FDIC Withdraws Proposed Rule on Brokered Deposits
On March 3, the FDIC announced the withdrawal of its proposed rule on brokered deposits, citing concerns regarding potential disruptions to the financial sector. This move follows significant pushback from industry stakeholders who argued that the proposed changes could have unintended consequences for liquidity management and market stability.
The proposed rule sought to alter the classification and regulatory treatment of brokered deposits by broadening the definition and imposing stricter reporting and supervisory requirements. It aimed to clarify which deposit arrangements qualified as brokered deposits and thus could have resulted in more deposits being subject to restrictions under the FDIC’s capital and liquidity rules. Industry participants also raised concerns that the changes could disrupt long-standing banking relationships, reduce funding access, and create additional disruptive compliance burdens.
The FDIC argued that brokered deposits pose risks to financial stability, particularly during times of market stress, contending that the proposed changes would help to mitigate potential overreliance on such funding sources. In its statement, the FDIC indicated that for any future regulatory action it takes related to brokered deposits, it will pursue such initiatives through new proposals or issuances that comply with the Administrative Procedure Act.
Putting It Into Practice: The withdrawal of the brokered deposits rule aligns with Acting Chairman Travis Hill’s stated commitment to streamlining the FDIC’s supervisory approach (previously discussed here). Given Hill’s focus on reducing regulatory burdens, financial institutions should expect further shifts in the FDIC’s approach to oversight.
CFPB Continues Lawsuit Over Alleged Military Lending Act Violations
On March 1, and despite recent policy shifts under the new administration, the CFPB sent a letter to the judge overseeing its lawsuit against a fintech lender in the United States District Court for the Southern District of New York, stating that it would proceed with its filed action. The lawsuit, originally filed in September 2022, alleges violations of the Military Lending Act’s (MLA) restrictions on extensions of credit to covered servicemembers. The complaint further alleges violations of the Consumer Financial Protection Act’s (CFPA) prohibitions on unfair, deceptive, or abusive acts or practices (UDAAPs).
The CFPB’s letter follows the court’s denial of the lender’s request to stay the case. In its stay request, the lender argued that the new administration needed time to reassess whether the enforcement action aligned with its regulatory priorities. Citing the CFPB’s broader enforcement pause under new leadership (previously discussed here), the lender contended that the lawsuit should be temporarily halted. However, the court rejected this argument and required the CFPB to clarify its position.
Specifically, the complaint alleges that the lender:
Exceeded the MLA’s 36% Rate Cap. The lender allegedly required military borrowers to pay membership fees as a condition of receiving credit, which resulted in an effective loan cost that exceeded the 36% cap imposed by the MLA.
Required Covered Borrowers to Submit to Arbitration. The lender allegedly included mandatory arbitration clauses in its loan agreements, in violation of the MLA’s prohibition of such clauses.
Failed to Make Mandatory Loan Disclosures. The lender allegedly did not provide covered borrowers with disclosures required under the MLA, including the Military Annual Percentage Rate (MAPR) and other key terms of the credit.
Restricted Consumers’ Ability to Cancel Memberships. The complaint alleges the lender violated the CFPA’s prohibition on deceptive acts or practices by making representations that consumers could cancel their memberships at any time while restricting cancellations for users with unpaid balances, effectively forcing them to continue accruing membership fees. In other cases, the lender refused to allow cancellation for users with unpaid membership fees, even after users had fully repaid their loans.
Putting It Into Practice: The CFPB’s decision to continue litigating this case signals that, despite leadership changes and the withdrawal of multiple lawsuits initiated by the previous administration (previously discussed here), certain Bureau enforcement priorities persist. Lenders should continue to monitor how the CFPB’s enforcement posture evolves under the new administration and adjust compliance strategies accordingly.
Hodl or Fold? The Insurance and Liability Minefield of Bitcoin for Business
Introduction
Cryptocurrency isn’t just for tech startups and X (formerly Twitter) enthusiasts anymore. Mainstream corporations are increasingly forced to consider Bitcoin—the undisputed “king” of crypto—and other digital-asset investments whether they are on board or not. Some, like Tesla and MicroStrategy (now rebranded as “Strategy”), have already poured billions into Bitcoin. Others, like Microsoft and Amazon, have fielded recent shareholder pushes to invest, while companies like GameStop are proactively positioning themselves to invest in Bitcoin and other crypto-related assets through updated, crypto-friendly investment policies. And with regulators starting to soften—think legal shifts and the White House’s recent announcement of a U.S. strategic crypto reserve—justifying a “no” might get tougher.
But whether a company “hodls” (crypto slang for holding an asset long-term) or “folds,” there are insurance and liability risks either way.
Reject Bitcoin? Shareholders could claim you failed to act in their best interest, and your directors and officers (D&O) insurers might leave you hanging.
Invest in Bitcoin? A cyberattack could wipe out your digital assets, and your crime or cyber insurer may deny coverage.
As recent legal and corporate developments show, companies need to think beyond the investment decision itself and assess the insurance-related implications of their decision to invest (or not invest) in Bitcoin, as well.
The Risk of Saying No: Could Shareholders Sue for Missing Bitcoin Gains?
Most boardrooms don’t associate Bitcoin with D&O insurance, but recent events suggest they should. For example, in December 2023, gaming retailer GameStop approved a policy authorizing CEO Ryan Cohen and a small committee of other executives to handle the company’s securities investments—including in digital assets like Bitcoin. In November 2024, the National Center for Public Policy Research (NCPPR) pressed Microsoft to assess whether Bitcoin could benefit its $484 billion in assets, mostly tied up in bonds and securities that the NCPPR said “barely outpace inflation.” The proposal urged a study on whether diversifying with Bitcoin would best serve shareholders’ long-term interests, arguing boards might have a fiduciary duty to consider a Bitcoin investment despite its short-term volatility. While Microsoft ultimately rejected the proposal, the retail giant Amazon is now facing a similar push. In December 2024, Amazon shareholders proposed allocating 5% of the company’s assets to Bitcoin. The proposal is awaiting a vote in April.
Historically, companies like Microsoft and Amazon could cite regulatory uncertainty as a reason to avoid Bitcoin. But with a friendlier U.S. regulatory stance taking shape—including the SEC’s recent dismissals of its cases against crypto exchanges Coinbase and Gemini, increased political support for the industry, and the White House preparing to host its first-ever “Crypto Summit” later this month where it will announce the creation of a national strategic crypto reserve that will house billions of dollars worth of Bitcoin and other large-cap cryptocurrencies—Bitcoin’s legitimacy as a corporate asset could become an issue. As crypto regulation stabilizes, corporate boards may begin to encounter scrutiny over whether they are responsibly considering Bitcoin as an investment option.
This recent shift in corporate and regulatory sentiment towards Bitcoin raises an important question: If Bitcoin’s value rises and a company chooses to stay out, could shareholders claim the board failed in its fiduciary obligations, and, if so, would the company’s insurance program provide protection?
This risk isn’t hypothetical. Bitcoin has surged over 50% just in the past year. And its decade-long run has been nothing short of staggering, rising from around $200-$300 in 2015 to peaks over $100,000 earlier this year—a gain of as much as 30,000%-40,000%. Even NVIDIA, one of the best-performing stocks of the era, has returned an estimated 25,000%-30,000%, making it one of the only public assets to come close—yet Bitcoin still edges it out.
While there has not (yet) been any reported litigation challenging a company’s decision not to invest in Bitcoin or other crypto-related assets, shareholders may begin to argue that a company’s refusal to consider a Bitcoin investment improperly disregarded significant potential benefits and undermined shareholders’ best interests. And while the strengths or weaknesses of their case could be debated, these recent instances of shareholder activism over investments in Bitcoin indicate that a lawsuit could be brought. If it is, the company will almost certainly want insurance coverage to defend against such allegations.
So, could a D&O policy cover a shareholder lawsuit alleging the board mismanaged corporate assets by rejecting Bitcoin? Notably, there is no standard form from the Insurance Services Office (ISO) for D&O insurance policies, and many such policies are manuscript—meaning they’re specifically drafted or tailored for an individual insured. Thus, while most D&O policies follow a general structure, and typically provide coverage for shareholder lawsuits alleging breach of fiduciary duty, the policy language can vary significantly between insurers and even between individual policies. Some policies may exclude claims involving speculative investments or financial decisions, which could be relevant in a Bitcoin-related lawsuit. Others may expressly exclude cryptocurrency-related claims altogether. If your company is fielding Bitcoin-related shareholder proposals or considering investment policy shifts to more freely allow investments in digital assets, it may be time to closely review your D&O policy language to ensure proper coverage for digital-asset-related investment decisions.
The Risk of Saying Yes: If You Buy Bitcoin, Can You Insure It?
For companies that do invest, the next challenge is securing those assets—and that’s where things get tricky. Saying “yes” to Bitcoin might juice your balance sheet, but it’s a magnet for thieves and scammers—and your crime or cyber insurers might not have your back. Just last month, crypto exchange Bybit lost $1.5 billion worth of Ether (the Ethereum network’s cryptocurrency) to an alleged North Korean hack, proving that even “secure” cold wallets (offline storage mechanisms) aren’t immune.
Crypto exchanges aren’t the only targets—corporate treasuries holding crypto are in the crosshairs too, and the losses sting just as badly. In December 2024, Web3 firm Hooked Protocol lost $9 million when hackers exploited a smart contract vulnerability. And in 2021, meatpacking giant JBS paid an $11 million Bitcoin ransom to regain access to its systems after a cyberattack—not a theft of corporate-owned crypto, but a forced payout from company funds. As more non-crypto-native companies move Bitcoin onto their balance sheets—just recently, three U.S.-based biotech firms each publicly pledged to buy $1 million worth—bad actors will be taking note.
So, can your cyber or crime policy cover Bitcoin theft? Cyber insurance might handle hacks or ransomware, but crypto? Policies built for data breaches may exclude “digital assets” or “speculative investments,” potentially leaving stolen Bitcoin uncovered. Crime insurance is better suited—think employee theft or third-party fraud—but many still define “money” as cash or traditional securities, not digital assets like Bitcoin. Social engineering scams (e.g., a CFO tricked into sending Bitcoin to a scammer) might slip through, too, unless you’ve got an endorsement for that.
Custody is another critical factor. If you hold Bitcoin in-house (whether in “hot” or “cold” storage), coverage might apply if “cryptocurrency” is explicitly listed as covered property. Store it with a third party, like Coinbase? Look for coverage for custodial losses. Additionally, insurers often impose exclusions and limitations that could restrict coverage. For example, “voluntary parting” (e.g., sending crypto to a scammer, even if duped) or “unsecured systems” (e.g., failing to implement multi-factor authentication) can endanger coverage. Insurers also hate crypto’s volatility—some cap payouts at the theft-day value, not a later cycle high.
As more companies explore Bitcoin investments, it’s critical to review existing cyber and crime policies to determine whether digital assets are adequately covered. Specialty crypto insurance products are emerging—offered by providers like Evertas and Coincover—but they’re far from standard. For now, companies holding Bitcoin should assume there are gaps in coverage unless their policy explicitly says otherwise and should take action to protect against those risks accordingly.
So, What’s the Play? Insurance Takeaways for Corporate Policyholders.
Bitcoin presents a double-edged risk—whether a company invests or not, there’s exposure on both the D&O and cyber/crime insurance fronts.
Here’s what policyholders should do:
If you’re rejecting Bitcoin: Review your D&O coverage to ensure it would respond to shareholder suits alleging mismanagement of investment strategy over digital assets, like Bitcoin.
If you’re investing in Bitcoin: Review your cyber and crime policies for coverage gaps—especially regarding digital asset theft, exchange insolvency, and fraud.
Bitcoin isn’t just an investment decision—it’s a liability and insurance minefield. Whether your company hodls or folds, the right coverage makes all the difference.
Executive Order Establishes Strategic Bitcoin Reserve and Digital Asset Stockpile
Bitcoin and other digital assets now have a welcome home in the United States government. On March 6, President Trump signed an executive order (the March 6 Order) establishing the Strategic Bitcoin Reserve and United States Digital Asset Stockpile. It implements a key component of the administration’s cryptocurrency framework outlined in the January 23 Executive Order, which directed the President’s Working Group on Digital Asset Markets to evaluate the feasibility of a national digital asset stockpile.[1] The March 6 Order creates mechanisms for centralizing and strategically managing federally owned digital assets previously scattered across government agencies.
Strategic Bitcoin Reserve vs. Digital Asset Stockpile: Key Distinctions
The March 6 Order creates the Strategic Bitcoin Reserve and the Digital Asset Stockpile, two distinct but related custodial accounts with different purposes and operational parameters. For each of the accounts, the Secretary of the Treasury is directed to establish dedicated offices to administer and maintain control of these accounts.
The Strategic Bitcoin Reserve is designed specifically for bitcoin (BTC) holdings and treats BTC as a reserve asset of strategic national importance. The reserve will be capitalized with BTC holdings from the Department of the Treasury that were forfeited through criminal or civil asset forfeiture proceedings. The March 6 Order also authorizes the Secretary of the Treasury and the Secretary of Commerce to develop strategies for acquiring additional BTC, provided these strategies are budget-neutral and “impose no incremental costs on American taxpayers.” BTC deposited into this reserve will not be sold and will be maintained as a long-term store of value. The March 6 Order cites BTC’s scarcity (with its permanent cap of 21 million coins) and security track record as key factors in this policy decision.
The United States Digital Asset Stockpile, by contrast, encompasses all digital assets other than BTC that have been forfeited to the Department of Treasury through civil or criminal proceedings. Unlike the Strategic Bitcoin Reserve, the Secretary of the Treasury retains discretion to determine “strategies for responsible stewardship” of these assets. The Order explicitly prohibits the acquisition of additional assets for the Stockpile beyond those obtained through forfeiture.
Implementation Timeline and Administrative Requirements
The Executive Order establishes an accelerated implementation schedule with specific deadlines:
Within 30 days: Each federal agency must provide a complete accounting of all digital assets in its possession and also review its legal authority to transfer government BTC to the Strategic Bitcoin Reserve and other digital assets to the Digital Asset Stockpile.
Within 60 days: The Secretary of the Treasury must deliver an evaluation of legal and investment considerations for establishing and managing both the Reserve and Stockpile, including recommendations for necessary legislation.
Context and State-Level Developments
The establishment of these custodial accounts addresses what the administration characterizes as a “crypto management gap” in which digital assets seized through forfeiture have been scattered across various federal agencies without clear management policies. According to the fact sheet accompanying the March 6 Order, premature sales of bitcoin have cost US taxpayers over $17 billion in lost appreciation.
The federal initiative comes as states are pursuing similar strategies. On the same day as the March 6 Order, the Texas Senate passed Senate Bill 21 in a 25-5 vote, which would establish a Strategic Bitcoin Reserve at the state level. The bill, which now awaits the governor’s signature, would make Texas the first state to create its own bitcoin holdings. Texas is one of many states that have introduced bitcoin reserve legislation, including Arizona, Alabama, Florida, Illinois, Massachusetts, Missouri, New Hampshire, North Dakota, Ohio, Oklahoma, Pennsylvania, Utah, Kansas, Wyoming and Kentucky. These efforts demonstrate the growing recognition by US governmental entities of the uses and benefits of digital assets and portend renewed US leadership on digital asset policy and innovation.
FOOTNOTES
[1] See Katten’s coverage of the January 23 Executive Order here.
Cross-Border Catch-Up: Remote Work Updates from New Zealand and the United Arab Emirates [PODCAST]
In this episode of our Cross-Border Catch-Up podcast series, Goli Rahimi (Chicago) and Kate Thompson (New York/Boston) discuss recent developments in remote work regulations, with a focus on New Zealand and the United Arab Emirates (UAE). Kate and Goli highlight New Zealand’s relaxed visa requirements, which now allow digital nomads to work remotely from the country for up to nine months. They also cover the Abu Dhabi Global Market’s introduction of new employment regulations designed to facilitate remote work, including provisions for necessary tools, cybersecurity measures, and fair treatment of remote employees in the UAE.
Regulation Round Up: February 2025
Welcome to the Regulation Round Up, a regular bulletin highlighting the latest developments in UK and EU financial services regulation.
Key developments in February 2025:
28 February
FCA Handbook Changes: The Financial Conduct Authority (“FCA”) published Handbook Notice 127, which sets out changes to the FCA Handbook made by the FCA board on 30 January and 27 February 2025.
27 February
Economic Growth / Consumer Duty: The FCA published a speech on, among other things, how the FCA is working to support growth initiatives in the economy and its approach to the Consumer Duty.
FCA Regulation Round‑up: The FCA published its regulation round‑up for February 2025. Among other things, it covers the launch of a new companion tool to the Financial Services Register and future changes to the pre‑application support services the FCA offers.
26 February
Reserved Investor Funds: The Alternative Investment Funds (Reserved Investor Fund) Regulations 2025 (SI 2025/216) were published, together with an explanatory memorandum. The Reserved Investor Fund is a new UK‑based unauthorised contractual scheme with lower costs and more flexibility than the existing authorised contractual scheme.
ESG: The European Commission proposed an Omnibus package on sustainability (here and here) to amend the sustainability due diligence and reporting requirements under the Corporate Sustainability Due Diligence Directive ((EU) 2024/1760) and the Corporate Sustainability Reporting Directive ((EU) 2022/2464). Please refer to our dedicated article on this topic here.
ESG: The European Commission published a call for evidence on a draft Delegated Regulation amending the Disclosures Delegated Act ((EU) 2021/2178) (Ares (2025) 1532453), the Taxonomy Climate Delegated Act (Commission Delegated Regulation (EU) 2021/2139) and the Taxonomy Environmental Delegated Act (Commission Delegated Regulation (EU) 2023/2486).
FCA Asset Management / Alternatives Supervision: The FCA published a portfolio letter explaining its supervision priorities for asset management and alternatives firms.
Cryptoassets: ESMA published the official translations of its guidelines (ESMA35‑1872330276‑2030) on situations in which a third‑country firm is deemed to solicit clients established or situated in the EU and the supervision practices to detect and prevent circumvention of the reverse solicitation exemption under the Markets in Crypto Assets Regulation (EU) 2023/1114 (“MiCA”).
24 February
Artificial Intelligence: The FCA published a research note on AI’s role in credit decisions.
Suitability Reviews / Ongoing Services: The FCA published a webpage and press release containing the findings of its multi‑firm review of suitability reviews and whether financial advisers are delivering the ongoing services that consumers have paid for.
21 February
Cryptoassets: The Financial Stability Board published summary terms of reference for its thematic peer review on its global regulatory framework for cryptoasset activities.
20 February
PRA Policy: The Prudential Regulation Authority (“PRA”) published a policy statement (PS3/25) on its approach to policy.
Digital Operational Resilience: Two Commission Regulations supplementing the Regulation on digital operational resilience for the financial sector ((EU) 2022/2554) (“DORA”) were published in the Official Journal of the European Union (here and here).
17 February
Cryptoassets: ESMA published a consultation paper (ESMA35‑1872330276‑2004) on guidelines for the criteria to assess knowledge and competence under MiCA.
14 February
ESG: The FCA updated its webpage on its consultation paper on extending the sustainability disclosure requirements (“SDR”) and investment labelling regime to portfolio managers. Please refer to our dedicated article on this topic here.
ESG: The City of London Law Society published its response to HM Treasury’s November 2024 consultation on the UK green taxonomy.
Authorised Funds: The FCA published a document setting out its expectations on authorised fund applications.
Financial Sanctions: The Office of Financial Sanctions Implementation published a threat assessment report covering financial services.
13 February
Financial Regulatory Forum: HM Treasury published a statement following the third meeting of the joint UK‑EU Financial Regulatory Forum on 12 February 2025.
12 February
EU Competitiveness: The European Commission adopted a Communication setting out its vision to simplify how the EU works by reducing unnecessary bureaucracy and improving how new EU rules are made and implemented to make the EU more competitive.
European Commission 2025 Work Programme: The European Commission published a communication outlining its work programme for 2025 (COM(2025) 45 final).
10 February
Artificial Intelligence: The European Commission published draft non‑binding guidelines to clarify the definition of an AI system under the EU AI Act.
5 February
ESG: The EU Platform on Sustainable Finance published a report setting out recommendations to simplify and improve the effectiveness of taxonomy reporting. Please refer to our dedicated article on this topic here.
3 February
Payments: The FCA published a portfolio letter sent to payments firms setting out its priorities for them and actions it expects them to take.
Artificial Intelligence: The House of Commons Treasury Committee launched an inquiry into AI in financial services and published a related call for evidence.
Sulaiman Malik and Michael Singh contributed to this article
EDPB Launches Coordinated Enforcement Framework Action on the Right to Erasure
On March 5, 2025, the European Data Protection Board (“EDPB”) announced the launch of its latest Coordinated Enforcement Framework action (“CEF action”) addressing the right to erasure. The new CEF action follows the EDPB’s 2024 CEF action on the right of access.
During the course of 2025, 32 data protection authorities (“DPAs”) across the European Economic Area will take part in this initiative. The EDPB selected the right to erasure for the 2025 CEF action on the basis it is one of the most frequently exercised rights under the European General Data Protection Regulation and one which is frequently the basis of complaints to DPAs from individuals.
As part of the 2025 CEF action, DPAs will contact controllers from various sectors and may conduct fact-finding exercises or open new investigations. DPAs will evaluate how controllers handle and respond to the requests for erasure that they receive and, in particular, how they apply the conditions and exceptions for the exercise of this right.
Read the Press Release.
Robots and Red Tape With Kamyar Maserrat [Video]
Kamyar Maserrat (Senior Counsel, Washington, D.C.) joined Robots and Red Tape to explore quantum computing and how it will change the computing ecosystem.
Tax Transparency and Data Privacy — Which Wins?
As tax authorities embrace new digital technologies, the issue of safeguarding citizens’ data privacy rights steps to the fore. Since the implementation of the EU General Data Protection Regulation (GDPR) in 2018, there has been a greater focus on data privacy from both the public and organisations. At the same time, the cooperative international effort to combat offshore tax evasion has been steadily increasing. Several information-sharing regimes have been conceived to allow tax authorities to share information globally relating to financial accounts and investments under Automatic Exchange of Information Agreements.
In J Webster v HMRC [2024] EWHC 530 (KB), Ms. Webster, a US citizen, brought a case against His Majesty’s Revenue and Customs (HMRC) regarding information sharing under the Foreign Account Tax Compliance Act. At the centre of this case stands the question of which wins — tax transparency or data privacy?
Automatic Exchange of Information (AEOI)
The United Kingdom shares information with foreign tax authorities under two specific regimes:
1. Foreign Account Tax Compliance Act (FATCA): The FATCA regime is US-specific. Financial institutions outside of the United States are required to provide the US tax authorities with information relating to the foreign financial accounts of US individuals. Information includes, for example, the individual’s name and address, account balance and amount of interest accrued.
2. Common Reporting Standard (CRS): Nicknamed “global FATCA” by commentators at its inception, the CRS requires the automatic exchange of financial account information between tax authorities globally. The information shared is largely the same as that under FATCA, with the addition of individuals’ dates and (in some cases) places of birth.
In practice, financial institutions in the United Kingdom supply the required data to HMRC, which then provides it to the relevant tax authorities on an annual and automatic basis.
The GDPR
Data privacy in the United Kingdom is regulated by the UK GDPR (the retained version of the EU GDPR) and the Data Protection Act 2018. Under Article 4(1) of the UK GDPR, personal data means any information relating to an identified or identifiable natural person. There are seven key principles for processing personal data (found in Article 5, UK GDPR). Broadly, these require that personal data is: (i) processed lawfully, fairly and transparently, (ii) collected for specified, explicit and legitimate purposes only, (iii) limited to what is necessary for the purposes (minimisation), (iv) accurate, (v) not stored longer than necessary, and (vi) processed in a manner that ensures appropriate security of the data. Finally, the data controller must be responsible for and able to demonstrate compliance with the preceding six principles.
Importantly, personal data must only be transferred outside of the United Kingdom if the receiving country has an adequate level of protection for data subjects in place (Article 45, UK GDPR) or appropriate safeguards for the transfer of personal data are in place (Article 46, UK GDPR).
So, Which Wins?
Ms. Webster argued that information sharing between tax authorities under the FATCA regime breached her data privacy and human rights. In summary, she claimed that there were no appropriate safeguards in place for the transfers by HMRC and that US law failed to provide adequate levels of protection. Additionally, the data transfers allegedly fell foul of the principle of proportionality, as bulk processing did not account for Ms. Webster’s personal circumstances — specifically, that Ms. Webster had no US tax obligations (having modest income in the United Kingdom and owning no assets or income in the United States).
Unfortunately, the central question of “which wins?” remains unanswered. The judgment focused more on questions of procedure than substance — for example, as argued by HMRC, whether the claim should have been brought via judicial review and was, therefore, an abuse of process.
However, it is not difficult to see some merit in Ms. Webster’s claim. The aims of FATCA and the CRS are clearly worthy, and tax transparency is important. However, since personal data is processed automatically and whether an individual poses any real risk of tax evasion is immaterial to that processing, it is unconvincing that the principles of proportionality and data minimisation are comfortably being met.
Information-sharing regimes have been challenged in other countries as well. For example, the Belgian Data Protection Authority has argued (in a decision that has since been annulled) that data exchanges under FATCA violate the EU GDPR since more information than necessary is shared and the purposes for the data transfers are insufficiently defined. The Slovakian Data Protection Authority also challenged FATCA on the grounds that the AEOI Agreement under which data transfers took place did not contain the necessary safeguards to transfer personal data to third countries.
It is widely agreed that the GDPR is far more comprehensive than US privacy laws — some might remember the highly publicised “Schrems II” case from 2020[1] where the Court of Justice of the European Union declared that US privacy laws fail to ensure an adequate level of protection. Recent news about the US Treasury being hacked also inevitably raises concerns about the security of the personal data transferred, and with President Donald Trump’s firing of Democratic members of the Privacy and Civil Liberties Oversight Board since the beginning of his second term, more widespread privacy concerns now linger.
We will have to wait and see how the tension between tax transparency and data privacy culminates. A judgment that focuses on the merits of Ms. Webster’s concerns would bring us some much-needed answers. However, what is clear is that there is pressure on tax authorities to address concerns relating to the data privacy of individuals, which are not subsiding.
¹ Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18.
Georgia Griesbaum contributed to this article.
Cybersecurity in the Nuclear Industry: US and UK Regulation and the Sellafield Case
Key Points:
Real-world examples from both the U.S. and U.K. demonstrate that nuclear facilities are being targeted by sophisticated cyber attackers, including state actors. This isn’t just a theoretical risk—it’s happening now, and facilities must take it seriously.
The successful prosecution of Sellafield with significant fines (£332,500) shows that regulators are now willing to take strong enforcement action, even when no actual breach has occurred. Nuclear facilities cannot afford to wait for an incident before improving their cybersecurity—they must be proactive.
With both the U.S. and U.K. strengthening their regulatory frameworks and increasing enforcement powers, nuclear facilities should take steps now to review and upgrade cybersecurity measures. This includes not just updating technical controls, but also ensuring compliance with security plans, auditing systems, and maintaining proper documentation.
National security regulators are particularly concerned about the vulnerabilities of nuclear facilities to cyberattacks. In March 2022, the U.S. Justice Department unsealed criminal indictments against four agents of the Russian government, charging them with offenses related to cyber “spearphishing attacks” which compromised the business network of the Wolf Creek Nuclear Operating Corporation (WCNOC) in Burlington, Kansas. Also of note is the October 2024 prosecution and conviction of Sellafield Ltd in the U.K. for three offenses involving inadequate cybersecurity controls. In that case, the company (rather than the hacker) was charged by the Office for Nuclear Regulation (ONR) for failing to protect sensitive nuclear information and for failure to follow its own cybersecurity plan between 2019 and 2023.
Fortunately, the nuclear facilities in both cases were not materially compromised. Nevertheless, the targeting of nuclear facility operators demonstrates that malicious actors intend to exploit cyber vulnerabilities within the nuclear industry.
U.S. Regulatory Framework
The Nuclear Regulatory Commission (“NRC”) has been active in establishing rules and guidelines to enhance the cybersecurity of U.S. nuclear facilities:
10 CFR Part 73.54: One of the NRC’s key regulatory frameworks that includes cybersecurity requirements, the regulation mandates that nuclear facilities establish and maintain a cybersecurity program to protect digital assets critical to safety, security, and emergency preparedness.
Regulatory Guide 5.71: In February 2023, the NRC revised its regulatory guide to provide detailed guidance on implementing cybersecurity measures. It outlines a defensive strategy that includes the identification of critical digital assets, continuous assessment of threats, and implementation of protective measures.
Nuclear Energy Institute (NEI) 08-09 (2018 Addendum): This document, developed by the nuclear industry with NRC’s endorsement, offers a comprehensive framework for cybersecurity programs. It emphasizes a risk-informed approach, allowing facilities to tailor their cybersecurity measures based on specific threats and vulnerabilities.
In 2013, the NRC’s Office of Nuclear Security and Incident Response established a Cyber Security Branch (CSB) to strengthen internal governance of the agency’s regulatory activities. Today, the NRC actively monitors threats associated with cybersecurity against NRC-licensed facilities. The CSB maintains a dedicated cyber assessment team responsible for analysing and evaluating real-world cyber incidents.
The team evaluates whether an identified threat could impact licensed facilities and makes recommendations for NRC actions and communications to the licensees. The NRC also coordinates with other intelligence and law enforcement communities including the National Counterterrorism Center, the Department of Homeland Security’s U.S. Computer Emergency Response Team, and the Federal Bureau of Investigation in working to prevent cyberattacks.
U.K. Regulatory Framework
The U.K. Nuclear industry is subject to a range of different cybersecurity regulations that all have at their heart the concept that effective cybersecurity is a mandatory requirement. These rules have existed in various forms over the years, but there is now increasing activity by regulators to strictly enforce them.
The overarching framework is set out in the Civil Nuclear Cyber Security Strategy 2022. This strategy aims to strengthen the cybersecurity posture of the U.K. civil nuclear sector over five years. It focuses on four key objectives:
Risk Management: Prioritizing cybersecurity as part of a holistic risk management approach.
Risk Mitigation: Proactively addressing cyber risks, including those from legacy systems and new technologies.
Incident Management: Enhancing resilience by preparing for and responding to cyber incidents collaboratively.
Culture and Skills: Promoting a positive security culture and developing cyber skills within the sector.
Underpinning this strategy is an overlapping (and growing) regime of cybersecurity laws:
The Nuclear Industries Security Regulations 2003 (“the NISR”) governs a wide range of security issues, including obligations to ensure that “sensitive nuclear information” is kept secure.
The Network and Information Security Regulations (“NIS 1”) designates nuclear sites as critical infrastructure and imposes an obligation to implement “appropriate technical and operational measures” to protect IT systems and to ensure continuity of service.
Whilst these regimes have been in place for some time, regulators recently stepped up enforcement to ensure compliance with these laws as was evidenced by the recent prosecution of Sellafield.
The Sellafield Case
Sellafield Ltd, the company licensed to operate the Sellafield nuclear decommissioning and waste site, received a fine in October 2024 of £332,500 after pleading guilty to three offences relating to inadequate cybersecurity controls and procedures that it had in place across a four-year period.
The prosecution was brought by the U.K.’s independent nuclear regulator (the Office for Nuclear Regulation (“ONR”)) following its investigation where it had identified that Sellafield Ltd had failed to meet the requisite standards, procedures and arrangements set out in its own approved plan for cybersecurity as required under the NISR.
The ONR’s case was not brought on the basis that there had been an actual exploitation of the security failings (seemingly because there was a lack of evidence that attacks had been successful, rather than conclusive proof that the attacks were stopped). The basis of the prosecution was Sellafield’s unsatisfactory performance in relation to the management of its IT systems, and that had the vulnerabilities been exploited by attackers, it could have led to the unauthorised access to critical systems and loss of key data resulting in disrupted operations, damaged facilities and the delay of important decommissioning activities. In particular, Sellafield failed to comply with its own cybersecurity plan and failed to undertake annual checks on the security of its operational and information technology systems.
Following its guilty plea to three offences under the NISR, Sellafield Ltd was ordered to pay a fine of £332,500, along with prosecution costs of £53,253.20. Despite the successful prosecution, the ONR has reported that the cybersecurity failings have yet to be fixed and are subject to ongoing required improvements.
Going forward, the U.K. legal regime is only going to get stronger. The Government has announced that it plans to introduce a new Cyber Security and Resilience Bill which intends to strengthen the U.K.’s operational resilience to cyber threats by, amongst other things:
Updating the existing (NIS1) regime to ensure that more essential services are protected, including by increasing the scope of digital services and supply chains within the regime;
Increasing regulators’ powers through introducing new cost recovery mechanisms and the ability to proactively investigate potential vulnerabilities (similar to the U.S.’s 2022 update to inspection procedure 71130); and
Expanding reporting requirements.
It is worth noting that the European Union’s transition from NIS 1 to NIS 2 demonstrates a strengthened approach to cybersecurity, featuring expanded scope, more detailed requirements, and enhanced enforcement measures. This update emphasizes the EU’s dedication to protecting critical infrastructure and extends security obligations to equipment suppliers and service providers. The U.K. Government is likely to use NIS 2 as a model when developing its own Cyber Security and Resilience Bill.
Looking Ahead
U.S. and U.K. regulators are focused on ensuring that organisations providing essential services, and their related key digital suppliers, implement sufficient technical controls to enhance the level of cybersecurity and help protect critical infrastructure. Those in the nuclear industry will be at the sharp edge of these changes and should take the opportunity to review their operational and technical cybersecurity measures now to ensure they are fit for purpose.
FROM CORN DOGS TO COURTROOMS: Sonic’s Texts Might Cost More Than a Combo Meal
Quick update here for you. Have you ever received a text about a fast food deal you never signed up for? Usually, I receive these texts because I signed up for some deal, like a free milkshake or a discount. That is the trade-off. You get a coupon; in return, you let them send you marketing you can opt out of. Well, Plaintiff in this newly filed class action lawsuit says he has, and he is taking Sonic Drive-In to court over it. The lawsuit, filed in the United States District Court for the Western District of Oklahoma, accuses Sonic of sending promotional texts to consumers who had placed their numbers on the National DNC Registry. See Brennan v. Sonic, Inc., No. 5:25-CV-00280 (W.D. Okla. filed Mar. 4, 2025).
According to the Complaint, Plaintiff added his number to the DNC Registry on February 3, 2024. That should have stopped unsolicited marketing texts, but by March 6, Sonic was already sending him offers for grilled cheese and 99-cent corn dogs. The Complaint details texts sent on March 6, March 11, March 13, March 15, and March 20. Plaintiff claims he never provided his phone number to Sonic, never had a business relationship with them, and never opted into any rewards program. So how did Sonic get his number? Interesting…
The lawsuit argues that Sonic’s “impersonal and generic” messages, their frequency, and the lack of consent all suggest that Sonic used an automatic telephone dialing system (“ATDS”).
This is where things make me ponder. This is not Plaintiff’s first TCPA lawsuit. He has previously filed complaints against Pizza Hut, DirecTV, Meyer Corporation, and Transfinancial Companies. That is a stacked lineup of big-name defendants. That track record raises some interesting questions. Is Plaintiff an unlucky mass marketing recipient, or is something else at play here? Is this about stopping unlawful texts, or is Plaintiff turning TCPA enforcement into a side hustle? Either way, it puts Sonic in a tough spot. This is where Troutman Amin always steps up to the plate for stellar legal work.
Beyond the Plaintiff’s individual claims, this lawsuit covers a broader group of consumers who allegedly received these messages. The Complaint defines two classes. The DNC Registry Class includes those on the registry but still got texts. Additionally, the Autodialed Text Class covers anyone who received automated marketing texts from Sonic without providing written consent.
If the Court sides with Plaintiff, Sonic might find itself in a legal pickle that no amount of tots and milkshakes can fix—no pun intended. We’ll be sure to keep you posted.
FCC’s New Consent Revocation Rule Set to Take Effect in April 2025
The Federal Communications Commission (FCC) has a new rule under the TCPA for revocation of consent for robocalls and text messages set to go into effect on April 11, 2025. This rule is designed to give consumers greater control over their ability to withdraw consent for marketing communications. Businesses that use text messaging and robocalls to communicate with customers should be reviewing their policies to ensure readiness with the new requirements.
Key Provisions of the New Rule
The FCC’s regulation prevents businesses from requiring consumers to use a specific method to revoke consent. Instead, consumers must be able to withdraw consent using any reasonable means that clearly conveys their request to stop receiving further calls or messages.
To provide clarity, the FCC has identified several standardized keywords — including “stop,” “quit,” “revoke,” “opt out,” “cancel,” “unsubscribe,” and “end” — that must be honored as explicit revocation requests. Additionally, the regulation establishes that opt-out requests submitted via automated or interactive voice response systems are presumed valid unless proven otherwise.
Burden of Proof on Businesses
When a consumer uses a method outside of those listed in the order to revoke consent, a rebuttable presumption is created that the consumer’s request is valid unless the sender can demonstrate otherwise. If a business’s texting system does not support reply messages, it must clearly disclose this limitation in each message and offer an alternative, reasonable method for revocation.
Shortened Compliance Timeframe
Previously, companies had more flexibility in processing opt-out requests, but the new rule mandates compliance within 10 business days of receiving a revocation request. Additionally, the rule expands the definition of consent revocation, specifying that withdrawing consent for one type of robocall or text message applies to all robocalls and texts from that sender.
Confirmatory Opt-Out Texts Allowed
One aspect of the rule has already gone into effect: Businesses may send a single confirmation text acknowledging the consumer’s opt-out request, provided that it contains no promotional content and is sent within five minutes of the revocation request. In cases where consumers have signed up for multiple types of messages, businesses may ask for clarification about which messages they wish to discontinue. However, if the consumer does not respond, the request must be interpreted as revoking consent for all robocalls and texts from that sender.
What Businesses Need to Know
At the moment, there are no legal challenges to this forthcoming FCC rule. Organizations — especially those engaged in business-to-business (B2B) outreach — should start preparing for compliance with these upcoming changes. The 10-day compliance window and the broad scope of revocation requests mean that companies may need to adjust existing consent management practices to remain in compliance with TCPA regulations.
With the new rule set to take effect soon, businesses should review their opt-out procedures, update their compliance policies, and ensure their customer communication platforms can accommodate these regulatory changes to avoid potential penalties.