay for the advertised job at the time the employer creates the advertisement.
Covered “Vermont job openings” include positions open to internal and/or external candidates, and positions into which current employees may transfer or be promoted, that are (a) physically located in Vermont, or (b) performing work for an office or work location that is physically located in Vermont.
Notably, the Vermont law does not require a general description of benefits and other compensation.
Massachusetts
The Massachusetts Pay Transparency Act (the Act) requires employers with more than one hundred employees to submit wage data reports annually, with the first report being due by February 1, 2025. However, the Massachusetts Executive Office of Workforce Development has recently stated that covered employers will need only submit their most recent EEO-1 filings by February 1, and not provide any wage data.
In addition to the filing requirement, beginning October 29, 2025, employers with twenty-five or more employees in Massachusetts must: (1) disclose the pay range for a “particular and specific employment position” in the job posting for that position; (2) provide the pay range for a “particular and specific employment position” to an employee who is offered a promotion or transfer to a new position; and (3) upon request, provide the pay range for a “particular and specific employment position” to an employee holding that position and an applicant for that position. A “pay range” means the annual salary range or hourly wage range that the employer reasonably and in good faith expects to pay for the position at that time.
The Massachusetts law also imposes a host of pay reporting requirements that seem to depend on the U.S. Equal Employment Opportunity Commission (EEOC) implementing pay data reporting obligations. Given the upcoming change in presidential administrations, it is unclear at this point whether the EEOC will actually move forward with any such pay data reporting.
Key Takeaways
Employers may want to consider taking the following steps:
Training managers and HR professionals on these new compliance obligations, including promotion and opportunity requirements, and on how to respond to pay inquiries from job applicants and current employees
Reminding managers and supervisors that employees are allowed to discuss their pay with others
Undertaking a privileged pay equity audit
Developing/refining pay philosophies as needed to ensure consistency throughout the organization
Updating handbook policies to include anti-retaliation language to protect employees who raise concerns about pay transparency compliance
Watching for enforcement actions to understand state priorities and clarifications on requirements. For example, Colorado publishes state enforcement information. It is likely that Illinois, Minnesota, Vermont, Massachusetts, and New Jersey will similarly publish details about enforcement and penalties.
Reviewing state guidance to provide clarity on statutory language. Colorado, Maryland, New York, and Washington are some states with helpful guidance. For example, Maryland’s guidance illustrates the “general description of benefits” requirement by listing “Employer provided insurance such as health or life or other employer-provided insurance, Paid or unpaid time off work such as paid sick or vacation days, or leaves of absence, Retirement or savings funds such as 401(k) plans or employer-funded pension plans, or Other forms of compensation such as the value of employer-provided meals or lodging.” It further illuminates the “other compensation offered” by providing, as examples, “overtime, compensatory time, differentials, premium pay, tips, commissions, bonuses, stock or stock options, and any portion of service charges.”
Auditing job postings for compliance, including job postings hosted on third parties’ sites
The North Carolina Board of CPA Examiners: A Licensed Professional User’s Guide
The North Carolina Board of CPA Examiners (“Board”) plays a pivotal role in ensuring the integrity and professionalism of the accounting field within the state.
As the governing body for Certified Public Accountants (“CPAs”), the Board upholds rigorous standards of practice, oversees the licensing process, and enforces compliance with ethical rules and regulations. For both aspiring CPAs and experienced professionals, understanding the Board’s responsibilities, processes, and expectations is essential for navigating the path to licensure and maintaining professional standing. Navigating those expectations can be daunting. This article highlights some of the Board’s requirements and functions for licensees.
Licensing Process
The licensing process for Certified Public Accountants (CPAs) in North Carolina is a structured pathway that involves meeting educational, examination, and experience requirements. The North Carolina Board of CPA Examiners oversees the critical examination component of this process, managing the application, administration, and scoring of the Uniform CPA Exam. This exam is a crucial step in obtaining CPA licensure in all U.S. jurisdictions, and while the education and experience requirements may differ across states, the Uniform CPA Exam remains the same nationwide.
To sit for the Uniform CPA Exam in North Carolina, candidates must meet several eligibility criteria:
Be a U.S. citizen or resident alien, or a citizen of a foreign jurisdiction with similar examination privileges.
Be at least 18 years old.
Be of good moral character.
Meet the specific education requirements outlined by the Board.
Applicants may not be eligible to take the exam if the Board determines the applicant has violated the laws and rules of Professional Ethics and Conduct. An applicant can challenge this determination. Additionally, exam applicants are required to undergo a background check as part of the application process. An applicant who is concerned that a past criminal conviction may affect eligibility for licensure may ask the Board for a predetermination of eligibility, even before entering an educational program. Consider engaging experienced counsel to assist in navigating these processes.
In addition to successfully passing the Uniform CPA Exam, an applicant must provide evidence of appropriate work experience and proof of successful completion of the North Carolina Association of CPAs course, NC Accountancy Law: Ethics, Principles, & Professional Responsibilities, an accountancy law course. The work experience and course must be completed prior to applying for licensure with the Board.
Maintaining the License
Once licensed, it is important to satisfy all of the Board’s ongoing requirements in order to retain the license. All CPAs licensed in North Carolina must:
renew their license annually before July 1 and pay a $60 renewal fee
complete Continuing Professional Education (CPE) in accordance with 21 NCAC 08G .0401, including at least 50 minutes of regulatory or behavioral professional ethics and conduct by December 31 each year and report those at the time of renewal
retain CPE completion certificates and provide them to the Board upon notification of an audit
notify the Board in writing of any change in mailing address, physical address, practice/business address, phone number, employment, email address, or website address within 30 days of a change
Failure to comply with any of the above could result in the licensee being disciplined.
Navigating Practice Complaints
A complaint against a CPA to the Board is taken seriously. An investigation can be daunting and overwhelming for the professional facing one, and a CPA should consider engaging experienced counsel if an investigation is opened.
The Board’s Professional Standards Committee (“Committee”) is a three-member committee of the Board tasked with enforcing the Board’s law and rules of Professional Ethics and Conduct. Violations of the law or rules may result in discipline to the CPA in the form of revocation (partial or in full) of the license, censure, and/or imposition of a civil penalty.
The Board has jurisdiction to investigate and take action pursuant to its authority under N.C. Gen. Stat. § 93-12(9), which states:
The Board shall have the power to adopt rules of professional ethics and conduct to be observed by certified public accountants in this State and persons exercising the practice privilege authorized by this Chapter. The Board shall have the power to revoke, either permanently or for a specified period, any certificate issued under the provisions of this Chapter to a certified public accountant or any practice privilege authorized by the provisions of this Chapter or to censure the holder of any such certificate or person exercising the practice privilege authorized by this Chapter. The Board also shall have the power to assess a civil penalty not to exceed one thousand dollars ($1,000) for any one or combination of the following causes:
Conviction of a felony under the laws of the United States or of any state of the United States.
Conviction of any crime, an essential element of which is dishonesty, deceit or fraud.
Fraud or deceit in obtaining a certificate as a certified public accountant.
Dishonesty, fraud or gross negligence in the public practice of accountancy.
Violation of any rule of professional ethics and professional conduct adopted by the Board.
Any disciplinary action taken shall be in accordance with the provisions of Chapter 150B of the General Statutes. The clear proceeds of any civil penalty assessed under this section shall be remitted to the Civil Penalty and Forfeiture Fund in accordance with G.S. 115C-457.2.
When the Board receives a complaint, staff and legal counsel review the allegations and evidence submitted. Once a determination has been made that an investigation should be commenced, an inquiry letter is sent to the CPA, allowing for a response to the allegations.
If you receive an inquiry letter, always respond. All CPAs are required to participate in inquiries from the Board. In a written response, be mindful of your tone and resist being argumentative or using unprofessional language. Provide the documentation requested, if any, in order to inform the Board and assist in their full and informed decision making. Experienced counsel at the inquiry stage can be quite helpful in determining the appropriate path of response. The Board is not obligated to provide counsel; however, every CPA has the right to be represented.
After their review of your response, the staff and legal counsel may send your reply to the Complainant for further information and response. The inquiry may end at this point if the determination is made that no violation has occurred.
If staff and legal counsel believe a violation has occurred, the Committee will be asked to review the complaint, any supporting documentation, and the response(s). Its duty is to recommend a resolution of the complaint to the full Board after weighing whether there is competent evidence to proceed. It may recommend closing the matter, requesting additional information, or allowing the matter to proceed down the disciplinary path. You or your counsel will be informed of its decision.
The Committee also has the ability to offer the CPA a resolution to settle the matter. The CPA (or their counsel) will receive the offer in the form of a consent order. This is an informal process, and a CPA should evaluate all the facts and violations alleged, as well as the sanction offered. Again, experienced counsel can assist with determining whether the offer of resolution proposed is reasonable or whether further due process is warranted. A public hearing, while expensive and time consuming for the CPA, may nonetheless be necessary.
Recovering From Los Angeles-Area Wildfires: Initial Steps After Loss or Damage to Your Home, Business or Other Property
Highlights
The January 2025 wildfires in Los Angeles have caused widespread destruction to homes, businesses, and other property, leaving affected individuals and businesses dependent on insurance for recovery
Insurance companies may attempt to deny or limit coverage in response to the surge of claims, making it important for policyholders to understand their rights and coverage options
Affected businesses and individuals should consider taking immediate steps, such as notifying insurers, documenting damages, reviewing insurance policies, and tracking additional living expenses to ensure comprehensive claims
The January 2025 Palisades, Altadena/Pasadena, and other wildfires in the Los Angeles area have fundamentally altered the lives of our clients, colleagues, friends, and family members, causing destruction and damage to homes, businesses, vehicles, educational and religious institutions, community centers, and other property. Affected people and businesses will be relying on their insurance companies to pay their loss and help them rebuild their lives. Insurance companies may respond to the wave of claims by looking for ways to deny and/or limit coverage.
In the aftermath of the fires, many policyholders may be unfamiliar with the first steps to consider taking from a best practices perspective after suffering a loss like this. A non-exhaustive list of initial steps to consider is as follows:
Put your insurance company on notice immediately of any claim or potential claim related to fire damage, such as from the Palisades fire. Depending on what has been damaged (e.g., structures or vehicles), multiple policies and insurers may be implicated. It is common to give notice of your loss through your insurance broker and/or agent.
Take time to locate and review complete copies of your insurance policies now. They may be available through your agent or broker or on the insurer’s website.
Review all applicable coverage and consider discussing with your broker or with insurance coverage counsel to understand the policy benefits to which you are entitled.
To the extent possible and once safe to do so, document all loss and damage from the fire, including both photos and videos. Preserve documentary evidence necessary to support your insurance claim.
Take an inventory of your personal property, furniture, appliances, etc., including gathering pictures and electronic or paper receipts documenting purchases.
Track and keep receipts of your extra living expenses while you are displaced, including receipts of meals, transportation, and hotels and other paid accommodations, etc.
Consider demanding that your insurance company advance all available policy benefits immediately, including but not limited to benefits for alternative housing or business interruption. Generally, alternative housing should be comparable to your living arrangements prior to the loss. Many policies also cover debris cleanup and provide various other coverages relevant to fire damage.
Expect the insurance company to try to minimize its financial obligations in response to your claim. Take time to thoroughly evaluate and consider all communications from your insurance carrier carefully and do not agree to their adjustment of the claim without fully understanding their methodology and logic.
Even if your home or business has not been destroyed, smoke in and of itself can cause recoverable damage under the meaning of property policies. Insurers often take the position that smoke damage alone is not covered. A best practice is not to accept this at face value.
Property policies often contain a shorter deadline to sue than other types of policies and contracts, sometimes as short as one or two years from the date of the loss. Carefully evaluate the deadline to sue in case any dispute with an insurer arises.
MiCAR in Practice: BaFin Publishes Guidance Note on Crypto-Asset Services
At the start of the year, the German Federal Financial Supervisory Authority (“BaFin”) published a guidance note (Merkblatt) on crypto-asset services under the new EU Regulation on Markets in Crypto-Assets (“MiCAR”). The regulation has applied directly to crypto-asset service providers in the EU since 30 December 2024.
The guidance note clarifies which crypto-asset services require authorisation and what is expected of providers. The key points at a glance:
Definitions of crypto-asset services: BaFin specifies the crypto-asset services that require authorisation and maps them to the already familiar investment services under MiFID II.
Authorisation of crypto-asset service providers: The guidance note sets out in detail when an authorisation requirement arises and which undertakings are eligible for authorisation.
Notification: Undertakings holding existing licences (e.g., credit institutions or investment firms) may provide certain crypto-asset services without a separate authorisation, but must notify BaFin in accordance with MiCAR (the so-called “notification”). The precise requirements for the notification are explained in the guidance note.
The guidance note gives crypto businesses practical orientation for meeting the new MiCAR regulatory requirements reliably and efficiently.
EU Taxonomy Developments: EU Platform on Sustainable Finance Call for Feedback on Draft Report on New Activities and Updated Technical Screening Criteria
On 8 January 2025, the EU Platform on Sustainable Finance (PSF) published a draft report and launched a call for feedback on proposed updates to the EU taxonomy. This includes revisions to the Climate Delegated Act and new technical screening criteria. Stakeholders are invited to submit feedback by 5 February 2025.
Key areas sought for feedback include:
Technical Screening Criteria (TSC): Updates to the criteria and Do No Significant Harm (DNSH) requirements to improve usability.
Revised Energy-Related Thresholds: Adjustments to ensure consistency and relevance.
Harmonization Efforts: Aligning activity titles and descriptions between Mitigation and Adaptation Annexes.
New Activities and Criteria: Proposals for activities in mining and smelting.
The PSF has noted that the most useful feedback, and the feedback most likely to be incorporated, is evidence-based and substantiated, concrete, and either explains usability issues or recommends improvements to the criteria or their usability.
Whilst this is not an official European Commission consultation, part of the PSF’s mandate is to provide recommendations to the European Commission on simplifying the EU Taxonomy and the wider sustainable finance framework. The review fulfils the legal requirement to revisit the criteria for transitional activities every three years, while continuing to develop technical screening criteria for new activities. The PSF’s Technical Working Group is said to have already incorporated usability feedback from targeted stakeholder consultations; this open call for feedback aims to gather additional input and further enhance the EU Taxonomy’s usability.
AI Versus MFA
Ask any chief information security officer (CISO), cyber underwriter, risk manager, or cybersecurity attorney which controls are critical for protecting an organization’s information systems, and multifactor authentication (MFA) will likely be at or near the top of every list. Government agencies responsible for helping to protect the U.S. and its information systems and assets (e.g., CISA, FBI, Secret Service) send the same message. But that message may be evolving a bit, as criminal threat actors have started to exploit weaknesses in MFA.
According to a recent report in Forbes, for example, threat actors are harnessing AI to break through the identity-verification and multifactor authentication controls designed to prevent new account fraud. “Know Your Customer” procedures are critical in certain industries, such as financial services and telecommunications, for validating the identity of customers. Employers increasingly face similar issues when recruiting, discovering after making the hiring decision that the person doing the work may not be the person who was interviewed for the position.
Threat actors have leveraged a new AI deepfake tool, available on the dark web, to bypass the biometric checks that have been used to stop new account fraud. According to the Forbes article, the process goes something like this:
“1. Bad actors use one of the many generative AI websites to create and download a fake image of a person.
2. Next, they use the tool to synthesize a fake passport or a government-issued ID by inserting the fake photograph…
3. Malicious actors then generate a deepfake video (using the same photo) where the synthetic identity pans their head from left to right. This movement is specifically designed to match the requirements of facial recognition systems. If you pay close attention, you can certainly spot some defects. However, these are likely ignored by facial recognition because videos are prone to have distortions due to internet latency issues, buffering or just poor video conditions.
4. Threat actors then initiate a new account fraud attack where they connect to a cryptocurrency exchange and proceed to upload the forged document. The account verification system then asks to perform facial recognition, where the tool enables attackers to connect the video to the camera’s input.
5. Following these steps, the verification process is completed, and the attackers are notified that their account has been verified.”
Sophisticated AI tools are not the only MFA vulnerability. In December 2024, the Cybersecurity & Infrastructure Security Agency (CISA) issued best practices for mobile communications. Among its recommendations, CISA advised mobile phone users, in particular highly targeted individuals:
Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals.
In its 2023 Internet Crime Report, the FBI reported more than 1,000 “SIM swapping” investigations. A SIM swap is another technique threat actors use, involving the “use of unsophisticated social engineering techniques against mobile service providers to transfer a victim’s phone service to a mobile device in the criminal’s possession.” Once the attacker controls the phone number, any SMS code sent to it arrives on the attacker’s device rather than the victim’s.
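The CISA guidance quoted above says an SMS code is not “phishing-resistant.” The following toy simulation, added here and not taken from the article, from CISA, or from any vendor, shows what that property means in practice: a one-time code typed into a look-alike phishing page can be relayed unchanged to the real site and will be accepted, whereas an assertion that the user’s authenticator binds to the origin it is actually talking to (the mechanism behind FIDO2/WebAuthn, simulated here with a plain HMAC rather than the real protocol) fails when relayed. The origins, user names, and keys are constructed for the example.

```python
"""
Added example (not from the article, CISA, or any product): why a relayed
SMS one-time code works for a phisher while an origin-bound assertion does not.
Toy simulation only; no real SMS, browser, or authenticator is involved.
"""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://bank.example"       # constructed for the example
PHISH_ORIGIN = "https://bank-example.com"   # constructed look-alike domain


class SmsOtpServer:
    """Sends a 6-digit code and accepts it from whoever presents it first."""

    def __init__(self):
        self.pending = {}

    def start_login(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code  # stands in for the SMS delivered to the victim's phone

    def finish_login(self, user, code):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


def sign(device_key, challenge, origin):
    """Authenticator signs the challenge together with the origin the browser
    reports (a stand-in for WebAuthn's origin field in clientDataJSON)."""
    msg = f"{challenge}|{origin}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class OriginBoundServer:
    """Issues a random challenge and only accepts an assertion computed over
    (challenge, its own origin) with the user's registered device key."""

    def __init__(self):
        self.keys = {}
        self.pending = {}

    def register(self, user, device_key):
        self.keys[user] = device_key

    def start_login(self, user):
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, assertion):
        challenge = self.pending.pop(user, None)
        key = self.keys.get(user)
        if challenge is None or key is None:
            return False
        expected = sign(key, challenge, LEGIT_ORIGIN)  # never the phisher's origin
        return hmac.compare_digest(expected, assertion)


def phish_sms_otp():
    """Adversary-in-the-middle: the phishing page forwards the victim's code."""
    server = SmsOtpServer()
    code_on_phone = server.start_login("alice")
    relayed_code = code_on_phone  # victim types it into the fake page; attacker forwards it
    return server.finish_login("alice", relayed_code)  # True: the code is accepted


def phish_origin_bound():
    """Same relay against the origin-bound scheme: the victim's authenticator
    signs for the phishing origin, so the relayed assertion is rejected."""
    server = OriginBoundServer()
    device_key = secrets.token_bytes(32)
    server.register("alice", device_key)
    challenge = server.start_login("alice")  # attacker fetches the real challenge
    assertion = sign(device_key, challenge, PHISH_ORIGIN)  # browser is on the fake site
    return server.finish_login("alice", assertion)  # False: origin mismatch


def legit_origin_bound():
    """Control case: the genuine login from the real origin succeeds."""
    server = OriginBoundServer()
    device_key = secrets.token_bytes(32)
    server.register("alice", device_key)
    challenge = server.start_login("alice")
    assertion = sign(device_key, challenge, LEGIT_ORIGIN)
    return server.finish_login("alice", assertion)  # True


if __name__ == "__main__":
    print("SMS code relayed by phisher accepted:", phish_sms_otp())
    print("Origin-bound assertion relayed by phisher accepted:", phish_origin_bound())
    print("Origin-bound assertion from real site accepted:", legit_origin_bound())
```

The point of the contrast is that the SMS server has no way to tell where the victim typed the code, while the origin-bound server rejects anything not signed for its own origin, so a relay through a look-alike domain fails even when the attacker has the victim’s full cooperation in real time. A SIM swap attacks the SMS scheme from the other side, by redirecting the code itself, and the origin-bound scheme is unaffected by it because nothing secret travels over the phone network.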
In December, Infosecurity Magazine reported on yet another MFA vulnerability, and there are many other reports of weaknesses in particular MFA implementations.
Are we recommending against the use of MFA? Certainly not. Our point is simply a reminder that there are no silver bullets for securing information systems, and that AI is not used only by the good guys. The practical lesson from the CISA guidance quoted above is to prefer phishing-resistant factors over SMS codes where the risk warrants it, not to abandon MFA. An information security program, preferably a written one (a WISP), requires continuous vigilance, and not just from the IT department, as new technologies are leveraged to bypass older ones.