A New Era for Crypto Regulation & Innovation? The Crypto Executive Order, a Rebooted SEC Crypto Task Force & the Journey Ahead
Recent regulatory developments in the crypto asset and financial technology space suggest that US regulators may be shifting toward a more balanced approach — one that prioritizes clearer regulations while fostering innovation over a more enforcement-driven strategy. President Trump’s recent executive order on this topic reshapes the Biden administration’s approach to crypto assets by eliminating many of the prior administration’s policies on crypto and establishing the President’s Working Group on Digital Asset Markets (Working Group). Acting US Securities and Exchange Commission (SEC) Chairman Mark Uyeda has relaunched the SEC’s Crypto Task Force, appointing Commissioner Hester Peirce to lead its efforts and set its objectives. The SEC has also moved to roll back problematic accounting guidance and pause certain enforcement actions against major crypto companies. Other key regulators, including the Commodity Futures Trading Commission (CFTC) and the Office of the Comptroller of the Currency (OCC), have yet to take similar steps. However, the president recently nominated Brian Quintenz to lead the CFTC, and Jonathan Gould to head the OCC, both of whom have substantial crypto experience. Taken together, these developments may signal a long-awaited shift toward regulatory clarity for crypto that balances innovation and investor protection.
If these developments are received favorably by the industry, we anticipate more investment and new entrants in the crypto asset space. In particular, we can expect additional research & development and new innovations by both start-ups and existing enterprises. Past cycles have brought a race to develop valuable technology and stake out intellectual property rights to capture the value represented by those innovations.
The Trump Administration’s Executive Order on Crypto Assets
On January 23, 2025, President Trump issued an executive order titled “Strengthening American Leadership in Digital Financial Technology,” which establishes a new framework for crypto asset policy. The order revokes prior executive order 14067 and the Department of the Treasury’s “Framework for International Engagement on Digital Assets,” effectively reversing the prior administration’s approach to crypto regulation. The Trump administration’s policy suggests a preference for open public blockchain networks, opposes the creation of a US central bank digital currency (CBDC) or the recognition of CBDCs issued by other countries, and seeks to provide regulatory certainty through better-defined jurisdictional boundaries.
The executive order also created the President’s Working Group on Digital Asset Markets, chaired by David Sacks as the Special Advisor for AI and Crypto. The Working Group’s mandate is to develop a federal regulatory framework governing crypto assets, including stablecoins, and to evaluate the potential creation and maintenance of a national crypto asset stockpile. They are tasked with submitting a report to the president within 180 days recommending regulatory and legislative proposals that advance the policies established in the executive order.
Federal agencies, including the SEC and CFTC, also must now review and potentially rescind previous regulatory guidance that conflicts with this new direction. Additionally, the Working Group will evaluate the feasibility of a national crypto asset reserve derived from lawfully seized cryptocurrencies and seek to ensure that existing and future US regulatory frameworks support US leadership in blockchain and digital financial technology.
Crypto Task Force Reboot & Pause on Binance Enforcement
In a related development, the SEC re-formed a new dedicated Crypto Task Force led by Commissioner Hester Peirce (Task Force). In an announcement titled “Crypto 2.0,” Commissioner Uyeda stated that, among other things, the Task Force aims to resolve long-standing uncertainties in crypto regulation by developing clearer registration pathways, enhancing disclosure frameworks, and ensuring a more consistent enforcement strategy. Many have criticized the SEC’s prior regulatory approach for relying too heavily on enforcement actions, which created uncertainty for industry participants. The Task Force will reportedly collaborate with stakeholders across the public and private sectors, including Congress, the CFTC, and international regulators, to shape a more coherent regulatory approach. The release announcing the Task Force acknowledges the need for a clear regulatory framework that fosters both innovation and investor protection.
Shortly after announcing the Task Force, the SEC and Binance jointly requested a 60-day stay of the SEC’s lawsuit against the crypto exchange, citing the potential impact of the newly established Task Force. The SEC previously sued Binance, its US unit, and founder Changpeng Zhao in June 2023, alleging market manipulation and investor deception. The request signals a potential shift in the SEC’s enforcement strategy, with some viewing it as a step toward a more crypto-friendly stance in line with the president’s broader industry goals. A similar pause was also requested in the SEC’s ongoing action against Coinbase.
Commissioner Peirce’s Statement on the Future of Crypto Regulation
In her February 4 statement titled “The Journey Begins,” Commissioner Peirce outlined the Task Force’s objectives and highlighted several key areas of focus.
Clarifying “Security” Status. The Task Force “is working hard” to assess different types of crypto assets and determine their status under securities laws. Currently, market participants face uncertainty regarding whether certain crypto assets qualify as securities, which affects compliance obligations, trading, and broader market adoption. To date, the SEC has largely relied on enforcement actions to define its stance, leaving investors and other market participants without clear regulatory guidance. Establishing a clear framework to help determine the security status of crypto assets has the potential to provide much-needed regulatory certainty, support responsible innovation, and facilitate greater institutional participation in the crypto markets.
Providing a Pathway to Registration & Trading for Unregistered Offerings. The Task Force “is thinking about” recommending SEC action to grant temporary prospective and retroactive relief for coin or token offerings not registered with the SEC if an entity takes responsibility to provide specified information, updates it, and accepts SEC jurisdiction in fraud cases. Such coins or tokens would be deemed non-securities, allowing trading on unregistered secondary markets if disclosures remain current. The potential success or failure of such a proposal is likely to depend on the specific disclosure requirements imposed and on whether the relief provided offers real benefits while avoiding excessive regulatory burdens.
New Crypto ETFs, Staking, and In-Kind Creations and Redemptions. The Task Force “will work” with the SEC staff to clarify the SEC’s approach to approving or denying proposed rule changes to list new types of crypto exchange-traded products. To date, the SEC has taken a cautious approach to crypto exchange-traded funds (ETFs), or investments focused on cryptocurrency assets, approving only spot Bitcoin and Ethereum ETFs, despite applications to create ETFs for other crypto assets (e.g., Ripple’s XRP). Existing crypto ETFs also cannot currently engage in staking. Staking typically involves committing crypto tokens to a blockchain network to earn rewards, sometimes requiring them to be locked for a period. ETFs also cannot engage in in-kind redemptions. Allowing staking could enable ETFs to generate additional yield for investors by participating in network validation, aligning ETF returns more closely with the underlying assets’ earning potential. Permitting in-kind creations and redemptions — where ETF shares are exchanged directly for crypto assets rather than cash — could also reduce transaction costs, improve tax efficiency, and minimize tracking errors. Clarifying the regulatory path forward on these issues has the potential to further expand investment opportunities and provide ETF investors with more cost-effective and capital-efficient access to crypto assets.
Addressing Crypto Lending and Staking Programs. The Task Force “plan[s] to work” to help address how crypto lending and staking programs can be structured consistent with applicable law. Currently, these programs face substantial regulatory uncertainty, particularly regarding whether they involve securities offerings subject to SEC registration and investor protection requirements. The SEC has pursued enforcement actions against certain crypto lending platforms, but clear guidance on compliant structures remains lacking. Establishing clear guidelines for crypto lending and staking programs could provide investors with greater confidence in accessing staking rewards while ensuring these services operate transparently and in compliance with regulatory protections.
Clarifying Custody Solutions for Investment Advisers. The Task Force “will work” with investment advisers to provide a framework within which advisers can safely, legally, and practically custody client assets themselves or with a third party. Currently, investment advisers face challenges in complying with the “Custody Rule” (Rule 206(4)-2 under the Investment Advisers Act of 1940), which requires client funds and securities to be held by a “qualified custodian.” This is because substantial ambiguity remains about whether any crypto custodians meet this standard and whether advisers can safely custody crypto assets themselves. Establishing a clear framework that provides advisers with a practical and legally compliant pathway to custody client assets has the potential to significantly reduce regulatory uncertainty for advisers to both individuals and investment funds and to help expand institutional participation in crypto-asset markets.
Updating Special Purpose Broker-Dealer Relief. The Task Force “will explore” updating its special-purpose broker-dealer framework to potentially allow broker-dealers to custody crypto asset securities alongside crypto assets that are not securities. Current securities laws effectively prohibit broker-dealers from facilitating transactions in many crypto assets, substantially limiting their ability to offer comprehensive crypto-related services. The SEC’s prior relief for special-purpose broker-dealers was very narrowly tailored and imposed operational constraints on broker-dealers, making it unworkable for most. Expanding the framework to permit custody of both security and non-security crypto assets would be a helpful first step in broadening its appeal.
If the Task Force can accomplish even half of these objectives, it bodes well for the larger crypto community.
There may also be reason to hope for such progress. As noted by Commissioner Peirce, the SEC recently rescinded “SAB 121,” which stands for Staff Accounting Bulletin No. 121. SAB 121 was issued by the SEC’s Office of the Chief Accountant and Division of Corporation Finance in March 2022, and it required financial institutions that custodied crypto assets to record them as both assets and liabilities on their balance sheets. As a result, banks and other financial institutions faced significantly higher capital requirements when holding crypto assets compared to more traditional assets, making crypto custody prohibitively expensive for many. Thus, SAB 121’s rescission simultaneously removes a major regulatory obstacle to providing crypto custody and marks a meaningful shift in the SEC’s regulatory approach.
Conclusion
While many questions remain, the regulatory developments above appear to signal a significant shift in the treatment of crypto assets by the SEC. In the crypto space, the relaxation of regulatory restrictions combined with new technological advancements often drives growth for the most innovative players, which can expand both market share and valuable intellectual property rights. Market participants should remain proactive in monitoring developments and position themselves to capitalize on the new opportunities that will emerge.
LONG GAME: Is One-to-One Coming Back in January, 2026? NCLC Wants to Make that Happen– Here’s How It Might
CPAWorld is an absolutely fascinating place.
So many incredible storylines always intersecting. And the Czar at the center of it all.
Enjoyable beyond words.
So here’s the latest.
As I reported yesterday NCLC is seeking to intervene before the Eleventh Circuit Court of Appeals in an apparent effort to seek an en banc re-hearing of the Court’s determination that the FCC exceeded its authority in fashioning the one-to-one rule. If successful, the NCLC could theoretically resurrect the rule before the one-year stay runs that the FCC put into effect following R.E.A.C.H.’s emergency petition last month.
So, in theory, one-to-one could be back in January, 2026 after all.
So let’s back up to move forward and make sure everyone is following along.
Way back in December, 2022 Public Knowledge–a special interest group with high power over the Biden-era FCC–submitted a proposal to shut down lead generation by banning the sale or transfer of leads.
I went to work trying to spread the word and in April, 2023 the FCC issued a public notice that was a real headfake— the notice suggested it was considering only whether to ban leads that were not “topically and logically” related to the website at issue. Most people slept on this–and many lawyers in the industry told folks this was no big deal– but I told everyone PRECISELY what was at stake.
Regardless of my efforts industry’s comments were fairly weak as very few companies came forward to oppose the new rule.
In November, 2023–as only the Czar had correctly predicted– the FCC circulated a proposed rule that looked nothing like their original version– THIS version required “one-to-one” consent, just as I said it would.
Working with the SBA, R.E.A.C.H. and others were able to convince the Commission to push the effective date for the rule from 6 months to 12 months to give time for another public notice period to evaluate the rule’s impact on small business.
This additional six months also gave time for another trade organization to challenge the ruling in court (you’re welcome).
Ultimately with the clock winding down the final week before the rule was set to go into effect January 27, 2025 R.E.A.C.H. filed an emergency petition to stay the ruling with the FCC.
On Friday January 24, 2025 at 4:35 pm the FCC issued the desired stay— pushing back the effective date for up to another year. Twenty minutes later the Eleventh Circuit Court of Appeals issued a ruling striking down the one-to-one rule completely.
Now the NCLC enters and is seeking to reverse the appellate court’s decision and reinstate the rule. To do so it would need to:
Be granted an unusual post-hoc intervention; and either
Be granted an unusual en banc re-hearing and then win that re-hearing; or
Be granted an unusual Supreme Court cert and then win that Supreme Court challenge.
As anyone will tell you, every piece of this is a long shot.
Still, however, it is possible.
For instance the Eleventh Circuit standard for en banc review is high but not overwhelmingly so:
“11th Cir. R. 40-6 Extraordinary Nature of Petitions for En Banc Consideration. A petition for en banc consideration, whether upon initial hearing or rehearing, is an extraordinary procedure intended to bring to the attention of the entire court a precedent-setting error of exceptional importance in an appeal or other proceeding, and, with specific reference to a petition for en banc consideration upon rehearing, is intended to bring to the attention of the entire court a panel opinion that is allegedly in direct conflict with precedent of the Supreme Court or of this circuit. Alleged errors in a panel’s determination of state law, or in the facts of the case (including sufficiency of the evidence), or error asserted in the panel’s misapplication of correct precedent to the facts of the case, are matters for rehearing before the panel but not for en banc consideration.”
To be sure the Eleventh Circuit’s ruling was quite extraordinary. Turned appellate review of agency action more or less on its head. A complete departure from established analytic norms in such cases.
But, as I have said multiple times, we are living in a whole new world right now. So what was weird and inappropriate six months ago may be very much the new paradigm today.
Of course being granted the rehearing in this environment would just be step one. NCLC would then actually have to win the resulting en banc review– which is by no means guaranteed even if the rehearing is granted.
But from a timing perspective all of this could theoretically happen within one year.
If NCLC is denied a rehearing they could theoretically seek Supreme Court review which could theoretically result in a ruling sometime in May or June, 2026– in the meantime the FCC’s stay of proceedings would likely be extended in light of the Supreme Court taking the case. But the odds of the Supremes taking such an appeal and then reversing the one-to-one rule seem astronomically small given the current makeup of the Court.
Then again, with Mr. Trump seizing control of independent agencies the rules regarding how courts review regulatory activity by these agencies just became INSANELY important. Again, we have a whole new paradigm and the Supremes may theoretically look for any vehicle to opine on the subject ahead of potentially catastrophic separation of power issues set up by Mr. Trump’s executive order this week.
The bottom line is this: one-to-one consent may rise again, and if the NCLC has its way–it will.
We will keep everyone posted on developments, of course, and the R.E.A.C.H. board will be discussing its own potential intervention efforts shortly.
More soon.
Financing and Debt Issuance for Data Center Developers: Insights from Womble Attorneys
Data center developers face a myriad of challenges when it comes to financing and debt issuance. In this blog post, Womble Of Counsel Barlow Keener delves into the intricacies of these topics with Womble Of Counsel David Beckstead and Womble Of Counsel Art Howson. The conversation covers essential aspects such as project finance models, revenue streams, and risk management. This comprehensive discussion aims to provide valuable insights for data center developers looking to enhance their financial strategies.
Barlow Keener: David, what are the primary considerations for data center developers when it comes to debt financing?
David Beckstead: When considering debt financing for data centers, it is crucial to understand that lenders are primarily interested in the project’s revenue streams and risk profile. They look for an acceptable return given the risk involved, and this includes examining co-location agreements, tenancy agreements, and the overall financial model. Lenders scrutinize the project’s utility supply, including power and water, and the potential impact of delays or downtime on revenue. Additionally, lenders are interested in the project’s location, proximity to power and water infrastructure, and the availability of fiber cables.
Barlow Keener: How do lenders assess the risk associated with data center projects?
David Beckstead: Lenders assess risk by evaluating various factors such as the project’s revenue streams, the creditworthiness of tenants, and the terms of service level agreements. Lenders are particularly interested in the service level agreements (“SLAs”), which outline minimum downtime and construction delay provisions.
Barlow Keener: Can you explain the concept of limited recourse financing in the context of data centers?
David Beckstead: Limited recourse financing means that the data center project’s assets are used to secure the lending, and the revenue streams are what lenders rely on for repayment. This model is common in project finance and is particularly relevant for data centers due to their unique infrastructure requirements.
Barlow Keener: What role do green loan principles play in data center financing?
David Beckstead: Green loan principles, such as those issued by the Loan Market Association (“LMA”), the Asia Pacific Loan Market Association (“APLMA”), and the Loan Syndications and Trading Association (“LSTA”), are increasingly important in data center financing. These principles require data center operators to maintain certain energy and environmental design standards, which can make the project more attractive to lenders. Data center operators are expected to adhere to standards such as LEED certification, which focuses on energy efficiency and environmental sustainability.
Barlow Keener: Moving on beyond green loan principles, Art, how do lenders approach the construction phase of data center projects?
Art Howson: During the construction phase, lenders often require completion guarantees and financial support from sponsors, including minimum equity contribution requirements for the project. From a due diligence perspective, they typically review the project construction schedule closely in comparison with terms of the project’s revenue contracts, and structure the loan documents to mitigate the risk of potential delays or cost overruns. Lenders may also require a reserve to maintain funds on deposit to cover loan payments or other project costs.
Barlow Keener: Art, what are the key elements of a co-location agreement that lenders focus on?
Art Howson: Lenders focus on the terms of the data center’s revenue contracts, including the length of the lease, early termination risks, and the creditworthiness of tenants. They typically seek the ability to cure defaults under key project contracts, to protect their interests in case of default and ensure that the project’s revenue stream remains intact. And they will want to confirm that the tenancy agreements can be assigned to a new project owner if necessary, given the importance of those contracts as collateral for the loan.
Barlow Keener: How do lenders evaluate the supply of utilities for data center projects?
David Beckstead: Lenders evaluate the supply of utilities by examining the project’s power and water infrastructure. Lenders to data centers today are more than ever particularly interested in how power is secured, whether through dedicated power purchase agreements (“PPAs”) or other arrangements, as this is a critical factor for data center operations. Lenders will also assess the project’s proximity to power plants and water sources to ensure reliable utility supply.
Barlow Keener: Art, what are the common risk allocation strategies in data center financing?
Art Howson: Common risk allocation strategies include limitations on the amount of debt that can be advanced, in relation to equity contributions or to the projected value of the project. Lenders may also require the project to have payment and performance bonds in place with the key construction contractors and equipment suppliers, to mitigate risks outside of the borrower’s direct control.
Barlow Keener: In conclusion, financing and debt issuance for data center developers require a thorough understanding of various financial models, risk assessment strategies, and contractual terms. By focusing on revenue streams, utility supply, and green loan principles, data center developers can enhance their financial strategies and secure the necessary funding for their projects. The insights provided by Womble Of Counsel David Beckstead and Womble Of Counsel Art Howson offer valuable guidance for navigating the complexities of data center financing. As the data center industry continues to evolve, staying informed about these critical aspects will be essential for success.
New Data Privacy Working Group Created by US House Committee
On February 12, 2025, Congressman Brett Guthrie (R-KY), Chairman of the House Committee on Energy and Commerce, and Congressman John Joyce, M.D. (R-PA), Vice Chairman of the House Committee on Energy and Commerce, announced the establishment of a comprehensive data privacy working group (the Working Group). The Working Group also includes Representatives Morgan Griffith (R-VA), Troy Balderson (R-OH), Jay Obernolte (R-CA), Russell Fry (R-SC), Nick Langworthy (R-NY), Tom Kean (R-NJ), Craig Goldman (R-TX), and Julie Fedorchak (R-ND).
The House Republicans created the Working Group to develop new federal data privacy standards. The Working Group welcomes input from a broad range of stakeholders. Stakeholders interested in engaging with the Working Group can reach out to [email protected] for more information.
This initiative presents an opportunity for companies to actively engage in shaping emerging federal data privacy standards. Feel free to contact us for guidance. We will monitor the Working Group’s progress and keep clients apprised of key developments as new federal privacy standards take shape.
“We strongly believe that a national data privacy standard is necessary to protect Americans’ rights online and maintain our country’s global leadership in digital technologies, including artificial intelligence. That’s why we are creating this working group, to bring members and stakeholders together to explore a framework for legislation that can get across the finish line,” said Chairman Guthrie and Vice Chairman Joyce. “The need for comprehensive data privacy is greater than ever, and we are hopeful that we can start building a strong coalition to address this important issue.”
energycommerce.house.gov/..
EDPB Adopts Statement on Age Assurance and Creates a Task Force on AI Enforcement
On February 12, 2025, during its February 2025 plenary meeting, the European Data Protection Board (EDPB) adopted a statement on age assurance, which outlines ten principles concerning the processing of personal data when determining an individual’s age or age range. The EDPB is also cooperating with the European Commission on age verification in the context of the Digital Services Act (DSA) working group.
In addition, the EDPB extended the scope of the ChatGPT task force to artificial intelligence (AI) enforcement. The EDPB members underlined the need to coordinate the actions of the Data Protection Authorities (DPAs) regarding urgent sensitive matters and will set up a quick response team for that purpose.
In the statement, the EDPB outlines ten key principles to follow to implement a governance framework that complies with the General Data Protection Regulation (GDPR) to protect children and how their personal data is processed. The EDPB Chair, Anu Talus, stressed the importance of balancing the responsible use of AI within the GDPR framework. Businesses should ensure compliance with these evolving data protection standards, and our team is available to provide guidance on navigating the GDPR requirements and implementing effective compliance strategies.
“The GDPR is a legal framework that promotes responsible innovation. The GDPR has been designed to maintain high data protection standards while fully leveraging the potential of innovation, such as AI, to benefit our economy. The EDPB’s task force on AI enforcement and the future quick response team will play a crucial role in ensuring this balance, coordinating the DPAs’ actions and supporting them in navigating the complexities of AI while upholding strong data protection principles.” – EDPB Chair Anu Talus
www.edpb.europa.eu/…
Beware Broader Insurance Coverage Exclusions for Biometric Information Privacy Law Claims
It has been nearly two decades since Illinois introduced the first biometric information privacy law in the country in 2008, the Illinois Biometric Information Privacy Act (“BIPA”). Since then, litigation relating to biometric information privacy laws has mushroomed, and the insurance industry has responded with increasingly broad exclusions for claims stemming from the litigation. A recent Illinois Appellate Court decision in Ohio Security Ins. Co. and the Ohio Cas. Ins. Co. v. Wexford Home Corp., 2024 IL App (1st) 232311-U, demonstrates this ongoing evolution.
The plaintiff in a putative class action lawsuit sued Wexford Home Corporation (“Wexford”), alleging that Wexford violated BIPA by collecting, recording, storing, sharing and discussing its employees’ biometric information without complying with BIPA’s statutory disclosure limitations. Wexford tendered the putative class action lawsuit to its insurers, Ohio Security Insurance Company and Ohio Casualty Insurance Company, both of which denied coverage and filed a declaratory judgment action seeking a ruling that the insurers had no duty to defend or indemnify Wexford.
The insurers argued that there was no duty to defend or indemnify based on three exclusions: (1) the “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion (“Recording and Distribution Exclusion”), (2) the “Exclusion-Access Or Disclosure Of Confidential And Data-Related Liability-With Limited Bodily Injury Exception,” and (3) the “Employment-Related Practices Exclusion.”
The parties cross-moved for judgment on the pleadings, and the trial court granted judgment for Wexford, finding that the insurers owed a defense. The trial court reasoned that publication of material that violates a person’s right to privacy met the policies’ definition of personal and advertising injury, and therefore no exclusions applied to bar coverage. The insurers appealed. Although the insurers did not challenge the trial court’s ruling that the alleged BIPA claims qualified as personal or advertising injury sufficient to trigger coverage, they maintained that the trial court erred by not applying the three exclusions.
On appeal, the court focused on the Recording and Distribution Exclusion, which purports to bar coverage where the personal or advertising injury arises from the violation of any of three enumerated statutes (TCPA, CAN-SPAM Act, and FCRA) or any other statute that falls within a broad “catch all” provision that expands the exclusion to include violations of “[a]ny federal, state or local statute, ordinance or regulations other than the [three enumerated statutes] that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”
The court relied on its earlier decision, National Fire Ins. Co. of Hartford and Cont’l Ins. Co. v. Visual Park Co., Inc., 2023 IL App (1st) 221160, in which it found an identical Recording and Distribution Exclusion to bar coverage for BIPA claims. That decision, however, represented a departure from earlier decisions that found similar catchall provisions did not encompass BIPA claims. For example, in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, 183 N.E.3d 47 (May 20, 2021), the same appellate court that decided Visual Park explained that the interpretive canon of ejusdem generis (which requires that general words following an enumeration of specific persons or things are deemed to apply only to persons or things of the same general kind or class of the specifically enumerated persons or things) required a finding that a similar catchall exclusion would be afforded limited reach and not extend to BIPA claims. In the Visual Park case, on the other hand, the appellate court concluded that a catchall provision like the one in Wexford was materially different and broader than prior versions of the exclusion. According to the Visual Park court, the exclusion’s reference to “disposal,” “collecting,” or “recording” of material or information sufficiently encompassed BIPA violations, whereas prior versions apparently did not. The appellate court again applied the interpretive canon of ejusdem generis to reach conclusions about the exclusion’s intended reach. The court reasoned that because the specifically enumerated statutes in the Recording and Distribution Exclusion protected personal information and privacy, the general catchall must have been intended to do so as well.
As Wexford, Visual Park, and the pre-Visual Park decisions illustrate, insurers are broadening the scope of exclusions that potentially apply to BIPA-related claims. Policyholders should carefully review their policies annually to identify changes in wording that might have a material impact on the scope of coverage. Experienced brokers and coverage counsel can help to ensure that material changes are identified early and, where appropriate, modified or deleted by endorsement.
Update on U.S. Climate Disclosure Requirements
As of early 2025, the landscape of climate disclosure requirements in the United States is shifting. Unsurprisingly, the Trump Administration has signaled its intent to roll back the federal climate disclosure rule promulgated by the Securities and Exchange Commission (“SEC” or “Commission”) last year. Meanwhile, implementation of California’s suite of climate disclosure laws is moving forward, and at least two other states are considering copy-cat legislation. As companies operating in the United States continue to prepare for compliance at the state level, they should consider these developments alongside potential changes to international and voluntary reporting standards and should work to implement corporate processes that ensure consistency and accuracy in reporting across all relevant frameworks.
SEC Climate Rule
In March 2024, the SEC adopted rules to standardize climate-related disclosures by public companies and public offerings. The rules were promptly challenged by multiple stakeholders, and the cases were consolidated before the U.S. Court of Appeals for the Eighth Circuit. Not long afterwards, on April 4, 2024, the SEC stayed implementation of the regulations pending judicial review of the legal challenges.
On February 11, 2025, Acting SEC Chair Mark Uyeda issued a statement announcing that he had directed SEC staff to request that the court not schedule the case for oral argument in order to allow time for the Commission to determine next steps in light of certain changes. Specifically, Acting Chair Uyeda cited as changes (1) his views that “[t]he Rule is deeply flawed and could inflict significant harm on the capital markets and the economy” and was promulgated without statutory authority; (2) the recent change in the composition of the Commission; and (3) President Trump’s recent memorandum regarding a regulatory freeze.
While next steps on the part of the Eighth Circuit and the SEC are yet to be seen, the SEC will likely seek to roll back the 2024 rule, potentially through a new notice-and-comment rulemaking process.
California Climate Disclosure Laws
Meanwhile, implementation of California’s climate disclosure laws is moving forward. In October 2023, California Governor Gavin Newsom signed into law three different bills: (1) SB 253, requiring disclosure of greenhouse gas emissions for companies with at least a billion dollars in revenue that are doing business in California; (2) SB 261, requiring climate-related risk disclosures for companies with at least $500 million in revenue that are doing business in California; and (3) AB 1305, requiring annual substantiation of offset sales and purchases, as well as net zero and emission reduction claims, for companies operating and making claims in California. Unlike the SEC rule, all of these laws apply regardless of whether a company is public or privately held.
In September 2024, Governor Newsom signed into law a set of amendments to SB 253 that, among other things, delayed the rulemaking deadline set for the California Air Resources Board until July 1, 2025. The amendments did not, however, delay any compliance timelines for covered entities. This means that covered entities must continue to plan for the first round of reporting on Scope 1 and Scope 2 emissions in 2026, with reference to FY 2025 data, even though a host of questions remain about the scope and mechanics of required reporting. In recognition of this uncertainty, on December 5, 2025, CARB issued an Enforcement Notice indicating that it would not pursue enforcement against entities working in “good faith” toward compliance, and that, for the first reporting year, it would be sufficient to rely on data already in a reporting entity’s possession as of the date of the notice. Not long after, CARB announced a public comment period to seek input from stakeholders on a range of implementation-related issues, including how CARB should define “doing business in California” for purposes of defining the universe of entities subject to compliance obligations under SB 253 and SB 261.
Implementation of the California laws seems unlikely to be stopped in court. On February 3, 2025, the U.S. District Court for the Central District of California substantially narrowed an ongoing judicial challenge to SB 253 and SB 261 by the U.S. Chamber of Commerce, California Chamber of Commerce, and other industry stakeholders. The court dismissed plaintiffs’ claims that these laws violate the Supremacy Clause of the U.S. Constitution and constitute extraterritorial regulation in violation of the Dormant Commerce Clause. The court has preserved, for now, a claim that these laws compel speech in violation of the First Amendment.
Pending Legislation in Other States
During the past several legislative sessions, New York has considered climate disclosure bills similar to California’s SB 253 and SB 261. In January 2025, these bills were once again introduced in the New York Senate as S3456 (Climate Corporate Data Accountability Act) and S3697 (Report of Climate-Related Financial Risk). While similar to SB 253, S3456 is more explicit on some points—for example, by specifying that the law’s applicability be determined with reference to consolidated revenue, including revenues received by all of the business’s subsidiaries.
Illinois and Washington also considered similar legislation in 2024 and may seek to introduce it in 2025.
Changes to International and Voluntary Frameworks
Companies that operate in the European Union (“EU”) have been preparing in earnest for compliance with the Corporate Sustainability Reporting Directive (“CSRD”) for well over a year. Nonetheless, the European Parliament is reportedly considering omnibus legislation that would potentially reduce the scope of CSRD applicability and reporting, as well as make changes to other EU sustainability laws. These changes could be relevant not only to companies with direct reporting obligations under these laws, but also to companies that report under voluntary standards, such as CDP, that have sought to align with the CSRD.
What’s Next?
Companies doing business in the United States should continue to monitor this shifting landscape at the U.S. state and international levels. As changes occur, it will be critical to reevaluate data collection and reporting processes to ensure consistency and compliance with all relevant frameworks.
ANOTHER MASSIVE TCPA SETTLEMENT: Blue Cross Pays Over $1,000.00 Per Class Member as Court Approves $1.6MM TCPA Class Action Settlement
From Red Cross to Blue Cross, TCPA risk is massive these days.
And wrong number calling, in particular, can be incredibly costly.
Just ask Citibank.
Or John Deere.
Or, now, Blue Cross.
In Stark v. BLUE CROSS AND BLUE SHIELD OF NORTH CAROLINA and CHANGE HEALTHCARE RESOURCES, LLC, 1:23-CV-22, 2025 WL 524781 (M.D.N.C. Feb 18, 2025) the Court approved a $1.6MM settlement related to Blue Cross making illegal robocalls to a wrong number.
Per the order:
the case arose because Change Healthcare allegedly made calls on behalf of BCBSNC to identify BCBSNC customers and increase enrollment in certain programs, but Change Healthcare made calls to wrong numbers or to consumers who had opted out of receiving these calls. Ms. Stark alleged that despite being told that her number no longer belonged to a BCBSNC customer, Change Healthcare continued to make sales calls to her number.
The class had 1,573 people in it– which means Blue Cross paid over $1,000.00 per class member!!! (Whoa)
Oh and per the order Class Counsel Avi Kaufman has “recovered via settlement more than $100 million on behalf of TCPA class members.”
This case will net him another $500k in fees.
So there you have it: Blue Cross paid a ton of money to settle this– one of the highest-per-class-member settlements I have seen yet. Not sure why they paid so much, but it is a good reminder to all of you out there– use the reassigned numbers database to avoid this sort of thing, folks!
DEEP DIVE: What Does Mr. Trump’s Executive Order Seizing Control of Federal Agencies Really Mean–and is It Constitutional?
So last night Mr. Trump attempted to seize control of more or less the entire federal government. He signed an executive order purporting to bring all independent agencies–including the FCC, FTC, SEC, and perhaps most chillingly the Federal Election Commission–under his individual control.
No other president has done this. Most have avoided even the appearance of interfering in the workings of these agencies for fear of being viewed as wielding inappropriate control over the affairs of agencies designed by Congress to be independent.
But just because this feels like something a dictator would do– and to be clear, it is– does that mean Mr. Trump is actually trying to become one, and, if so, is it unconstitutional?
Maybe. And, maybe.
First, what even is an independent agency?
Independent agencies oversee certain functions of the federal government that require expertise and precision lawmaking that are generally beyond the ability of a Congress composed of–at best–generalist lawmakers. These agencies have incredible power over areas of government function that require unique supervision to assure sound policy– like telecommunications, environmental protection, or how elections are conducted.
Independent agencies are unique because they tend to wield both executive and legislative powers. Using the FCC as an example, the Commission may issue rulings that interpret or expand the law– such as the recent TCPA revocation ruling the FCC adopted last year. But they may also serve an executive role by bringing enforcement actions and issuing penalties– such as the recent Telnyx order.
And just to make sure everyone understands the difference between legislative and executive functions– legislative power involves MAKING THE LAW. Executive power involves ENFORCING THE LAW.
At the federal level Congress is responsible to MAKE the law. The president is responsible to faithfully ENFORCE the law.
That’s it.
(I look forward to a presidential debate one day–assuming either elections or debates will exist in the future–where the two candidates debate nothing more than who will better faithfully enforce the laws passed by Congress since that is, essentially, their only job.)
Now sometimes making and enforcing the law can blend. For instance when Congress passes a vague enactment–never!–an agency may attempt to interpret the law via an enforcement action. This happens when an agency sues a company for violating the law based on conduct that was never previously deemed to violate that law. We call this “regulation by enforcement” and basically everybody hates it because it is very unfair.
Still, regulation by enforcement was quite common during the Obama era– the CFPB loved to regulate by enforcement– and we saw a bit of it during Biden’s presidency, particularly with the FTC “telemarketing sweep” where it decided, for the first time, it was a violation of the TSR to engage in lead generation. Eesh.
All right, now that you understand the background what actually happened?
So late yesterday Mr. Trump ordered all independent agencies to report directly to his delegee, the Director of the Office of Management and Budget, Russell Vought–who is now instantly one of the most powerful men in the world– so that he, Vought, can dictate their policy, priorities, and budget. As the order states, Vought is to: “review independent regulatory agencies’ obligations for consistency with the President’s policies and priorities…”
In other words, the independent agencies are now to serve Mr. Trump and not the American people as a whole.
Cringe.
To be sure, Mr. Trump is casting his order as one intended to hold the agencies accountable to the people. Per his “fact sheet” the agencies must be brought within the President’s control because he was appointed by the people to control them.
Sort of.
Independent agencies used to be non-political. But beginning largely with the Obama administration these agencies have become increasingly political. But the heads of most of these agencies are appointed directly by the president and the president’s party generally controls the policies and priorities of the agency.
So, for example, President Trump just appointed Brendan Carr as Chairman of the FCC. Biden appointed Jessica Rosenworcel. Carr will, presumably, guide the Commission consistent with a republican state of mind, just as Rosenworcel guided the Commission with a democratic state of mind. So the agencies are within the control of “the people” because the people decide the president and the president’s party controls the agency and the president picks the head of the agency. And for all past administrations since the 1930s this control and accountability has been deemed sufficient.
But not for Mr. Trump. Not this time.
This time he has decided that these agencies will not move without his direct control. The only way for agencies to be accountable to “the people” is for the agencies to answer directly to him.
Get it?
At best this is ultimate bureaucratic micromanagement. At worst, it is a mechanism by which Mr. Trump can set all of the machinery of government to work to serve his personal agenda– wherever the whims of the day may take him.
Yeah, I know, sounds like a dictator. (For those of you who really like Trump, just imagine Hillary Clinton becoming president in 2028 and having all of these new fun toys to play with that Trump left for her.)
So… is it legal?
Maybe. And it depends just how expansive the intended control Mr. Trump is trying to seize really is.
If all Mr. Trump’s order is intended to do is dictate that no federal agency shall take any enforcement action without his approval– or, stated alternatively, that Mr. Trump plans to dictate (there’s that word again) what enforcement activity the agencies engage in before it is taken–and nothing else, then I think this is likely constitutional.
Executive powers ARE preserved to the president in the Constitution and Congress can’t delegate away executive powers that don’t belong to it. So although this move would still make Trump the most powerful president since Lincoln the constitution permits this sort of thing in my view. So I have no problem with it. (I am a strict adherent to constitutional principles and have no problem with Mr. Trump helping himself to as much as the constitution permits.)
To the extent, however, Mr. Trump is stating he intends to dictate what regulations and rules are implemented by these agencies– i.e. that he intends to seize control of their LEGISLATIVE function– that would be a very serious problem. At that point the legislative and executive function would collapse into a single individual creating, as Madison wrote, “the very definition of tyranny.” Mr. Trump could then write the law to serve his agenda, and then have it enforced as he saw fit. That would be unconstitutional in my view, and pretty horrifying frankly.
Unfortunately the Order is vague as to its implications and intentions on regulatory matters. The “fact sheet” speaks repeatedly about “executive power” yet suggests agencies must “submit draft regulations”–i.e. LEGISLATIVE actions– to the President. The order itself provides “No employee of the executive branch acting in their official capacity may advance an interpretation of the law as the position of the United States that contravenes the President or the Attorney General’s opinion on a matter of law, including but not limited to the issuance of regulations, guidance, and positions advanced in litigation, unless authorized to do so by the President or in writing by the Attorney General.” So it does seem the big play is in play, but maybe not. The limitation requiring only “executive branch” employees to abide may mean this rule only applies to agency enforcement activities and not to broader rulemaking.
Like I said… unclear.
So where does this leave TCPAWorld?
First, none of this applies to rules the Commission has already passed. The new requirements kick in 60 days from now and all past activity appears to be protected from the need for Mr. Trump’s blessing. This means the FCC’s current TCPA revocation rule–set to go into effect April 11, 2025– is likely to go into effect on that date, although I could see an effort to have the ruling stayed based on this order.
Second, we can expect all FCC enforcement activity to effectively cease pending Mr. Trump’s review. How he plays this will be very interesting. We can imagine a highly weaponized version of the FCC that goes after left-wing interests in social media and broadcast television. Then again we can imagine a neutered FCC that does very little enforcement of anything. What is unclear is where Mr. Trump stands on telemarketing, “robocalls,” or the TCPA more broadly. So it is unclear where in the pantheon of priorities the TCPA and enforcement proceedings against callers and carriers will land.
Third, the courts will need to decide how much power Mr. Trump now wields over the FCC’s legislative functions. I am looking forward to a statement from Chairman Carr on this subject–I’d expect that to be out today. Perhaps it will be business as usual. Or perhaps all FCC rulemaking and policy will now flow through Mr. Trump’s office– meaning Trump will ultimately have to sign off on whether or not the FCC takes action on the R.E.A.C.H. petition everybody is focused on right now.
This last piece is critical to understand.
When something massive and bizarre happens the most immediate impact tends to be paralysis. I’d expect a whole lot of nothing for a few months while people take in the true enormity of what just happened. In the meantime only actions Mr. Trump expressly dictates are likely to gain any traction with the Commission for the time being.
How to Report “Pig Butchering” Crypto Fraud and Qualify for a Whistleblower Award
2024 Revenue from Pig Butchering Scams Increased 40% Year-over-Year
According to a Chainalysis report, revenue from pig butchering crypto frauds, also known as relationship investment scams, grew nearly 40% year-over-year (YoY). Additionally, the number of deposits to these scams increased by nearly 210% YoY.
Pig butchering scams exploit dating apps, social media platforms, messaging apps, and even random “wrong number” text messages to target possible victims. Once a fraudster establishes and builds a relationship with their target, they pitch fraudulent investment opportunities in cryptocurrencies, precious metals, or foreign currencies. Victims are then directed to deceptive trading platforms–operated by the same organized criminal gangs–where they convert their funds into cryptocurrency and then send the crypto to the fraudulent trading platforms. These platforms falsely display substantial investment gains, and victims ultimately find themselves unable to withdraw their funds. To make matters worse, the trading platforms often tell the victims that they are required to pay certain fees to access their (fake) investment gains. These “fees” are just another ploy used by the fraudsters to trick victims into sending additional crypto to their fraudulent platforms.
The Chainalysis report, titled Crypto Scam Revenue 2024: Pig Butchering Grows Nearly 40% YoY as Fraud Industry Leverages AI and Increases in Sophistication, found that cryptocurrency scams received at least $9.9 billion on-chain, an amount that may increase as Chainalysis identifies more illicit addresses. The report noted that “crypto fraud and scams have continued to increase in sophistication, as the fraud ecosystem becomes more professionalized.” It also highlighted that “crypto drainers continued to proliferate and grew across the board — nearly 170% YoY revenue growth, almost 55% YoY increase in deposit size, and 75% YoY growth in number of deposits.”
Whistleblowers Can Help Combat Pig Butchering Crypto Frauds
Whistleblowers can assist the Commodity Futures Trading Commission (CFTC) in combatting these frauds by reporting original information about pig butchering crypto scams to the CFTC Whistleblower Office. The CFTC Whistleblower Reward Program offers monetary awards to whistleblowers whose original information leads to enforcement actions resulting in civil penalties in excess of $1 million. Whistleblowers reporting pig butchering crypto scams can receive CFTC whistleblower awards between 10% and 30% of the total monetary sanctions collected in successful enforcement actions. The largest CFTC whistleblower award to date is $200 million.
How to Report Pig Butchering Scams to the CFTC and Qualify for a Whistleblower Award
A whistleblower providing original information to the CFTC about an investment romance scam may qualify for an award if:
Their original information caused the CFTC to open an investigation, reopen an investigation, or inquire into different conduct as part of a current investigation, and the CFTC brought a successful enforcement action based in whole or in part on conduct that was the subject of the original information; or
The conduct (i.e., the pig butchering crypto scam) was already under examination or investigation, and the whistleblower provided original information to the CFTC that significantly contributed to the success of the enforcement action.
In determining an award percentage of between 10% and 30%, the CFTC considers the particular facts and circumstances of each case. For example, positive factors may include the significance of the information, the level of assistance provided by the whistleblower and the whistleblower’s attorney, and the law enforcement interests at stake.
If represented by counsel, a whistleblower may submit a tip anonymously to the CFTC. In certain circumstances, a whistleblower may remain anonymous, even to the CFTC, until an award determination. However, even at the time of a reward, a whistleblower’s identity is not made available to the public.
To report a pig butchering crypto fraud and qualify for an award under the CFTC Whistleblower Program, the CFTC requires that whistleblowers or their attorneys report the tip online through the CFTC’s Tip, Complaint or Referral Portal or mail/fax a Form TCR to the CFTC Whistleblower Office. Prior to submitting a tip, whistleblowers should consult with an experienced whistleblower attorney and review the CFTC whistleblower rules to, among other things, understand eligibility rules and consider the factors that can significantly increase or decrease the size of a future whistleblower award.
CFTC Partners with Federal Agencies and NGOs to Combat Pig Butchering
The CFTC’s Office of Customer Outreach and Education is partnering with other federal agencies and non-governmental organizations (NGOs) to raise awareness about relationship investment scams targeting Americans through “wrong number” text messages, dating apps, and social media. This effort includes an infographic that identifies the warning signs of pig butchering.
Additionally, the interagency Dating or Defrauding? social media awareness campaign warns Americans to be skeptical of any request from online friends for cryptocurrency, gift cards, wire transfers, or other forms of payment. The campaign provides information about how to recognize relationship investment scams, what to do if you are affected, and why to share the information to warn others.
Combatting Scams in Australia and the United Kingdom
In response to the growing threat of financial scams, the Australian Government has passed the Scams Prevention Framework Bill 2025. The Scams Prevention Framework (SPF) imposes a range of obligations on entities operating within the banking and telecommunications industries as well as digital platform service providers offering social media, paid search engine advertising or direct messaging services (Regulated Entities). In the first article of our scam series, Australia’s Proposed Scams Prevention Framework, we provided an overview of the SPF. In this article, we compare the SPF to the reimbursement rules adopted by the United Kingdom and consider the likely implications of each approach.
UK Model
The United Kingdom is a global leader in the introduction of customer protections against authorised push payment (APP) fraud. A customer-authorised transfer of funds may fall within the definition of an APP scam where:
The customer intended to transfer the funds to a person, but was instead deceived into transferring the funds to a different person; or
The customer transferred funds to another person for what they believed were legitimate purposes, but which were in fact fraudulent.
Reimbursement Requirement
A mandatory reimbursement framework was introduced on 7 October 2024 (the Reimbursement Framework) and applies to the United Kingdom’s payment service providers (PSPs). Under the Reimbursement Framework, PSPs are required to reimburse a customer who has fallen victim to an APP scam. The cost of reimbursement will be shared equally between the customer’s financial provider and the financial provider used by the perpetrator of the scam. However, PSPs will not be liable to reimburse a victim who has been grossly negligent by failing to meet the standard of care that PSPs can expect of their consumers (Consumer Standard of Caution) (discussed below), or who is involved in the fraud. Where the customer is classed as ‘vulnerable’, failure to meet the Consumer Standard of Caution will not exempt the PSP from liability.
Consumer Standard of Caution
The Consumer Standard of Caution exception consists of four key pillars:
Intervention – Consumers should have regard to interventions made by their PSP or a competent national authority such as law enforcement. However, a nonspecific ‘boilerplate’ warning will not be sufficient to shift the risk onto the customer.
Prompt reporting – Consumers, upon suspecting they have fallen victim to an APP scam, should report the matter to their PSP within 13 months of the last authorised payment.
Information sharing – Consumers should respond to reasonable and proportionate requests for information made by their PSP in assessing the reimbursement claim. Any requests for information must be limited to essential matters taking into account the value and complexity of the claim.
Involvement of police – Consumers should consent to their PSP reporting the matter to the police on their behalf. PSPs must consider the circumstances surrounding a customer’s reluctance in reporting their claim to the police before relying on this exception.
Failure to meet one or more of the above pillars will only exempt the PSP from liability where the customer has been grossly negligent. This is a higher standard of negligence than required under the common law and requires the customer to have shown a ‘significant degree of carelessness’.
Vulnerability
A vulnerable customer is someone who, due to their personal circumstances, is especially susceptible to harm. Personal circumstances relevant to determining whether a customer is ‘vulnerable’ include:
Health conditions or illnesses that affect one’s ability to carry out day-to-day tasks;
Life events such as bereavement, job losses or relationship breakdown;
Ability to withstand financial or emotional shocks; and
Knowledge barriers such as language and digital or financial literacy.
The Consumer Standard of Caution is not applicable to vulnerable customers. Accordingly, where the victim has been classified as a vulnerable customer, PSPs cannot avoid liability on the grounds of gross negligence for failing to meet the Consumer Standard of Caution.
Limit on Reimbursement
PSPs will not be required to reimburse amounts above the maximum level of reimbursement, which is currently £415,000 per claim.
Key Distinctions Between the SPF and the UK Model
Financial Burden of Scams
Both the UK and Australian models seek to incentivise entities to adopt policies and procedures aimed at lowering the risk of scams. By requiring PSPs to reimburse scam victims, the UK’s model shifts the economic cost of scams from customers onto PSPs. A similar purpose is achieved under the SPF, which provides for harsh financial penalties for entities that fail to develop and implement appropriate policies to protect customers against scams. However, a significant point of difference is the extent to which these financial burdens benefit victims of scams directly.
Under the UK model, a victim of an APP scam will be able to recover the full amount of their loss (up to the prescribed maximum amount) so long as:
They were not grossly negligent in authorising the payment;
They were not a party to the fraud;
They are not claiming reimbursement fraudulently or dishonestly;
The amount claimed is not the subject of a civil dispute or other civil legal action;
The payment was not made for an unlawful purpose; and
The claim is made within 13 months of the final APP scam payment.
In contrast, there is no indication that any funds paid under Australia’s SPF civil penalty provisions will be directed towards the reimbursement of victims. However, under the Scams Prevention Framework Bill 2025, where a Regulated Entity has failed to comply with its obligations under the SPF and this failure has contributed to a customer’s scam loss, the customer may be able to recover monetary damages from the Regulated Entity.
Possible Effect on Individual Vigilance
The UK’s Reimbursement Framework recognises that PSPs, as opposed to individuals, have greater resources available to combat the threat of scams. However, there is a risk that by passing the economic cost of scams onto PSPs, individuals will become less vigilant. Where an individual fails to make proper inquiries which would have revealed the true nature of the scam, they may still be eligible for reimbursement so long as they have not shown a ‘significant degree of carelessness’. With this safety net, individuals may become complacent about protecting themselves from the threat of scams.
In contrast to the UK model, individuals will continue to bear the burden of unrecoverable scam losses under Australia’s SPF unless a Regulated Entity’s breach of SPF obligations has contributed to the loss. As a result, individuals will continue to have a financial incentive to remain vigilant in protecting themselves against the threat of scams.
Scope of Framework
Australia
The SPF applies to entities across multiple industries, reflecting Australia’s ‘whole of the ecosystem’ approach to scams prevention. Upon introduction, the SPF is intended to apply to banking and telecommunications entities as well as entities providing social media, paid search engine advertising or direct messaging services. It is noted in the explanatory materials that the scope of the SPF is intended to be extended to other industries over time to respond to changes in scam trends.
The purpose of this wider approach is to target the initial point of contact between the perpetrator and victim. For example, a perpetrator may create a social media post purporting to sell fake concert tickets. Successful disruptive actions by the social media provider, such as taking down the post or freezing the perpetrator’s account, may prevent the dissemination of the fake advertisement and potentially reduce the number of individuals who would otherwise fall victim to the scam.
United Kingdom
In contrast, the UK’s Reimbursement Framework only applies to PSPs participating in the Faster Payments Scheme (FPS) that provide Relevant Accounts.
FPS
The FPS is one of eight UK payment systems designated by HM Treasury. According to the Payment Systems Regulator, almost all internet and telephone banking payments in the United Kingdom are now processed via FPS.
Relevant Account
A Relevant Account is an account that:
Is provided to a service user;
Is held in the United Kingdom; and
Can send or receive payments using the FPS,
but excludes accounts provided by credit unions, municipal banks and national savings banks.
Effect of Single-Sector Approach
Due to the United Kingdom’s single-sector approach, different frameworks need to be developed to combat scam activity in other parts of the ecosystem. This disjointed approach may create enforcement issues where entities across multiple sectors fail to implement sufficient procedures to detect and prevent scam activities. Further, it places a disproportionate burden on the banking sector, failing to acknowledge the responsibility of other sectors to protect the community from the growing threat of scams.
Key Takeaways
While both the United Kingdom and Australia have demonstrated a commitment to adopting tough anti-scams policies, they have adopted very different approaches. Time will tell which approach has the largest impact on scam detection and prevention.
The authors would like to thank paralegal Tamsyn Sharpe for her contribution to this legal insight.
Navigating D&O Coverage for Cyber Fraud: Lessons from Alaska
An Alaska federal court recently dismissed a construction company’s lawsuit accusing a D&O insurer of bad faith refusal to provide coverage for an email spoofing scheme that resulted in nearly $2 million in fraudulent wire transfers. Alaska Frontier Constructors, Inc., v. Travelers Cas. and Sur. Co. of Am., No. 3:24-cv-00259 (D. Alaska, Nov. 11, 2024). While the case was voluntarily dismissed before the D&O insurer responded to the complaint, the policyholder’s allegations tell a familiar story and highlight several areas of dispute that companies face when navigating the fallout from cyber incidents.
Background
Alaska Frontier Constructors, Inc. (AFC) experienced a 2023 cyber incident in which an imposter, communicating by email, tricked AFC into wiring $1.9 million into a fraudulent bank account. AFC’s CFO received an email that appeared to have been sent by the CFO of another company, Kuukpik, with which AFC worked closely. The spoofed email asked when a payment would be made for money owed to Kuukpik by Nanuq, a wholly owned subsidiary of Kuukpik that AFC worked with closely on many projects.
This email was actually sent by a black hat hacker pretending to be Kuukpik’s CFO. Kuukpik and AFC provided cash payments to one another on a regular basis through an intercompany account shared by the two.
The spoofed email came from an address similar to that of Kuukpik’s CFO, and the hacker later emailed AFC’s CFO instructions to send a wire to a bank in New Jersey. AFC’s controller initiated the automated clearing house transfer to the New Jersey bank account as instructed by the hacker, which caused Nanuq’s bank to transfer $1,915,448.32 into the fraudulent account. By the time AFC and Kuukpik realized the payment had been wired but not received by Kuukpik, the hacker and the money were gone.
Nanuq demanded that AFC compensate it for the money it lost and sent draft complaints with causes of action for negligence and negligent supervision and training. AFC sought coverage under its D&O policy for the fraudulent wire transfer that resulted from the spoofed email. AFC’s D&O insurer denied AFC’s claim under a “Data and Privacy Exclusion” endorsement that barred coverage for all claims based upon or arising out of a list of cyber-related events that included “any unauthorized access to a computer system.”
The Coverage Lawsuit
AFC filed suit in Alaska, where AFC is incorporated and has its principal place of business. Its complaint alleged that the insurer breached the policy in refusing to defend and failing to indemnify AFC’s losses and acted in bad faith in adjusting and denying coverage for the $1.9 million in losses flowing from the fraudulent email scheme.
AFC asserted that, in denying coverage under the data and privacy exclusion, the insurer ignored the Alaska Change Endorsement, which states that claims cannot be denied if an excluded cause of loss is secondary to a dominant covered cause of loss in an unbroken chain of events leading to the loss. The dominant cause of loss, AFC alleged, was AFC’s failure to use reasonable care when initiating the wire transfers and not the imposter CFO’s communication of wiring instructions. As a result, the Alaska Change Endorsement prevented the data and privacy exclusion from eliminating coverage.
AFC also contended that the insurer failed to account for the Data and Privacy Exclusion endorsement’s carveback for claims under Insuring Agreement A for non-indemnified losses of insured persons. The company asserted that this carveback applied to the company’s CFO and Controller. Having been “abandoned” by its insurer, AFC ultimately settled the case for nearly $1.7 million and then sought to recover those losses from the D&O insurer.
Before the insurer filed its answer, AFC voluntarily dismissed the lawsuit with prejudice.
Takeaways
The early dismissal likely was the result of an out-of-court confidential settlement or other negotiated resolution. Notwithstanding AFC’s voluntary dismissal, the dispute highlights several recurring coverage issues that can help or hinder the chances of recovery if a claim occurs.
Address cyber exclusions. Many D&O insurers routinely add “cyber” exclusions to D&O policies, usually through endorsement and usually covering a laundry list of underlying cyber events. The intent is to shift “cyber” risks to cyber insurance policies. But as with most insurance issues, the devil is in the details, and many times cyber exclusions are written so broadly that they can encompass D&O exposures with only attenuated connections to the enumerated cyber incidents.
The cyber exclusion endorsement in AFC’s policy was broad—it applied to “any claim based upon or arising out of,” among other things, loss or theft of, disclosure of, or unauthorized access to or use of personal private or confidential information, any unauthorized access to computer systems, any authorized access to cause intentional harm to a computer system, or any violation of law regarding the protection, use, collection, disclosure of, access to, or storage of personal private or confidential information. Policyholders should carefully assess whether their D&O policy has such an exclusion. If it cannot be eliminated entirely, consider limiting its scope by, for example, narrowing the broad causation language.
Policy coordination can avoid coverage gaps. While careful analysis and customization of D&O policy language can help prevent unexpected denials for cyber-related losses, focusing on a single line of coverage for significant loss events, especially cybersecurity incidents, may not be sufficient. D&O policies should be reviewed alongside other complementary coverages—like cyber policies—to ensure coverage grants and exclusions are working as intended and do not result in any unintended gaps.
The global cost of a data breach in the US reached $4.88 million on average in 2024, a double-digit percentage increase year over year and the highest total ever. Given those staggering costs, negotiating robust liability coverages with an eye towards cyber incidents is even more important because cyber policies may be quickly eroded and not available to respond to follow-on litigation, investigations, and other claims arising out of a cyber incident.
Understand governing law and its impact on coverage. The AFC dispute also showed how insurance outcomes can differ depending on governing law. Because AFC was an Alaskan company, its policy had an Alaska Change Endorsement that could intervene and preserve coverage based on dominant and secondary causes of loss. But that analysis could differ materially if a policy is governed by another state’s law or has a different state amendatory endorsement applying another rule. Policies may also have choice-of-law, choice-of-venue, and similar provisions that further impact what law governs the insurance claim and what coverage is available under a particular policy.
Evaluating these and other insurance issues in D&O and other liability policies proactively as part of regular insurance reviews can help place and renew stronger policies, maximize recovery, and prevent unexpected denials should a claim arise.