U.S. Treasury Department’s Final Rule on Outbound Investment Takes Effect
On January 2, 2025, the U.S. Department of the Treasury’s Final Rule on outbound investment screening became effective. The Final Rule implements Executive Order 14105 issued by former President Biden on August 9, 2023, and aims to protect U.S. national security by restricting covered U.S. investments in certain advanced technology sectors in countries of concern. Covered transactions with a completion date on or after January 2, 2025, are subject to the Final Rule, including the prohibition and notification requirements, as applicable.
The Final Rule targets technologies and products in the semiconductor and microelectronics, quantum information technologies, and artificial intelligence (AI) sectors that may impact U.S. national security. It prohibits certain transactions and requires notification of certain other transactions in those technologies and products. The Final Rule has two primary components:
Notifiable Transactions: A requirement that notification of certain covered transactions involving both a U.S. person and a “covered foreign person” (including but not limited to a person of a country of concern engaged in “covered activities” related to certain technologies and products) be provided to the Treasury Department. A U.S. person subject to the notification requirement is required to file on Treasury’s Outbound Investment Security Program website by specified deadlines. The Final Rule includes the detailed information and certification required in the notification and a 10-year record retention period for filing and supporting information.
Prohibited Transaction: A prohibition on certain U.S. person investments in a covered foreign person that is engaged in a more sensitive sub-set of activities involving identified technologies and products. A U.S. person is required to take all reasonable steps to prohibit and prevent its controlled foreign entity from undertaking transaction that would be a prohibited transaction if undertaken by a U.S. person. The Final Rule contains a list of factors that the Treasury Department would consider whether the relevant U.S. person took all reasonable steps.
The Final Rule focuses on investments in “countries of concern,” which currently include only the People’s Republic of China, including Hong Kong and Macau. The Final Rule targets U.S. investments in Chinese companies involved in the following three sensitive technologies sub-sets: semiconductor and microelectronics, quantum information technologies and artificial intelligence. The Final Rule sets forth prohibited and notifiable transactions in each of the three sectors:
Semiconductors and Microelectronics
Prohibited: Covered transactions relating to certain electronic design automation software, fabrication or advanced packaging tools, advanced packaging techniques, and the design and fabrication of certain advanced integrated circuits and supercomputers.
Notifiable: Covered transactions relating to the design, fabrication and packaging of integrated circuits not covered by the prohibited transactions.
Quantum Information Technologies
All Prohibited: Covered transactions involving the development of quantum computers and production of critical components, the development or production of certain quantum sensing platforms, and the development or production of quantum networking and quantum communication systems.
Artificial Intelligence (AI) Systems
Prohibited:
Covered transactions relating to AI systems designed exclusively for or intended to be used for military, government intelligence or mass surveillance end uses.
Covered transactions relating to development of any AI system that is trained using a quantity of computing power meeting certain technical specifications and/or using primarily biological sequence data.
Notifiable: Covered transactions involving AI systems designed or intended to be used for cybersecurity applications, digital forensics tools, penetration testing tools, control of robotic systems or that trained using a quantity of computing power meeting certain technical specifications.
The Final Rule specifically defines the key terms “country of concern,” “U.S. person,” “controlled foreign entity,” “covered activity,” “covered foreign person,” “knowledge” and “covered transaction” and other related terms and sets forth the prohibitions and notification requirements in line with the national security objectives stated in the Executive Order. The Final Rule also provides a list of transactions that are excepted from such requirements.
U.S. investors intending to invest in China, particularly in the sensitive sectors set forth above, should carefully review the Final Rule and conduct robust due diligence to determine whether a proposed transaction would be covered by the Final Rule (either prohibited or notifiable) before undertaking any such transaction.
Any person subject to U.S. jurisdiction may face substantial civil and/or criminal penalties for violation or attempted violation of the Final Rule, including civil fines of up to $368,137 per violation (adjusted annually for inflation) or twice the amount of the transaction, whichever is greater, and/or criminal penalties up to $1 million or 20 years in prison for willful violations. In addition, the Secretary of the Treasury can take any authorized action to nullify, void, or otherwise require divestment of any prohibited transaction.
OR AG Issues Guidance Regarding OR State Laws and AI
On December 24, 2024, the Oregon Attorney General published AI guidance, “What you should know about how Oregon’s laws may affect your company’s use of Artificial Intelligence,” (the “Guidance”) that clarifies how existing Oregon consumer protection, privacy and anti-discrimination laws apply to AI tools. Through various examples, the Guidance highlights key themes such as privacy, accountability and transparency, and provides insight into “core concerns,” including bias and discrimination.
Consumer Protection – Oregon’s Unlawful Trade Practice Act (“UTPA”)
The Guidance emphasizes that misrepresentations, even when they are not directly made to the consumer, may be actionable under the UTPA, and an AI developer or deployer may be “liable to downstream consumers for the harm its products cause.” The Guidance provides a non-exhaustive list of examples that may constitute violations of the UTPA, such as:
failing to disclose any known material defect or nonconformity when delivering an AI product;
misrepresenting that an AI product has characteristics, uses, benefits or qualities that it does not have;
using AI to misrepresent that real estate, goods or services have certain characteristics, uses, benefits or qualities (e.g., a developer or deployer using a chatbot while falsely representing that it is human);
using AI to make false or misleading representations about price reductions (e.g., using AI generated ads or emails indicating “limited time” or “flash sale” when a similar discount is offered year-round);
using AI to set excessively high prices during an emergency;
using an AI-generated voice as part of a robocall campaign to misrepresent or falsify certain information, such as the caller’s identity and the purpose of the call; and
leveraging AI to use unconscionable tactics regarding the sale, rental or disposal of real estate, goods or services, or collecting or enforcing an obligation (e.g., knowingly taking advantage of a consumer’s ignorance or knowingly permitting a consumer to enter into a transaction that does not materially benefit them).
Data Privacy – Oregon Consumer Protection Act (“OCPA”)
In addition, the Guidance notes that developers, suppliers and users of AI may be subject to OCPA, given generative AI systems ingest a significant amount of words, images and other content that often consists of personal data. Key takeaways from the Guidance regarding OCPA include:
developers that use personal data to train AI systems must clearly disclose that they do so in an accessible and clear privacy notice;
if personal data includes any categories of sensitive data, entities must first obtain explicit consent from consumers before using the data to develop or train AI models;
if the developer purchases or uses another data’s company for model training, the developer may be considered a “controller” under OCPA, and therefore must comply with the same standards as the company that initially collected the data;
data suppliers and developers are prohibited from “retroactively or passively” altering privacy notices or terms of use to legitimatize the use of previously collected personal data to train AI models, and instead are required to obtain affirmative consent for any secondary or new uses of that data;
developers and users of AI must provide a mechanism for consumers to withdraw previously-given consent (and if the consent is revoked, stop processing the data within 15 days of receiving the revocation);
entities subject to OCPA must consider how to account for specific consumer rights when using AI models, including a consumer’s right to (1) opt-out of the use of profiling in decisions that have legal or similarly significant effects (e.g., housing, education or lending) and (2) request the deletion of their personal data; and
in connection with OCPA’s requirement to conduct data protection assessments for certain processing activities, due to the complexity of generative AI models and proprietary data and algorithms, entities “should be aware that feeding consumer data into AI models and processing it in connection with these models likely poses heightened risks to consumers.”
Data Security – Oregon Consumer Information Protection Act
The Guidance clarifies that AI developers (as well as their data suppliers and users) that “own, license, maintain, store, manage, collect, acquire or otherwise possess” personal information also must comply with the Oregon Consumer Information Protection Act, which requires businesses to safeguard personal information and implement an information security program that meets specific requirements. The Guidance also notes that to the extent there is a security breach, AI developers, data suppliers and users may be required to notify consumers and the Oregon Attorney General.
Anti-Discrimination – Oregon Equality Act
The Guidance explains that AI systems that “utilize discretionary inputs or produce biased outcomes that harm individuals based on protected characteristics” may trigger the Oregon Equality Act. The law prohibits discrimination based on race, color, religion, sex, sexual orientation, gender identity, national origin, marital status, age or disability, including in connection with housing and public accommodations. The Guidance also includes an illustrative example regarding how the law applies to the use of AI. Specifically, the Guidance notes that a rental management company’s use of an AI mortgage approval system that consistently denies loans to qualified applicants based on certain neighborhoods or ethnic backgrounds because the AI system was trained on historically biased data may be considered a violation of the law.
Crypto in the Courts: Five Cases Reshaping Digital Asset Regulation in 2025
There has rarely been a larger or more widely distributed financial market that existed in a more uncertain regulatory context than cryptocurrencies and decentralized finance (DeFi) at the start of 2025. In the past several years, the regulatory status of this asset class in the United States has been at the center of a concerted effort by the US Securities Exchange Commission (SEC) to apply the regime applicable to securities to diverse crypto instruments and methods of exchange and transfer. (Although the Commodity Futures Trading Commission (CFTC) has also consistently enforced its regulations on products it deems to be commodities, that effort has not led to the widespread litigation that is likely to define the regulatory status of these products.)
The SEC’s effort is now in jeopardy. As we begin 2025, the legal landscape surrounding digital assets stands at a critical inflection point, with several watershed cases poised to reshape how these assets will be governed, traded, and regulated in the United States. The convergence of these cases — spanning securities law, administrative procedure and federalism — presents opportunities to clarify how traditional legal frameworks apply to digital assets. Further, the Trump administration has promised that it will be a “pro-crypto” administration — driving the SEC towards a friendlier stance with the cryptocurrency industry and having cryptocurrency rules and regulations “written by people who love [the] industry, not hate [the] industry”1 — and that the United States will become the “crypto capital of the world.”2 President Donald Trump has nominated Paul Atkins, a former SEC Commissioner, to become the next SEC chairperson, stating in his announcement that Mr. Atkins “recognizes that digital assets & other innovations are crucial to Making America Greater than Ever Before.”3 The Trump administration’s announced intention to change the course of cryptocurrency regulation and the selection of an SEC chairperson who is an avowed advocate for innovation through blockchain technologies raise questions about the future of the pending litigation at the center of this industry.
This article examines five cases that may define the future of digital asset regulation in the United States and sets out the issues at stake in those cases. These cases are the Second Circuit’s review of SEC v. Ripple Labs, Inc., the interlocutory appeal in SEC v. Coinbase, Inc., and three cases representing the industry’s shift toward offensive litigation against federal agencies — Blockchain Association v. IRS, Bitnomial Exchange, LLC v. SEC, and Kentucky et al. v. SEC. The purpose of this article is not to predict how those cases will progress — that determination is going to lie in the hands of the courts and policymakers — but rather to make clear what is at stake, especially in light of an anticipated shift in regulatory priorities regarding digital assets with the Trump administration, which could decide to no longer support the government’s positions in these cases.
SEC v. Ripple Labs, Inc. (2d Cir.)
The SEC’s appeal in SEC v. Ripple Labs, Inc. follows a July 2023 ruling in the Southern District of New York that began when the SEC charged Ripple Labs, Inc. (Ripple) with conducting an unregistered securities offering through sales of its XRP token. The SEC argued that the offer and sale of XRP tokens constituted an offer and sale of investment contracts under SEC v. W.J. Howey, which provides that an “investment contract” is a contract, transaction, or scheme whereby a person: (1) “invests his money” (2) “in a common enterprise” and (3) “is led to expect profits solely from the efforts of the promoter or a third party.”4 In response, Ripple advanced an “essential ingredients test,” arguing that in addition to the three-part Howey test, investment contracts must also contain “essential ingredients”: (1) “a contract between a promoter and an investor that establishe[s] the investor’s rights as to an investment,” which contract (2) “impose[s] post-sale obligations on the promoter to take specific actions for the investor’s benefit” and (3) “grant[s] the investor a right to share in profits from the promoter’s efforts to generate a return on the use of investor funds.”5
The district court, in its July 2023 ruling, rejected Ripple’s novel “essential ingredients” test, noting that “in the more than seventy-five years of securities law jurisprudence after Howey, courts have found the existence of an investment contract even in the absence of Defendants’ ‘essential ingredients,’ including in recent digital asset cases in this District.”6 Nevertheless, the district court found that, while Ripple’s institutional sales violated securities laws, the company’s programmatic sales (sales of XRP on digital asset exchanges) and other distributions (such as employee compensation and third-party development incentives) did not constitute securities offerings — marking the first major setback to the SEC’s digital asset enforcement initiative.7 Crucially, the district court distinguished between XRP sales based on their economic reality: institutional sales to sophisticated buyers under written contracts were deemed securities transactions because buyers reasonably expected profits from Ripple’s efforts, while programmatic sales on exchanges were not because buyers could not know they were purchasing from Ripple. The court also found that other distributions failed to meet the basic requirements of an “investment of money” since recipients did not provide payment to Ripple.
The SEC filed a notice of appeal on October 4, 2024, and Ripple has cross-appealed. This will likely be the first appellate court to consider how Howey applies to digital assets unless the Trump administration determines to freeze the litigation.8 The SEC filed its appellate brief on January 15, 2025, arguing that the district court erred in concluding that programmatic sales to retail investors were not offers or sales of investment contracts under Howey because “investors were led to expect profits” based on the efforts of Ripple.9 The SEC also argued that other distributions of XRP were also offers or sales of investment contracts because Ripple the “recipients provided tangible and definable consideration in return for Ripple’s XRP.”10 Ripple will likely challenge whether digital assets are ever securities under the Howey framework.
The SEC maintains that the district court’s decision “conflicts with decades of Supreme Court precedent and securities laws.”11 If the SEC persists in this appeal, it will likely be the first appellate court to consider how Howey applies to particular types of primary sales of digital assets and, more broadly, how securities laws are to be applied to the digital asset economy. The appeal’s resolution will provide important clarity on how federal securities laws apply to various types of primary sales of digital assets.
SEC v. Coinbase, Inc. (2d Cir.)
On January 7, 2025, a Southern District of New York court granted Coinbase Inc.’s motion to certify for interlocutory appeal the court’s March 2024 order denying in substantial part Coinbase’s motion for judgment on the pleadings.12 The certification permits the Second Circuit to address Howey’s reach and application to digital assets, particularly in secondary market transactions.
The case arose from the SEC’s June 2023 enforcement action, alleging that Coinbase operated as an unregistered national securities exchange, broker and clearing agency by intermediating transactions in 13 digital assets that the SEC claimed were investment contracts and, thus, securities. The district court in March 2024 rejected Coinbase’s argument that cryptoasset transactions could not be investment contracts absent post-sale contractual obligations between issuers and purchasers.13
In granting Coinbase’s motion to certify for interlocutory appeal, the court found that the case presents a “controlling question of law regarding the reach and application of Howey to cryptoassets, about which there is substantial ground for difference of opinion.”14 In particular, the court emphasized that applying Howey to cryptocurrencies “is itself a difficult legal issue of first impression for the Second Circuit” and questioned the adequacy of the SEC’s application of Howey to secondary market sales.15
The grant of interlocutory appeal is significant for several reasons. First, it creates parallel tracks of appellate review in the Second Circuit, as the SEC’s appeal in Ripple Labs will also be pending. Both cases will allow the Second Circuit to examine how Howey applies to digital assets but from different procedural postures — Ripple Labs on final judgment and Coinbase on interlocutory appeal from a motion for judgment on the pleadings.
Second, the interlocutory appeal addresses a fundamental split in the Southern District of New York regarding whether and how Howey applies to secondary market transactions of digital assets. Judge Torres in Ripple Labs drew a distinction between Ripple’s institutional sales, which satisfied Howey, and programmatic sales (i.e., blind bid-ask transactions on exchanges), which did not. In contrast, Judge Rakoff in SEC v. Terraform Labs and Judge Failla in Coinbase declined to differentiate based on the manner of sale, finding that Howey could apply equally to secondary market transactions.16 The Second Circuit’s resolution of this split will have profound implications for all regulatory disputes relating to digital asset trading platforms, as the designation as a security triggers the application of the securities laws for all participants in the industry, including issuers, traders, and trading platforms.
Third, the appeal will address the novel question of how a digital asset’s “ecosystem” factors in the Howey analysis. The district court in Coinbase found that, unlike traditional commodities, cryptoassets lack inherent value absent their digital ecosystem — a distinction that helped justify treating them as securities.17 However, the district court also recognized in its certification of its appeal that Coinbase raised “substantial ground” to dispute this view of the ecosystem, noting Coinbase’s argument that other commodities such as carbon credits, emissions allowances and expired Taylor Swift concert tickets similarly have no inherent value outside of the ecosystem in which they are issued or consumed.18 The Second Circuit’s treatment of this issue could influence how other courts analyze a wide range of digital assets.
The implications for the digital asset industry are substantial. Coinbase represents the largest US digital asset exchange, and the SEC’s theory would subject most major trading platforms to securities regulation. Resolution of the interlocutory appeal could, therefore, provide crucial guidance on whether and when trading platforms must register with the SEC.
Blockchain Association et al. v. IRS (N.D. Tex.)
On December 27, 2024, three blockchain industry organizations filed suit in the Northern District of Texas, challenging Department of the Treasury (Treasury) regulations that would impose “broker” reporting requirements on DeFi participants.19 The case represents a significant test of Treasury’s authority to regulate the digital asset industry through information reporting requirements.
The challenged regulations implement provisions of the Infrastructure Investment and Jobs Act of 2021 requiring certain digital asset brokers to report transaction information to the Internal Revenue Service (IRS) on Form 1099-DA. The plaintiffs argue that Treasury’s interpretation of who qualifies as a “broker” exceeds its statutory authority. While Congress defined brokers as persons who “effectuate transfers of digital assets” for consideration, Treasury regulations extend to anyone providing “facilitative services” who theoretically could request customer information — potentially including software developers, front-end interface providers and other technology participants who never take custody of assets or directly execute trades.
The complaint raises several significant challenges under the Administrative Procedure Act (APA) and the US Constitution. The plaintiffs argue that the regulations are arbitrary and capricious, violating the APA by failing to engage in reasoned decision-making and ignoring substantial evidence about the practical impossibility of compliance for many DeFi participants. They also contend that the rules violate the Fourth Amendment by compelling warrantless collection of private information and the Fifth Amendment’s due process requirements through unconstitutionally vague standards for determining who qualifies as a broker.
The case has significant implications for the DeFi industry’s future in the United States. According to the IRS’s calculations, compliance with the regulations would cost the industry over $260 billion annually — a potentially existential burden for many DeFi projects. The plaintiffs argue this would force US-based DeFi participants to either relocate overseas, cease operations or fundamentally alter their business models in ways that undermine decentralization.
The case is part of a recent trend of offensive litigation by the cryptocurrency industry against federal agencies, as the industry increasingly turns to the courts to challenge perceived regulatory overreach. In doing so, litigants can at least initially select the venue of these proceedings, subject to the restrictions of the Federal Rules of Civil Procedure. Venue selection can be critical as certain courts in Texas, and the Fifth Circuit itself, have recently expressed criticism of expansive agency authority. In November 2024, the Northern District of Texas vacated the SEC’s rulemaking, expanding the definition of “dealer” under the Securities Exchange Act of 1934 (Exchange Act).20 The same month, the Fifth Circuit reversed a decision wherein Treasury imposed sanctions on Tornado Cash, a cryptocurrency software protocol that conceals the origins and destinations of digital asset transfers.21 The case remains in its early stages, as the government has yet to respond to the complaint.
Bitnomial Exchange, LLC v. SEC (N. D. Ill.)
Bitnomial Exchange, LLC v. SEC marks a notable offensive litigation against the SEC, with a futures exchange regulated by the CFTC directly challenging the SEC’s authority to regulate a cryptoasset security futures product.22 Filed in October 2024 in the Northern District of Illinois, the case stems from Bitnomial’s attempt to list XRP futures contracts after completing the CFTC’s self-certification process. The complaint seeks both a declaratory judgment that XRP futures are not security futures under the Exchange Act and injunctive relief to prevent SEC oversight of these products.
Bitnomial argues that the SEC has created an impossible regulatory situation by taking the view that XRP futures constitute security futures, requiring both registration of the underlying asset (XRP) as a security and Bitnomial’s registration as a national securities exchange. The exchange contends this position is legally untenable, particularly given the court’s ruling in SEC v. Ripple Labs, Inc. that “XRP, as a digital token, is not in and of itself a ‘contract, transaction[,] or scheme’ that embodies the Howey requirements of an investment contract,” and that anonymous secondary market sales of XRP do not constitute investment contracts.23
According to the complaint, even if Bitnomial were to accept the SEC’s position that XRP futures are security futures, compliance would be impossible because XRP itself is not registered as a security with the SEC — a prerequisite for listing single stock security futures under current regulations. Moreover, Bitnomial, as a trading venue rather than the issuer, lacks the authority to register XRP as a security.
The outcome of the litigation could have far-reaching implications for how digital asset futures products are regulated and traded in the United States. A ruling in Bitnomial’s favor would reinforce the CFTC’s exclusive jurisdiction over non-security futures products and potentially clear the way for other futures exchanges to list similar products. Conversely, if the SEC prevails, it could effectively prevent the listing of futures contracts on many digital assets, as the vast majority of digital assets are not registered as a security with the SEC and cannot be registered by the exchanges seeking to list futures on them. As cases are litigated across jurisdictions, there is also the possibility of a split in how federal circuits view secondary transfers of digital assets.
Kentucky et al. v. SEC (E. D. Ky.)
In November 2024, 18 states and a blockchain industry association filed a lawsuit against the SEC in the Eastern District of Kentucky, challenging the agency’s authority to regulate digital asset trading platforms as securities exchanges. The case, which remains in its initial stages, challenges the SEC’s assertion of regulatory authority over digital asset trading platforms, arguing that the agency’s approach improperly preempts state money transmitter laws and interferes with state unclaimed property regimes that many states have specifically adapted for digital assets.
The states detail how they have developed specific regulatory frameworks for crypto businesses, including licensing requirements and consumer protection measures. Under the SEC’s interpretation that most digital asset transactions constitute securities transactions, platforms facilitating these transactions would be required to register as securities exchanges, brokers or dealers. The states argue that this interpretation would effectively nullify their respective regulatory regimes, as the Exchange Act prohibits states from imposing certain requirements — including licensing and bonding requirements — on entities that qualify as securities brokers or dealers. For example, states such as Kentucky have issued guidance stating that transmitters of digital assets are money transmitters under state law. Still, this classification would be preempted if these entities must register with the SEC as securities intermediaries.
This case could help resolve a key question underlying several ongoing SEC enforcement actions against major crypto exchanges: whether secondary market transactions in digital assets on trading platforms constitute securities transactions subject to SEC oversight. A ruling that such transactions fall outside the SEC’s authority could undermine the agency’s enforcement strategy against these platforms. On the other hand, a decision upholding the SEC’s interpretation could strengthen the agency’s positions in these enforcement actions and potentially impact other trading platforms currently operating in the United States.
The timing of the lawsuit, filed just days after the 2024 presidential election, adds another layer of complexity to the litigation.
Conclusion
The five cases examined above will help define the coming shift in digital asset litigation under the new Trump administration. While the Second Circuit’s consideration of Ripple Labs and Coinbase will determine whether the manner of sale creates meaningful distinctions under Howey, the industry-led cases signal an equally important development: the emergence of coordinated challenges to agency authority. The Blockchain Association’s challenge to Treasury’s broker regulations, Bitnomial’s challenge to the SEC’s claim of authority over CFTC-regulated futures products, and 18 states’ defense of their regulatory frameworks collectively represent sophisticated attempts to define and limit federal oversight of digital assets.
The resolution of these cases, coupled with the anticipated regulatory shifts under the new administration, could fundamentally alter the landscape for digital asset innovation in the United States. Market participants should closely monitor these developments as they may significantly impact operational strategies and regulatory obligations in the digital asset space.
1 MacKenzie Sigalos, Here’s What Trump Promised the Crypto Industry Ahead of the Election, CNBC (Nov. 6, 2024), https://www.cnbc.com/2024/11/06/trump-claims-presidential-win-here-is-what-he-promised-the-crypto-industry-ahead-of-the-election.html.
2 Mauricio Di Bartolomeo, Trump’s Top 3 Bitcoin Promises and Their Implications, Forbes (Nov. 7, 2024), https://www.forbes.com/sites/mauriciodibartolomeo/2024/11/07/trumps-top-3-bitcoin-promises-and-their-implications/.
3 Rafael Nam, Trump Picks Crypto Backer Paul Atkins as New Securities and Exchange Commission Chair, NPR (Dec. 4, 2024), https://www.npr.org/2024/12/04/g-s1-36803/trump-crypto-paul-atkins-sec-chair.
4 SEC v. W.J. Howey, 328 U.S. 293 (1946).
5 SEC. v. Ripple Labs, Inc., 682 F. Supp. 3d 308, 322 (S.D.N.Y. July 13, 2023).
6 Id.
7 Id.
8 Hanna Lang and Chris Prentice, Trump’s New SEC Leadership Poised to Kick Start Crypto Overhaul, Sources Say, Reuters (Jan. 15, 2025), https://www.reuters.com/world/us/trumps-new-sec-leadership-poised-kick-start-crypto-overhaul-sources-say-2025-01-15/ (noting top Republican official at the SEC are “reviewing some crypto enforcement cases pending in the courts.”).
9 Brief for SEC at 27-28, SEC v. Ripple, No. 24-2648 (2d Cir. Jan. 15, 2025) (“Ripple publicly promised that it would create a rising tide that would lift the price of XRP for all investors, whether having purchased from Ripple, its affiliates, or a third party.”).
10 Id. at 49-50 (citing Intl. Teamsters v. Daniel, 439 U.S. 551, 560 n. 12 (1979) for the proposition that an “investment of money” under Howey includes “goods and services” so long as the investor provides “some tangible and definable consideration.”).
11 Nikhilesh De, SEC Files Notice of Appeal in Case Against Ripple (Oct. 2, 2024), CoinDesk, https://www.coindesk.com/policy/2024/10/02/sec-files-notice-of-appeal-in-case-against-ripple.
12 SEC v. Coinbase, Inc., No. 1:23-cv-04738-KPF (S.D.N.Y. Jan. 7, 2025).
13 SEC v. Coinbase, Inc., 726 F. Supp. 3d 260 (S.D.N.Y. Mar. 27, 2024).
14 Supra note 9 at 12.
15 Id. at 26.
16 SEC v. Terraform Labs Pte. Ltd., 684 F. Supp. 3d 170, 197 (S.D.N.Y. July 31, 2023) (“It may also be mentioned that the Court declines to draw a distinction between these coins based on their manner of sale, such that coins sold directly to institutional investors are considered securities and those sold through secondary market transactions to retail investors are not.”); Coinbase, Inc., 726 F. Supp. 3d at 293 (“Contrary to Defendants’ assertion, whether a particular transaction in a crypto-asset amounts to an investment contract does not necessarily turn on whether an investor bought tokens directly from an issuer or, instead, in a secondary market transaction.”).
17 Coinbase, Inc., 726 F. Supp. 3d at 295.
18 Coinbase, Inc., No. 1:23-cv-04738-KPF at *28.
19 Blockchain Ass’n et al. v. IRS, No. 3:24-cv-03259-X (N.D. Tex. Dec. 27, 2024).
20 See Nat’l Ass’n of Private Fund Managers et al. v. SEC, No. 4:24-cv-00250 (N.D. Tex. Nov. 21, 2024); Crypto Freedom All. of Tex. et al. v. SEC, No. 4:24-cv-00361 (N.D. Tex. Nov. 21, 2024).
21 See Van Loon v. Department of the Treasury, No. 23-50669 (5th Cir. 2024).
22 Bitnomial Exch., LLC v. SEC, No. 1:24-cv-09904 (N.D. Ill. Oct. 10, 2024).
23 Ripple Labs, Inc., 682 F. Supp. 3d at 324 (S.D.N.Y. July 13, 2023).
Yawara Ng also contributed to this article.
WELL THAT WAS NICE: Democratic FCC Commissioner “Welcome[s]” The Opportunity to Work with Olivia Trusty
So last week now-President Trump suggested he would nominate Olivia Trusty to serve as the fifth FCC commissioner and return the FCC to full strength.
We did a profile review of her last week and came to the conclusion she was really well qualified for the role.
Well apparently Democratic FCC Commissioner Anna M. Gomez is of the same mindset. Her office released a short statement on Thursday reading as follows:
“Congratulations to Olivia Trusty on the President-Elect’s announcement of his intent to nominate her as Commissioner of the Federal Communications Commission. She is widely respected, a consummate professional, and has a strong background on communications policy. I welcome the opportunity to work with her.”
Well look at that– a democrat welcoming a republican with open arms. Maybe there is hope for this country afterall.
Olivia Trusty’s nomination is looking pretty good from everything I have seen or heard. Will keep an eye on it.
DORA Takes Effect: Key Next Steps for Firms
After a two-year implementation period, the EU Digital Operational Resilience Act (DORA) takes effect on 17 January 2025.
DORA is part of the EU’s Digital Finance Package and aims to strengthen the financial sector’s ability to withstand and recover from operational disruption.
Despite DORA coming into effect, many financial entities and information communication and technology (ICT) third-party service providers (TPPs) continue to work towards DORA compliance.
Following 17 January 2025, financial entities will need to, among other things:
continue negotiating DORA-compliant contractual arrangements with TPPs to ensure such arrangements include the minimum contractual provisions set out in DORA;
establish and maintain their registers of information related to their ICT services, and engage with their national competent authorities (NCAs) on the delivery of such information ahead of the deadline for the first submission of these registers by NCAs to the European Supervisory Authorities (ESAs) on 30 April 2025;
monitor the adoption of the remaining technical standards on the subcontracting of ICT services and threat-led penetration testing as well as the publication of other DORA-related materials such as the highly anticipated guidance on the scope of ICT services;
enhance legacy ICT systems and infrastructure or integrate them with new systems to assist with the implementation of DORA’s requirements;
engage across multiple internal departments to avoid siloed efforts, miscommunication and/or gaps in compliance implementation, and ensure that the organisation is appropriately staffed to deal with ongoing DORA obligations;
prepare for engagement with NCAs who will play a key role in the supervision and enforcement of DORA; and
monitor the ESAs designation of TPPs as “critical” and determine any impact that such a designation may have on them where they utilise such a provider.
For further information on developments regarding DORA, please see our recent article (available here).
FTC Surveillance Pricing Study Uncovers Personal Data Used to Set Individualized Consumer Prices
The Federal Trade Commission’s initial findings from its surveillance pricing market study revealed that details like a person’s precise location or browser history can be frequently used to target individual consumers with different prices for the same goods and services.
The staff perspective is based on an examination of documents obtained by FTC staff’s 6(b) orders sent to several companies in July aiming to better understand the “shadowy market that third-party intermediaries use to set individualized prices for products and services based on consumers’ characteristics and behaviors, like location, demographics, browsing patterns and shopping history.”
Staff found that consumer behaviors ranging from mouse movements on a webpage to the type of products that consumers leave unpurchased in an online shopping cart can be tracked and used by retailers to tailor consumer pricing.
“Initial staff findings show that retailers frequently use people’s personal information to set targeted, tailored prices for goods and services—from a person’s location and demographics, down to their mouse movements on a webpage,” said FTC Chair Lina M. Khan. “The FTC should continue to investigate surveillance pricing practices because Americans deserve to know how their private data is being used to set the prices they pay and whether firms are charging different people different prices for the same good or service.”
The FTC’s study of the 6(b) documents is still ongoing. The staff perspective is based on an initial analysis of documents provided by Mastercard, Accenture, PROS, Bloomreach, Revionics and McKinsey & Co.
The FTC’s 6(b) study focuses on intermediary firms, which are the middlemen hired by retailers that can algorithmically tweak and target their prices. Instead of a price or promotion being a static feature of a product, the same product could have a different price or promotion based on a variety of inputs—including consumer-related data and their behaviors and preferences, the location, time, and channels by which a consumer buys the product, according to the perspective.
The agency will only release information obtained from a 6(b) study as long as all data has been aggregated or anonymized to protect confidential trade secrets from company respondents, and therefore the staff perspective only includes hypothetical examples of surveillance pricing.
The staff perspective found that some 6(b) respondents can determine individualized and different pricing and discounts based on granular consumer data, like a cosmetics company targeting promotions to specific skin types and skin tones. The perspective also found that the intermediaries the FTC examined can show higher priced products based on consumers’ search and purchase activity.
As one hypothetical outlined, a consumer who is profiled as a new parent may intentionally be shown higher priced baby thermometers on the first page of their search results.
The FTC staff found that the intermediaries worked with at least 250 clients that sell goods or services ranging from grocery stores to apparel retailers. The FTC found that widespread adoption of this practice may fundamentally upend how consumers buy products and how companies compete.
As the FTC continues its work in this area, it issued a request for information seeking public comment on consumers’ experiences with surveillance pricing. The RFI also asked for comments from businesses about whether surveillance pricing tools can lead to competitors gaining an unfair advantage, and whether gig workers or employees have been impacted by the use of surveillance pricing to determine their compensation.
The Commission voted 3-2 to allow staff to issue the report. Commissioners Andrew Ferguson and Melissa Holyoak issued a dissenting statement related to the release of the initial research summaries.
The FTC has additional resources on the interim findings, including a blog post advocating for further engagement with this issue, an issue spotlight with more background and research on surveillance pricing and research summaries based on the staff review and initial insights of 6(b) study documents.
CFPB Proposes Roadmap For States to Continue Regulatory Activity
The Consumer Financial Protection Bureau (CFPB) released a comprehensive report today, outlining detailed recommendations to strengthen state-level consumer protection laws and address modern risks in consumer financial markets. The CFPB also provided a compendium of guidance documents summarizing its enforcement strategies and regulatory insights, designed to serve as a resource for state lawmakers and regulators.
The report identifies areas of growing concerns such as increased market concentration, misuse of consumer data for targeted advertising, and the proliferation of junk fees, all of which necessitate stronger consumer protections to ensure fair competition and transparency.
Key recommendations from the report include:
Adopting the “abusive” standard: States are encouraged to incorporate the prohibition of “abusive” acts or practices into their statutes, a concept central to the CFPB’s enforcement under the Consumer Financial Protection Act (CFPA). This standard addresses harmful tactics such as dark patterns, excessive reliance on consumer misunderstanding, and exploitation of unequal bargaining power, without requiring proof of consumer harm. (See discussion on CFPB’s Policy Statement on Abusiveness here).
Removing barriers to effective enforcement: The CFPB recommends that states grant their attorneys general broad investigative powers, including pre-suit subpoenas, and the authority to pursue equitable relief, punitive damages, and revocation of corporate charters for egregious violators. States are also urged to establish consumer restitution funds, modeled after the CFPB’s Civil Penalty Fund, to compensate victims when offenders cannot.
Cracking down on junk fees: The CFPB advocates for explicit bans on hidden and misleading fees that obscure the true cost of goods or services, and on price-gouging tactics that exploit captive consumers. For example, it suggests requiring businesses to prominently disclose total prices upfront and prohibiting fees for services reasonably expected to be included in the advertised cost. (See discussion on the CFPB’s crackdown on junk fees here, here, here and here).
Enhancing consumer data privacy: The CFPB encourages states to create enforceable rights for consumers, including the ability to delete, correct, and control the use of their personal data. It also recommends prohibiting the sale of sensitive data to third-party brokers and limiting the use of such data for targeted advertising or discriminatory pricing practices. (See discussion on states’ consumer privacy legislative efforts here and here).
The CFPB also recommends that states eliminate burdensome proof requirements that hinder enforcement, such as the need to prove monetary injury or consumer reliance on misleading claims. Additionally, the Bureau urges states to expand consumer protection laws to safeguard small businesses and to allow private causes of action, enabling individuals to hold violators accountable through direct litigation.
Additionally, the CFPB’s report highlights its strong partnerships with state regulators, which have significantly bolstered enforcement and consumer protection capabilities.
Putting It Into Practice: The CFPB’s report includes specific model language recommended by the CFPB, such as definitions of “abusive” practices and provisions to address junk fees, which can provide a helpful starting point for lawmakers drafting or revising consumer protection statutes. With more tools, resources, and collaborative frameworks than in the past, Bureau leadership is hoping that state regulatory bodies are likely better equipped now to continue fill in the potential regulatory gap resulting from a new administration.
Listen to this post
Trade Group Calls for Clarity on Ohio Fintech Guidance
On January 14, 2025, the American Fintech Council (AFC) submitted a letter to the Ohio Department of Financial Institutions, urging it to re-examine its recent guidance on responsible bank partnerships and provide more clarity. The guidance, which outlines expectations for banks partnering with fintech companies, raised concerns among industry participants regarding its potential impact on innovation and competition in financial services.
The AFC’s letter stressed the need for clear guidance to ensure a balanced approach that protects consumers and supports innovation and competition within financial services. In particular, the AFC is seeking more detail on how banks should conduct due diligence on their fintech partners, what data privacy and security standards should be applied to these partnerships, and how consumer complaints should be handled.
The AFC highlighted the following areas where it believes additional clarity is needed:
Due Diligence Expectations. The letter seeks clarity on the specific due diligence requirements for banks partnering with fintech companies. This includes outlining the scope of due diligence reviews, the factors banks should consider when assessing fintech partners, and the documentation required to demonstrate compliance.
Data Privacy and Security. The AFC also seeks clarification on data privacy and security standards to ensure fintech partnerships adequately protect consumer information. This includes specifying the data security measures banks and fintech companies must implement, the protocols for data sharing and transfer, and the requirements for notifying consumers in case of a data breach.
Complaint Handling. Additionally, the AFC requested more detailed guidance on how banks and fintech companies should collaboratively handle consumer complaints related to their partnerships. This includes outlining the roles and responsibilities of each party in responding to complaints, the timelines for resolution, and the escalation procedures for unresolved issues.
Industry participants have expressed concerns that the current guidance lacks specificity and could lead to inconsistent interpretations and enforcement. This uncertainty may discourage banks from partnering with fintech companies, potentially stifling innovation and limiting consumer access to new financial products and services. The AFC argues that clearer guidance will foster a more predictable regulatory environment, promoting responsible partnerships while also encouraging continued growth in the fintech sector.
Putting It Into Practice: This development highlights the ongoing tension between fostering innovation in financial services and ensuring adequate consumer protection. Federal and state agencies continue to step up enforcement against bank-fintech partnerships and clarify existing rules and regulations (previously discussed here and here). While states like Ohio seek to provide guidance for bank-fintech partnerships, striking the right balance between encouraging growth and mitigating risks remains a challenge. Banks and fintechs alike should review their compliance obligations to ensure alignment with applicable federal and state standards.
Listen to this post
CFPB Proposes Interpretive Rule on Emerging Payment Mechanisms Under EFTA
On January 2, 2025, the Consumer Financial Protection Bureau (CFPB) proposed an interpretive rule under the Electronic Fund Transfer Act (EFTA) and Regulation E to clarify how emerging payment systems, such as those used in video games, esports betting, and the use of stablecoin, fit within the existing regulatory framework. According to the Bureau, their actions are part of a broader effort to ensure that companies offering these types of “financial products” have mechanisms in place to protect consumers against hacking attempts, account theft, scams, and unauthorized transactions. It is the CFPB’s belief that absent these protections, consumers may face challenges vindicating their rights in the event of unauthorized transfers or errors.
Key Highlights of the Proposed Rule
Under the interpretive rule, the CFPB would expand EFTA/Regulation E protections to in-game transactions in video games, esports betting, and transactions involving stablecoins. The proposal builds on the Bureau’s research and input from stakeholders, touching on the following notable areas:
Defining “Funds”:
The proposed interpretive rule would define the term “funds” to include assets that are used like money which include “stablecoins, as well as any other similarly-situated fungible assets that either operate as a medium of exchange or as a means of paying for goods or services.” Accordingly, it is intended to include widely held cryptocurrencies and stablecoins, as well as in-game virtual currencies that can be easily exchanged back to U.S. dollars. Notably, the Bureau states that what constitutes “funds” is a “fact-specific” inquiry and would not necessarily encompass funds that cannot be used to make payments or cannot be readily exchanged into fiat currency. (We previously discussed stablecoins here).
Defining “Accounts”:
The term “account” is defined in EFTA to encompass demand deposit accounts, prepaid accounts, and other consumer asset accounts established for personal, family, or household purposes.
The proposed rule adds that (i) digital currency wallets used to buy goods and services or facilitate peer-to-peer transfers, (ii) gaming accounts used to purchase virtual items from multiple game developers or players, and (iii) credit card rewards points accounts where consumers can buy points that can be used to purchase goods from multiple merchants may also fall under this category.
Market participants subject to EFTA must comply with certain error resolution and unauthorized transfer liability protections under Regulation E. Companies newly subject to EFTA under the proposed rule may be required to provide clear disclosures regarding EFT services, including fees, transfer limits, and error-resolution procedures.
Request for Information on Privacy Issues
Separate from the interpretive rule, the CFPB also issued a Request for Information Regarding the Collection, Use, and Monetization of Consumer Payment and Other Personal Financial Data to better understand how gaming companies offer financial products and collect and use consumer data. The purpose of the RFI is to assess whether the Bureau should consider changes to Regulation P, the rule that implements the privacy protections under the Gramm-Leach-Bliley Act. When it comes to the monetization of consumer data, both the CFPB and the FTC have been relatively active in this space, focused on how Big Tech companies monetize consumer data. Related to the Bureau’s Request for Information, the Bureau also published a blog last week asking video gamers and parents to share their experiences with gaming assets and transactions.
Putting It Into Practice: EFTA and Regulation E contain exceptions for certain securities or commodities transactions. These exceptions include any transfer of funds primarily purposed to buy or sell a security or commodity if, among other things, the security or commodity is regulated by the Securities and Exchange Commission (SEC) or the Commodity Futures Trading Commission (CFTC). It remains to be seen to what extent digital currencies will be regulated under the SEC as securities or under the CFTC as commodities. Should certain virtual currencies be classified and regulated as securities or commodities, subject transactions could be exempted from EFTA requirements.
Listen to this post
Lead Generation One-to-One TCPA Consent Rule and Marketing Contract Considerations
The FCC’s new rule requiring one-to-one consent becomes effective January 27, 2025. Much has been made about the myriad nuances those in the lead generation ecosystem must attend to in order to comply with the new rule. However, an often overlooked aspect of the new rule involves required and diligent contracting practices associated therewith.
In addition to revising and auditing websites and consent forms associated with sellers and callers obtaining lawful prior express written consent to contact consumers via regulated technologies (about products and services logically and topically associated with the website), in order to ensure compliance with the new rule sellers and callers should consult with an experienced TCPA compliance attorney in order to ensure that contracts with lead generators and purchasers contain all appropriate and necessary representations and warranties.
For example and without limitation, data collection, restrictions on the use of data and one-to-one consent obligations. Enforceable indemnity and defense provisions (e.g., compliance with applicable legal regulations, adherence to contractual warranties, etc.), along with insurance coverage provisions may also be advisable.
Recordkeeping requirements and obligations should also be squarely addressed in contracts, including, but not limited to, properly maintaining and securing copies of consumer contact information and consent language in compliance with the new rule and the Telemarketing Sales Rule.
Written marketing contracts, particularly in the lead generation world, should be diligently drafted and negotiated in order to satisfy applicable legal regulatory standards and minimize liability exposure. Incorporating one-to-one consent considerations is but one issue to consider. Without limitation, recordkeeping, use and transfer of data, indemnification, insurance, data privacy, data ownership, representations and warranties, liabilities and disputes should also be meaningfully addressed.
SCOTUS Upholds TikTok Ban: Implications for Digital Marketing and Emerging Platforms
The United States Supreme Court unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act (the “Act”) – more commonly referred to as the TikTok Ban – and rejected TikTok’s arguments that the Act violated the First Amendment. While the ultimate fate of TikTok’s U.S. operations remains uncertain, the Supreme Court’s ruling has clear implications for digital content and marketing professionals and their selection of platform strategies going forward.
In a per curiam opinion published today, the Supreme Court recognized its long-standing tradition of exercising caution when deciding cases that involve “new technologies with transformative capabilities[,]” and resolved the narrow question of the tension between the First Amendment and the potential risks associated with foreign adversary control over data collection from U.S. citizens. The Act makes it unlawful for any entity to provide certain services to “distribute, maintain, or update” a “foreign adversary controlled application” in the United States, which explicitly meant TikTok and its parent company, ByteDance Ltd. The Supreme Court also acknowledged that the Act applies to any application that is both “(1) operated by a ‘covered company’ that is ’controlled by a foreign adversary,’ ” which is any country subject to the reporting requirements of 10 U.S.C. § 4872 – which currently includes China, Russia, Iran, and North Korea – and “ ’(2) determined by the President to present a significant threat to the national security of the United States,’ following a public notice and reporting process.”
Noting the “striking bipartisan support” for the Act, the Supreme Court’s narrow decision reflects a growing concern among policymakers and courts regarding the national security implications of foreign-owned technology companies operating in the United States. Beyond the immediate impact on TikTok and its users, this ruling has broader implications for the tech industry and the relationship between the U.S. government and foreign-owned companies. It signals a willingness by the Court to uphold government restrictions on technology companies, particularly those with ties to countries considered foreign adversaries when national security concerns can be credibly invoked. Since the Act identified TikTok by name, it is just the first company to be subject to the ban; however, the Act provides a broader framework that could apply to other platforms operating in the United States. Indeed, the popular trend of U.S. TikTok users migrating to another Chinese app, RedNote, could very well implicate the Act.
Marketing and advertising stakeholders should particularly take note of today’s Supreme Court decision because of a challenge built into the Act: While content creators and marketers benefit from being early adopters of emerging platforms, including international platforms, the Act comes into play when an application reaches a critical mass of more than 1,000,000 monthly active users. In other words, the Act adds another layer of complexity for content creators as they consider building their presence and following on new applications. Once an application becomes sufficiently popular, it could be shut down if it is deemed controlled by a foreign adversary. Likewise, marketing and advertising agencies should more carefully scrutinize the risk that a platform could be shut down under the Act, frustrating ongoing agreements or campaigns.
Out with a Bang: President Biden Ends Final Week in Office with Three AI Actions — AI: The Washington Report
President Biden’s final week in office included three AI actions — a new rule on chip and AI model export controls, an executive order on AI infrastructure and data centers, and an executive order on cybersecurity.
On Monday, the Department of Commerce issued a rule on responsible AI diffusion limiting chip and AI model exports made to certain countries of concern. The rule is particularly aimed at curbing US AI technology exports to China and includes exceptions for US allies.
On Tuesday, President Biden signed an executive order (EO) on AI infrastructure, which directs agencies to lease federal sites for the development of large-scale AI data centers.
On Thursday, Biden signed an EO on cybersecurity, which directs the federal government to strengthen its cybersecurity systems and implement more rigorous requirements for software providers and other third-party contractors.
The actions come just days before President-elect Trump begins his second term. Yet, it remains an open question whether President Trump, who has previously supported chip export controls and data center investments, will keep these actions in place or undo them.
In its final week, the Biden administration issued three final actions on AI, capping off the administration that took the first steps toward creating a government response to AI. On Monday, the Biden administration announced a rule on responsible AI diffusion through chip and AI model export controls, which limit such exports to certain foreign countries. On Tuesday, President Biden signed an Executive Order (EO) on Advancing United States Leadership in Artificial Intelligence Infrastructure, which directs agencies to lease federal sites for the development of AI data centers. And on Thursday, Biden signed an Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity, which directs the federal government to strengthen its cybersecurity operations.
The new AI actions come just days before President-elect Trump takes the White House. What Trump decides to do with Biden’s new and old AI actions, as we discuss below, may provide the first indication of the direction of his second administration’s approach to AI.
Rule on Responsible Diffusion of Advanced AI Technology
On Monday, the Department of Commerce’s Bureau of Industry and Security announced a sweeping rule on export controls on chips and AI models, which requires licenses for exports of the most advanced chips and AI models. The rule aims to allow US companies to export advanced chips and AI models to global allies while also preventing the diffusion of those technologies, either directly or through an intermediary, into countries of concern, including China and Russia.
“To enhance U.S. national security and economic strength, it is essential that we do not offshore [AI] and that the world’s AI runs on American rails,” according to a White House fact sheet. “It is important to work with AI companies and foreign governments to put in place critical security and trust standards as they build out their AI ecosystems.”
The rule divides countries into three categories, with different levels of export controls and licensing requirements for each category based on their risk level:
Eighteen (18) close allies can receive a license exception. Close allies are “jurisdictions with robust technology protection regimes and technology ecosystems aligned with the national security and foreign policy interests of the United States.” They include Australia, Belgium, Canada, Denmark, Finland, France, Germany, Ireland, Italy, Japan, Netherlands, New Zealand, Norway, South Korea, Spain, Sweden, Taiwan, and the United Kingdom.
Countries of concern, including China and Russia, must receive a license to export chips. A “presumption of denial” will apply to license applications from these countries.
All other countries are allowed to apply for a license, and “license applications will be reviewed under a presumption of approval.” But after a certain number of chips are exported, certain restrictions will apply for these countries.
The rule’s export controls fall into four categories depending on the country, its security standards, and the types of chips being exported.
Orders for chips of up to 1,700 advanced GPUs “do not require a license and do not count against national chip caps.”
Entities headquartered in close allies can obtain “Universal Verified End User” (UVEU) status by meeting high security and trust standards. With this status, these countries “can then place up to 7% of their global AI computational capacity in countries around the world — likely amounting to hundreds of thousands of chips.”
Entities not headquartered in a country of concern can obtain “National Verified End User” status by meeting the same high security and trust standards, “enabling them to purchase computational power equivalent to up to 320,000 advanced GPUs over the next two years.”
Entities not headquartered in a close ally and without VEU status “can still purchase large amounts of computational power, up to the equivalent of 50,000 advanced GPUs per country.”
The rule also includes specific export restrictions and licensing requirements for AI models.
Advanced Closed-Weight AI Models: A license is required to export any closed-weight AI model —“i.e., a model with weights that are not published” — “that has been trained on more than 1026 computational power.” Applications for these licenses will be reviewed under a presumption of denial policy “to ensure that the licensing process consistently accounts for the risks associated with the most advanced AI models.”
Open-Weight AI Models: The rule does “not [impose] controls on the model weights of open-weight models,” the most advanced of which “are currently less powerful than the most advanced closed-weight models.”
The new chip export controls build on previous export controls from 2022 and 2023, which we previously covered.
Executive Order on AI Infrastructure
On Tuesday, Biden signed an Executive Order on Advancing United States Leadership in Artificial Intelligence Infrastructure. The EO directs the Department of Defense and Department of Energy to lease federal sites to the private sector for the development of gigawatt-scale AI data centers that adhere to certain clean energy standards.
“These efforts also will help position America to lead the world in clean energy deployment… This renewed partnership between the government and industry will ensure that the United States will continue to lead the age of AI,” President Biden said in a statement.
The EO requires the Secretary of Defense and Secretary of Energy to identify three sites for AI data centers by February 28, 2025. Developers that build on these sites “will be required to bring online sufficient clean energy generation resources to match the full electricity needs of their data centers, consistent with applicable law.”
The EO also directs agencies “to expedite the processing of permits and approvals required for the construction and operation of AI infrastructure on Federal sites.” The Department of Energy will work to develop and upgrade transmission lines around the new sites and “facilitate [the] interconnection of AI infrastructure to the electric grid.”
Private developers of AI data centers on federal sites are also subject to numerous lease obligations, including paying for the full cost of building and maintaining AI infrastructure and data centers, adhering to lab security and labor standards, and procuring certain clean energy generation resources.
Executive Order on Cybersecurity
On Thursday, President Biden signed an Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity. The EO directs the federal government to strengthen the cybersecurity of its federal systems and adopt more rigorous security and transparency standards for software providers and other third-party contractors. It directs various agencies — with some deadlines as soon as 30 days from the EO’s issuance — to evaluate their cybersecurity systems, launch cybersecurity pilot programs, and implement strengthened cybersecurity practices, including for communication and identity management systems.
The EO also aims to integrate AI into government cybersecurity operations. The EO directs the Secretary of Energy to launch a pilot program “on the use of AI to enhance the cyber defense of critical infrastructure in the energy sector.” Within 150 days of the EO, various agencies shall also “prioritize funding for their respective programs that encourage the development of large-scale, labeled datasets needed to make progress on cyber defense research.” Also, within 150 days of the EO, various agencies shall pursue research on a number of AI topics, including “human-AI interaction methods to assist defensive cyber analysis” and “methods for designing secure AI systems.”
The Fate of President Biden’s AI Actions Under a Trump Administration?
It remains an open question whether Biden’s new AI infrastructure EO, cybersecurity EO, and chip export control rule will survive intact, be modified, or be eliminated under the Trump administration, which begins on Monday. What Trump decides to do with the new export control rule, in particular, may signal the direction of his administration’s approach to AI. Trump may keep the export controls due to his stated commitment to win the AI race against China, or he may get rid of them or tone them down out of concerns that they overly burden US AI innovation and business.