EDPB Adopts Statement on Age Assurance and Creates a Task Force on AI Enforcement
On February 12, 2025, during its February 2025 plenary meeting, the European Data Protection Board (EDPB) adopted a statement on age assurance, which outlines ten principles concerning the processing of personal data when determining an individual’s age or age range. The EDPB is also cooperating with the European Commission on age verification in the context of the Digital Services Act (DSA) working group.
In addition, the EDPB extended the scope of the ChatGPT task force to artificial intelligence (AI) enforcement. The EDPB members underlined the need to coordinate the actions of the Data Protection Authorities (DPAs) regarding urgent sensitive matters and will set up a quick response team for that purpose.
In the statement, the EDPB outlines ten key principles to follow to implement a governance framework that complies with the General Data Protection Regulation (GDPR) to protect children and how their personal data is processed. The EDPB Chair, Anu Talus, stressed the importance of balancing the responsible use of AI within the GDPR framework. Businesses should ensure compliance with these evolving data protection standards, and our team is available to provide guidance on navigating the GDPR requirements and implementing effective compliance strategies.
“The GDPR is a legal framework that promotes responsible innovation. The GDPR has been designed to maintain high data protection standards while fully leveraging the potential of innovation, such as AI, to benefit our economy. The EDPB’s task force on AI enforcement and the future quick response team will play a crucial role in ensuring this balance, coordinating the DPAs’ actions and supporting them in navigating the complexities of AI while upholding strong data protection principles.” – EDPB Chair Anu Talus
www.edpb.europa.eu/…
Beware Broader Insurance Coverage Exclusions for Biometric Information Privacy Law Claims
It has been nearly two decades since Illinois introduced the first biometric information privacy law in the country in 2008, the Illinois Biometric Information Privacy Act (“BIPA”). Since then, litigation relating to biometric information privacy laws has mushroomed, and the insurance industry has responded with increasingly broad exclusions for claims stemming from the litigation. A recent Illinois Appellate Court decision in Ohio Security Ins. Co. and the Ohio Cas. Ins. Co. v. Wexford Home Corp., 2024 IL App (1st) 232311-U, demonstrates this ongoing evolution.
The plaintiff in a putative class action lawsuit sued Wexford Home Corporation (“Wexford”), alleging that Wexford violated BIPA by collecting, recording, storing, sharing and discussing its employees’ biometric information without complying with BIPA’s statutory disclosure limitations. Wexford tendered the putative class action lawsuit to its insurers, Ohio Security Insurance Company and Ohio Casualty Insurance Company, both of which denied coverage and filed a declaratory judgment action seeking a ruling that the insurers had no duty to defend or indemnify Wexford.
The insurers argued that there was no duty to defend or indemnify based on three exclusions: (1) the “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion (“Recording and Distribution Exclusion”), (2) the “Exclusion-Access Or Disclosure Of Confidential And Data-Related Liability-With Limited Bodily Injury Exception,” and (3) the “Employment-Related Practices Exclusion.”
The parties cross-moved for judgment on the pleadings, and the trial court granted judgment for Wexford, finding that the insurers owed a defense. The trial court reasoned that publication of material that violates a person’s right to privacy met the policies’ definition of personal and advertising injury, and therefore no exclusions applied to bar coverage. The insurers appealed. Although the insurers did not challenge the trial court’s ruling that the alleged BIPA claims qualified as personal or advertising injury sufficient to trigger coverage, they maintained that the trial court erred by not applying the three exclusions.
On appeal, the court focused on the Recording and Distribution Exclusion, which purports to bar coverage where the personal or advertising injury arises from the violation of any of three enumerated statutes (TCPA, CAN-SPAM Act, and FCRA) or any other statute that falls within a broad “catch all” provision that expands the exclusion to include violations of “[a]ny federal, state or local statute, ordinance or regulations other than the [three enumerated statutes] that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”
The court relied on its earlier decision, National Fire Ins. Co. of Hartford and Cont’l Ins. Co. v. Visual Park Co., Inc., 2023 IL App (1st) 221160, in which it found an identical Recording and Distribution Exclusion to bar coverage for BIPA claims. That decision, however, represented a departure from earlier decisions that found similar catchall provisions did not encompass BIPA claims. For example, in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, 183 N.E.3d 47 (May 20, 2021), the same appellate court that decided Visual Park explained that the interpretive canon of ejusdem generis (which requires that general words following an enumeration of specific persons or things are deemed to apply only to persons or things of the same general kind or class of the specifically enumerated persons or things) required a finding that a similar catchall exclusion would be afforded limited reach and not extend to BIPA claims. In the Visual Park case, on the other hand, the appellate court concluded that a catchall provision like the one in Wexford was materially different and broader than prior versions of the exclusion. According to the Visual Park court, the exclusion’s reference to “disposal,” “collecting,” or “recording” of material or information sufficiently encompassed BIPA violations, whereas prior versions apparently did not. The appellate court again applied the interpretive canon of ejusdem generis to reach conclusions about the exclusion’s intended reach. The court reasoned that because the specifically enumerated statutes in the Recording and Distribution Exclusion protected personal information and privacy, the general catchall must have been intended to do so as well.
As Wexford, Visual Park, and the pre-Visual Park decisions illustrate, insurers are broadening the scope of exclusions that potentially apply to BIPA-related claims. Policyholders should carefully review their policies annually to identify changes in wording that might have a material impact on the scope of coverage. Experienced brokers and coverage counsel can help to ensure that material changes are identified early and, where appropriate, modified or deleted by endorsement.
Update on U.S. Climate Disclosure Requirements
As of early 2025, the landscape of climate disclosure requirements in the United States is shifting. Unsurprisingly, the Trump Administration has signaled its intent to roll back the federal climate disclosure rule promulgated by the Securities and Exchange Commission (“SEC” or “Commission”) last year. Meanwhile, implementation of California’s suite of climate disclosure laws is moving forward, and at least two other states are considering copy-cat legislation. As companies operating in the United States continue to prepare for compliance at the state level, they should consider these developments alongside potential changes to international and voluntary reporting standards and should work to implement corporate processes that ensure consistency and accuracy in reporting across all relevant frameworks.
SEC Climate Rule
In March 2024, the SEC adopted rules to standardize climate-related disclosures by public companies and public offerings. The rules were promptly challenged by multiple stakeholders, and the cases were consolidated before the U.S. Court of Appeals for the Eighth Circuit. Not long afterwards, on April 4, 2024, the SEC stayed implementation of the regulations pending judicial review of the legal challenges.
On February 11, 2025, Acting SEC Chair Mark Uyeda issued a statement announcing that he had directed SEC staff to request that the court not schedule the case for oral argument in order to allow time for the Commission to determine next steps in light of certain changes. Specifically, Acting Chair Uyeda cited as changes (1) his views that “[t]he Rule is deeply flawed and could inflict significant harm on the capital markets and the economy” and was promulgated without statutory authority; (2) the recent change in the composition of the Commission; and (3) President Trump’s recent memorandum regarding a regulatory freeze.
While next steps on the part of the Eighth Circuit and the SEC are yet to be seen, the SEC will likely seek to roll back the 2024 rule, potentially through a new notice-and-comment rulemaking process.
California Climate Disclosure Laws
Meanwhile, implementation of California’s climate disclosure laws is moving forward. In October 2023, California Governor Gavin Newsom signed into law three different bills: (1) SB 253, requiring disclosure of greenhouse gas emissions for companies with at least a billion dollars in revenue that are doing business in California; (2) SB 261, requiring climate-related risk disclosures for companies with at least $500 million in revenue that are doing business in California; and (3) AB 1305, requiring annual substantiation of offset sales and purchases, as well as net zero and emission reduction claims, for companies operating and making claims in California. Unlike the SEC rule, all of these laws apply regardless of whether a company is public or privately held.
In September 2024, Governor Newsom signed into law a set of amendments to SB 253 that, among other things, delayed the rulemaking deadline set for the California Air Resources Board until July 1, 2025. The amendments did not, however, delay any compliance timelines for covered entities. This means that covered entities must continue to plan for the first round of reporting on Scope 1 and Scope 2 emissions in 2026, with reference to FY 2025 data, even though a host of questions remain about the scope and mechanics of required reporting. In recognition of this uncertainty, on December 5, 2025, CARB issued an Enforcement Notice indicating that it would not pursue enforcement against entities working in “good faith” toward compliance, and that, for the first reporting year, it would be sufficient to rely on data already in a reporting entity’s possession as of the date of the notice. Not long after, CARB announced a public comment period to seek input from stakeholders on a range of implementation-related issues, including how CARB should define “doing business in California” for purposes of defining the universe of entities subject to compliance obligations under SB 253 and SB 261.
Implementation of the California laws seems unlikely to be stopped in court. On February 3, 2025, the U.S. District Court for the Central District of California substantially narrowed an ongoing judicial challenge to SB 253 and SB 261 by the U.S. Chamber of Commerce, California Chamber of Commerce, and other industry stakeholders. The court dismissed plaintiffs’ claims that these laws violate the Supremacy Clause of the U.S. Constitution and constitute extraterritorial regulation in violation of the Dormant Commerce Clause. The court has preserved, for now, a claim that these laws compel speech in violation of the First Amendment.
Pending Legislation in Other States
During the past several legislative sessions, New York has considered climate disclosure bills similar to California’s SB 253 and SB 261. In January 2025, these bills were once again introduced in the New York Senate as S3456 (Climate Corporate Data Accountability Act) and S3697 (Report of Climate-Related Financial Risk). While similar to SB 253, S3456 is more explicit on some points—for example, by specifying that the law’s applicability be determined with reference to consolidated revenue, including revenues received by all of the business’s subsidiaries.
Illinois and Washington also considered similar legislation in 2024 and may seek to introduce it in 2025.
Changes to International and Voluntary Frameworks
Companies that operate in the European Union (“EU”) have been preparing in earnest for compliance with the Corporate Sustainability Reporting Directive (“CSRD”) for well over a year. Nonetheless, the European Parliament is reportedly considering omnibus legislation that would potentially reduce the scope of CSRD applicability and reporting, as well as make changes to other EU sustainability laws. These changes could be relevant not only to companies with direct reporting obligations under these laws, but also to companies that report under voluntary standards, such as CDP, that have sought to align with the CSRD.
What’s Next?
Companies doing business in the United States should continue to monitor this shifting landscape at the U.S. state and international levels. As changes occur, it will be critical to reevaluate data collection and reporting processes to ensure consistency and compliance with all relevant frameworks.
ANOTHER MASSIVE TCPA SETTLEMENT: Blue Cross Pays Over $1,000.00 Per Class Member as Court Approves $1.6MM TCPA Class Action Settlement
From Red Cross to Blue Cross, TCPA risk is massive these days.
And wrong number calling, in particular, can be incredibly costly.
Just ask Citibank.
Or John Deere.
Or, now, Blue Cross.
In Stark v. BLUE CROSS AND BLUE SHIELD OF NORTH CAROLINA and CHANGE HEALTHCARE RESOURCES, LLC, 1:23-CV-22, 2025 WL 524781 (M.D.N.C. Feb 18, 2025) the Court approved a $1.6MM settlement related to Blue Cross making illegal robocalls to a wrong number.
Per the order:
the case arose because Change Healthcare allegedly made calls on behalf of BCBSNC to identify BCBSNC customers and increase enrollment in certain programs, but Change Healthcare made calls to wrong numbers or to consumers who had opted out of receiving these calls. Ms. Stark alleged that despite being told that her number no longer belonged to a BCBSNC customer, Change Healthcare continued to make sales calls to her number.
The class had 1,573 people in it– which means Blue Cross paid over $1,000.00 per class member!!! (Whoa)
Oh and per the order Class Counsel Avi Kaufman has “recovered via settlement more than $100 million on behalf of TCPA class members.”
This case will net him another $500k in fees.
So there you have it Blue Cross paid a ton of money to settle this– one of the highest-per-class-member settlements I have seen yet. Not sure why they paid so much but it is a good reminder to all of you out there– use the reassigned numbers database to avoid this sort of thing folks!
DEEP DIVE: What Does Mr. Trump’s Executive Order Seizing Control of Federal Agencies Really Mean–and is It Constitutional?
So last night Mr. Trump attempted to seize control of more or less the entire federal government. He signed an executive order purporting to bring all independent agencies–including the FCC, FTC, SEC, and perhaps most chillingly the Federal Election Commission–under his individual control.
No other president has done this. Most have avoided even the appearance of interfering in the workings of these agencies for fear of being viewed as wielding inappropriate control over the affairs of agencies designed by Congress to be independent.
But just because this feels like something a dictator would do– and to be clear, it is– does that mean Mr. Trump is actually trying to become one, and, if so, is it unconstitutional?
Maybe. And, maybe.
First, what even is an independent agency?
Independent agencies oversee certain functions of the federal government that require expertise and precision lawmaking that are generally beyond the ability of a Congress composed of, at best, generalist lawmakers. These agencies have incredible power over areas of government function that require unique supervision to assure sound policy– like telecommunications, environmental protection, or how elections are conducted.
Independent agencies are unique because they tend to wield both executive and legislative powers. Using the FCC as an example, the Commission may issue rulings that interpret or expand the law– such as the recent TCPA revocation ruling the FCC adopted last year. But they may also serve an executive role by bringing enforcement actions and issuing penalties– such as the recent Telnyx order.
And just to make sure everyone understands the difference between legislative and executive functions– legislative power involves MAKING THE LAW. Executive power involves ENFORCING THE LAW.
At the federal level Congress is responsible to MAKE the law. The president is responsible to faithfully ENFORCE the law.
That’s it.
(I look forward to a presidential debate one day–assuming either elections or debates will exist in the future–where the two candidates debate nothing more than who will better faithfully enforce the laws passed by Congress since that is, essentially, their only job.)
Now sometimes making and enforcing the law can blend. For instance when Congress passes a vague enactment–never!–an agency may attempt to interpret the law via an enforcement action. This happens when an agency sues a company for violating the law based on conduct that was never previously deemed to violate that law. We call this “regulation by enforcement” and basically everybody hates it because it is very unfair.
Still, regulation by enforcement was quite common during the Obama era– the CFPB loved to regulate by enforcement– and we saw a bit of it during Biden’s presidency, particularly with the FTC “telemarketing sweep” where it decided, for the first time, that it was a violation of the TSR to engage in lead generation. Eesh.
All right, now that you understand the background what actually happened?
So late yesterday Mr. Trump ordered all independent agencies to report directly to his delegee, the Director of the Office of Management and Budget Russell Vought–who is now instantly one of the most powerful men in the world– so that he, Vought, can dictate their policy, priorities, and budget. As the order states, Vought is to: “review independent regulatory agencies’ obligations for consistency with the President’s policies and priorities…”
In other words, the independent agencies are now to serve Mr. Trump and not the American people as a whole.
Cringe.
To be sure, Mr. Trump is casting his order as one intended to hold the agencies accountable to the people. Per his “fact sheet” the agencies must be brought within the President’s control because he was appointed by the people to control them.
Sort of.
Independent agencies used to be non-political. But beginning largely with the Obama administration these agencies have become increasingly political. But the heads of most of these agencies are appointed directly by the president, and the president’s party generally controls the policies and priorities of the agency.
So, for example, President Trump just appointed Brendan Carr as Chairman of the FCC. Biden appointed Jessica Rosenworcel. Carr will, presumably, guide the Commission consistent with a republican state of mind, just as Rosenworcel guided the Commission with a democratic state of mind. So the agencies are within the control of “the people” because the people decide the president and the president’s party controls the agency and the president picks the head of the agency. And for all past administrations since the 1930s this control and accountability has been deemed sufficient.
But not for Mr. Trump. Not this time.
This time he has decided that these agencies will not move without his direct control. The only way for agencies to be accountable to “the people” is for the agencies to answer directly to him.
Get it?
At best this is ultimate bureaucratic micromanagement. At worst, it is a mechanism by which Mr. Trump can set all of the machinery of government to work to serve his personal agenda– wherever the whims of the day may take him.
Yeah, I know, sounds like a dictator. (For those of you who really like Trump, just imagine Hillary Clinton becoming president in 2028 and having all of these new fun toys to play with Trump left for her.)
So… is it legal?
Maybe. And it depends just how expansive the intended control Mr. Trump is trying to seize really is.
If all Mr. Trump’s order is intended to do is dictate that no federal agency shall take any enforcement action without his approval– or, stated alternatively, that Mr. Trump plans to dictate (there’s that word again) what enforcement activity the agencies engage in before it is taken–and nothing else, then I think this is likely constitutional.
Executive powers ARE preserved to the president in the Constitution and Congress can’t delegate away executive powers that don’t belong to it. So although this move would still make Trump the most powerful president since Lincoln the constitution permits this sort of thing in my view. So I have no problem with it. (I am a strict adherent to constitutional principles and have no problem with Mr. Trump helping himself to as much as the constitution permits.)
To the extent, however, Mr. Trump is stating he intends to dictate what regulations and rules are implemented by these agencies– i.e. that he intends to seize control of their LEGISLATIVE function– that would be a very serious problem. At that point the legislative and executive function would collapse into a single individual creating, as Madison wrote, “the very definition of tyranny.” Mr. Trump could then write the law to serve his agenda, and then have it enforced as he saw fit. That would be unconstitutional in my view, and pretty horrifying frankly.
Unfortunately the Order is vague as to its implications and intentions on regulatory matters. The “fact sheet” speaks repeatedly about “executive power” yet suggests agencies must “submit draft regulations”–i.e. LEGISLATIVE actions– to the President. The order itself provides “No employee of the executive branch acting in their official capacity may advance an interpretation of the law as the position of the United States that contravenes the President or the Attorney General’s opinion on a matter of law, including but not limited to the issuance of regulations, guidance, and positions advanced in litigation, unless authorized to do so by the President or in writing by the Attorney General.” So it does seem the big play is in play, but maybe not. The limitation requiring only “executive branch” employees to abide may mean this rule only applies to agency enforcement activities and not to broader rulemaking.
Like I said… unclear.
So where does this leave TCPAWorld?
First, none of this applies to rules the Commission has already passed. The new requirements kick in 60 days from now and all past activity appears to be protected from the need for Mr. Trump’s blessing. This means the FCC’s current TCPA revocation rule–set to go into effect April 11, 2025– is likely to go into effect on that date, although I could see an effort to have the ruling stayed based on this order.
Second, we can expect all FCC enforcement activity to effectively cease pending Mr. Trump’s review. How he plays this will be very interesting. We can imagine a highly weaponized version of the FCC that goes after left-wing interests in social media and broadcast television. Then again we can imagine a neutered FCC that does very little enforcement of anything. What is unclear is where Mr. Trump stands on telemarketing, “robocalls,” or the TCPA more broadly. So it is unclear where in the pantheon of priorities the TCPA and enforcement proceedings against callers and carriers will land.
Third, the courts will need to decide how much power Mr. Trump now wields over the FCC’s legislative functions. I am looking forward to a statement from Chairman Carr on this subject–I’d expect that to be out today. Perhaps it will be business as usual. Or perhaps all FCC rulemaking and policy will now flow through Mr. Trump’s office– meaning Trump will ultimately have to sign off on whether or not the FCC takes action on the R.E.A.C.H. petition everybody is focused on right now.
This last piece is critical to understand.
When something massive and bizarre happens the most immediate impact tends to be paralysis. I’d expect a whole lot of nothing for a few months while people take in the true enormity of what just happened. In the meantime only actions Mr. Trump expressly dictates are likely to gain any traction with the Commission for the time being.
How to Report “Pig Butchering” Crypto Fraud and Qualify for a Whistleblower Award
2024 Revenue from Pig Butchering Scams Increased 40% Year-over-Year
According to a Chainalysis report, revenue from pig butchering crypto frauds, also known as relationship investment scams, grew nearly 40% year-over-year (YoY). Additionally, the number of deposits to these scams increased by nearly 210% YoY.
Pig butchering scams exploit dating apps, social media platforms, messaging apps, and even random “wrong number” text messages to target possible victims. Once a fraudster establishes and builds a relationship with their target, they pitch fraudulent investment opportunities in cryptocurrencies, precious metals, or foreign currencies. Victims are then directed to deceptive trading platforms–operated by the same organized criminal gangs–where they convert their funds into cryptocurrency and then send the crypto to the fraudulent trading platforms. These platforms falsely display substantial investment gains, and victims ultimately find themselves unable to withdraw their funds. To make matters worse, the trading platforms often tell the victims that they are required to pay certain fees to access their (fake) investment gains. These “fees” are just another ploy used by the fraudsters to trick victims into sending additional crypto to their fraudulent platforms.
The Chainalysis report, titled Crypto Scam Revenue 2024: Pig Butchering Grows Nearly 40% YoY as Fraud Industry Leverages AI and Increases in Sophistication, found that cryptocurrency scams received at least $9.9 billion on-chain, an amount that may increase as Chainalysis identifies more illicit addresses. The report noted that “crypto fraud and scams have continued to increase in sophistication, as the fraud ecosystem becomes more professionalized.” It also highlighted that “crypto drainers continued to proliferate and grew across the board — nearly 170% YoY revenue growth, almost 55% YoY increase in deposit size, and 75% YoY growth in number of deposits.”
Whistleblowers Can Help Combat Pig Butchering Crypto Frauds
Whistleblowers can assist the Commodity Futures Trading Commission (CFTC) in combatting these frauds by reporting original information about pig butchering crypto scams to the CFTC Whistleblower Office. The CFTC Whistleblower Reward Program offers monetary awards to whistleblowers whose original information leads to enforcement actions resulting in civil penalties in excess of $1 million. Whistleblowers reporting pig butchering crypto scams can receive CFTC whistleblower awards between 10% and 30% of the total monetary sanctions collected in successful enforcement actions. The largest CFTC whistleblower award to date is $200 million.
How to Report Pig Butchering Scams to the CFTC and Qualify for a Whistleblower Award
A whistleblower providing original information to the CFTC about an investment romance scam may qualify for an award if:
Their original information caused the CFTC to open an investigation, reopen an investigation, or inquire into different conduct as part of a current investigation, and the CFTC brought a successful enforcement action based in whole or in part on conduct that was the subject of the original information; or
The conduct (i.e., the pig butchering crypto scam) was already under examination or investigation, and the whistleblower provided original information to the CFTC that significantly contributed to the success of the enforcement action.
In determining an award percentage of between 10% and 30%, the CFTC considers the particular facts and circumstances of each case. For example, positive factors may include the significance of the information, the level of assistance provided by the whistleblower and the whistleblower’s attorney, and the law enforcement interests at stake.
If represented by counsel, a whistleblower may submit a tip anonymously to the CFTC. In certain circumstances, a whistleblower may remain anonymous, even to the CFTC, until an award determination. However, even at the time of a reward, a whistleblower’s identity is not made available to the public.
To report a pig butchering crypto fraud and qualify for an award under the CFTC Whistleblower Program, the CFTC requires that whistleblowers or their attorneys report the tip online through the CFTC’s Tip, Complaint or Referral Portal or mail/fax a Form TCR to the CFTC Whistleblower Office. Prior to submitting a tip, whistleblowers should consult with an experienced whistleblower attorney and review the CFTC whistleblower rules to, among other things, understand eligibility rules and consider the factors that can significantly increase or decrease the size of a future whistleblower award.
CFTC Partners with Federal Agencies and NGOs to Combat Pig Butchering
The CFTC’s Office of Customer Outreach and Education is partnering with other federal agencies and non-governmental organizations (NGOs) to raise awareness about relationship investment scams targeting Americans through “wrong number” text messages, dating apps, and social media. This effort includes an infographic that identifies the warning signs of pig butchering.
Additionally, the interagency Dating or Defrauding? social media awareness campaign warns Americans to be skeptical of any request from online friends for cryptocurrency, gift cards, wire transfers, or other forms of payment. The campaign provides information about how to recognize relationship investment scams, what to do if you are affected, and why to share the information to warn others.
Combatting Scams in Australia and the United Kingdom
In response to the growing threat of financial scams, the Australian Government has passed the Scams Prevention Framework Bill 2025. The Scams Prevention Framework (SPF) imposes a range of obligations on entities operating within the banking and telecommunications industries as well as digital platform service providers offering social media, paid search engine advertising or direct messaging services (Regulated Entities). In the first article of our scam series, Australia’s Proposed Scams Prevention Framework, we provided an overview of the SPF. In this article, we compare the SPF to the reimbursement rules adopted by the United Kingdom and consider the likely implications of each approach.
UK Model
The United Kingdom is a global leader in the introduction of customer protections against authorised push payment (APP) fraud. A customer-authorised transfer of funds may fall within the definition of an APP scam where:
The customer intended to transfer the funds to a person, but was instead deceived into transferring the funds to a different person; or
The customer transferred funds to another person for what they believed were legitimate purposes, but which were in fact fraudulent.
Reimbursement Requirement
A mandatory reimbursement framework was introduced on 7 October 2024 (the Reimbursement Framework) and applies to the United Kingdom’s payment service providers (PSPs). Under the Reimbursement Framework, PSPs are required to reimburse a customer who has fallen victim to an APP scam. The cost of reimbursement will be shared equally between the customer’s financial provider and the financial provider used by the perpetrator of the scam. However, PSPs will not be liable to reimburse a victim who has been grossly negligent by failing to meet the standard of care that PSPs can expect of their consumers (Consumer Standard of Caution) (discussed below), or who is involved in the fraud. Where the customer is classed as ‘vulnerable’, failure to meet the Consumer Standard of Caution will not exempt the PSP from liability.
Consumer Standard of Caution
The Consumer Standard of Caution exception consists of four key pillars:
Intervention – Consumers should have regard to interventions made by their PSP or a competent national authority such as law enforcement. However, a nonspecific ‘boilerplate’ warning will not be sufficient to shift the risk onto the customer.
Prompt reporting – Consumers, upon suspecting they have fallen victim to an APP scam, should report the matter to their PSP within 13 months of the last authorised payment.
Information sharing – Consumers should respond to reasonable and proportionate requests for information made by their PSP in assessing the reimbursement claim. Any requests for information must be limited to essential matters taking into account the value and complexity of the claim.
Involvement of police – Consumers should consent to their PSP reporting the matter to the police on their behalf. PSPs must consider the circumstances surrounding a customer’s reluctance in reporting their claim to the police before relying on this exception.
Failure to meet one or more of the above pillars will only exempt the PSP from liability where the customer has been grossly negligent. This is a higher standard of negligence than required under the common law and requires the customer to have shown a ‘significant degree of carelessness’.
Vulnerability
A vulnerable customer is someone who, due to their personal circumstances, is especially susceptible to harm. Personal circumstances relevant to determining whether a customer is ‘vulnerable’ include:
Health conditions or illnesses that affect one’s ability to carry out day-to-day tasks;
Life events such as bereavement, job losses or relationship breakdown;
Ability to withstand financial or emotional shocks; and
Knowledge barriers such as language and digital or financial literacy.
The Consumer Standard of Caution is not applicable to vulnerable customers. Accordingly, where the victim has been classified as a vulnerable customer, PSPs cannot avoid liability on the grounds of gross negligence for failing to meet the Consumer Standard of Caution.
Limit on Reimbursement
PSPs will not be required to reimburse amounts above the maximum level of reimbursement, which is currently £415,000 per claim.
Key Distinctions Between the SPF and the UK Model
Financial Burden of Scams
Both the UK and Australian models seek to incentivise entities to adopt policies and procedures aimed at lowering the risk of scams. By requiring PSPs to reimburse scam victims, the UK’s model shifts the economic cost of scams from customers onto PSPs. A similar purpose is achieved under the SPF, which provides for harsh financial penalties for entities that fail to develop and implement appropriate policies to protect customers against scams. However, a significant point of difference is the extent to which these financial burdens benefit victims of scams directly.
Under the UK model, a victim of an APP scam will be able to recover the full amount of their loss (up to the prescribed maximum amount) so long as:
They were not grossly negligent in authorising the payment;
They were not a party to the fraud;
They are not claiming reimbursement fraudulently or dishonestly;
The amount claimed is not the subject of a civil dispute or other civil legal action;
The payment was not made for an unlawful purpose; and
The claim is made within 13 months of the final APP scam payment.
In contrast, there is no indication that any funds paid under Australia’s SPF civil penalty provisions will be directed towards the reimbursement of victims. However, under the Scams Prevention Framework Bill 2025, where a Regulated Entity has failed to comply with its obligations under the SPF and this failure has contributed to a customer’s scam loss, the customer may be able to recover monetary damages from the Regulated Entity.
Possible Effect on Individual Vigilance
The UK’s Reimbursement Framework recognises that PSPs, as opposed to individuals, have greater resources available to combat the threat of scams. However, there is a risk that by passing the economic cost of scams onto PSPs, individuals will become less vigilant. Where an individual fails to make proper inquiries which would have revealed the true nature of the scam, they may still be eligible for reimbursement so long as they have not shown a ‘significant degree of carelessness’. With this safety net, individuals may become complacent about protecting themselves from the threat of scams.
In contrast to the UK model, individuals will continue to bear the burden of unrecoverable scam losses under Australia’s SPF unless a Regulated Entity’s breach of SPF obligations has contributed to the loss. As a result, individuals will continue to have a financial incentive to remain vigilant in protecting themselves against the threat of scams.
Scope of Framework
Australia
The SPF applies to entities across multiple industries, reflecting Australia’s ‘whole of the ecosystem’ approach to scams prevention. Upon introduction, the SPF is intended to apply to banking and telecommunications entities as well as entities providing social media, paid search engine advertising or direct messaging services. It is noted in the explanatory materials that the scope of the SPF is intended to be extended to other industries over time to respond to changes in scam trends.
The purpose of this wider approach is to target the initial point of contact between the perpetrator and victim. For example, a perpetrator may create a social media post purporting to sell fake concert tickets. Successful disruptive actions by the social media provider, such as taking down the post or freezing the perpetrator’s account, may prevent the dissemination of the fake advertisement and potentially reduce the number of individuals who would otherwise fall victim to the scam.
United Kingdom
In contrast, the UK’s Reimbursement Framework only applies to PSPs participating in the Faster Payments Scheme (FPS) that provide Relevant Accounts.
FPS
The FPS is one of eight UK payment systems designated by HM Treasury. According to the Payment Systems Regulator, almost all internet and telephone banking payments in the United Kingdom are now processed via FPS.
Relevant Account
A Relevant Account is an account that:
Is provided to a service user;
Is held in the United Kingdom; and
Can send or receive payments using the FPS,
but excludes accounts provided by credit unions, municipal banks and national savings banks.
Effect of Single-Sector Approach
Due to the United Kingdom’s single-sector approach, different frameworks need to be developed to combat scam activity in other parts of the ecosystem. This disjointed approach may create enforcement issues where entities across multiple sectors fail to implement sufficient procedures to detect and prevent scam activities. Further, it places a disproportionate burden on the banking sector, failing to acknowledge the responsibility of other sectors to protect the community from the growing threat of scams.
Key Takeaways
While both the United Kingdom and Australia have demonstrated a commitment to adopting tough anti-scams policies, they have adopted very different approaches. Time will tell which approach has the largest impact on scam detection and prevention.
The authors would like to thank paralegal Tamsyn Sharpe for her contribution to this legal insight.
Navigating D&O Coverage for Cyber Fraud: Lessons from Alaska
A construction company recently dismissed its own lawsuit in Alaska federal court accusing a D&O insurer of bad faith refusal to provide coverage for an email spoofing scheme that resulted in nearly $2 million in fraudulent wire transfers. Alaska Frontier Constructors, Inc., v. Travelers Cas. and Sur. Co. of Am., No. 3:24-cv-00259 (D. Alaska, Nov. 11, 2024). Because the case was voluntarily dismissed before the D&O insurer responded to the complaint, the court never reached the merits, but the policyholder’s allegations tell a familiar story and highlight several areas of dispute that companies face when navigating the fallout from cyber incidents.
Background
Alaska Frontier Constructors, Inc. (AFC) suffered a cyber incident in 2023 in which an imposter used email to trick AFC into wiring $1.9 million to a fraudulent bank account. AFC’s CFO received an email that appeared to have been sent by the CFO of Kuukpik, a company with which AFC worked closely. The spoofed email asked when a payment would be made for money owed to Kuukpik by Nanuq, a wholly owned subsidiary of Kuukpik that partnered with AFC on many projects.
The email was in fact sent by a criminal impersonating Kuukpik’s CFO. Kuukpik and AFC regularly made cash payments to one another through an intercompany account shared by the two.
The spoofed email came from an address closely resembling that of Kuukpik’s CFO, and the imposter later emailed AFC’s CFO instructions to send a wire to a bank in New Jersey. AFC’s controller initiated the automated clearing house (ACH) transfer to the New Jersey account as instructed, which caused Nanuq’s bank to send $1,915,448.32 to the fraudulent account. By the time AFC and Kuukpik realized the payment had been sent but never received by Kuukpik, the perpetrator and the money were gone.
Nanuq demanded that AFC compensate it for the money it lost and sent draft complaints with causes of action for negligence and negligent supervision and training. AFC sought coverage under its D&O policy for the fraudulent wire transfer that resulted from the spoofed email. AFC’s D&O insurer denied the claim under a “Data and Privacy Exclusion” endorsement that barred coverage for all claims based upon or arising out of a list of cyber-related events that included “any unauthorized access to a computer system.”
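The lookalike sender address and the later change of wire instructions described above are the standard shape of business email compromise, and the one control that reliably defeats it is out-of-band verification of any new payment details. The following is an added example of the screening an accounts-payable mailbox can apply before a wire is released; it is not code from the article or from any of the companies involved. The partner allow-list, the homoglyph table, the keyword list and the sample messages are assumptions constructed for illustration, and the real addresses from the incident are not on the page and are not reproduced here.

```python
"""Screening inbound emails that carry payment instructions (added example).

Assumes a small, hand-maintained allow-list of partner domains and uses
constructed sample messages; none of the names below are from the incident.
"""
import re
import unicodedata
from email.utils import parseaddr

# Assumed allow-list: domains from which payment instructions are expected.
KNOWN_PARTNER_DOMAINS = {"kuukpik.example", "nanuq.example"}

# Common character swaps used in lookalike domains (assumed, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Phrases that typically accompany a change of bank details (assumed list).
PAYMENT_CHANGE = re.compile(
    r"\b(wire|routing|account number|new bank|updated bank|aba)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold Unicode and lookalike characters so 'rnail.test' compares equal to 'mail.test'."""
    d = unicodedata.normalize("NFKC", domain).lower().strip().rstrip(".")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def registrable(domain: str) -> str:
    """Last two labels: a crude offline stand-in for a public-suffix lookup."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(header_from: str, known=KNOWN_PARTNER_DOMAINS) -> str:
    """Return 'known', 'lookalike', 'unknown' or 'malformed' for a From: header."""
    display, addr = parseaddr(header_from)
    domain = addr.rpartition("@")[2].lower()
    if "@" not in addr or not domain:
        return "malformed"
    if domain in known:
        return "known"
    norm = normalise(domain)
    cand = registrable(norm)
    display_l = display.lower()
    for k in known:
        kreg = registrable(normalise(k))
        klabel = kreg.split(".")[0]
        # 1) identical after homoglyph folding, or within two edits of a partner domain
        if cand == kreg or levenshtein(cand, kreg) <= 2:
            return "lookalike"
        # 2) partner name embedded in a foreign domain (kuukpik.example.attacker.test)
        if len(klabel) >= 5 and klabel in norm:
            return "lookalike"
        # 3) partner name in the display name while the address lives elsewhere
        if len(klabel) >= 5 and klabel in display_l:
            return "lookalike"
    return "unknown"


def review_payment_email(header_from: str, body: str) -> dict:
    """Combine the sender check with a bank-detail-change check into a routing decision.

    A 'known' sender that changes bank details still goes to an out-of-band
    callback on a previously known phone number: the partner's real mailbox
    may itself be compromised, which no domain check can detect.
    """
    sender = classify_sender(header_from)
    changes_bank = bool(PAYMENT_CHANGE.search(body))
    if sender in ("lookalike", "malformed"):
        action = "block_and_escalate"
    elif changes_bank:
        action = "hold_for_callback"
    elif sender == "unknown":
        action = "hold_for_review"
    else:
        action = "release"
    return {"sender": sender, "changes_bank_details": changes_bank, "action": action}


if __name__ == "__main__":
    # Constructed sample messages, not taken from the incident on the page.
    samples = [
        ('"A. Partner" <cfo@kuukpik.example>', "When will the Nanuq invoice be paid?"),
        ('"A. Partner" <cfo@kuukp1k.example>', "Please wire to our new bank, routing 000000000."),
        ('"Kuukpik CFO" <cfo@mail-example.test>', "Updated bank details attached."),
        ('"A. Partner" <cfo@kuukpik.example>', "Please wire to our new bank account number 123."),
    ]
    for hdr, body in samples:
        print(hdr, "->", review_payment_email(hdr, body))
```

The fourth sample is the case that matters most: the address is genuine, so a pure sender check passes it, yet the body changes where money goes, and the only safe disposition is to hold the payment until someone confirms the new details by phone with a contact already on file. Treat the allow-list and keyword list as starting points to be maintained, not as a complete control.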
The Coverage Lawsuit
AFC filed suit in Alaska, where AFC is incorporated and has its principal place of business. Its complaint alleged that the insurer breached the policy in refusing to defend and failing to indemnify AFC’s losses and acted in bad faith in adjusting and denying coverage for the $1.9 million in losses flowing from the fraudulent email scheme.
AFC asserted that, in denying coverage under the data and privacy exclusion, the insurer ignored the Alaska Change Endorsement, which states claims cannot be denied if an excluded cause of loss is secondary to a dominant covered cause of loss in an unbroken chain of events leading to the loss. The dominant cause of loss, AFC alleged, was AFC’s failure to use reasonable care when initiating the wire transfers and not the imposter CFO’s communication of wiring instructions. As a result, the Alaska Change Endorsement prevented the data and privacy exclusion from eliminating coverage.
AFC also contended that the insurer failed to account for the Data and Privacy Exclusion endorsement’s carveback for claims under Insuring Agreement A for non-indemnified losses of insured persons. The company asserted that this carveback applied to the company’s CFO and Controller. Having been “abandoned” by its insurer, AFC ultimately settled the case for nearly $1.7 million and then sought to recover those losses from the D&O insurer.
Before the insurer filed its answer, AFC voluntarily dismissed the lawsuit with prejudice.
Takeaways
The early dismissal likely was the result of an out-of-court confidential settlement or other negotiated resolution. Notwithstanding AFC’s voluntary dismissal, the dispute highlights several recurring coverage issues that can help or hinder the chances of recovery if a claim occurs.
Address cyber exclusions. Many D&O insurers routinely add “cyber” exclusions to D&O policies, usually through endorsement and usually covering a laundry list of underlying cyber events. The intent is to shift “cyber” risks to cyber insurance policies. But as with most insurance issues, the devil is in the details, and many times cyber exclusions are written so broadly that they can encompass D&O exposures with only attenuated connections to the enumerated cyber incidents.
The cyber exclusion endorsement in AFC’s policy was broad—it applied to “any claim based upon or arising out of,” among other things, loss or theft of, disclosure of, or unauthorized access to or use of personal private or confidential information, any unauthorized access to computer systems, any authorized access to cause intentional harm to a computer system, or any violation of law regarding the protection, use, collection, disclosure of, access to, or storage of personal private or confidential information. Policyholders should carefully assess whether their D&O policy has such an exclusion. If it cannot be eliminated entirely, consider limiting its scope by, for example, narrowing the broad causation language.
Policy coordination can avoid coverage gaps. While careful analysis and customization of D&O policy language can help prevent unexpected denials for cyber-related losses, focusing on a single line of coverage for significant loss events, especially cybersecurity incidents, may not be sufficient. D&O policies should be reviewed alongside other complementary coverages—like cyber policies—to ensure coverage grants and exclusions are working as intended and do not result in any unintended gaps.
The global average cost of a data breach reached $4.88 million in 2024, a double-digit percentage increase year on year and the highest total on record. Given those staggering costs, negotiating robust liability coverages with an eye towards cyber incidents is even more important because cyber policies may be quickly eroded and not available to respond to follow-on litigation, investigations, and other claims arising out of a cyber incident.
Understand governing law and its impact on coverage. The AFC dispute also showed how insurance outcomes can differ depending on governing law. Because AFC was an Alaskan company, its policy had an Alaska Change Endorsement that could intervene and preserve coverage based on dominant and secondary causes of loss. But that analysis could differ materially if a policy is governed by another state’s law or has a different state amendatory endorsement applying another rule. Policies may also have choice-of-law, choice-of-venue, and similar provisions that further impact what law governs the insurance claim and what coverage is available under a particular policy.
Evaluating these and other insurance issues in D&O and other liability policies proactively as part of regular insurance reviews can help place and renew stronger policies, maximize recovery, and prevent unexpected denials should a claim arise.
AI and Blockchain – 1+1=3
Individually, AI and blockchain are among the hottest, most transformative technologies. Collectively, they are incredibly synergistic – hence the 1+1=3 concept in the title. We are seeing more examples of how the two will interact. Over time, the level of interaction will be extensive. Many projects are being developed that bring the power of AI to blockchain applications and vice versa. One of these projects that has garnered significant attention is the Virtuals Protocol. The project launched in October 2024 via integration with Base, an Ethereum layer-2 network. Just recently, the project announced that it is expanding to Solana.
The Virtuals Protocol is a decentralized platform for buying, trading, and creating AI agents. It transforms AI agents into tokenized, revenue-generating assets. By leveraging blockchain technology, Virtuals Protocol enables the creation, co-ownership, and interaction with AI agents, expanding their potential across various applications.
AI agents are software programs that can interact with their environment, collect data, and use the data to perform self-determined tasks to meet predetermined goals. Humans set goals, but an AI agent independently chooses the best actions it needs to perform to achieve those goals. See “What are AI Agents?” for more information.
How Virtuals Protocol Works
The Virtuals Protocol integrates AI agents, blockchain infrastructure, and tokenization to create a scalable, decentralized ecosystem. Here’s a breakdown of how it operates:
Agent Tokenization: AI agents are minted as ERC-20 tokens with fixed supplies, paired with $VIRTUAL in locked liquidity pools. These tokens are deflationary through buyback-and-burn mechanisms.
G.A.M.E Framework: Agents utilize multimodal AI capabilities, such as text generation, speech synthesis, gesture animation, and blockchain interactions. This framework allows agents to adapt in real-time.
Revenue Routing: Agents earn revenue through inference fees, app integrations, or user interactions. The proceeds flow into their on-chain wallets for buybacks or treasury growth.
Memory Synchronization: Agents retain cross-platform memory through a Long-Term Memory Processor, ensuring user-specific, contextual continuity.
Decentralized Validation: Contributions and model updates are governed by a Delegated Proof of Stake (DPoS) system, ensuring agent performance aligns with community standards.
On-Chain Wallets: Each agent operates an ERC-6551 wallet, enabling autonomous transactions, asset management, and financial independence.
What Virtuals Do
The Virtuals Protocol redefines digital engagement across gaming, entertainment, and decentralized economies. By simplifying AI adoption, rewarding contributors, and lowering barriers for non-experts, it creates a scalable ecosystem that delivers value for stakeholders. The platform’s agents collectively hold a valuation of over $850 million at the time of publishing, led by Mentigent and aidog_agent. Ownership of these two tokenized AI agents is fractionalized; each is held by more than 200 owners who receive a share of the revenue generated.
Sample Legal Issues Associated with Virtuals
As with any emerging technology, Virtuals Protocol faces several legal challenges:
Intellectual Property Rights: The creation and use of AI agents raise questions about the ownership and protection of intellectual property. Ensuring that creators and users have clear rights and protections is crucial;
Data Privacy: AI agents collect and process vast amounts of user data, raising concerns about data privacy and security. Robust safeguards are necessary to protect user information;
Liability and Safety Standards: Ensuring the safety and reliability of AI agents is essential. Legal frameworks must address potential liabilities and establish safety standards to protect users;
Regulatory Compliance: As AI and blockchain technologies evolve, regulatory compliance becomes increasingly complex. Virtuals Protocol must navigate various legal requirements to ensure its operations remain lawful and ethical;
Securities Laws: The tokenization of AI agents as ERC-20 tokens and the fractionalized ownership of high-value AI agents may attract scrutiny under securities laws. If the SEC deems these tokens to be investment contracts under the Howey Test, the project could face enforcement actions, requiring registration. See here for our discussion on the SEC’s gameplan for crypto under Trump.
Consumer Finance Laws: The collection and processing of user data by AI agents could subject the project to data privacy and consumer protection regulations. Furthermore, if promotional efforts are perceived as deceptive or unfair to users or investors, this could lead to enforcement actions under federal or state consumer protection laws. To the extent revenue-sharing models are subject to consumer protection laws, this could trigger requirements for fair and clear disclosures to fractionalized owners.
AI-Specific Regulations: The Federal Trade Commission (FTC) has issued guidance emphasizing the importance of transparency and honesty in the use of AI, and cautioning against deceptive practices such as making misleading claims about AI capabilities or results. Overstating the capabilities or revenue generating potential of AI agents to attract users or investors could lead to increased regulatory scrutiny and enforcement. Proposed federal legislation, such as the Algorithmic Accountability Act, would require projects like Virtuals to assess the impacts of bias and discrimination on automated decision-making systems, including AI. AI agents may require audits for bias, transparency, and accountability, particularly given their use in user interactions and decision-making.
Despite the novel legal issues Virtuals Protocol presents, the project represents an exciting and significant advancement in the integration of AI and blockchain technologies. By transforming AI agents into tokenized assets, it creates new opportunities for digital engagement and revenue generation. However, addressing the associated legal issues is essential to ensure user trust and the platform’s sustainable growth.
Effective Dates of DEA Final Rules for Telemedicine Prescribing Delayed
On Friday, February 14, 2025, the Drug Enforcement Administration (“DEA”) and the U.S. Department of Health and Human Services (“HHS”) announced that the effective dates for two recently published final rules involving telemedicine prescribing of controlled substances – the final rule titled “Expansion of Buprenorphine Treatment via Telemedicine Encounter” and the final rule titled “Continuity of Care via Telemedicine for Veterans Affairs Patients” (collectively referred to herein as the “Buprenorphine and VA Telemedicine Prescribing Rules”) – are delayed from February 18, 2025, until at least March 21, 2025 (see our previous post on the Buprenorphine and VA Telemedicine Prescribing Rules).
The final rule delaying the effective dates of these final rules is scheduled for publication to the Federal Register on Wednesday, February 19, 2025.
The delays stem from the Presidential Memorandum titled “Regulatory Freeze Pending Review,” (the “Freeze Memo”) issued on January 20, 2025. The Freeze Memo orders all executive departments and agencies to “consider postponing” the effective dates of all rules published to the Federal Register that have not yet taken effect, such as the Buprenorphine and VA Telemedicine Prescribing Rules, until at least March 21, 2025 (sixty days from the issuance of the Freeze Memo), to allow review of any questions of fact, law, and/or policy raised by the rule, and to “consider opening” a comment period for stakeholders to comment on those questions. Accordingly, the DEA is also soliciting comments on: 1) the extension of the effective dates, 2) whether the effective dates should be further extended, and 3) questions of fact, law, and policy raised by these rules, for consideration by officials of the two agencies. Comments are due by February 28, 2025.
The Friday, February 14, 2025 announcement by HHS and DEA, delaying the effective dates, clarified that: “[t]hese new effective dates will not delay or limit the ability of the practitioners covered by these two rules to prescribe via telemedicine, because the ‘Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications,’ which has been in effect since May 10, 2023, permits practitioners to prescribe via telemedicine through December 31, 2025.”
The DEA issued a Notice of Proposed Rulemaking (“NPRM”) titled “Special Registrations for Telemedicine and Limited State Telemedicine Registrations” on January 17, 2025, the same date that HHS and DEA published the Buprenorphine and VA Telemedicine Prescribing Rules. Because the NPRM is in the early stages of the administrative rulemaking process, the proposed rule appears largely unaffected by the Freeze Memo, and comments remain due March 18, 2025.
Takeaways
Practitioners can continue to prescribe via telemedicine without first having an in-person visit with the patient, subject to compliance with other federal and state prescribing requirements, because the Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications permits practitioners to prescribe via telemedicine through December 31, 2025. The EBG team continues to monitor any changes to the Buprenorphine and VA Telemedicine Prescribing Rules, which are now scheduled to go into effect on March 21, 2025.
David Shillcutt contributed to this article.
A More Business-Friendly Approach to Innovation, Risk Management and Derivatives Regulation: What to Expect From Incoming CFTC Chairman Brian D. Quintenz
President Donald Trump’s nomination of Brian D. Quintenz to serve as Chairman of the Commodity Futures Trading Commission (CFTC or Commission) portends a potential shift towards a more business-friendly regulatory approach to overseeing US derivatives markets and CFTC-regulated products. Informed by his years of private sector and public service experiences,1 Mr. Quintenz will return to the CFTC with helpful insights into how regulations practically impact market participants.
As a CFTC commissioner from 2017 to 2021 under the first Trump administration, Mr. Quintenz consistently focused on addressing actual market risks while promoting innovation and technology. Mr. Quintenz’s record suggests that he will be a chairman who embraces technological innovation while insisting on practical safeguards, seeks targeted rather than sweeping regulatory solutions, and works closely with other regulators both domestically and abroad. In each area, he has emphasized that the CFTC should seek to address real market impacts and consider the practical implications of the agency’s rulemakings and guidance. Drawing from his past public statements both while he was a CFTC commissioner and in the years following his government tenure, this advisory briefly examines how Mr. Quintenz’s regulatory worldview will likely influence several key CFTC initiatives, from market innovation to international harmonization efforts.
Following President Trump’s February 12 nomination, Mr. Quintenz will need to secure Senate confirmation before assuming the chairmanship. While the Senate has not yet scheduled confirmation hearings, the process typically extends several weeks or months after nomination as the Senate conducts its review.
Innovation and Technology
Mr. Quintenz’s approach to innovation and technology reflects a pro-business, pro-innovation stance moderated by practical risk management considerations. Rather than supporting blanket or vague regulations that inadvertently engulf a wide array of technologies, Mr. Quintenz has advocated for a more tailored approach that first identifies specific risks, then examines existing market-based solutions, and finally determines whether additional regulation can effectively address remaining concerns.2 Mr. Quintenz has argued “the Commission should not adopt . . . regulations to address amorphous, hypothetical concerns or simply for the sake of having them on the book.”3
Mr. Quintenz’s philosophy aligns with the CFTC’s mandate as set forth in the Commodity Exchange Act (CEA) for the agency to promote responsible innovation.4 Mr. Quintenz has consistently followed this mandate in his various leadership roles at the agency. For instance, as sponsor of the CFTC’s Technology Advisory Committee, he demonstrated this balanced approach by driving the broader integration of financial technology in derivatives markets while seeking appropriate safeguards through state-of-the-art risk control mechanisms and scalable cybersecurity programs.5
In the context of his record on supporting or challenging Commission rulemaking, his stance on the ultimately withdrawn Regulation Automated Trading (Reg AT) further illustrates his philosophy regarding innovation and risk management. Mr. Quintenz opposed the various iterations of Reg AT because in his view each proposal departed from promoting responsible innovation, arguing that the proposals would have imposed rigid, one-size-fits-all risk controls while failing to address specific market risks posed by automated trading.6 He particularly criticized one of Reg AT’s requirements to disclose proprietary source code without a subpoena, viewing this as an example of unnecessary regulatory overreach that would stifle innovation without providing corresponding regulatory benefits.7
Digital Assets. Drawing on his experience as both a CFTC commissioner and private fund advisor, Mr. Quintenz has demonstrated that he is a strong advocate for functional and well-regulated digital asset markets. He also has pushed for the agency to take a balanced and pragmatic perspective towards fraud concerns. In his public statements, Mr. Quintenz highlighted how digital assets can reduce settlement times from days to minutes and enable 24/7 market access — innovations he has argued could reduce costs for market participants while expanding global market accessibility.8
Notably, Mr. Quintenz has advocated for equal regulatory treatment for all financial products at the CFTC, arguing that regulators should focus on enforcing market integrity and preventing fraud rather than deciding which new products are worthy of investment through the adoption of additional regulatory requirements. He has maintained that federal regulators should avoid adopting regulations and imposing requirements with the goal of influencing investment decisions. In his view, investment decisions are best left to markets, investors, and consumers.9 At the same time, Mr. Quintenz has taken a firm stance on fraud and market manipulation, supporting enforcement actions to significantly penalize market misconduct by bad actors.10
Event Contracts. With respect to other innovative products, Mr. Quintenz has raised concerns about the current regulatory framework of CEA section 5c(c)(5)(C) and CFTC Regulation 40.11 covering event contracts,11 which are a type of swap that allow market participants to take positions on the outcomes of specific events. Under this regulation, the CFTC may prohibit a CFTC-regulated contract market or swap execution facility from offering certain event contracts if the contract: (1) involves terrorism, assassination, war, gaming, or an activity that is unlawful under any state or federal law; and (2) the CFTC determines that offering the contract would be against the public interest.12 The CFTC may also prohibit contracts involving similar activities that it determines by rule or regulation to be contrary to the public interest.13
In his March 2021 statement on the CFTC’s consideration of certain sports futures contracts, Mr. Quintenz argued that Congress, not the CFTC, must either ban these contracts outright or establish clear criteria for their review and approval.14 His dissent specifically challenged the CFTC’s decision-making process in the case, questioning both the Commission’s methodologies and statutory authority in evaluating whether the contracts are contrary to the public interest.15
Risk Management
Mr. Quintenz’s views on risk management have centered on targeted approaches rather than broad-sweeping regulations. He has advocated for “smart regulation” that diverges from one-size-fits-all proposals, instead prioritizing thoughtful analysis of policy goals, regulatory costs and impacts on incentives.16 Mr. Quintenz has applied this same principle to regulatory relief, supporting the codification of no-action relief in specific cases to enhance transparency and simplify compliance.17 This strategy reflects his broader commitment to creating clear, practical regulatory frameworks that address real rather than theoretical risks.
Enforcement
Mr. Quintenz has emphasized that “enforcement is not a substitute for guidance” in financial regulation.18 While supporting targeted action against clear violations, he has argued that using enforcement cases to establish regulatory policy — particularly for emerging technologies like digital assets — fails to provide market participants with the clarity they need.19 As he stated in June 2023, “Litigating whether specific tokens are securities through enforcement actions against third parties . . . is inappropriate and does little to protect consumers or provide markets with clarity.”20 To the contrary, Mr. Quintenz has advocated for a collaborative approach where regulators work with market participants to develop clear rules before pursuing enforcement actions.21
Collaboration on Domestic and International Issues
A central tenet of Mr. Quintenz’s regulatory approach has been his emphasis on enhanced coordination among domestic and international regulators. His previous work with Securities and Exchange Commission (SEC) Commissioner Hester Peirce reinforces his commitment to interagency coordination.22 It is likely that Mr. Quintenz will seek to collaborate with incoming SEC Chairman Paul Atkins and other SEC commissioners (including Commissioner Peirce) on areas of overlapping jurisdiction between the agencies, including digital asset classification and the regulation of joint registrants.
On the international front, Mr. Quintenz has advocated for regulatory deference and respect for sovereign regulatory frameworks.23 He has supported a robust deference regime that would limit duplicative regulation while protecting US interests, as evidenced by his support for exemptive relief for non-US derivatives clearing organizations.24 During his time as a CFTC commissioner, he consistently reiterated Congress’s statutory directive that the CFTC has authority to only regulate those foreign activities that have “a direct and significant connection with activities in, or effect on commerce, of the United States.”25
Mr. Quintenz also has advocated for increased reliance on substituted compliance and mutual recognition between jurisdictions as key tools to prevent market fragmentation.26 As a CFTC commissioner, Mr. Quintenz argued that mutual recognition between jurisdictions would preserve market liquidity while respecting different regulatory frameworks. Moreover, he supported a flexible, outcomes-based framework for future comparability determinations that will evaluate the goals of the CFTC’s regulations against the standards of its foreign counterparts’ regimes, as opposed to a rigid prescriptive comparison.27
Conclusion
With the proliferation of new and emerging technologies in US financial markets (such as digital assets, event contracts and generative artificial intelligence (Gen AI)), Mr. Quintenz’s vision for the CFTC will likely result in more pragmatic regulatory policy and enforcement. His support for innovation, emphasis on targeted risk management, and commitment to regulatory coordination will likely shape his approach as CFTC chairman. Under his leadership, the CFTC is likely to pursue a regulatory agenda that balances innovation with investor protection, emphasizing practical, actionable solutions. This approach, combined with his commitment to working with market participants and other regulators, will help guide the Commission through an increasingly complex and interconnected global financial system. For financial services firms, Mr. Quintenz’s chairmanship may signal a period of more pragmatic and targeted regulation, with an emphasis on addressing specific and identifiable risks.
1 Mengqi Sun, Trump Picks Brian Quintenz to Be CFTC Chairman, Wall St. J. (Feb. 13, 2025, 1:47 PM), https://www.wsj.com/articles/trump-picks-brian-quintenz-to-be-cftc-chairman-3e23352d.
2 Brian D. Quintenz, Comm’r, CFTC, “Statement of Commissioner Brian D. Quintenz on the End of His Term and Future Plans” (Aug. 19, 2021), https://www.cftc.gov/PressRoom/SpeechesTestimony/quintenzstatement081921.
3 Brian D. Quintenz, Comm’r, CFTC, “Opening Statement of Commissioner Brian D. Quintenz before the Technology Advisory Committee” (Feb. 14, 2018), https://www.cftc.gov/PressRoom/SpeechesTestimony/quintenzstatement021418.
4 7 U.S.C. § 5(b).
5 See Press Release, CFTC, “Commissioner Quintenz Named Sponsor of the Technology Advisory Committee” (Sept. 18, 2017), https://www.cftc.gov/PressRoom/PressReleases/7611-17.
6 Supra note 3.
7 Brian D. Quintenz, Comm’r, CFTC, “Keynote Remarks Before the Symphony Innovate 2017 Conference” (Oct. 4, 2017), https://www.cftc.gov/PressRoom/SpeechesTestimony/opaquintenz1.
8 Supra note 6.
9 Brian D. Quintenz, Comm’r, CFTC, “Remarks at the Technology and Standards: Unlocking Value in Derivatives Markets Conference” (Nov. 30, 2017), https://www.cftc.gov/PressRoom/SpeechesTestimony/opaquintenz4.
10 Brian D. Quintenz, Comm’r, CFTC, “Statement of Commissioner Brian D. Quintenz Regarding the Commission’s Enforcement Action against BitMEX” (Oct. 1, 2020), https://www.cftc.gov/PressRoom/SpeechesTestimony/quintenzstatement100120.
11 Brian D. Quintenz, Comm’r, CFTC, “Statement of Commissioner Brian D. Quintenz on ErisX RSBIX NFL Contracts and Certain Event Contracts” (Mar. 25, 2021), https://www.cftc.gov/PressRoom/SpeechesTestimony/quintenzstatement032521.
12 7 U.S.C. § 7a-2(c)(5)(C).
13 Id.
14 Supra note 11.
15 Id.
16 Brian D. Quintenz, Comm’r, CFTC, “Keynote Address of Commissioner Brian D. Quintenz before the Smart Financial Regulation Roundtable” (Nov. 2, 2017), https://www.cftc.gov/PressRoom/SpeechesTestimony/opaquintenz3.
17 Id.
18 Supra note 10.
19 Id.
20 Former CFTC Commissioner: Enforcement Is Not a Substitute for Guidance, N.M. Sun (June 8, 2023), https://newmexicosun.com/stories/644420239-former-cftc-commissioner-enforcement-is-not-a-substitute-for-guidance.
21 Id.
22 Supra note 2.
23 Id.
24 Id.
25 Brian D. Quintenz, Comm’r, CFTC, “Supporting Statement of Commissioner Brian D. Quintenz Regarding the Cross-Border Application of the Registration Thresholds and Certain Requirements Applicable to SDs and MSPs – Final Rule” (July 23, 2020), https://www.cftc.gov/PressRoom/SpeechesTestimony/quintenzstatement072320.
26 Id.
27 Id.
What CMMC Level Do I Need? The Department of Defense Issues New Guidance for Determining Appropriate CMMC Compliance Level
The Department of Defense (“DOD”) recently issued new guidance outlining how it will determine Cybersecurity Maturity Model Certification (“CMMC”) levels for its solicitations and contracts. Prior to this guidance, contractors generally understood that contracts with only Federal Contract Information (“FCI”) would require a CMMC Level 1 self-assessment; contracts with Controlled Unclassified Information (“CUI”) would require either a CMMC Level 2 self-assessment or a CMMC Level 2 certification; and DOD contracts “supporting its most critical programs and technologies” would require a CMMC Level 3 certification. DOD’s new guidance provides additional information contractors can use to help them determine which CMMC Level they should achieve.
CMMC Level 1:
DOD’s CMMC Level 1 guidance confirms what contractors have already understood: A contract will require a CMMC Level 1 self-assessment if it requires the contractor to process, store, or transmit only FCI on the contractor’s information system. Stated another way, if the contractor does not receive CUI in connection with the contract, then the contractor will only need a CMMC Level 1 self-assessment to perform the contract. Thus, contractors that have not historically received CUI when supporting DOD may be able to continue their DOD work with only a CMMC Level 1 self-assessment.
CMMC Level 2:
CMMC Level 2 is unique among the CMMC Levels because it is the only level that is bifurcated into a self-assessment and certification. DOD’s new guidance outlines which contracts will require a CMMC Level 2 self-assessment, and which contracts will require a certification.
DOD contracts will require a CMMC Level 2 certification if the contractor will receive CUI that falls under the National Archives’ “Defense Organizational Index Grouping.” Recall that the National Archives groups CUI into one of 20 overarching organizational index groups. The Defense index group consists of five types of CUI: (1) Controlled Technical Information; (2) DoD Critical Infrastructure Security Information; (3) Naval Nuclear Propulsion Information; (4) Privileged Safety Information; and (5) Unclassified Controlled Nuclear Information – Defense. Thus, contractors who receive any of these five types of CUI should expect their future contracts to require a CMMC Level 2 certification.
DOD contracts will require a CMMC Level 2 self-assessment if the contractor will only receive non-Defense CUI. That is, if a contract involves CUI, but not the five types of CUI identified above, then the contractor will only need a CMMC Level 2 self-assessment. Contractors who do not regularly receive Defense-related CUI may be able to continue their DOD work with only a CMMC Level 2 self-assessment. Note, however, that if a contractor is willing to invest the resources needed to comply with Level 2’s security requirements, then it may be worth pursuing a certification if there is any chance the contractor may wish to pursue opportunities requiring a Level 2 certification.
CMMC Level 3:
DOD’s guidance cautions officials to “avoid overuse of the CMMC Level 3 requirement.” This is consistent with past statements from DOD, which emphasized that very few contracts will require a CMMC Level 3 certification. DOD’s guidance identifies three situations when a CMMC Level 3 requirement may be appropriate: (1) contracts where the contractor will receive CUI associated with a breakthrough, unique, and/or advanced technology; (2) contracts involving a significant aggregation or compilation of CUI in a single information system or IT environment; and (3) contracts where an attack on a single information system or IT environment would result in widespread vulnerability across DOD. Contractors who regularly support contracts involving research and development of new and sensitive DOD technology or who collect significant amounts of CUI during performance should explore whether to obtain a CMMC Level 3 certification.
Overall, contractors should pursue a CMMC level that is appropriate for the types of DOD information they receive and is consistent with their future business objectives. Most importantly, to avoid losing out on contracting opportunities, contractors should not delay identifying and obtaining their desired CMMC level.