SEC Actions in Review: What Officers and Directors Should Know for 2025

As the regulatory landscape continues to evolve, public company officers and directors must stay abreast of the enforcement priorities and expectations of the Securities and Exchange Commission (SEC). Over the past year, the SEC has brought various enforcement actions that involve the oversight and reporting obligations of management and boards. These cases highlight potential blind spots in corporate compliance programs. This article summarizes recent enforcement actions related to director independence, cybersecurity, insider “shadow” trading, internal investigations, executive compensation, beneficial ownership and insider transaction reports, and Artificial Intelligence. Despite the change in administration, public company officers and directors should view these as potential areas of continued SEC focus over the upcoming year.
Director Independence
In September 2024, the SEC announced it had settled[1] charges against a director of an NYSE-listed consumer packaged goods company for violation of the proxy rules, for failure to disclose in his D&O questionnaire information about his close friendship with an executive officer, which caused the company to falsely list him as an independent director in its proxy statement.[2] This undisclosed relationship included multiple domestic and international paid vacations with the executive.[3] The director also allegedly provided confidential information to the executive about the company’s CEO search and instructed the executive to withhold information about their personal relationship to avoid the impression that the director was biased toward the executive becoming CEO of the company.[4] The director agreed to a civil penalty of $175,000, a five-year officer and director bar, and a permanent injunction from further violations of the proxy rules.
Takeaway: For directors, this case underscores the importance of being “honest, truthful, and forthright”[5] when completing D&O questionnaires and not treating them as mere formalities that are rolled forward from one year to the next. This enforcement action further shows that material misstatements and omissions in the D&O questionnaire can give rise to a direct violation of the proxy disclosure rules against the director for causing a company’s proxy statements to contain false and misleading statements. The determination of independence can be complex. However, directors are not tasked with making that determination themselves; they merely must disclose all relevant facts in their D&O questionnaires, including social relationships with management.
Cybersecurity
In October 2024, the SEC announced settlements with four issuers for misleading disclosures regarding cybersecurity risks and intrusions.[6] These cases stemmed from an ongoing investigation of companies impacted by the two-year-long cyberattack against a software company, which the SEC charged a year earlier for failure to accurately convey its cybersecurity vulnerabilities and the extent of the cyberattack.[7] Each issuer charged by the SEC in October 2024 utilized this company’s software and discovered the actor likely behind the software company’s breach also had accessed their systems, but according to the SEC, their public disclosures minimized or generalized the cybersecurity incidents. Specifically, two of the issuers failed to disclose the full scope and impact of the cyberattack, including the nation-state nature of the threat actor, the duration of the malicious activities, and in one case[8] the number of compromised files and the large number of customers whose information was accessed, as well as in another case the percentage of code that was compromised.[9] The other two issuers failed to update their risk disclosures in SEC filings and instead framed cybersecurity risks and intrusions as general and not material[10] or in hypothetical terms[11] rather than disclosing the actual malicious activities and their impact on the company.
The SEC charged each issuer with violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act (which prohibit misleading statements or fraud in connection with the offering or sale of securities) and Section 13(a) of the Exchange Act and Rules 13a-1, 13a-11, 13a-13, and 13a-15(a) thereunder (rules related to required filings for public companies, including requirements that such filings include any material information to ensure filings are not misleading, and companies have internal controls and procedures over financial reporting). One of the companies also was charged with disclosure controls and procedures violations. While each issuer received credit for cooperating in the SEC investigation, the settlements included civil penalties ranging from $990,000 to $4 million.
Takeaway: When a cybersecurity breach is identified, the board and management must ensure their company’s disclosures are accurate, current, and tailored to the company’s “particular cybersecurity risks and incidents.”[12] Indeed, the SEC’s cybersecurity disclosure rules, adopted on July 26, 2023, specifically require registrants to, among other things, report on Form 8-K any cybersecurity incident deemed to be material and to disclose on Form 10-K the registrant’s processes for assessing, identifying, and managing material risks from cybersecurity threats, the material impacts of cybersecurity threats and previous incidents, and specific information relating to the role of the board and management in identifying and managing such risks.[13] As the SEC stated, “Downplaying the extent of a material cybersecurity breach is a bad strategy”[14] and, as these cases demonstrate, can subject the company to an enforcement investigation and action. Navigating cybersecurity disclosure obligations, however, especially when the breach is ongoing and the origin and impact is not fully understood, presents unique challenges for issuers. And despite the dissenting opinion in the October 2024 cybersecurity enforcement cases by two of the SEC commissioners, who believed the omitted details were not material to investors, the board and management must constantly evaluate whether their company’s cybersecurity risk disclosures, as well as the disclosed scope and impact of any material breach, are sufficiently detailed and remain accurate throughout the company’s investigation.
Insider “Shadow” Trading
In April 2024, the SEC won a jury verdict in an insider trading case based on a “shadow” insider trading theory.[15] Shadow trading involves an insider’s misappropriation of confidential information about the insider’s company to trade in securities of another company where there is a sufficient “market connection” between the two companies. In this case, the SEC alleged, and the jury found, the defendant used confidential information about a potential acquisition of the biotech company he worked for to purchase call options in a second biotech company in the belief its stock price would materially increase after the deal involving his company was publicly announced. What was novel about this case is the lack of commercial connection between the two companies and the fact that the confidential information did not directly relate to the company whose securities the defendant traded in.[16] The nexus between the two companies that served as the basis for the SEC’s insider trading charges was that they were both operating in a field where viable acquisition candidates were scarce, such that the announcement of the sale of the insider’s company was likely to drive up the stock price of the other company.
Takeaway: Officers and directors should take note of this case and, pending further judicial developments, should refrain from shadow trading when in possession of material non-public information (MNPI). Indeed, corporate insider trading policies and codes of conduct often prohibit trading in the securities of publicly-traded customers, vendors, and other commercial partners when an insider is in possession of MNPI. Further, the SEC’s success in this civil case, and the existence of criminal penalties for insider trading, creates an additional risk of criminal prosecution. In short, officers and directors should avoid becoming embroiled in allegations of shadow trading, which could be costly to defend, cause reputational damage, and lead to the imposition of significant sanctions.
Internal Investigations
The SEC has made clear that when a company fails to investigate and remediate wrongful conduct, it will hold officers and directors responsible even if they may not have been involved in the underlying violation. And when a board and management take prompt action to investigate, remediate, and self-report, the SEC will “reward [] meaningful cooperation to efficiently promote compliance” in the form of reduced charges and/or sanctions.[17]
In September 2024, the SEC brought unsettled civil fraud charges in federal court against the former CEO, former CFO, and former director and audit committee chair of a bankrupt (formerly Nasdaq-listed) software company for their roles in an alleged scheme that resulted in the company overstating and misrepresenting its revenues in connection with two public stock offerings that raised $33 million.[18] The SEC alleged that while the CEO initiated and directed the fraud, the CFO and director received a complaint from a senior company employee regarding revenue concerns about the main product disclosed in the offering materials, but other than consulting with outside counsel, they failed to investigate the employee’s concerns or correct the potential misstatements. As a result, both signed public filings that contained false and misleading statements and, in connection with the year-end audit, falsely represented to the outside auditors that they had no knowledge of any complaints regarding the company’s financial reporting. The SEC is seeking disgorgement of ill-gotten gains, civil penalties, and officer-and-director bars against each defendant. In its press release, the SEC warned, “This case should send an important signal to gatekeepers like CFOs and audit committee members that the SEC and the investing public expect responsible behavior when critical issues are brought to their attention.”[19]
In stark contrast, in December 2024 the SEC declined to impose a civil penalty in a settled administrative cease-and-desist action against a publicly-traded biotechnology company due to its self-reporting, proactive remediation, and meaningful cooperation.[20] The SEC credited the company’s board for (1) forming an independent special committee, which hired outside counsel to conduct an investigation into two anonymous complaints; (2) adopting the special committee’s remediation recommendations, including appointing an interim CEO, establishing a disclosure committee, and appointing two new independent directors; and (3) self-reporting the results of the internal investigation.[21] The SEC filed separate settled charges against the former CEO and former CFO for misleading investors about the status of FDA reviews of the company’s drug candidates related to a follow-on public offering. Among other sanctions, the CEO and CFO agreed to civil penalties, and the CEO agreed to an officer-and-director bar.[22]
Similarly, in a settled action announced in September 2024, the SEC credited a former publicly-traded technology manufacturer for conducting an internal investigation, self-reporting the investigation results, and implementing remedial measures.[23] Despite the existence of fraudulent conduct by a high-level employee, the SEC charged the issuer with only non-fraud violations of the financial reporting, books and records, and accounting control provisions of the federal securities laws and did not impose any penalty. The SEC explained in its press release that “this kind of response by a corporate entity can lead to significant benefits including, as here, no penalty.”[24] The SEC did bring civil fraud charges against the company’s finance director who perpetrated a fraud related to the company’s financial performance during a three-year period.[25]
Takeaway: When accounting errors or improper conduct are discovered or alleged, a company and its board should take prompt action. Conducting an independent investigation, undertaking prompt remediation, and being transparent with the company’s outside auditors are critical to ensuring accurate disclosures, preventing further errors and misconduct, and mitigating regulatory and legal exposure. Failing to do so will increase business and legal costs, damage the company’s reputation, and expose officers and directors to individual liability. And where appropriate, with the advice of experienced counsel, companies should evaluate the pros and cons of self-reporting, which regulators will credit as a mitigating factor when considering charges, sanctions, and settlements.
Executive Compensation
In December 2024, the SEC announced it had settled charges against an NYSE-listed fashion retail company for failing to disclose within its definitive proxy statements $979,269 worth of executive compensation related to perks and personal benefits provided to a now-former CEO for fiscal years 2019, 2020, and 2021.[26] These unreported personal benefits included expenses associated with the authorized use of chartered aircraft for personal purposes.[27] The company’s failure to disclose these benefits resulted in it underreporting the “All Other Compensation” portion of its then-CEO’s compensation by an average of 94% over the three fiscal years.[28] The SEC charged the company with violations of Sections 13(a) and 14(a) of the Exchange Act and Rules 12b-20, 13a-1, 13a-15(a), 14a-3, and 14a-9 thereunder (which prohibit companies from making false or misleading statements in proxy statements).[29] The SEC imposed a cease-and-desist order and declined to impose a civil penalty, in part due to the company’s prompt remediation and self-reporting.[30]
Takeaway: This case underscores the importance of companies having adequate processes, policies, and controls for identifying perks and personal benefits and ensuring they are included in executive compensation disclosures. SEC rules require, among other things, companies to disclose the total value of such benefits provided to named executive officers who receive at least $10,000 worth of such items in a given year. See Item 402 of Regulation S-K. Transparent disclosure not only fulfills a company’s regulatory obligations but also helps maintain public trust. Failing to fully report non-compensation benefits executives receive can lead to increased government scrutiny, reputational damage, and loss of investor confidence. And when a company falls short, prompt remediation is critical and can result in a reduction of regulatory sanctions.
Beneficial Ownership and Insider Transaction Reports
On September 25, 2024, the SEC announced charges against 23 officers, directors, and major shareholders for violating Sections 16(a), 13(d), and 13(g) of the Exchange Act, which require reporting information concerning holdings and transactions in public company stock.[31] In addition, the SEC charged two publicly-traded companies for their failure to report these insiders’ filing delinquencies or for contributing to these insiders’ failures to file.[32] In its press release, the SEC explained the importance of complying with these reporting obligations: “To make informed investment decisions, shareholders rely on, among other things, timely reports about insider holdings and transactions and changes in potential controlling interests.”[33] The settlements included penalties ranging from $10,000 to $200,000 for individuals and $40,000 to $750,000 for companies — totaling more than $3.8 million in penalties.[34] The SEC used data analytics to identify individuals and entities with late required reports.
Takeaway: While it is unusual for the SEC to bring so many actions at once, the “SEC’s enforcement initiatives” are not surprising given the SEC’s continued focus on policing compliance.[35] The SEC continues to send a clear signal to insiders and investors that they need to “commit necessary resources to ensure these reports are filed on time” or risk enforcement action.[36] And as the SEC recently warned, “[T]hese reporting requirements apply irrespective of whether the trades were profitable and regardless of a person’s reasons for the transactions.”[37] For public companies that assist insiders in complying with these filing requirements, the SEC actions further make clear companies are not immune and must stay abreast of amendments and ensure their monitoring processes and controls are working effectively to ensure timely reporting.
Artificial Intelligence
The SEC continued its crackdown on “AI-washing” by bringing a settled enforcement action on January 14, 2025 against a restaurant services technology company due to alleged misrepresentations concerning “critical aspects of its flagship artificial intelligence [] product[.]”[38] According to the SEC, AI-washing is a deceptive tactic that consists of promoting a product or a service by overstating the role of artificial intelligence integration.[39] The product at issue in the enforcement action employed AI-assisted speech recognition technology to automate aspects of drive-thru ordering at quick-service restaurants. Among other things, the SEC accused the company of disclosing a misleading reporting rate of orders completed without human intervention using the product.[40] The company was charged with violations of Section 17(a)(2) of the Securities Act and Section 13(a) of the Exchange Act.[41] The SEC declined to impose a civil penalty based on the company’s cooperation during the Staff’s investigation and remedial efforts, with the company consenting to a cease-and-desist order.
While this most recent enforcement against AI-washing led to a cease-and-desist order, the Commission’s enforcement cases in 2024 included steep penalties for violators.[42] In an earlier enforcement action against two investment advisory companies, the SEC levied civil penalties of $400,000 for the companies’ false and misleading statements concerning their purported use of artificial intelligence.[43] Specifically, the companies were alleged to have marketed to their clients (and prospective clients) that they were using AI in certain ways when they were not.[44] In the SEC’s press release, Chair Gary Gensler warned, “We’ve seen time and again that when new technologies come along, they can create buzz from investors as well as false claims by those purporting to use those new technologies. . . . Such AI washing hurts investors. . . . [P]ublic issuers making claims about their AI adoption must [] remain vigilant about [] misstatements that may be material to individuals’ investing decisions.”[45]
Takeaway: It is evident that “[a]s more and more people seek out AI-related investment opportunities,” the SEC becomes more and more committed to “polic[ing] the markets against AI-washing[.]”[46] The SEC’s emphasis that any claims regarding AI must be substantiated with accurate information makes it essential for companies integrating AI to have clear and accurate ways to measure and assess their AI-supported products and/or services. For directors and executives, this means carefully reviewing public disclosures and press releases related to AI technologies to ensure that all AI-related statements are supported by verifiable information. Without this verifiable information, a company opens itself up to significant penalties from enforcement actions brought pursuant to Section 17 of the Securities Act, which may also result in lost trust from shareholders around a company’s AI-related technologies.
Closing
The news for boards and management isn’t all bad; the number of SEC enforcement actions dropped significantly in 2024, and there is reason to believe that this drop may continue into 2025. In 2024, there were 583 SEC enforcement proceedings, compared to between 697 and 862 for each of the prior five years.[47] While the SEC touted record financial remedies for 2024,[48] over half of that amount came from a single case.[49] Signals from the new administration indicate reduced enforcement activity is likely to continue, given the administration’s focus on deregulation and government efficiency, which will likely lead to fewer resources available to the SEC. There also is an expectation that the SEC will avoid “regulation by enforcement” and take a “friendlier” view of certain activities that the outgoing SEC administration sought to rein in, such as with the crypto industry.[50] An additional factor pointing toward changes in enforcement approach is that the SEC is no longer able to try certain cases in administrative proceedings and instead must adjudicate such matters in federal jury trials.[51] This could result in the SEC choosing to pursue fewer actions or lesser sanctions, particularly given that it has historically been less successful in federal courts compared to in-house proceedings.[52] Nonetheless, the SEC’s enforcement actions involving public companies over the past year serve as a reminder to officers and directors of the importance of complying with their duties and obligations and ensuring strong internal controls and reporting practices. Staying ahead of compliance requirements is not just a matter of risk mitigation — it is essential for preserving shareholder trust and corporate integrity.
If you have questions about these and other SEC enforcement actions, contact the authors or your Foley & Lardner attorney.
[1] Typically with settled SEC actions, the settling party neither admits nor denies the SEC’s findings. See 17 CFR § 202.5.
[2] https://www.sec.gov/newsroom/press-releases/2024-161.
[3] See id.
[4] See id.
[5] See id.
[6] https://www.sec.gov/newsroom/press-releases/2024-174.
[7] https://www.sec.gov/newsroom/press-releases/2023-227. In July 2024, most of the SEC’s claims were dismissed; most notably, the court held that charges of internal accounting controls failures do not extend to cybersecurity deficiencies. See https://www.foley.com/insights/publications/2024/08/down-but-not-out-federal-court-curbs-sec-cybersecurity-enforcement-authority/.
[8] See https://www.sec.gov/newsroom/press-releases/2024-174.
[9] See id.
[10] See id.
[11] See id.
[12] Release Nos. 33-10459, 34-82746 (Feb. 21, 2018) (“We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents”).
[13] See Release Nos. 33-11216, 34-97989 (July 26, 2023); see also https://www.foley.com/insights/publications/2023/08/sec-adopts-new-cybersecurity-disclosure-rules/.
[14] https://www.sec.gov/newsroom/press-releases/2024-174.
[15] See https://www.sec.gov/enforcement-litigation/litigation-releases/lr-25970; see also https://www.sec.gov/enforcement-litigation/litigation-releases/lr-25170.
[16] https://www.foley.com/insights/publications/2024/03/sec-v-panuwat-shadow-trading-insider-trading-trial/.
[17] https://www.sec.gov/newsroom/press-releases/2023-234.
[18] https://www.sec.gov/newsroom/press-releases/2024-131.
[19] Id.
[20] https://www.sec.gov/newsroom/press-releases/2024-189.
[21] https://www.sec.gov/files/litigation/admin/2024/33-11332.pdf.
[22] https://www.sec.gov/files/litigation/admin/2024/34-101796.pdf.
[23] https://www.sec.gov/newsroom/press-releases/2024-116.
[24] Id.
[25] Id.
[26] https://www.sec.gov/newsroom/press-releases/2024-203.
[27] Id.
[28] Id.
[29] Id.
[30] Id.
[31] https://www.sec.gov/newsroom/press-releases/2024-148.
[32] Id.
[33] Id.
[34] Id.
[35] https://www.sec.gov/newsroom/press-releases/2023-219 (press release); https://www.sec.gov/files/33-11253-fact-sheet.pdf (fact sheet); https://www.sec.gov/files/rules/final/2023/33-11253.pdf (final rule).
[36] https://www.foley.com/insights/publications/2014/09/sec-charges-insiders-for-violations-of-section-16a/.
[37] https://www.sec.gov/newsroom/press-releases/2024-148.
[38] https://www.sec.gov/enforcement-litigation/administrative-proceedings/33-11352-s.
[39] See https://www.sec.gov/newsroom/speeches-statements/gensler-office-hours-ai-washing-090424.
[40] Id.
[41] Id.
[42] https://www.sec.gov/newsroom/press-releases/2024-36.
[43] Id.
[44] Id.
[45] Id.
[46] See https://www.sec.gov/newsroom/press-releases/2024-70.
[47] https://www.sec.gov/files/fy24-enforcement-statistics.pdf.
[48] https://www.sec.gov/newsroom/press-releases/2024-186.
[49] See https://www.sec.gov/enforcement-litigation/distributions-harmed-investors/sec-v-terraform-labs-pte-ltd-do-hyeong-kwon-no-23-cv-1346-jsr-sdny.
[50] https://www.nytimes.com/2024/12/04/business/trump-sec-paul-atkins.html.
[51] See https://www.foley.com/insights/publications/2024/06/us-supreme-court-rules-sec-securities-fraud-cases-federal-jury/.
[52] Id.

BANKING HEADACHES: Plaintiff Challenges Debt Collections Under TCPA ATDS Provisions

Hi Folks! We just saw an interesting complaint filed, where the plaintiff claims he revoked his consent to be contacted by a debt collector.
Generally, debt-collection-related TCPA lawsuits are at an all-time low, especially in the Ninth Circuit. However, Plaintiff Aaron Maxwell brought a complaint against First National Bank of Omaha for three different claims relating to its debt collection attempts, including a violation of the automatic telephone dialing system (“ATDS”) provisions of the TCPA. Maxwell v. First National Bank of Omaha, 2:25-cv-00652 (C.D. Cal. filed January 27, 2025). Plaintiff alleges that he revoked his consent to be contacted via a “certified notice” sent to Defendant. Id. The “certified notice” was a letter from Plaintiff’s counsel confirming that he represented Plaintiff and advising Defendant to no longer contact the Plaintiff. Id.
The de facto rule is that consumers may revoke TCPA consent through any reasonable means. New revocation rules—unimpacted by the 11th Circuit’s decision to strike down 1:1 consent requirements—are coming into effect April 11, 2025, which will codify the reasonable revocation rule into 47 C.F.R. § 64.1200, among additional changes.
It appears that a certified notice sent on Plaintiff’s behalf constitutes reasonable means through which to revoke consent.
Still, Maxwell v. First National Bank of Omaha is interesting because debt collectors have not been subject to many ATDS lawsuits in recent years, especially in the Ninth Circuit, as the Supreme Court in Facebook, Inc. v. Duguid and the Ninth Circuit (subsequently) in Borden v. eFinancial, LLC have both held that an ATDS must generate random numbers—although those definitions are strangely inconsistent.
In any case, this is a TCPA lawsuit against a debt collector for violating the ATDS provisions. For debt collectors, courts within the Ninth Circuit have found that debt collection attempts are incompatible with ATDS usage because debt collectors do not generate random numbers. See McDonald v. Navy Federal Financial Group, 2023 WL 5797724 (D. Nev. Sept. 7, 2023) (finding implausible plaintiff’s claim that she was contacted by a debt collector using an ATDS).
It will be interesting to see how the court treats Plaintiff’s TCPA ATDS claim in this action. It seems that the ATDS claim should be dismissed, but courts within this circuit have gone the other way in recent years—even for debt collectors.

Circuit Court Employs Loper Bright to Knock Out the FCC’s TCPA One-to-One Consent Rule

In December 2023, Privacy World reported on an order from the Federal Communications Commission (“FCC”) designed in part to close the “lead generator loophole” in the agency’s Telephone Consumer Protection Act (“TCPA”) consent rules. Now, just over a year later, on January 24, 2025, the United States Court of Appeals for the Eleventh Circuit (“11th Circuit” or “Court”) resoundingly rejected the FCC’s closure efforts, finding that the agency exceeded its statutory authority under the TCPA.
The FCC Rule — As noted in our prior report, the FCC acted because under existing rules “consumers may unknowingly ‘consent’ through a single interaction with a comparison shopping or other type of website to be contacted by a multitude of unrelated commercial entities for marketing purposes.” Moreover, these “consent ‘leads’ may be sold to other entities who offer services in which the consumer did not knowingly indicate an interest initially.”
The FCC’s closure solution had two key components (collectively, the “FCC Rule”). First, it required texters and callers using automated or artificial or prerecorded voice technology to obtain a consumer’s prior express written consent to deliver marketing messages from a single seller at a time (i.e., on a “one-to-one basis”). Second, the content of the calls or texts must be “logically and topically” associated with the interaction (e.g., website) where the consumer provided contact information, even if the consumer “clearly and unmistakably” consented to the call (e.g., a consumer’s consent to receive calls from a home repair business would be invalidated if that consent was obtained on a website related to home mortgages). The agency had set January 27th as the date on which these requirements would take effect.
The Appeal and Other Opposition – The Insurance Marketing Coalition, a consortium representing a cross section of insurance industry stakeholders, promptly petitioned for the 11th Circuit to overturn the FCC Rule on several grounds. Other stakeholders strongly opposed the FCC Rule and sought revisions in the 12-month lead up to the January 2025 effective date. One interested group filed a last-minute stay request based on one of President Trump’s early Executive Orders.
Whatever the cause, at the last minute, on January 24, 2025, the FCC itself agreed to stay the Rule for another year, pending the result of the 11th Circuit case. The agency justified its action in part by anticipating that “judicial review of the rule is likely nearing completion.” Perhaps the FCC saw the handwriting on the wall because the Court overturned the FCC Rule that very same afternoon.
The Court’s Decision and Vacatur – The Court based its decision on the “common law concept of consent” that Congress sought to incorporate into the TCPA. To give prior express consent, “[o]ne need only ‘clearly and unmistakably’ state that before receiving the robocall he is willing to receive [it].” Applying that concept, in the wake of Loper Bright, the Court ruled “the TCPA’s text is clear: Callers must obtain ‘prior express consent’—not ‘prior express consent’ plus.” As a result, “the FCC exceeded its statutory authority under the TCPA because the … new consent restrictions impermissibly conflict with the ordinary statutory meaning of ‘prior express consent’” in the TCPA. Although the FCC Rule might be “good policy,” it does not permit the agency to exceed its statutory authority to interpret the TCPA.
The Court found the FCC’s action of attempting to “redefine” the TCPA to include these additional restrictions to be a “serious defect.” As a result, the Court vacated the FCC Rule, a remedy that even the FCC did not contest. So, upon remand to the FCC, the prior consent rule (without the December 2023 restrictions) is resurrected.
What’s Next? – At this point, what is next at the FCC is unclear. There is now a new Chair of the agency, Brendan Carr, who did support the December 2023 order, without a separate statement. His agenda may not include a request to seek further review before the 11th Circuit, or for that matter, the U.S. Supreme Court. To date, he has made no statement on the Court’s decision and his intent. And the FCC’s decision not to contest the vacatur of the Rule may be predictive. Still, courts dealing with TCPA consent issues will likely look to what the 11th Circuit said and what “clearly and unmistakably” means.
It is reasonable to expect a clamor from the coalition of consumer groups for the FCC to address the issue again within the confines of the Court’s decision. Part of the December 2023 order was a further notice of proposed rulemaking about “refining” the FCC Rule. However, the Rule is no longer there to refine. Finally, the FCC, until the approval of the proposed new member of the Commission, Olivia Trusty, is in a 2-2 posture, as well as leadership changes taking effect in the key Bureaus of the Commission; thus, there may not be further action in the near future on this issue. However, beware of any new FCC administrative action, in light of Loper Bright, as “the reviewing court shall decide all relevant questions of law.”
As for possible legislation, Congressman Pallone (D- N.J.) introduced an extensive TCPA reform bill in the last Congress, H.R. 7116, which did not address this issue. Again, although it is bipartisan issue, it is too early to know whether there is the appetite to address the TCPA in the new Congress, where there are also leadership changes on the relevant Congressional committees.

Eleventh Circuit Invalidates FCC’s One-to-One Consent Rule

On January 24, 2024, the Federal Communications Commission (FCC) delayed the effective date of the Telephone Consumer Protection Act’s (TCPA) one-to-one consent rule until January 26, 2026, or until the Eleventh Circuit concludes its judicial review of the rule and—if the court upholds the rule—the FCC issues a Public Notice specifying a sooner date (within 90 days of the court’s decision).
Hours later, the Eleventh Circuit issued its ruling, invalidating the rule on the grounds that the FCC had exceeded its statutory authority in its interpretation of “prior express consent.” The TCPA requires companies to obtain “prior express consent” before robocalling consumers. However, the FCC’s 2023 one-to-one consent rule expanded this requirement by mandating entity-specific consent and requiring that the subject matter of each call be logically and topically related to the interaction that prompted the consent. In striking down the rule, the Eleventh Circuit noted: “Rather than respecting the line that Congress drew, the FCC stepped right over it.”
The practical implications of this decision remain pending, as the FCC must now determine whether to appeal the ruling, substantially revise the rule or pursue an alternative approach. Notably, the current FCC appears to have adopted a distinct regulatory posture from its predecessor. In its delay order, the Commission emphasized the substantial implementation burden on industry stakeholders while acknowledging limited public interest harms associated with postponement.
Presently, the one-to-one consent rule will remain ineffective until at least January 2026, or until the FCC issues a Public Notice addressing the rule’s effective date—in the event that the rule withstands additional legal challenges. The FCC is expected to announce its intended course of action in the near future, whether that involves pursuing an appeal, undertaking rule revision or withdrawing the initiative altogether.

SEC Rescinds SAB 121

The SEC rescinded its cryptocurrency accounting guidance, Staff Accounting Bulletin (SAB) 121, on Jan. 23, 2025. Issued in March 2022, SAB 121 required crypto custodians to record digital assets held for customers as liabilities on their balance sheets. Some industry participants and lawmakers expressed concerns that the guidance could impact regulated entities’ willingness to offer crypto custody services. In May 2024, former President Biden vetoed a bipartisan bill that would have rescinded SAB 121.
SAB 122, which formally rescinds SAB 121, directs custodians to assess potential liabilities of digital assets held, rather than requiring liabilities to be recorded for those assets. As part of the assessment, custodians must determine whether to recognize a liability related to the risk of loss under their custody arrangements. When recognizing and measuring the liability, custodians must follow the standard accounting rules of the Financial Accounting Standards Board Accounting Standards Codifications under U.S. Generally Accepted Accounting Principles or International Accounting Standards under International Financial Reporting Standards. This change may encourage banks to offer digital asset custody services, which might lead to more banks and financial institutions entering the crypto custody market.
The decision to rescind SAB 121 follows the recent appointment of acting SEC Chairman Mark Uyeda and aligns with a recent executive order from President Trump that established a working group to develop a federal framework for digital assets. The move is also consistent with the SEC’s decision, under Uyeda’s leadership, to form a crypto task force led by SEC Commissioner Hester Peirce to craft clear and practical regulatory frameworks for the industry. These developments mark a significant shift from the previous administration’s approach to crypto regulation.

EVERYDAYS SCORES HOMEFIELD ADVANTAGE: Texas Court Finds That It Does Not Have General Jurisdiction And Transfers TCPA Case To Delaware

Hi TCPAWorld! Lots of excitement from all the one-to-one action, but here’s a reminder of some litigation basics courtesy of Magistrate Judge Jeffrey L. Cureton out of the Northern District of Texas.
In Kelly Bland v. Everdays, Inc., Judge Cureton handed defendants a procedural victory, recommending dismissal for lack of general personal jurisdiction and transferring the case to the District of Delaware. No. 4:24-CV-946-P, 2025 WL 297826 (N.D. Tex. Jan. 2, 2025), report and recommendation adopted sub nom. KELLY BLAND, Plaintiff, v. EVERYDAYS, INC., ET AL., Defendants., No. 4:24-CV-00946-P, 2025 WL 295735 (N.D. Tex. Jan. 24, 2025).
In this case, Kelly Bland, a Texas resident proceeding pro se, accused Everdays, a Delaware-based company, of violating the TCPA through unwanted robocalls made by an offshore telemarketing entity identified only as “John Doe.” Bland also claimed Everdays was vicariously liable for these calls and brought additional claims under Texas state law. However, Everdays struck back with a Federal Rule of Civil Procedure 12(b)(2) motion, arguing “Everdays contacts with the State of Texas are far too sparse for it to be considered “at home” such that the Court may exercise general jurisdiction over it.”
The court agreed with Everdays, noting that general jurisdiction requires “continuous and systematic” contacts with the forum state, a high bar that Everdays clearly didn’t meet. Despite Bland’s assertions that Everdays had a registered agent in Texas and some limited business activity in the state, the court emphasized that neither registering to do business nor minimal commercial activity is enough to establish general jurisdiction. The court also found Bland’s allegations of vicarious liability vague and unsupported by concrete facts linking Everdays to the alleged illegal telemarketing.
Faced with dismissal, Bland requested the case be transferred to Delaware, a move Everdays did not oppose. The court recommended the transfer, sparing Bland’s claims from outright dismissal while ensuring the litigation proceeds in the proper forum.
This case highlights a crucial reality in TCPA litigation: jurisdiction matters! For plaintiffs, it’s a reminder to thoroughly research and plead the defendant’s forum ties with specificity. For defendants, it shows the power of jurisdictional challenges as a tool to limit forum shopping and shift litigation to more favorable venues.

Will History Repeat Itself? Peering Into the Past to Predict the Next Four Years of CFTC Enforcement Actions

During every presidential transition, the futures industry looks for clues regarding what changes may be coming. History has shown that when administrations transition, far more stays the same than changes and that the direction of new Commodity Futures Trading Commission (CFTC) Commissioners and Directors can be surprising. But this year, the industry may have more clues than normal. This article assembles some of the available information to illuminate, to the degree possible, potential changes in the enforcement activity of the CFTC. Two significant factors aid that exercise. First, President Donald Trump is the second US president to serve nonconsecutive terms and the only one to do so recently. Accordingly, four years of activity by the Division of Enforcement (DOE) under the Trump administration are available for examination and comparison to the intervening four years under a different administration. Second, during the prior four years, CFTC Commissioners have been unusually outspoken regarding their views on enforcement actions in the form of dissents and separate opinions. Presuming the Commissioners transitioning from the minority to the majority of the Commission will be more likely to shape the enforcement regime to reflect those views, prior statements of the soon-to-be-majority party Commissioners provide additional guidance on the potential coming priorities at the CFTC.
Of course, a number of important variables could confound this guidance. In particular, a new Chairman and Director of the DOE could have the greatest influence on the path ahead, and at this point, neither seat is filled. Still, as set forth below, the available record suggests that (1) Enforcement will remain active; (2) fraud and manipulation will remain priorities; (3) technical violations, such as data reporting, may decline; and (4) enforcement priorities related to cryptocurrencies and decentralized finance (DeFi) will likely be different.
CFTC Enforcement Reviews
Generally, the DOE publishes the results of its enforcement activity annually. From 2018 through 2020, this took the form of an Annual Report of the Division of Enforcement.1 In 2017, 2022, 2023, and 2024, it released its “Annual Enforcement Results” as a press release with an addendum of statistics.2 Although no comprehensive summary of the enforcement cases brought was published for 2021, the CFTC published an Agency Financial Report, which provided extensive financial data and included some summary enforcement statistics.3 The absence of data from 2021 is noted below where relevant. These annual summaries tend to describe the accomplishments of the year’s enforcement activity, statistics regarding the categories of cases resolved and total fines and total financial penalties imposed. Although the format and method of presentation change among the styles of documents and their form, they provide a reasonable basis to compare activity in the Division across years.
Separate Commissioner Statements
The DOE most often resolves cases through settled agency actions approved by the Commission. Less frequently, cases are brought in federal court and either litigated to judgment or resolved with a consent order entered by the court. Although the Commission speaks as a whole through the language of the administrative order, Commissioners are free to publish their own views on the matter resolved.4 The publication of such separate statements has increased dramatically over the years covered in this article. In 2017, only 10 such statements were published.5 Moving forward eight years, in 2024, Commissioners published 103.6 That increase in activity provides a unique opportunity to understand the different views of the Commissioners and to potentially gain insight into the views that will be advanced by the majority party in the new administration.
Substantive Conclusions
Below are a handful of conclusions that are discernable for market participants attempting to anticipate what is likely to change and what is more likely to stay the same.
Although it may change focus, there is no reason to believe the DOE will be less active
Although the Trump administration has made broad statements that it intended to “dismantle Government Bureaucracy, slash excess regulations, cut wasteful expenditures and restructure Federal Agencies,”7 there is reason to doubt that such a policy will take the form of less activity by the CFTC Division of Enforcement. When comparing the Enforcement results of the first four years of the Trump administration to the four years under President Joe Biden, the CFTC brought, on average, seven more cases per year under the Trump administration than under the Biden administration. The following table sets forth the raw numbers.

Notably, the 2024 results were largely driven by the FTX matter, which resulted in $12.7 billion in monetary relief. If the FTX matter is excluded, the monetary relief for 2023 would be $4.5 billion, which brings the total closer to the 2023 figures. Additionally, the level of monetary relief increased in size; however, that increase appears far more likely to be driven by a nearly unbroken rise in monetary relief for many years:

Although there are certainly reasons outside of the administration that explain the magnitude of fines and the number of cases under both administrations, it remains true that the DOE resolved fewer cases during the Biden administration than during the four years when Trump was first president. That observation is amplified by the fact that 27 of the 291 enforcement cases since 2021, or more than 9 percent, have involved alleged violations related to the use of unapproved methods of communication.8
Although the government may attempt to relieve the regulatory burden on market participants in other ways, historical enforcement activity does not provide evidence that the DOE is likely to be less active.
Enforcement activity could shift from reporting and recordkeeping to fraud and market abuse
A second potential observation supported by both the historical activity of the DOE and the statements of Commissioners is a shift in emphasis away from reporting and recordkeeping cases and a shift toward fraud and market abuse.
During the first Trump administration, the DOE made its priorities clear and articulated fraud and manipulation as significant areas of focus. Every Annual Review released during that time noted that the Commission prioritized “protecting customers in commodity and derivatives markets from fraud and other abuse.”9 Of course, the Division has always described stopping fraud and market abuse as a priority, and those categories, combined, make up the majority of the settled docket in both periods under review. Nonetheless, the following charts, which reflect the allocation of cases by subject matter, as identified by the DOE in its reporting of activity, make a sustained reallocation of priorities evident.

Under the first Trump administration, fraud and manipulative conduct made up 64 percent of the resolved cases, with reporting cases comprising only 5 percent. Under the Biden administration, those combined cases of fraud and manipulative conduct fell to 50 percent of total enforcement matters and reporting cases grew by 12 percent. There are, of course, explanations outside the DOE that are relevant. The Department of Justice actively pursued spoofing cases during the Trump period, a pattern of misconduct that has declined in recent years. The SEC led a sweep of financial firms relating to cases involving off-channel communications during the Biden period, joined by the CFTC, which resulted in 27 actions during the prior four years.
Commissioners’ comments in the prior four years make clear that they support focusing DOE resources “on cases that will bring justice for victims, protect those that cannot protect themselves, and root out misconduct and wrongdoing — this is our core mission and core strength.”10 As Commissioner Summer Mersinger stated in a Dissent from a case involving DeFi, “The decision to devote resources to this case also raises concerns about the Commission’s enforcement priorities . . . For every case we bring against a DeFi protocol where there are no allegations of fraud or complaints of customers losing money, we risk taking resources from a case where innocent victims suffer actual financial harm at the hands of a real fraudster.”11
A reversal in the increase in actions relating to data reporting, in particular, seems highly likely. These actions include, primarily, cases brought based on errors in swap data reporting, but also include recordkeeping requirements for introducing brokers.12 During the four years of Trump’s first term, such actions were rare and a much smaller portion of the case activity. Of the 314 actions brought during the first Trump administration, only 16 (5.1 percent) involved reporting or recordkeeping violations. By contrast, under the Biden administration, of the 236 cases brought from 2021 to 2024, the Commission filed 41 cases (17.3 percent) involving reporting or recordkeeping violations.13
But even if the data on the increase in reporting and recordkeeping cases can be explained by the sweep related to off-channel communications, a reversion to the prior, lighter emphasis on enforcement cases for resolving reporting violations is also supported by the comments of Commissioners. Commissioner Caroline Pham has raised concerns regarding “the CFTC’s aggressive enforcement posture towards pursuing reporting violations with a strict liability standard and no materiality threshold, resulting in seven-figure penalties for anything less than 100% perfection.”14 That lack of tolerance for errors that underlie many of the data reporting cases came under particular scrutiny, with Commissioner Pham noting that, “It is fantastical for the Commission to expect perfection — 100% compliance for 100% of the time — when it comes to operations and technology systems and processes. That is impossible.”15
In a case in which a registrant settled a matter relating to a failure to record certain phone calls based on a lapse during the COVID-19 pandemic by the vendor retained to manage those recordings,16 Commissioner Pham stated that the order and settlement reflected “the Commission’s disturbing trend of ‘examination by enforcement’ — where the Division of Enforcement imposes a disproportionately high civil monetary penalty for one-off, non-material operational or technical issues with no misconduct, harm to clients, or financial losses, and that every other major regulatory authority addresses through an examination program conducted by supervisory staff (i.e., examiners).”17
Given the clear balance of resources focused on fraud and market misconduct cases in the first Trump administration and the expressions of frustration from sitting Commissioners regarding pursuing enforcement matters or issues that are better suited to resolution through the examination process, there is a strong possibility that enforcement priorities will be realigned away from data reporting cases in the second Trump administration.
Enforcement actions based on novel theories are likely to decline
Going forward, the Commission is likely to avoid enforcement matters perceived as applying new standards to historic conduct without the benefit of notice to the public prior to the change, so-called “regulation by enforcement.” Several cases brought in the last two years that have been perceived by Commissioners as applying new standards without fair notice have been highlighted by dissenting statements.
For example, in her dissent on the Commission’s off-channel communication enforcement action against Piper Sandler Hedging Services, LLC (Piper Sandler), Commissioner Mersinger emphasized that “regulation through enforcement is the antithesis of regulatory clarity and transparency.”18 In that case, the CFTC charged Piper Sandler, an Introducing Broker, with failing to retain required records.19 Commissioner Mersinger criticized the DOE for failing to apply the particular record retention rules unique to introducing brokers, instead effectively taking the view that, “everything is a business record, even if such a conclusion has no foundation in the Commodity Exchange Act or CFTC regulations.”20 Mersinger concluded: “I cannot support further settlements with IBs concerning offline communications violations until such time as the Commission as a whole, not just the Division of Enforcement, uses the actual words of the statute and the implementing regulation to clarify how an IB can properly comply with recordkeeping requirements.”21
Commissioner Pham has expressed similar suspicions of the CFTC’s use of “regulation by enforcement” and has even characterized the Commission’s actions as going beyond regulation by enforcement and becoming increasingly pernicious. In CFTC v. Cartu (Masten et al.), the Commission charged Ryan Masten and Bareit Media LLC (Bareit Media) with violating the Commodity Exchange Act for failing to register as a commodity trading advisor (CTA).22 The parties’ Consent Order noted that Bareit Media, which is controlled by Masten, offered customers the ability to obtain trade signals and automate trading on binary options platforms using those signals. In her dissent, Commissioner Pham admonished the CFTC for “once again changing its interpretation of the definition of a CTA in an enforcement action without sufficient explanation and without the opportunity for the public to comment.”23 Commissioner Pham noted that for 10 years, the Commission stated that “a technology provider that aggregates (but does not originate) trade signals and submits orders to an exchange is not likely required to register as a CTA.”24 Yet, the Commission arbitrarily changed its interpretation of the definition of a CTA to require technology providers that do not originate trade signals to register as CTAs, which Commissioner Pham claimed was “not merely regulation by enforcement.”25
Going forward, the DOE’s comments suggest that the Commission is less likely to support a foray into untested waters, bringing cases to establish standards or define conduct that was not clear from prior regulatory guidance. For many areas, notably cryptocurrencies, that limitation could be meaningful.
Cryptocurrency enforcement is likely to change
Likely changes in enforcement trends related to cryptocurrency are not necessarily dependent on the views of sitting Republican Commissioners and not illuminated by prior enforcement activity; instead, the strongest indication of the direction of cryptocurrency stems from the contrast between the Biden administration’s actions and Trump administration’s recent statements regarding cryptocurrency regulation.
It is certainly true that cryptocurrency cases are now a material part of the Enforcement docket, despite being virtually absent in the prior administration, as the number of cryptocurrency cases grew dramatically under the Biden administration. The CFTC under the Trump administration in 2020 brought just seven cryptocurrency cases; under the Biden administration, the number of cases increased to twenty in 2021, eighteen in 2022, and forty-seven in 2023. This increased attention towards cryptocurrency is not unique to the CFTC. For instance, under the Biden administration, the Federal Deposit Insurance Corporation (FDIC) issued “pause” letters to banks between March 2020 and May 2023, asking them to “pause, or not expand, planned or ongoing crypto-related activities and provide additional information.”26 Meanwhile, the SEC has also seen a steady increase in cryptocurrency enforcement actions under Biden.27
In stark contrast, the Trump administration’s campaign promised: it would be a “pro-crypto” administration; SEC Chairman Gary Gensler would be removed from his position to drive the SEC towards a friendlier stance with the cryptocurrency industry; cryptocurrency rules and regulations would be “written by people who love [the cryptocurrency] industry, not hate [the] industry”; the United States will create a strategic bitcoin reserve28; and America will become the “crypto capital of the world.”29 Notably, during its first term, the Trump administration approached blockchain and decentralized finance by fostering discussions of the new technologies in the LabCFTC and other forums.30
In the case of the SEC, the new administration clearly selected an individual who publicly supported the potential for innovation in that space. Prior to his nomination, Paul Atkins was a co-chair of Token Alliance, an industry-led initiative of the Chamber of Digital Commerce whose “mission is to promote the acceptance and use of digital assets and blockchain-based technologies,”31 and has attended various podcasts and other public appearances discussing his support for cryptocurrencies. President Trump touted Paul Atkins as a “proven leader” who “recognizes that digital assets & other innovations are crucial to Making America Greater than Ever Before.”32
Such a focus on allowing “innovation” may decrease the efforts to use enforcement actions to shape the regulation of decentralized finance and blockchain matters. Some matters have been charged as straightforward registration failures, alleging that the activity allowed on the DeFi platform required registration as a futures commission merchant (FCM) or execution on a regulated platform. In CFTC v. Ooki DAO (formerly d/b/a bZeroX, LLC), the Commission obtained a default judgment against a decentralized autonomous organization (“DAO”) for engaging in unlawful off-exchange leveraged and margined commodity transactions; engaging in activities that can only be performed by a registered futures commission merchant; and failing to implement know your customer (KYC) and anti-money laundering (AML) procedures.33 Following CFTC v. Ooki DAO, the CFTC has also imposed fines on three DeFi protocols for illegally offering leveraged and margined retail commodity transactions in digital assets, failing to register as a swap execution facility, failing to register as a designated contract market, and/or failing to register as a futures commission merchant.34 In doing so, Director Ian McGinley of the DOE stressed that the DOE will “aggressively pursue those who operate unregistered platforms that allow U.S. persons to trade digital assets themselves.” Notably, Commissioner Mersinger favored the application of the Commodity Exchange Act and CFTC rules to novel circumstances, but she dissented because the cases gave “no indication that customer funds have been misappropriated or that any market participants have been victimized by the DeFi protocols on which the Commission has unleashed its enforcement powers.”35 Commissioner Mersinger again noted that the CFTC engages in regulation by enforcement rather than inviting the public to help solve novel DeFi issues.
Finally, in In re Universal Navigation Inc., the Commission settled charges against Universal Navigation Inc. d/b/a Uniswap Labs (Uniswap), finding that Uniswap “illegally offered leveraged or margined retail commodity transactions in digital assets via a decentralized digital asset trading protocol.”36 The settlement order found that Uniswap provided users leveraged exposure to Ether and Bitcoin, which could be offered to non-Eligible Contract Participants only on a board of trade that was registered by the CFTC as a contract market because the leveraged tokens did not result in actual delivery within 28 days. Commissioner Mersinger dissented and stated the case has “all the hallmarks” of regulation through enforcement: “A settlement with a de minimis penalty that bears little relationship to the conduct alleged, sweeping statements about the broader industry that are not germane to the case at hand, and legal theories that have not been tested in court.”37 Commissioner Pham echoed this sentiment, arguing that the Commission’s actions violated the Administrative Procedure Act and noting the CFTC’s approach was “legally simplistic and conveniently cuts corners to create a pretext for enforcement.”38 If the newly constituted Commission focuses on fostering innovation, relying on the rulemaking process instead of enforcement actions to provide guidance on unsettled matters, and shifts its emphasis to the examination process from the enforcement process, such controversial extensions of jurisdiction may take a different form going forward. Accordingly, we anticipate that future enforcement actions involving cryptocurrency may be limited to fraud or manipulation cases.
Conclusion
Obviously, many factors will determine the shape of the DOE agenda, most of which are difficult to predict. Nonetheless, to the extent the sources identified herein provide some guidance, market participants can expect a DOE that continues a robust docket and seeks significant fines but focuses more on core matters of protecting investors from fraud and non-technical misconduct.

1 CFTC, “CFTC Division of Enforcement Issues Report on FY 2018 Results,” Release No. 7841-18 (Nov. 15, 2018), https://www.cftc.gov/PressRoom/PressReleases/7841-18; CFTC, “CFTC Division of Enforcement Issues Annual Report for FY 2019,” Release No. 8085-19 (Nov. 25, 2019), https://www.cftc.gov/PressRoom/PressReleases/8085-19; CFTC, “CFTC Division of Enforcement Issues Annual Report,” Release No. 8323-20 (Dec. 1, 2020), https://www.cftc.gov/PressRoom/PressReleases/8323-20.
2 CFTC, “CFTC Releases Annual Enforcement Results for Fiscal Year 2017,” Release No. 7650-17 (Nov. 22, 2017), https://www.cftc.gov/PressRoom/PressReleases/7650-17; CFTC, “CFTC Releases Annual Enforcement Results,” Release No. 8613-22 (Oct. 20, 2022), https://www.cftc.gov/PressRoom/PressReleases/8613-22; CFTC, “CFTC Releases FY 2023 Enforcement Results,” Release No. 8822-23 (Nov. 7, 2023), https://www.cftc.gov/PressRoom/PressReleases/8822-23; CFTC, “CFTC Releases FY 2024 Enforcement Results,” Release No. 9011-24 (Dec. 4, 2024), https://www.cftc.gov/PressRoom/PressReleases/9011-24.
3 CFTC, “FY 2021 Agency Financial Report,” (Nov. 15, 2021), https://www.cftc.gov/node/238691.
4 “Whenever the Commission issues for official publication any opinion, release, rule, order, interpretation, or other determination on a matter, the Commission shall provide that any dissenting, concurring, or separate opinion by any Commissioner on the matter be published in full along with the Commission opinion, release, rule, order, interpretation, or determination.” 7 U.S.C. § 2(a)(10)(C).
5 CFTC, Public Statements & Remarks, https://www.cftc.gov/PressRoom/SpeechesTestimony/index.htm?combine=&tid=All&field_speeches_testimony_type_value=Statements&year=2017 (last accessed Dec. 30, 2024).
6 CFTC, Public Statements & Remarks, https://www.cftc.gov/PressRoom/SpeechesTestimony/index.htm?combine=&tid=All&field_speeches_testimony_type_value=Statements&year=2024 (last accessed Dec. 30, 2024).
7 Andrea Hsu, ‘Apprehensive and fearful’: Federal workers await a dismantling under Trump, NPR (Nov. 13, 2024), https://www.npr.org/2024/11/13/nx-s1-5188566/government-efficiency-federal-workers-elon-musk-trump; see also, Marco Quiroz-Gutierrez, Trump Vowed to Oust SEC Chairman Gary Gensler, and These Crypto Advocates Could Take His Place (Nov. 10, 2024), https://fortune.com/2024/11/10/who-could-trump-name-to-replace-sec-chair-gary-gensler-crypto-policy-advocates/ (noting that Trump promised to oust Gary Gensler as SEC Chairman).
8 CFTC, “CFTC Orders Canadian Imperial Bank of Commerce to Pay $30 Million for Recordkeeping and Supervision Failures for Firm-Wide Use of Unapproved Communication Methods,” (Sept. 24, 2024) https://www.cftc.gov/PressRoom/PressReleases/8975-24.
9 See, e.g., CFTC, FY 2019 DOE Annual Report (Nov. 25, 2019), https://www.cftc.gov/media/3081/ENFAnnualReport112519/download.
10 Caroline D. Pham, CFTC, “Dissenting Statement of Commissioner Caroline D. Pham on Examination by Enforcement” (Aug. 19, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement082923b; Caroline D. Pham, CFTC, “Dissenting Statement of Commissioner Caroline D. Pham on DeFi Enforcement Action Involving Uniswap Protocol” (Sept. 4, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement090424 (“I believe the CFTC can and should vigorously pursue fraud and manipulation in our markets and bring bad actors to justice.”).
11 Summer K. Mersinger, “Dissenting Statement of Commissioner Summer K. Mersinger Regarding Settlement with Uniswap Labs” (Sept. 4, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/mersingerstatement090424.
12 Summer K. Mersinger, CFTC, “Dissenting Statement of Commissioner Summer K. Mersinger Regarding Settlement With Piper Sandler Hedging Services, LLC” (Sept. 23, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/mersingerstatement092324.
13 See, footnote 3.
14 Caroline D. Pham, CFTC, “Dissenting Statement of Commissioner Caroline D. Pham on Large Trader Reporting Rule” (April 30, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement043024b.
15 Caroline D. Pham, CFTC, “Dissenting Statement of Commissioner Caroline D. Pham on Examination by Enforcement” (Aug. 29, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement082923b.
16 CFTC, “CFTC Orders Goldman Sachs to Pay $5.5 Million for Recordkeeping Violations and Violating a Prior Commission Order,” Release No. 8769-23 (Aug. 29, 2023), https://www.cftc.gov/PressRoom/PressReleases/8769-23.
17 See also, Caroline D. Pham, CFTC, “Dissenting Statement of Commissioner Caroline D. Pham on Examination by Enforcement” (Aug. 29, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement082923b (“Examination by enforcement is inherently ad hoc, not applied consistently across market participants, and does not provide a horizontal view to inform the Commission of potential systemic risk.”).
18 Summer K. Mersinger, CFTC “Dissenting Statement of Commissioner Summer K. Mersinger Regarding Settlement With Piper Sandler Hedging Services, LLC” (Sept. 23, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/mersingerstatement092324.
19 CFTC, “CFTC Orders Piper Sandler to Pay $2 Million for Recordkeeping and Supervision Failures for Firm-Wide Use of Unapproved Communication Methods,” Release No. 8972-24 (Sept. 23, 2024), https://www.cftc.gov/PressRoom/PressReleases/8972-24.
20 Summer K. Mersinger, CFTC “Dissenting Statement of Commissioner Summer K. Mersinger Regarding Settlement With Piper Sandler Hedging Services, LLC” (Sept. 23, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/mersingerstatement092324 (emphasis in original).
21 Id. See also, Summer K. Mersinger, “Dissenting Statement of Commissioner Summer K. Mersinger Regarding Enforcement Actions Against: 1) bZeroX, LLC, Tom Bean, and Kyle Kistner; and 2) Ooki DAO” (Sept. 22, 2022), https://www.cftc.gov/PressRoom/SpeechesTestimony/mersingerstatement092222 (“While I do not condone individuals or entities blatantly violating the CEA or our rules, we cannot arbitrarily decide who is accountable for those violations based on an unsupported legal theory amounting to regulation by enforcement while federal and state policy is developing.”); Summer K. Mersinger, “Dissenting Statement of Commissioner Summer K. Mersinger Regarding Settlement with Uniswap Labs” (Sept. 4, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/mersingerstatement090424 (“Regulation through enforcement is at best a band-aid. At some point, the Commission must engage in a rulemaking process around DeFi and consider our role in promoting responsible innovation for the future of the U.S. derivatives markets.”); Summer K. Mersinger, “Concurring Statement of Commissioner Summer K. Mersinger Regarding Settlement with Trafigura Trading LLC” (June 17, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/mersingerstatement061724 (“For the past seven years, neither the Commission nor its staff has issued any advisory, guidance, frequently asked questions (“FAQs”), or any other statement informing the public of how it interprets Regulation 165.19(b). By failing to do so, and instead enforcing Regulation 165.19(b) beyond its textual bounds, the Commission engages in a textbook case of “regulation by enforcement,” which I have repeatedly opposed.”).
22 Consent Order for Permanent Injunction, CFTC v. Cartu et al., 20-CV-908-RP (W.D. Tex. Aug. 29, 2023).
23 See, Caroline D. Pham, CFTC, “Dissenting Statement of Commissioner Caroline D. Pham on CTA Interpretation in an Enforcement Action” (Aug. 29, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement092324 (“The CEA and CFTC regulations do not require every record of every business activity to be preserved.”).
24 Id.
25 Id. (“Such a broad proclamation is the act of kings, not of a free democracy.”). See also, Caroline D. Pham, “Statement of Commissioner Caroline D. Pham on SEC v. Wahi” (July 21, 2022), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement072122 (“The case SEC v. Wahi is a striking example of ‘regulation by enforcement’ . . . Regulatory clarity comes from being out in the open, not in the dark.”); Caroline D. Pham, “Statement of Commissioner Caroline D. Pham on Self-Reporting and Cooperation Credit in Enforcement Actions” (Aug. 19, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement081924 (“It has been my observation that most of the CFTC’s improper changes in the interpretation of decades-old CFTC regulations in violation of the Administrative Procedure Act due to the lack of a rational basis, reasoned decision-making, and public notice-and-comment—namely, regulation by enforcement—is because of unclear roles and responsibilities among CFTC divisions.”).
26 Brady Dale, The Big Moments in Biden’s Crypto Crackdown, AXIOS (Nov. 5, 2024), https://www.axios.com/2024/11/05/crypto-crackdown-biden-fdic (suggesting that the Biden administration has “been using its powers to stymie” the cryptocurrency industry).
27 Jay Dubow, et al., SEC Continues to regulate Cryptocurrency through Record-High Enforcement Efforts, Law.com (Nov. 13, 2024), https://www.law.com/thelegalintelligencer/2024/02/26/sec-continues-to-regulate-cryptocurrency-through-record-high-enforcement-efforts/ (“SEC ramped up its cryptocurrency enforcement efforts in 2023 to a record high.”).
28 MacKenzie Sigalos, Here’s What Trump Promised the Crypto Industry Ahead of the Election, CNBC (Nov. 6, 2024), https://www.cnbc.com/2024/11/06/trump-claims-presidential-win-here-is-what-he-promised-the-crypto-industry-ahead-of-the-election.html.
29 Mauricio Di Bartolomeo, Trump’s Top 3 Bitcoin Promises and Their Implications, Forbes (Nov. 7, 2024), https://www.forbes.com/sites/mauriciodibartolomeo/2024/11/07/trumps-top-3-bitcoin-promises-and-their-implications/.
30 See, e.g., CFTC, 2018 Annual Report at 5, (Nov. 2018) (“The story of virtual currency is also one about new technology. And it is a story about the need for robust enforcement to ensure technological development isn’t undermined by the few who might seek to capitalize on this development for an unlawful gain . . . through work across the Commission, as exemplified by the work of LabCFTC, our Commission has demonstrated its continued commitment to facilitating market enhancing innovation in the financial technology space.”). See also, CFTC, CFTC 2.0, https://www.cftc.gov/LabCFTC/CFTC2_0/index.htm (last accessed Dec. 28, 2024) (“CFTC 2.0 is intended to provide the agency opportunities to engage with new technologies to discover ideas and technologies that have the potential to improve the effectiveness and efficiency of the agency in carrying out its day-to-day activities. At the same time, CFTC 2.0 provides an opportunity for outreach to fintech innovators.”).
31 Token Alliance, Understanding Digital Tokens: Market Overviews and Proposed Guidelines for Policy Makers and Practitioners, GitHub, Aug. 21, 2018, at 2, 4 https://github.com/ChamberDigital/Token-Guidelines/blob/master/media/Token-Alliance-Whitepaper.pdf (“The Token Alliance is an industry-led initiative of the Chamber of Digital Commerce, developed to be a key resource for the emerging industry surrounding the generation and distribution of tokens using blockchain technology.”).
32 Donald J. Trump, Truth Social (Dec. 4, 2024), https://truthsocial.com/@realDonaldTrump/113595807734621827.
33 CFTC, “CFTC Imposes $250,000 Penalty Against bZeroX, LLC and Its Founders and Charges Successor Ooki DAO for Offering Illegal, Off-Exchange Digital-Asset Trading, Registration Violations, and Failing to Comply with Bank Secrecy Act,” Release No. 8590-22 (Sept. 22, 2022), https://www.cftc.gov/PressRoom/PressReleases/8590-22.
34 CFTC, “CFTC Issues Orders Against Operators of Three DeFi Protocols for Offering Illegal Digital Asset Derivatives Trading,” Release No. 8774-23 (Sept. 7, 2023), https://www.cftc.gov/PressRoom/PressReleases/8774-23.
35 Summer K. Mersinger, “Dissenting Statement of Commissioner Summer K. Mersinger Regarding Enforcement Actions Against: 1) Opyn, Inc.; 2) Deridex, Inc.; and 3) ZeroEx, Inc.” (Sept. 7, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/mersingerstatement090723.
36 CFTC, “CFTC Issues Order Against Uniswap Labs for Offering Illegal Digital Asset Derivatives Trading”, Release No. 8961-24 (Sept. 4, 2024), https://www.cftc.gov/PressRoom/PressReleases/8961-24.
37 Summer K. Mersinger, “Dissenting Statement of Commissioner Summer K. Mersinger Regarding Settlement with Uniswap Labs” (Sept. 4, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/mersingerstatement090424 (“Through this settlement, the Commission appears to be taking the position that any DeFi platform could be liable for any and all conduct occurring on its protocol. The practical effect of this approach is to severely chill the launching of any DeFi protocol within the United States and to significantly increase the odds that all DeFi innovation and economic activity will occur elsewhere.”).
38 Caroline D. Pham, CFTC, “Dissenting Statement of Commissioner Caroline D. Pham on DeFi Enforcement Action Involving Uniswap Protocol” (Sept. 4, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement090424.

QUOTEWIZARD LOSES AGAIN: Court Denies Company’s Effort to Re-Open Discovery to Defend Itself in Massive Certified Class Action

One of the most important things for TCPA class action defense attorneys to keep in mind is the CRITICAL importance of keeping discovery open after certification.
I have seen so many cases recently where Troutman Amin, LLP has been brought in to take over a case only to find that previous counsel has agreed to a schedule with all discovery closing before class certification is sought.
That is absolutely insane in my opinion.
And here’s an example of why that is.
As TCPAWorld readers well know QuoteWizard is facing MASSIVE exposure in a certified TCPA class action out in Massachusetts.
As if the situation weren’t bad enough already, QuoteWizard apparently allowed discovery to close before certification was sought.
As a result Plaintiff moved for certification on a revised class definition that QuoteWizard had never seen– terrible, but it happens all the time which is why moving to strike errant class definitions from the pleadings is so critical and assuring discovery remains open past certification is necessary.
Once the Plaintiff actually revealed the class, however, QuoteWizard realized it needed additional information from class members it didn’t have.
So last month it asked the court to re-open discovery so it could send some questions to class members to learn about their claims (QuoteWizard cannot unilaterally contact members of the class after certification because they are technically represented by Class Counsel.)
QuoteWizard wanted to ask class members the following:

Interrogatory No. 1: Have you ever made or received calls, texts, app-based messages (e.g., Teams, Discord, Slack), or emails, or attended virtual meetings (e.g., Zoom, Teams), on your cellular telephone related to your occupation or business?
Interrogatory No. 2: Have you ever used your cellular telephone for any purpose other than personal use? If so, please describe how you have used for cellular telephone for purposes other than personal use.
Interrogatory No. 3: Has an employer ever contributed in whole or in part to your cellular telephone bill or have you ever claimed a tax deduction related to your cellular telephone bill as a business expense?
Interrogatory No. 4: Have you ever signed up to receive insurance comparison information or insurance quotes and been contacted by QuoteWizard as a result of that request?
Interrogatory No. 5: Have you ever received text messages from QuoteWizard? If so, how many text messages have you received from QuoteWizard and when?

Well last week the Court denied QuoteWizard’s efforts reasoning that the discovery should have been conducted during the discovery phase:
Defendant could have (1) sought this information during discovery, or (2) upon receiving the expert report from Plaintiff in September 2023. Defendant did neither. Instead, Defendant elected to litigate other discovery issues and class certification before deciding to seek to reopen discovery. 
Eesh.
Think ahead folks.
NEVER let discovery close before certification has been decided.
We will, of course, keep an eye on QuoteWizard and see if it survives this class action.

POINT OF SALE SORROW: Circle K Must Face Trial in TCPA Suit Involving Suggestive Confirmation Texts Following POS SMS Club Opt In

We spend a lot of time on this website discussing the dangers inherent in third-party lead generation, but not enough time is spent on the dangers of more basic processes to obtain consumer opt-in.
For instance, even the fairly reliable practice of having consumers enter phone numbers to opt in to text clubs as part of a point of sale transaction has its TCPA risks.
Consider the case of Abboud v. Circle K, 2025 WL 307039 (D. Az. Jan. 27, 2025).
There a consumer sued Circle K alleging she was receiving text club notifications for a Tobacco club that she never signed up for.
Circle K responded by filing summary judgment arguing that the phone number at issue was provided on a POS screen with a disclosure and a call to action explaining that by providing the phone number the customer would receive a discount on products in exchange for signing up for the text club.
The POS submission was apparently followed by a double opt in where a message was sent to the number and the person with the handset responded “yes” to confirm their intention to subscribe to the text club.
Here are the messages it sent:

“Circle K: Reply ‘YES’ to Sign Up to receive special offers via txt message. Msg & Data rates may apply. Txt ‘STOP’ to Opt-Out. 855-276-1947.”
“Circle K: Reply ‘YES’ to get offers via txt. Go to myck.site/k2KmEU, Age-verify 18/21+ offers. Msg & Data rates may apply. Txt ‘STOP’ to Opt-Out. 855-276-1947.”
“Circle K: Reply ‘YES’ to get offers via txt. Go to myck.site/Qb9PtF, Age-verify 18/21+ offers. Msg & Data rates may apply. Txt ‘STOP’ to Opt-Out. 855-276-1947.”

Pretty clean right?
Well, not really. Watch.
The Plaintiff contended she never provided her number on the POS display to begin with. So when Circle K thereafter sent three separate requests that the consumer confirm the opt in to complete the process she turned around and sued for TCPA violations.
Circle K raised three arguments against Plaintiff’s claims.
First it argued the messages were not actually marketing because they were merely intended to confirm a transaction. The Court rejected this argument, however, and determined Circle K’s intent must be sent to the jury to decide. That is, a jury might decide Circle K was intentionally marketing to consumers using its opt in message since the opt in included the words “offer” and “special offers”:
“[H]ad merely stated “Circle K, reply yes to confirm the receipt of future text messages,” they would not run afoul of the TCPA. But that is not what the text messages said. Defendant made a discretionary choice to add additional verbiage to the text messages that went beyond confirming the recipient’s consent to receive future messages.”
Wow.
The Court also had little problem finding Circle K could not rely on somebody else’s consent to send messages to the Plaintiff. That issue was determined conclusively by the Ninth Circuit Court of Appeals some time ago and is rarely raised these days. And since Circle K could not prove it was Plaintiff that actually provided her phone number–as opposed to some other customer that may have entered an incorrect phone number– that issue, too, is headed to the jury.
Defendant also lost on the “established business relationship” defense because it had no evidence Plaintiff had shopped at Circle K within 18 months of the texts at issue. And an established business relationship with the customer providing the number was insufficient– the relationship must be with the party receiving the messages.
So Circle K now must face potentially massive exposure in a TCPA class action because, in essence, every person on the DNC list it sent a confirmation text to that did not opt in might be a wrong number recipient– and have a claim for violation of the TCPA’s DNC rules.
Crazy. But also, seemingly the right result.
Pretty clear takeaways here:

Businesses should NEVER include advertising content in a SMS opt-in confirmation message. I know there is sometimes pressure to do so but it must be resisted! This is especially true as the carriers essentially require double opt-ins for recurring messages–so the scale of risk a company may face if they get this wrong can be simply enormous;
Although this is a wrong number case keep in mind that recurring text clubs can generate massive risk from recycled numbers– numbers that change hands without the business knowing. The TCPA imposes strict liability for all wrong numbers–as Circle K just learned. Protecting yourself by using the Reassigned Numbers Database to detect numbers that change hands over time is critical;
Keep in mind that just because a consumer provides a phone number on a POS that does not mean that the consent process is lock solid. Again, consumers fat finger numbers all the time–and sometimes intentionally enter errant numbers. Consider linking POS transactions to identifiable transactions– i.e. limiting POS opt-in displays to credit card transactions as opposed to cash payments. This may help prove a link between the consumer you are texting and the person in the store. (Then again it may just prove you texted the wrong person… so watch out.)
Notice Circle K could still have won this case if it could prove Plaintiff had visited one of its stores and made a purchase over the last 6 months. The EBR rule is quite powerful for DNC claims. Apparently Circle K had no such evidence, however, and fell back on arguing it had an EBR with the customer in its store that day. But that doesn’t help.

Appreciate you all.

To Disclose or Not to Disclose (and How Much) – That is the Question

U.S. Bank to pay multi-million-dollar settlement for failing to fully disclose cybersecurity incident.
The decision-making process involved in disclosing a cyber incident is a nuanced and delicate dance. Companies need to consider a myriad of factors, including when to disclose and how much detail to disclose to employees, customers, or regulators, such as the Securities and Exchange Commission (“SEC”). 
A New York bank was recently forced to pay over $3.5 million to settle allegations that it minimized the extent of a cybersecurity incident in its SEC filings and public notices to customers. According to the SEC, the bank was negligent in making “materially misleading statements” regarding a cybersecurity incident involving the bank’s network between November 22, 2021 and December 25, 2021.
According to the SEC’s Order Instituting Cease-And-Desist Proceedings, the incident resulted in “the encryption of data, network disruptions, and the exfiltration of the personally identifiable information (‘PII’) of approximately 1.5 million individuals, including customers, on December 3 and 4, 2021.” Specifically, a threat actor obtained “unauthorized access to [the bank]’s platform that enabled users to access [bank] applications and desktops remotely […], obtained credentials that enabled the threat actor to deploy ransomware that caused encryption on approximately 30% of [the bank]’s work stations and servers, and exfiltrated data, including customer PII, from its network.” The incident also impacted the bank’s “ability to originate, service, and close loans,” leading to the bank being forced to shut down its network for several hours, rebuild or restore servers, and reset passwords for employees. The bank was also forced to make a ransom payment in exchange for the threat actor’s promise to allow the bank to delete the exfiltrated data.
The SEC determined that the bank’s 2021 Form 10-K statement was materially misleading as the bank knew that at the time it was filed the bank had already experienced a cybersecurity attack that resulted in the exfiltration of the sensitive data of customers and employees, and had also interrupted the bank’s operations. From the SEC’s perspective, the 2021 Form 10-K statements characterized the cybersecurity attack as a hypothetical, when in fact it was not a hypothetical situation.
Additionally, the SEC found that the bank’s Customer Website Notice and 2022 Form 10-Q were misleading. The bank’s Customer Website Notice represented that there was only unauthorized access to the bank’s network; however, at the time the notice was released, the bank was aware that the “threat actor exfiltrated the PII of approximately 1.5 million individuals from [the bank’s] network.”
Further, when the bank filed its 2022 Form 10-Q, it stated that it had only “recently experienced a cyber incident that involved unauthorized access to our network and other customer data.” In both the Customer Website Notice and the 2022 Form 10-Q, the SEC again found that the bank misrepresented the extent of the incident. It failed to include details on the scope or consequence of the incident, particularly with regard to its awareness that exfiltration occurred, and it failed to disclose that fact to customers.
Due to these misstatements and omissions, the SEC found that the bank violated Section 17(a)(2) of the Securities Act and Section 13(a) of the Exchange Act and Rules 12b-20, 13a-1, 13a-13 and 13a-15 resulting in the payment to the SEC.
What Went Wrong?
In the wake of a cyber incident, deciding when, how, and how much information to share can be difficult, and waiting until a crisis happens before formulating a response can exacerbate an already challenging situation. Plans should be developed and updated regularly to address all foreseeable areas of impact – including, of course, SEC filings. Involving legal, communications, and compliance resources, whether internal or external, becomes particularly critical when regulatory disclosures come into play.
Proactive Steps To Take – Regardless of Your Industry
Cybercrime is one of the most prevalent forms of fraud, regardless of industry, and companies should consider taking the following steps to prevent both cyber incidents and SEC reporting missteps:

Ensure the company maintains robust cybersecurity measures to protect PII and financial information
Ensure that only authorized personnel have access to sensitive data
Regularly review and update cybersecurity policies and procedures
Stay current on latest fraud trends and prevention techniques (such as AI)
Provide adequate cybersecurity incident training
Maintain clear lines of communication between the communications and legal teams
Develop and update a clear process to fully identify and comply with all applicable regulatory requirements, including a clear process to properly inform the disclosure process to ensure factual and legal accuracy

Key Takeaways
If nothing else, the recent settlement demonstrates the importance of understanding regulatory expectations when faced with a cybersecurity incident. It is critical that companies immediately investigate the root cause and impact of the incident, determine whether exfiltration has occurred, analyze the company’s reporting obligations to regulators, individuals, and customers, and quickly determine the information necessary to disclose in a Form 10-Q, 10-K, or 8-K. Companies must review their incident response plans and protocols proactively and ensure that their executive leadership and incident response teams know how to respond, including having a robust disclosure process.

CFPB Examinations Highlight Fair Lending Risks in Credit Scoring Models

Amid recent technological advances in artificial intelligence and machine learning, on January 17, 2025, the CFPB issued its Winter 2025 Supervisory Highlights: Advanced Technologies Special Edition. This edition of Supervisory Highlights delivers critical industry reminders regarding the balance between regulatory requirements and technological innovation. As an appropriate summation of the CFPB’s overarching worldview, the opening sentence of the Supervisory Highlights explains that “[t]here is no ‘advanced technology’ exception to Federal consumer financial laws.”
In the Supervisory Highlights, the CFPB highlighted instances where credit scoring models used by credit card lenders and auto lenders may result in violations of the Equal Credit Opportunity Act (ECOA) and its implementing Regulation B. For instance, recent CFPB examinations identified disparities in applicant outcomes resulting from the use of credit scoring models in underwriting and pricing credit card applications. The CFPB found disproportionately negative outcomes for protected groups across multiple card products, and critically, examiners suggested that the development or implementation protocols of credit scoring models contributed to the disparities.
According to the Supervisory Highlights, to challenge a disparate impact claim, a financial institution must establish a legitimate business need for a neutral policy or practice that has an adverse impact on a member of a protected class that cannot reasonably be achieved by means that are less disparate in their impact (see 12 CFR Part 1002 Supp. I Sec. 1002.6(a)-2). Here, CFPB analysts identified potential alternative credit scoring models that meaningfully reduced disparities while maintaining comparable predictive performance, suggesting that there may be appropriate and less discriminatory alternative credit scoring models that would meet an institution’s legitimate business needs.
The CFPB’s examiners also noted that financial institutions failed to have adequate compliance management systems (CMS) capable of identifying and addressing these types of fair lending risks. To address these concerns, examiners directed institutions to develop enhanced testing protocols to identify less discriminatory alternative credit models. Examiners required institutions to not only test their credit scoring models but, in the event that testing revealed prohibited basis disparities, to document the specific business needs their credit scoring models serve.
Additionally, in a continuation of a multi-year trend in its messaging, the CFPB also reminded institutions that using “black box” algorithms does not exempt them from providing an applicant with a statement of specific reason(s) for an adverse action as required under ECOA and Regulation B. Examiners found that certain institutions did not sufficiently ensure compliance with adverse action notice requirements and directed the institutions to test the methodologies used to identify principal reasons in adverse action notices.
This special edition of Supervisory Highlights underscores the need for the industry to balance technological innovation with robust compliance frameworks — keeping in mind the impact of any technological advances on existing fair lending laws. To navigate the regulatory landscape, financial institutions should regularly assess their use of artificial intelligence and machine learning models to ensure compliance with applicable laws, including ECOA and Regulation B, and should perform adequate testing to ensure ongoing compliance.

SOLE CRUSHING: Shoe Company Hit with TCPA Complaint

Hey TCPAWorld!
It’s been several days and I’m still shell-shocked from one-to-one consent being stayed by the FCC. In some parallel universe, the rule goes into effect and the 11th Circuit doesn’t vacate the FCC’s order. Alas, here we are—business as usual with another TCPA complaint update.
This week, we’re covering a complaint filed against Easy Spirit, LLC, a footwear company specializing in comfortable and affordable shoes for women.
In WILSON v. EASY SPIRIT, LLC, No. 3:25-CV-00112-SFR (D. Conn. Jan. 22, 2025), Wilson (“Plaintiff”) alleges that even though Plaintiff has been listed on the National Do-Not-Call Registry (“DNCR”) for over 30 days, Easy Spirit, LLC (“Defendant”) delivered over a dozen text messages to Plaintiff’s residential number, including on nine separate days between December 19, 2024 and January 7, 2025, among others. One example reads:
EASY SPIRIT: End 2024 in style with an extra 40% OFF sale! Shop now: https://ltrk.co/EBYVIH

Id. at ¶ 13. Due to these accusations, Plaintiff filed a Complaint in the District of Connecticut alleging Defendant violated the DNC provisions, 47 U.S.C. § 227(c)(5) and 47 C.F.R. § 64.1200(c)(2), by delivering telemarketing messages to Plaintiff, while Plaintiff was listed on the DNCR.
Plaintiff seeks to represent the following class:
National DNC Class: All persons throughout the United States (1) who did not provide their telephone number to Easy Spirit, LLC, (2) to whom Easy Spirit, LLC delivered, or caused to be delivered, more than one voice message or text message within a 12-month period, promoting Easy Spirit, LLC goods or services, (3) where the person’s residential or cellular telephone number had been registered with the National Do Not Call Registry for at least thirty days before Easy Spirit, LLC delivered, or caused to be delivered, at least two of the voice messages or text messages within the 12-month period, (4) within four years preceding the date of this complaint and through the date of class certification.

Id. at ¶ 21.
One-to-one consent was stayed. DNC provisions are alive and well. The new revocation rule—which requires revocation requests to be honored within a reasonable timeframe, not exceeding 10 business days— is scheduled to take effect on April 11, 2025.