CFPB Examinations Highlight Fair Lending Risks in Credit Scoring Models
Amid recent technological advances in artificial intelligence and machine learning, on January 17, 2025, the CFPB issued its Winter 2025 Supervisory Highlights: Advanced Technologies Special Edition. This edition of Supervisory Highlights delivers critical industry reminders regarding the balance between regulatory requirements and technological innovation. As an appropriate summation of the CFPB’s overarching worldview, the opening sentence of the Supervisory Highlights explains that “[t]here is no ‘advanced technology’ exception to Federal consumer financial laws.”
In the Supervisory Highlights, the CFPB highlighted instances where credit scoring models used by credit card lenders and auto lenders may result in violations of the Equal Credit Opportunity Act (ECOA) and its implementing Regulation B. For instance, recent CFPB examinations identified disparities in applicant outcomes resulting from the use of credit scoring models in underwriting and pricing credit card applications. The CFPB found disproportionately negative outcomes for protected groups across multiple card products, and critically, examiners suggested that the development or implementation protocols of credit scoring models contributed to the disparities.
According to the Supervisory Highlights, to challenge a disparate impact claim, a financial institution must establish a legitimate business need for a neutral policy or practice that has an adverse impact on a member of a protected class that cannot reasonably be achieved by means that are less disparate in their impact (see 12 CFR Part 1002 Supp. I Sec. 1002.6(a)-2). Here, CFPB analysts identified potential alternative credit scoring models that meaningfully reduced disparities while maintaining comparable predictive performance, suggesting that there may be appropriate and less discriminatory alternative credit scoring models that would meet an institution’s legitimate business needs.
The CFPB’s examiners also noted that financial institutions failed to have adequate compliance management systems (CMS) capable of identifying and addressing these types of fair lending risks. To address these concerns, examiners directed institutions to develop enhanced testing protocols to identify less discriminatory alternative credit models. Examiners required institutions to not only test their credit scoring models but, in the event that testing revealed prohibited basis disparities, to document the specific business needs their credit scoring models serve.
Additionally, in a continuation of a multi-year trend in its messaging, the CFPB also reminded institutions that using “black box” algorithms does not exempt them from providing an applicant with a statement of specific reason(s) for an adverse action as required under ECOA and Regulation B. Examiners found that certain institutions did not sufficiently ensure compliance with adverse action notice requirements and directed the institutions to test the methodologies used to identify principal reasons in adverse action notices.
This special edition of Supervisory Highlights underscores the need for the industry to balance technological innovation with robust compliance frameworks — keeping in mind the impact of any technological advances on existing fair lending laws. To navigate the regulatory landscape, financial institutions should regularly assess their use of artificial intelligence and machine learning models to ensure compliance with applicable laws, including ECOA and Regulation B, and should perform adequate testing to ensure ongoing compliance.
SOLE CRUSHING: Shoe Company Hit with TCPA Complaint
Hey TCPAWorld!
It’s been several days and I’m still shell-shocked from one-to-one consent being stayed by the FCC. In some parallel universe, the rule goes into effect and the 11th Circuit doesn’t vacate the FCC’s order. Alas, here we are—business as usual with another TCPA complaint update.
This week, we’re covering a complaint filed against Easy Spirit, LLC, a footwear company specializing in comfortable and affordable shoes for women.
In WILSON v. EASY SPIRIT, LLC, No. 3:25-CV-00112-SFR (D.Conn. Jan. 22, 2025), Wilson (“Plaintiff”) alleges that even though Plaintiff has been listed on the National Do-Not-Call Registry (“DNCR”) for over 30 days, Easy Spirit, LLC (“Defendant”) delivered over a dozen text messages to Plaintiff’s residential number, including on nine separate days between December 19, 2024 and January 7, 2025, among others. One example reads:
EASY SPIRIT: End 2024 in style with an extra 40% OFF sale! Shop now: https://ltrk.co/EBYVIH
Id. at ¶ 13. Due to these accusations, Plaintiff filed a Complaint in the District of Connecticut alleging Defendant violated the DNC provisions, 47 U.S.C. 227(c)(5) and 47 C.F.R. § 64.1200(c)(2), by delivering telemarketing messages to Plaintiff, while Plaintiff was listed on the DNCR.
Plaintiff seeks to represent the following class:
National DNC Class: All persons throughout the United States (1) who did not provide their telephone number to Easy Spirit, LLC, (2) to whom Easy Spirit, LLC delivered, or caused to be delivered, more than one voice message or text message within a 12-month period, promoting Easy Spirit, LLC goods or services, (3) where the person’s residential or cellular telephone number had been registered with the National Do Not Call Registry for at least thirty days before Easy Spirit, LLC delivered, or caused to be delivered, at least two of the voice messages or text messages within the 12-month period, (4) within four years preceding the date of this complaint and through the date of class certification.
Id. at ¶ 21.
One-to-one consent was stayed. DNC provisions are alive and well. The new revocation rule—which requires revocation requests to be honored within a reasonable timeframe, not exceeding 10 business days—is scheduled to take effect on April 11, 2025.
EPA Releases New MyPest Tracking System
On January 17, 2025, the U.S. Environmental Protection Agency (EPA) released its new MyPest tracking system to provide transparency and visibility into the real-time status of pesticide submissions. MyPest is a web-based system that tracks a registrant’s pesticide applications and products after submission via EPA’s Central Data Exchange (CDX). MyPest allows users to view and communicate with the Office of Pesticide Programs (OPP) regarding their pesticide products and pending applications.
Pursuant to the requirements in the Pesticide Registration Improvement Act of 2022 (PRIA 5), MyPest seeks to provide accurate, up-to-date information about pesticide applications that are with EPA’s OPP for review.
The MyPest application is available at https://oppt.my.site.com/mypestapp/s/.
EPA provides a user guide with instructions for using the MyPest application for specific functions based on the four available roles, including:
Company Admin (CA)
Every registrant company must have at least one user designated as the CA.
This is the highest level in the hierarchy of user roles and gives the user the most access and control of any role in the company.
CAs can view the status of all current projects and can access product history to view information about previously submitted projects.
CAs are the only users allowed to invite new users, approve or deny new user requests, and revoke the access of a user.
A company can have multiple CAs; however, only the first CA for a company is approved directly by EPA. No other role can be assigned to a company before the first CA is approved by EPA. After the first CA is approved, that person will approve all other roles, including additional CA roles.
CAs can be assigned to multiple companies.
Company Representative (CR)
A company can have multiple CRs.
CRs have access to all user submissions on behalf of the company.
CRs can be assigned to multiple companies.
Consultant
A company can have multiple Consultants.
Consultants only have access to view the projects that they are currently working on or have worked on in the past.
By default, Consultants only have access to view information at the case level but can request to view the information at the product level. The Consultant’s cases are assigned by the CAs.
Contributor
Contributors are assigned for a specific purpose and for a limited time.
All information submitted by the Contributor is marked as “Confidential” but can be toggled on and off.
Any information marked as “Confidential” only can be viewed by the Contributor.
The CA assigns cases to the Contributor upon role request approval.
All MyPest roles are established per EPA Company Number. If a company has multiple Company Numbers, then a CA will need to be set up for each unique EPA Company Number.
The company CA first must request the CA role in MyPest. EPA approves only the first CA per EPA Company Number, as the CA then will approve future role requests.
UK ICO Publishes its 2025 Strategy for Online Tracking
On January 23, 2025, the UK Information Commissioner’s Office (“ICO”) published its new online tracking strategy for 2025 (the “Strategy”) which sets out how it intends to achieve its “vision” of “a fair and transparent online world where people are given meaningful control over how they are tracked online.” Through the Strategy, the ICO seeks to ensure that, amongst other things, individuals can operate online with trust and confidence and meaningfully control how their data is used, and organizations are not disadvantaged by following the rules and improving their approach to online tracking to ensure it is compliant.
The ICO has identified the following four areas where individuals are not being given sufficient control of their data as provided by data protection law:
Deceptive or absent choice: Individuals are often not presented with an adequate choice regarding the use of non-essential cookies and similar tracking technologies.
Uninformed choice: When individuals are presented with the option to provide consent, there are instances where organizations do not provide adequate information with respect to the purposes being consented to.
Undermined choice: When organizations appear to be transparent about their processing, there are instances when the processing activities performed do not align with the description of the processing.
Irrevocable choice: When individuals are presented with a clear and transparent option to provide consent, there are instances where there is no meaningful way to withdraw consent provided.
In the Strategy, the ICO explains how it proposes to take action on these issues, specifically by:
Encouraging publishers to deploy more privacy-preserving advertising that does not involve extensive profiling of individuals based on their online activity, habits and behavior potentially across different services and devices. In doing so, the ICO intends to revisit the requirements of the Privacy and Electronic Communications Regulations and to work with UK government to explore where amendments could be made.
Building on the ICO’s work in 2024 regarding cookies, the ICO now intends to focus on bringing the UK’s top 1,000 websites into compliance with regards to non-compliant cookie usage (see previous blog on the topic).
Ensuring that non-compliant online tracking does not take place on apps and Internet-connected TVs.
Publishing guidance on ‘consent or pay models’ (also published on January 23, 2025) which seeks to clarify how publishers can deploy these models to give individuals meaningful control over online tracking while supporting their economic viability.
Providing industry with clarity on requirements of data protection law. This includes, for example, publishing the final guidance on storage and access technologies (formerly known as the “cookie guidance”).
Investigating potential non-compliance by data management platforms that connect online advertisers and publishers.
Supporting the public in taking control of online tracking by publishing guidance on how individuals can understand and control the use of their information online, and raise awareness of their rights.
Read the ICO statement on the Strategy.
Here It Is!!! Deserve to Win (Ep. 30)– Breaking Down the Biggest Day in TCPAWorld History [Video]
So last Friday was the biggest day in TCPAWorld history so far with the massive one-two punch of the FCC staying the new TCPA one-to-one rule literally just minutes before the Eleventh Circuit Court of Appeals vacated the ruling altogether.
All of this minutes before the close of business the business night before the rule was set to go into effect today!
My goodness.
It was high drama throughout the night, however, with the CEO of a publicly traded company then specifically questioning REACH’s efforts in his own ill-advised attempt to take credit for the rulings. Just magnificent stuff.
TCPAWorld readership has been off the charts all weekend, and now you can enjoy Troutman Amin, LLP’s official analysis and reactions to all of these developments and–most importantly–its breakdown of the decision in IMC v. FCC and what happens next.
Watch the podcast now to hear the Czar, Queenie and the Countess discuss:
The lead up to the ruling and the last-minute efforts to stay the case;
The incredible last-minute stay issued by the FCC;
Lending Tree’s insane effort to take credit for the stay and claim of a supposed secret deal; and most importantly
The ruling of the Eleventh Circuit Court of Appeals striking down one-to-one consent:
What does this mean for lead generation?
What was the basis for the court’s ruling?
What happens next for compliance efforts?
This really is the most important podcast episode we have put out and it is yours FREE to watch (and re-watch) RIGHT NOW!!!:
New IRS Regulations Address Cross-Border Cloud Computing and Digital Infrastructure Transactions
Go-To Guide:
IRS issues final regulations classifying cross-border cloud transaction income as service income, including for purposes of sourcing such income for U.S. federal tax purposes.
Proposed regulations introduce a three-factor test for sourcing cloud transaction income based on location of intangible property, personnel, and tangible assets.
In light of the new rules, U.S. and non-U.S. businesses engaging in cross-border cloud computing and digital infrastructure transactions should carefully consider the location of their personnel, intangible property (including R&D activity), and tangible property that contribute to the generation of income from such transactions to optimize their tax planning and tax efficiency.
Proposed regulations also include anti-abuse provisions that seek to prevent artificial reduction of U.S. federal income tax liability in a manner inconsistent with the regulations’ purpose.
Final regulations refine definitions of cloud transactions and digital content transactions, replacing de minimis rule with predominant character test.
On Jan. 10, 2025, the IRS released two sets of regulations under Section 861 of the Internal Revenue Code. The Final Regulations treat income from cloud transactions as income from services and clarify definitions of cloud transactions and digital content transactions for U.S. federal income tax purposes. The Proposed Regulations provide a mathematical formula to determine the source of income from cloud transactions, based on the location of the taxpayer’s employees and assets (both tangible and intangible).
The Final Regulations took effect Jan. 14, 2025. The Proposed Regulations will not become effective until the IRS adopts final rules.
Impact on US and Non-US Businesses
The new regulations impact businesses across all industries, due to the widespread use of digital and cloud-based transactions. As mentioned in our August 2019 GT Alert, before the Proposed Regulations, the rule for sourcing income in connection with cloud transactions for U.S. federal tax purposes was unclear, and sourcing of such income was determined under the general rules under Section 861 and Section 862 of the Internal Revenue Code.
As discussed in more detail below, the Final Regulations and Proposed Regulations provide welcome guidance on how to analyze whether and what portion of income derived by non-U.S. businesses from providing on-demand network access (cloud transactions) in the United States would be sourced to the United States for U.S. federal income tax purposes, and would therefore generally be subject to U.S. tax.
This guidance is also relevant to U.S. businesses engaging in cloud transactions outside the United States because the sourcing of their income from such transactions would affect their ability to claim foreign tax credits in the United States for foreign income taxes imposed on such income.
Under the Proposed Regulations, if finalized as proposed, income from cloud transactions would be considered U.S.-sourced (and would therefore generally be subject to U.S. tax) to the extent that the non-U.S. business’ personnel, intangible property, and tangible property contributing to the generation of such income are located or performed within the United States. Factors such as the customers or executing agreements’ locations would not be relevant for purposes of such determination.
In light of the new final and proposed regulations, U.S. and non-U.S. businesses engaging in cross-border cloud computing and digital infrastructure transactions should carefully consider the location of their personnel, intangible property (including R&D activity), and tangible property that contribute to the income generation from such transactions to optimize their tax planning and tax efficiency.
Cloud Transactions as Service Income
The Final Regulations define a cloud transaction as “a transaction through which a person obtains on-demand network access to computer hardware, digital content, or other similar sources” and classify income from cloud transactions solely as income from the provision of services for U.S. federal income tax purposes. This differs from the 2019 Proposed Regulations, which classified income from cloud transactions either as income from the provision of services or from the lease of property based on nine factors enumerated in those regulations.
Proposed Three Factor Sourcing Test
For purposes of sourcing income from cloud transactions between U.S. source income and non-U.S. source income for U.S. federal income tax purposes, the Proposed Regulations follow the general sourcing rule that applies to service income, i.e., sourcing based on where the services are performed.
Under the Proposed Regulations, to determine the source of income, the location of the cloud services generating the cloud transaction income would be determined based on the location of the following three factors, to the extent they contribute to generating that income:
1. Intangible property: The intangible property factor reflects the contribution of intangible assets, such as software, algorithms, and research, to the performance of cloud services. It includes research and experimentation expenses, royalties, and amortization for intangible assets used in the service. This factor is sourced based on the location of employees involved in research and experimentation related to the cloud transaction, and expenses are allocated among transactions based on their relative income. The IRS aims to use practical proxies like compensation and research expenditures to avoid complexities in tracing intangible property’s direct contribution.
2. Personnel: The personnel factor accounts for the contribution of employees who directly engage in providing cloud services, such as technical staff and immediate managers overseeing operations. It excludes those in strategic, sales, or administrative roles. Compensation for these employees is allocated based on the time they spend working on cloud transactions. The portion of this factor attributed to U.S. sources is determined by the location of the employees performing these activities, ensuring that only those directly involved are included in the calculation.
3. Tangible Property: The tangible property factor includes the value of physical assets, like servers and networking equipment, used in cloud transactions. It is calculated by including depreciation and rental expenses for property directly supporting the service. The U.S. portion of this factor is based on the location of the tangible property. Depreciation is computed without considering accelerated tax deductions, reflecting the true economic life of the property used in providing the cloud service.
The Proposed Regulations outline a formula to determine the U.S.-sourced portion of gross income from cloud transactions. This formula involves multiplying the gross income by a fraction. The denominator of this fraction is the sum of the three factors (intangible property, personnel, and tangible property), regardless of their location. The numerator is the sum of the portions of these factors that are located or performed within the United States.
The Proposed Regulations allow a taxpayer to aggregate substantially similar cloud transactions and source the gross income from those transactions as if they were one transaction, but prohibit aggregation if it materially distorts the source of income. However, the Proposed Regulations’ sourcing rule would apply on a taxpayer-by-taxpayer basis. Therefore, when calculating the gross income of an entity that provides cloud services, only the assets and personnel of that entity are considered.
The Proposed Regulations also include a general anti-abuse provision, under which if the taxpayer has entered into or structured one or more transactions with a principal purpose of reducing its U.S. tax liability in a manner inconsistent with the regulations’ purpose, the IRS would adjust the source of the taxpayer’s gross income to reflect the location where the cloud transactions are performed.
The Proposed Regulations are not final Treasury regulations and, in the absence of an actual reliance provision within them, taxpayers cannot rely upon them. Nonetheless, they provide guidance and insight into the IRS’s directional thinking regarding sourcing income from transactions involving cloud computing and digital infrastructure. Further, income from cloud transactions characterized as services income may be re-sourced under the provisions of an income tax treaty if the taxpayer qualifies for the treaty’s benefits. This re-sourcing could be particularly significant for foreign tax credits, offering additional considerations for cross-border tax planning.
Digital Content Transactions
The Final Regulations define a digital content transaction as a transaction that constitutes a transfer of digital content or the provision of modification or development services or of know-how with respect to digital content. The definition of digital content remains unchanged but is refined to include “content that is not protected by copyright law solely because the creator dedicated the content to the public domain.” The Final Regulations replace the de minimis rule with a predominant character rule for characterizing transactions with multiple elements. The “predominant character” is determined by the primary benefit of value received by the customer, and the rule would apply to both digital content transactions and cloud transactions.
Connie Keng also contributed to this article.
Is the Future of Digital Assets in the United States Bright Again?
Yes, indeed! What Brad Garlinghouse of Ripple Labs called “Gensler’s reign of terror” ended with Securities and Exchange Commission (SEC) Chair Gary Gensler’s resignation upon President Donald Trump’s inauguration. Paul Atkins, who has co-chaired the Token Alliance, spoke of the need for a “change of course” at the SEC and will be given charge of the SEC when he is confirmed as its new Chairman.
While the greatest deliberative body takes time to exercise its constitutional role of advice and consent, President Trump and Acting SEC Chairman Mark Uyeda are moving ahead at lightning speed, each taking action in the first week of the new administration. The long-awaited paradigm shift in regulation for digital assets is here and the market likes what it sees, with Bitcoin now trading near an all-time high and the total market capitalization of digital assets topping the US$3 trillion mark. Projects are once again being funded in—and development teams are returning to—the United States.
The day after his inauguration, President Trump signed an Executive Order, Strengthening American Leadership in Digital Finance Technology, aiming to “support the responsible growth and use of digital assets, blockchain technology, and related technologies across all sectors of the economy.” This comes on the heels of a newly announced Crypto Task Force at the SEC, dedicated to developing a comprehensive and clear regulatory framework for digital assets, including “crypto” assets.
The Executive Order
In his Executive Order, President Trump points to the crucial role that the digital assets industry plays in the innovation and economic development of the United States, declaring it to be the policy of his administration to:
Protect and promote public blockchain networks, mining and validating, and self-custody of digital assets.
Protect and promote the U.S. dollar by promoting stablecoins worldwide.
Provide regulatory clarity and certainty built on technology-neutral regulations, including well-defined jurisdictional regulatory boundaries.
President Trump’s 2025 Executive Order revokes former President Biden’s 2022 Executive Order regarding crypto assets and orders the Secretary of the Treasury to likewise revoke all prior inconsistent Treasury policies.
Most significantly, the Executive Order establishes the “President’s Working Group of Digital Asset Markets” to be chaired by the “Special Advisor for AI and Crypto,” Silicon Valley venture capitalist David Sacks, who is sometimes called the “Crypto Czar.” Its Executive Director will be “Bo” Hines of North Carolina. The Working Group will consist of specified officials (or their designees) such as the Secretaries of the Treasury, Commerce, and Homeland Security, the Attorney General, the Director of the Office of Management and Budget, the Homeland Security Advisor, and the Chairs of the SEC and the Commodity Futures Trading Commission (CFTC).
The Working Group has been charged to hit the ground running:
By February 22, 2025, the Treasury, DOJ, SEC and other relevant agencies included in the Working Group shall identify all regulations, guidance documents, orders, or other items that affect the digital assets sector. In other words, what has the federal government done so far?
By March 24, 2025, each agency shall submit recommendations with respect to whether each identified regulation, guidance document, order, or other item should be rescinded or modified, or, for items other than regulations, adopted in a regulation.
By the end of last week, the SEC had already rescinded Staff Accounting Bulletin 121, an especially troubling piece of guidance that the SEC never approved and that Congress had sought to overturn but former President Biden retained. SAB 121 required crypto custodial banks to carry customer assets on their balance sheets—something required for no other asset. Upon rescinding SAB 121, SEC Commissioner Hester Peirce tweeted, “Bye, bye SAB 121! It’s not been fun.” Another piece of SEC guidance that might be on the chopping block is the so-called “Framework for ‘Investment Contract’ Analysis of Digital Assets,” which has confounded the digital assets industry since it was first adopted.
By July 22, 2025, the Working Group shall submit a report to the President recommending i that advance the policies established in the order. In particular:
The Working Group will propose a federal regulatory framework governing the issuance and operation of digital assets, including stablecoins, in the United States. The Working Group’s report shall consider provisions for market structure, oversight, consumer protection, and risk management.
The Working Group will have significant choices to make in this regard: Will it back the “FIT 21” bill that has already been approved by the U.S. House of Representatives, or will it seek to chart a different course? Will it back a merger of the CFTC with the SEC? How will it reconcile the desire to support technology innovation with national security interests and investor protection?
The Working Group will evaluate the potential creation and maintenance of a national digital asset stockpile and propose criteria for establishing such a stockpile, potentially derived from cryptocurrencies lawfully seized by the federal government through its law enforcement efforts. In this regard, President Trump might be seen as having backed off his earlier promise to create a Bitcoin reserve in the United States, as it is now being considered rather than proposed for immediate adoption. The word “Bitcoin” does not appear even once in the Executive Order.
President Trump’s Executive Order also prohibits the establishment, issuance, or promotion by federal agencies of Central Bank Digital Currencies (CBDCs) within the United States or abroad, terminating any ongoing plans or initiatives related to the creation of a CBDC within the United States. The libertarians who dominate appointments in the financial services sector of the administration are strongly opposed to CBDCs, viewing them as a threat to personal liberty.
In issuing this Executive Order, President Trump fulfilled his campaign promises relating to crypto assets. In a July 27, 2024, address to the Bitcoin 2024 Conference in Nashville, he promised to “end Joe Biden’s war on crypto.” He promised:
To “fire Gary Gensler,” who resigned upon Trump’s inauguration.
To “immediately shut down Operation Chokepoint 2.0,” which he is carrying out in his order to the Department of the Treasury.
To appoint the aforementioned Working Group.
To defend the right to self-custody.
To ban CBDCs.
In the first week, we are seeing that, at least thus far, promises made are promises kept.
SEC Crypto Task Force
On the SEC side, Commissioner Hester Peirce, known as “Crypto Mom,” will head the Crypto Task Force that will work to develop a “sensible regulatory path that respects the bound of the law.” The SEC under former President Biden used “regulation by enforcement” rather than “regulation by rulemaking and interpretation” to regulate the crypto asset industry. President Trump’s SEC has already signaled the “course correction” that Paul Atkins called for before the election. Both Commissioners Peirce and Uyeda worked for Atkins in his prior stint as an SEC Commissioner. Others have observed that the Atkins-Peirce-Uyeda “triumvirate” might be the most powerful cohort of Commissioners that the SEC has ever seen.
The SEC announcement states that the Task Force will be focused on developing clear regulatory lines, realistic paths to registration, sensible disclosure frameworks, and deploying enforcement resources judiciously. The Task Force plans to hold future roundtables and is asking for public input as well.
The day that the SEC Task Force was announced, Foley & Lardner submitted suggestions to the SEC for roundtable topics. Our suggestions included:
What Securities Act registration exemptions should be adopted to broaden market access to digital assets? An example might be the “safe harbor” that Commissioner Peirce proposed and refined, only to have it ignored by the Gensler SEC.
What guidance should the staff have given that it has failed to give? What guidance should be withdrawn? There has been no guidance about how Regulation S applies to digital asset offerings, to point out one shortcoming. The staff might have given guidance, but Chairman Gensler prohibited it, adopting the view that the SEC does not give legal advice.
What needs to change for you to “come in and register” if you are a token “issuer”? Plainly the system is broken now, as those who have tried to register were delayed indefinitely and ultimately conceded defeat. Others, seeing this, never even tried.
What needs to change for you to “come in and register” if you are a token “dealer” or “exchange”? These questions are paramount for crypto exchanges that do business in the United States and have been sued by the SEC for failing to register.
What needs to change for you to “come in and register” your crypto brokerage firm? What more can be done for you to “come in and register” your crypto fund? How can the SEC facilitate trading in securities tokens and other tokenized assets? How can the SEC better collaborate with the CFTC regarding digital assets? What legislation should the SEC recommend for adoption by Congress? All these questions, and more, need to be addressed by the SEC, engaging the public as the answers are determined. In each case, the SEC would act consistently with its statutory mandate to protect securities investors and assure fair and orderly markets.
Next Steps
Foley has offered to assist the SEC in its consideration of these questions and expects to be involved in some capacity along the way. Likewise, we expect to make submissions to the President’s Working Group. If you would like to be represented in that process to make sure that your views are considered, please reach out to either of the authors. We are engaging with the House Financial Services Committee and the Senate Banking Committee in addition to the Trump Administration, the SEC, and the CFTC.
Similarly, if you have a development team or a product and are looking to access the U.S. digital asset markets lawfully, we are standing by to help.
President Trump Issues Executive Order on Crypto as SEC Signals Enforcement Shift
On January 23, 2025, President Trump issued an executive order entitled “Strengthening American Leadership in Digital Financial Technology,” establishing his Administration’s policy “to support the responsible growth and use of digital assets, blockchain technology, and related technologies across all sectors of the economy” (the “EO”).
The EO sets out five high-level policy objectives:
protecting the lawful use of blockchain networks, participation in mining and validation, and self-custody of digital assets without unlawful censorship;
promoting dollar-backed stablecoins;
ensuring fair and open access to banking services;
providing “regulatory clarity” for digital assets based on “well-defined jurisdictional regulatory boundaries;” and
prohibiting Central Bank Digital Currencies (“CBDC”).
As an initial matter, the EO rescinds Executive Order 14067 issued by President Biden on March 9, 2022, which, among other things, placed “the highest urgency on research and development efforts into the potential design and deployment options of a United States CBDC.” The EO also rescinds the Department of the Treasury’s “Framework for International Engagement on Digital Assets,” issued on July 7, 2022. A press release regarding the framework stated that it set forth steps for international cooperation on digital assets while respecting core U.S. democratic values, protecting consumers, ensuring interoperability, and preserving the safety and soundness of the global financial system. A White House statement accompanying the EO asserts the framework “suppressed innovation and undermined U.S. economic liberty and global leadership in digital finance.”
In terms of affirmative directives, the EO accomplishes the following:
Establishes a Working Group on Digital Asset Markets to be chaired by a Special Advisor for AI and Crypto and include the Chairman of the Securities and Exchange Commission, the Chairman of the Commodity Futures Trading Commission, the Attorney General, and the Secretary of the Treasury, among seven other top officials.
Directs the Working Group to (1) identify regulations, guidance documents, and orders pertaining to the digital asset industry within 30 days, (2) submit recommendations regarding rescission, modification, or regulatory adoption of those items within 60 days, and (3) submit a report to President Trump recommending regulatory and legislative proposals to (a) establish a Federal framework for the issuance and operation of digital assets, including stablecoins, and (b) evaluate the potential creation and maintenance of a national digital asset stockpile.
Prohibits development of CBDCs, which the EO states “threaten the stability of the financial system, individual privacy, and the sovereignty of the United States,” underscoring that “any ongoing plans or initiatives at any agency related to the creation of a CBDC within the jurisdiction of the United States shall be immediately terminated, and no further actions may be taken to develop or implement such plans or initiatives.”
The accompanying White House statement highlights several key objectives of the Trump Administration in this space, including making “the United States the center of digital financial technology innovation by halting aggressive enforcement actions and regulatory overreach that have stifled crypto innovation under previous administrations,” and ensuring that “regulatory frameworks are clear” and the “growth of digital financial technology in America . . . remain[s] unhindered by restrictive regulations or unnecessary government interference.”
Also on January 23, 2025, the Securities and Exchange Commission (“SEC”) rescinded accounting guidance issued in 2022 entitled “Accounting for Obligations to Safeguard Crypto-Assets an Entity Holds for its Platform Users.” The guidance called upon certain regulated entities custodying digital assets on behalf of others to account for them as liabilities “to reflect [their] obligation to safeguard the crypto-assets held for [their] platform users.”
Two days earlier, the Commission issued a press release announcing that Acting SEC Chairman, Mark Uyeda, had launched a crypto task force “dedicated to developing a comprehensive and clear regulatory framework for crypto assets.” The press release stated that, “[t]o date, the SEC has relied primarily on enforcement actions to regulate crypto retroactively and reactively, often adopting novel and untested legal interpretations along the way. Clarity regarding who must register, and practical solutions for those seeking to register, have been elusive. The result has been confusion about what is legal, which creates an environment hostile to innovation and conducive to fraud.” It added that the task force’s focus will be to “help the Commission draw clear regulatory lines, provide realistic paths to registration, craft sensible disclosure frameworks, and deploy enforcement resources judiciously.”
These executive actions exhibit a shift from the prior Administration consistent with President Trump’s promise at the Bitcoin 2024 conference to make the U.S. the “crypto capital of the planet.” While it remains to be seen whether this will be pursued through shifts in enforcement prerogatives, rulemaking, or legislation, it appears that the crypto industry can expect a more amenable U.S. regulatory environment moving forward.
HIDING?: Big Law Firm Seeks to Prevent Jury From Learning of Firm’s “Size” or “Resources” in TCPA Trial
For those experiencing one-to-one fatigue here is a quick funny one for you.
So trial is scheduled to start today in a single-plaintiff TCPA case in Nevada: Brittany Woodman v. NPAS Solutions, LLC.
NPAS Solutions has hired Spencer Fane to represent it, and apparently Spencer Fane is concerned a jury might be prejudiced by any mention of the firm’s *ahem* size and resources.
Specifically, the firm asked the court to issue an order assuring Plaintiff is “prohibited from introducing any evidence and/or making any reference to, or mention of, the size of Spencer Fane LLP, its clients, the areas of law it practices, its resources, or the number of lawyers in the courtroom.”
Oh dear.
Per the firm’s filing such discussion would cause “unfair prejudice.”
So there you go. #Biglaw concerned of unfair prejudice to a client if a jury finds out the client is using #biglaw.
That’s pretty funny.
Regrettably the parties worked this one out on their own so we will never know how the Court would have ruled on it.
The case is Woodman v. NPAS Solutions, LLC, 2:22-cv-01540-GMN-DJA (D.NV.) for all you docket watchers out there.
Chat soon.
Do Stablecoin Patent Applications Signal a Cryptocurrency Evolution?
Stablecoins have emerged as one of the most transformative innovations in the cryptocurrency space, bridging the gap between the volatility of traditional cryptocurrencies like Bitcoin and the stability demanded by mainstream financial systems. This rise has brought with it a wave of innovation, and nowhere is this more apparent than in the growing number of patent applications for stablecoin technologies.
From algorithmic stabilization techniques to cross-border payment systems, the innovations behind these patent applications pave the way for a more stable crypto-economy. But what do these patent filings tell us about the future of stablecoin adoption? Are they merely defensive strategies by crypto traders and institutions, or do they hint at a broader shift toward stablecoin integration into mainstream financial systems?
Background on Stablecoins
By way of background, stablecoins are cryptocurrencies designed to maintain a stable value, typically by pegging their price to a reserve asset such as fiat currency (e.g., the U.S. dollar), a commodity (e.g., gold), or even a basket of assets (e.g., using algorithms and smart contracts to regulate supply and stabilize value without collateral). Unlike traditional cryptocurrencies, which are prone to price volatility, stablecoins aim to combine the benefits of blockchain technology—such as transparency and decentralization—with price stability. Stablecoins have become a focal point for both financial and technological advancement, driving an increase in stablecoin patent applications since their inception in 2014.
The Growth of Stablecoin-Related Innovations
The adoption of stablecoins has sparked significant innovation, as reflected in the growing number of blockchain patent applications filed worldwide, with the majority being filed in the U.S. and China. Companies and financial institutions are increasingly vying to protect their proprietary technologies in this competitive space.
Although there were early pioneers in the stablecoin space as early as 2014, stablecoins gained widespread traction in subsequent years, particularly with the introduction of the widely popular Ethereum-based stablecoins like DAI in 2017. Between 2017 and 2020, the number of blockchain and stablecoin-related patent applications surged, including innovations covering algorithmic stability mechanisms, smart contract frameworks, and regulatory compliance systems. Blockchain-related patent applications, including those specific to stablecoins, peaked in 2020.
Challenges and Recovery in Stablecoin Innovation
Between 2021 and 2022, cryptocurrencies struggled to compete with inflation, leading to the devaluation and collapse of several cryptocurrencies and stablecoins. While these downward pressures impacted innovation in stablecoin technologies, stablecoin-related intellectual property saw a resurgence in 2024 with an increase in blockchain and stablecoin-related patent applications. Despite fluctuations, overall blockchain and stablecoin patent activity remains robust as interest in stablecoins and cryptocurrencies remains strong.
For example, earlier this month, Ripple, the creator of open source blockchain XRP, announced its plans to launch a stablecoin following its receipt of regulatory approval. This announcement resulted in an 11% surge in XRP’s value within 24 hours of the disclosure. This upward trend in stablecoins reflects the maturation and evolution of the cryptocurrency industry, signaling a shift toward wider institutional acceptance and broader utility.
The interest in stablecoin-related patents signals several key trends in the evolution of cryptocurrency:
Institutionalization of Cryptocurrency – Increasing involvement of financial institutions and regulatory oversight.
Regulatory Focus and Compliance – Emphasis on compliance to meet global regulatory standards.
Decentralized Finance and Innovation – Expansion of decentralized financial applications powered by stablecoins.
Global Adoption and Competition – A race among nations and corporations to lead in stablecoin technology and integration.
The Role of Stablecoins in the Future of Finance
The growth of stablecoin-related patent applications and intellectual property is a cornerstone of the evolving cryptocurrency landscape. Stablecoins have the potential to play a vital role in bridging traditional and digital finance, thereby enabling faster, more efficient transactions while adhering to the demands of regulators and consumers alike.
For businesses and innovators, this presents a dual opportunity: capitalize on the growing demand for stablecoins and protect innovations through strategic patent filings. As the cryptocurrency ecosystem continues to mature, stablecoins are poised to be at the forefront of this transformation, driving new opportunities for innovation and adoption.
FAR Controlled Unclassified Information Rule Standardizes and Extends Cybersecurity Requirements to All Federal Contractors
Go-To Guide:
New proposed FAR Controlled Unclassified Information (CUI) Rule would standardize cybersecurity requirements for all federal contractors and subcontractors.
Federal agencies and contractors must implement a new Standard Form to identify and safeguard CUI.
The Rule introduces an eight-hour reporting requirement for potential CUI incidents or mismarked CUI.
Non-defense contractors and small businesses may face considerable compliance costs for initial setup and annual maintenance.
Public comment period on the proposed rule will remain open until March 17, 2025.
On Jan. 15, 2025, the Department of Defense (DoD), General Services Administration, and NASA, all members of the FAR Council, published a proposed FAR CUI Rule under Title 48 of the CFR. This proposed rule amends the Federal Acquisition Regulation (FAR) to implement the third and final piece of the National Archives and Records Administration’s (NARA) Federal Controlled Unclassified Information (CUI) Program, which dates back to Executive Order 13556 from 2010. A November 2024 GT Alert explains the history and origin of the FAR CUI journey.
As anticipated, the FAR CUI Rule applies to contractors of all federal executive agencies and implements NARA’s policies under 32 CFR part 2002, which codified a standardized approach to designating, handling, and safeguarding CUI. The proposed rule also introduces new procedures, including reporting and compliance obligations, and defines roles and responsibilities for both the government and contractors who use and handle CUI.
All Contractors Must Meet Baseline Cybersecurity Requirements
CUI Standard Form and Contract Clause. To advance uniformity across agencies, the proposed rule introduces a new standard form, SF XXX, which would be included in solicitations and contracts to “determine what information under the contract is considered CUI and how to properly safeguard the CUI.” Contractors that perform under an SF XXX would need to comply with FAR 52.204-XX (a new contract clause), which would further specify CUI requirements, such as NIST SP 800-171, revision 2 security requirements, or NIST SP 800-53 controls, as appropriate. It may also include agency-specific security requirements. The FAR Council also anticipates that a limited number of contractors would be subject to enhanced security requirements under NIST SP 800-172 to protect designated CUI that is associated with a critical program or high-value assets.
SF XXX (90 FR 4302)
To the extent that contractors need to flow down CUI with a subcontractor, contractors must also prepare an SF XXX and distribute it downstream “at all subcontract tiers” to ensure proper safeguarding throughout the supply chain. The expectation and goal are to ensure that all parties are aligned on what information is CUI and what is required to protect that information. The FAR Council estimates that, on average, it would take two hours to review the SF XXX, so both contractors and subcontractors should expect detailed CUI information and safeguarding instructions under each contract.
No CUI Contract Clause—FAR 52.204-YY. Identifying and Reporting Information That Is Potentially Controlled Unclassified Information. The proposed rule introduces a second contract clause that would apply where no CUI is involved in the performance of a contract (if the “No” box is marked in Part A of the SF XXX). Under this clause, contractors would need to notify the government “if there appears to be unmarked or mismarked CUI or a suspected CUI incident related to information handled by the contractor in performance of the contract.” This clause also flows down to subcontractors.
Solicitation Provision—FAR 52.204-WW. Notice of Controlled Unclassified Requirements. This new solicitation provision would notify “offerors that agencies will provide agency procedures on handling CUI during the solicitation phase if handling CUI is necessary to prepare an offer.” Like the proposed FAR 52.204-YY contract clause, this provision also provides that offerors should notify the contracting officer of any unmarked or mismarked CUI or a CUI incident during the solicitation phase.
Commercially Available, Off-the-Shelf Items. The CUI requirements under the proposed rule would not apply to solicitations and contracts that are solely for acquiring commercially available, off-the-shelf items. However, the new proposed FAR clauses would apply to acquisitions of commercial products and services, as well as to simplified acquisitions for other than commercial products or services.
Proposed Rule Principles
No Independent Certification; Ad-Hoc Verification. The proposed rule is distinct from the DoD’s implementation of its CUI Program and Cybersecurity Maturity Model Certification (CMMC) in that, as a default rule, contractors would not be required to submit evidence they are compliant with the CUI requirements. The FAR Council explains that “defense contractors should have already implemented system security plans in accordance with DFARS clause 252.204-7012 and non-defense contractors have incentive to ensure compliance with the requirements in FAR clause 52.204-XX to avoid liability for breaches of CUI that may result from improperly protecting CUI being handled on the contractor’s information system.” Instead, contractors may be required to furnish certain information upon request, including documentation to verify compliance with system security plans or training requirements in connection with a CUI incident.
Training Requirements. The proposed CUI requirements include minimum training requirements, which contractors and subcontractors would be required to complete as specified on the SF XXX. Agencies may, at their discretion, also require evidence that contractors and subcontractors have provided appropriate employee training on safeguarding CUI, as required under FAR clause 52.204-XX.
Eight-Hour Reporting. Where there is CUI that appears to be unmarked or mismarked, offerors and contractors must notify the contracting officer representative or designated agency official within eight hours of discovery. Further, non-defense contractors and subcontractors that discover a suspected or confirmed CUI incident—where “CUI was or could have been improperly accessed, used, processed, stored, maintained, disseminated, disclosed, or disposed of”—must report the incident to the agency as specified in the SF XXX. Subcontractors are also required to notify the prime or next higher tier subcontractor within the same eight-hour timeframe. (While the proposed rule does not attribute this requirement to defense contractors since they are expected to already comply with DFARS 252.204-7012, the relevant provision to “rapidly report” cyber incidents to DoD specifies a 72-hour timeframe from the time of discovery.)
Compliance Costs and Small Business Contractors. For non-defense contractors and subcontractors, the FAR Council estimates the following labor and hardware (Hw)/software (Sw) costs to comply with NIST SP 800-171, revision 2.
Type of Contractor | Initial Year Costs: Labor | Initial Year Costs: Hw/Sw | Recurring Annual Costs: Labor | Recurring Annual Costs: Hw/Sw
Small Business | $148,200 (est. 1,560 hours * $95) | $27,500 | $98,800 (est. 1,040 hours * $95) | $5,000
Other Than Small | $543,400 (est. 5,720 hours * $95) | $140,000 | $494,000 (est. 5,200 hours * $95) | $80,000
Separately, the proposed rule estimates that the annual cost to implement and maintain a system security plan is an additional $1,140 (est. 12 hours * $95). These estimates do not account for costs associated with NIST SP 800-53 or FedRAMP Moderate baseline compliance efforts because they are separately addressed under the proposed rule to standardize cybersecurity requirements for unclassified federal information systems (FAR Case 2021-019).
Much like DoD’s response to small business concerns under the CMMC rulemaking activities, as well as the Cybersecurity and Infrastructure Security Agency’s posture under the Cyber Incident Reporting for Critical Infrastructure Act proposed rules, small business contractors may not be granted categorical cost relief under the FAR CUI Rule. “[S]mall businesses that do business with DoD and handle CUI in performance of their contracts are already subject to requirements equivalent to the new FAR clause and provision,” and “small businesses that do business with other agencies that have included similar or overlapping safeguarding requirements under agency-specific contract terms may already be in partial or substantial compliance with the clause requirements.”
NIST SP 800-171 Revision 3 Updates. NIST issued revision 3 to SP 800-171 in May 2024, and as the publication nears its one-year anniversary, agencies will be required to meet the updated standards and guidelines (OMB Circular No. A-130 “Managing Information as a Strategic Resource”). The proposed rule acknowledges this and anticipates future rulemaking to incorporate the latest version. In doing so, the FAR Council explicitly notes the need to “immediately implement requirements to protect CUI on non-Federal information systems; therefore, this proposed rule does not seek to implement NIST’s most recent revision.”
Requirements for Federal Information Systems. Where the SF XXX specifies a federal information system using cloud computing services, the contractor must meet any agency-specified requirements and, at a minimum, must comply with the FedRAMP Moderate Baseline security controls. Where a contractor operates a non-federal information system but uses a cloud service provider to store, process, or transmit CUI, that cloud service provider must also meet FedRAMP Moderate Baseline standards.
Takeaways
While the new administration issued the standard regulatory freeze pending review, the order does not pause the public comment period, which will run through March 17, 2025, as scheduled. Moreover, federal contractors are advised that many of the obligations under the proposed rule are modeled after the established DFARS 252.204-7012, “which introduced many of these compliance requirements on defense contractors and subcontractors in 2015 and required compliance not later than December 31, 2017.” Interested parties should submit comments by March 17, 2025.
Federal Communications Commission’s One-to-One Consent Rule Under Telephone Consumer Protection Act Vacated Day Before Rule Set to Take Place
On Monday, January 27, 2025, the One-to-One Consent Rule (“the Rule”) promulgated by the Federal Communications Commission (the “Commission”) a year ago, on December 18, 2023, was set to go into effect.[1] Under this Rule, a consumer could not consent to a telemarketing or advertising robocall unless (1) he consents to calls from only one seller at a time, (2) he receives a clear and conspicuous disclosure that he will receive telemarketing calls or texts using an automatic telephone dialing system or an artificial or prerecorded voice, and (3) he consents only to calls whose subject matter is “logically and topically associated with the interaction that prompted the consent.”[2] The Commission viewed the Rule primarily as a way to prevent lead generators from using single consumer consent on the comparison shopping websites that often are the source of lead generation.[3] But the Rule was not limited to lead generators. Rather, it applied to all entities utilizing — themselves or through their vendors, affiliates, or other third parties — telemarketing calls or texts using regulated technology. The Rule thus required these businesses to overhaul their consent collection flows, revise contracts with vendors and other third parties, and otherwise reassess their business operations. The Rule also portended a substantial increase in Telephone Consumer Protection Act (TCPA) litigation, particularly as the key terms in the Rule — such as what it means to be “logically and topically associated with the interaction that prompted the consent” — were undefined.
Businesses subject to the One-to-One Consent Rule got their lucky break on Friday, January 24, 2025, the last business day before the Rule was set to go into effect. Initially, the Commission, acting sua sponte, issued an order postponing the effective date of the One-to-One Consent Rule by 12 months — to January 26, 2026 — or until the date specified in a public notice after the U.S. Court of Appeals for the Eleventh Circuit issues a decision on the petition filed by the Insurance Marketing Coalition (IMC) challenging the Rule (whichever is sooner).[4] The Commission found that, given the advanced stage of the judicial proceedings in the Eleventh Circuit, the litigation risks presented by the Rule for texters and callers acting in good faith, and concerns about the industry’s readiness for immediate compliance with the Rule, it was in the interest of justice to postpone the effective date of the rule.[5]
The Eleventh Circuit did not leave folks waiting for long. That same Friday afternoon, the court issued an opinion finding that the Commission exceeded its statutory authority under the TCPA because the new consent restrictions in the Rule “impermissibly conflict with the ordinary statutory meaning of ‘prior express consent.’”[6] In particular, the Eleventh Circuit noted that the term “prior express consent” as used in the TCPA statute only requires a consumer to “clearly and unmistakably” state that they are willing to receive the robocall — and says nothing about requiring one-to-one consent.[7] Nor does it say anything about the consumer’s consent being limited to calls that are “logically and topically associated with the interaction that prompted the consent.”[8] Thus, the requirements for a consumer to separately and independently consent to receive robocalls from each individual seller and for the robocalls to be “logically and topically associated with the interaction that prompted the consent” were contrary to the plain meaning of the statute; thus, they were in excess of the Commission’s statutory authority to implement the TCPA.[9] What is more, rather than remand the matter back to the agency, the Court altogether vacated the One-to-One Consent Rule.[10]
As a result of these two actions, the Commission is back to square one and will need to decide whether to pursue any further action to revive the One-to-One Consent Rule as well as whether it can be done in light of the Eleventh Circuit’s holding. More importantly, the business community does not need to worry about compliance with the Rule and can continue operating under the status quo, which still requires obtaining express written consent for marketing outreaches using regulated technology.
1 Second Report and Order, In re Matter of Targeting and Eliminating Unlawful Text Messages, Rules and Regulations Implementing the Tel. Consumer Prot. Act of 1991, Advanced Methods to Target and Eliminate Unlawful Robocalls, 38 FCC Rcd. 12247, 12258-69 (2023) (the “2023 Order”). The 2023 Order would, in relevant part, revise 47 C.F.R. § 64.1200(f)(9).
2 Id. at 12297.
3 Id. at 12258, ¶ 30.
4 FCC Order dated Jan. 24, 2025, In re Matter of Targeting and Eliminating Unlawful Text Messages, Rules and Regulations Implementing the Tel. Consumer Prot. Act of 1991, Advanced Methods to Target and Eliminate Unlawful Robocalls, issued by Eduard Bartholme III, Acting Chief, Consumer and Government Affairs Bureau.
5 Id. ¶ 4.
6 Ins. Marketing Coalition Limited v. FCC, Case No. 24-10277 (Jan. 24, 2025), Slip Op. at 4.
7 Id. at 18.
8 Id. at 20-21.
9 Id. at 18-22.
10 Id. at 25.