CHASING THE AMBULANCE CHASER?: TCPA Suit Against Accident Law Firm Shows Sharks Can Eat Each Other After All

This one will be fun for folks.
A personal injury law firm in Florida is being sued in a TCPA class action based on calls apparently made by a lead generator hoping to drum up work for the law firm.
The complaint alleges FRIEDLAND & ASSOCIATES, P.A. d/b/a Accident Claims called Plaintiff more than 130 times despite his number being on the DNC list and despite his requests to stop calling.
Friedland moved to dismiss the suit, but in Helmuth v. Friedland, 2025 WL 442477 (S.D. Fl. Feb. 10, 2025), the Court denied the motion, finding the complaint was properly pleaded.
Diving in a bit, the court found allegations that Defendant “encouraged Plaintiff to engage the legal services” of Friedland and “provided Plaintiff’s number to Defendant Friedland, which proceeded to call Plaintiff offering its legal services” were enough to show the calls were made at the law firm’s direction and subject to its control.
Next, Friedland argued the complaint should be dismissed because it does not identify the phone numbers the calls came from and does not state when the opt-out occurred in relation to the 130 alleged calls. The Court determined, however, that neither allegation was required given the large number of calls at issue– the court essentially inferred that the calls continued after a reasonable time elapsed.
The Court also refused to dismiss the willful damage request determining a jury might decide Friedland’s conduct was knowing or willful.
Indeed the Court refused to even throw out the injunctive relief claim determining that given over 100 calls were made to the guy there was a likelihood of future injury.
My goodness.
A complete loss for a law firm in a TCPA suit.
Can’t say I like to see it. But I don’t hate it either.

April 11, 2025 Is Coming!: Reminder On New FCC Revocation Rules [Video]

But at a high level, come April 11, 2025 you will need to break up all messaging and voice calling across your enterprise into three tiers: i) marketing; ii) informational; iii) exempted.
Come April 11, 2025 a stop response will require ALL communications requiring the same or greater level of consent to cease based on these tiers.
So a “stop” to a marketing message will require all calls and texts requiring PEWC or PIEP to cease;
A “stop” to an informational/transaction call will require all calls and texts requiring any level of express consent to cease;
A “stop” to an exempt message—such as a fraud alert—will require all messages of any kind using regulated technology to cease.
This is a very large change from the current rules.
There is a small opportunity to “clarify” with the consumer what they intended with their opt out request, but it cannot be used as a rebuttal and if the consumer does not respond you have to apply the rubric above.
Not good.
Also unlike the FCC’s one-to-one rule THERE IS NO LEGAL CHALLENGE to this rule and there has been no effort by anybody to stay it (although R.E.A.C.H. is considering such an effort.)
Biggest change in telecom this year folks. Hope you’re all ready.

“THE ULTIMATE CONSEQUENCE”: Small Businesses Fold as FCC Moves to Require Notification of Carrier Call Blocking– But Takes No Action on Real Problems

So the FCC plans to vote next month on a rule requiring carriers to advise callers when their calls have been blocked based on “reasonable analytics.”
On the one hand that’s fine, I guess. But the carriers should NEVER have been allowed to block calls without notification to begin with. That’s just insane.
And the fact that we will all need to wait another year for SIP code 603+ to be in use is cold comfort.
But, slightly better than nothing I suppose.
What we really need is IMMEDIATE action on the R.E.A.C.H. petition to STOP illegal call/SMS blocking and mislabeling— and to dismantle TCR. This is URGENT.
Every day I am hearing from another small business telling me that call and text blocking– particularly text blocking– is threatening to put them out of business (or, wait for it, already is). TCR is most of the problem, but content-based blocking by the aggregators and carriers– including the phantom voicemails the carriers are apparently using to “block” calls while still charging for the traffic– is a massive problem.
So let’s back up and remind everyone of what’s at stake.
There are actually two separate issues, but they fall into the same basic concept of carriers blocking communications.
First is carrier VOICE call blocking based on “reasonable analytics.” This was first authorized back in 2018, and there have now been a ton of revisions to a safe harbor created to allow carriers to violate section 201 of the Communications Act– which basically requires carriers to act as “common carriers” and connect all phone traffic.
As already noted, carriers have been allowed to block calls for years now based on an unspecific black box of requirements that, as far as I can tell, have resulted in BILLIONS of LEGAL AND CONSTITUTIONAL phone calls being blocked essentially at the FCC’s invitation with ZERO recourse.
I talked to a client YESTERDAY who was having so much trouble getting calls to go through that he bought his own carrier operator. Plus he has to cycle through thousands of DIDs a day to avoid his numbers being labeled. As he tells me: “If you call more than 20 times a day from a DID they label you as spam. More than 40 they label you as scam.”
The carriers figure if you are calling at volume then your phone number must be important to your business. As soon as they know that, they figure you will pay them to white label your number, and they will block and label you until you pay up.
DISGUSTING.
Requiring the carriers to advise you (finally) when they block is step one–this should have been done years ago, of course– but so what if there’s no required redress?
And there isn’t.
Because the FCC has never said what can and cannot be blocked to begin with. That’s part of what the R.E.A.C.H. petition is trying to fix.
But that’s just the first problem and probably the smaller of the two.
The second problem is SMS blocking, which is even more painful, and the FCC has intentionally made it harder for businesses to address. And you REALLY need to understand this part– because it is nuts.
Also back in 2018 the FCC clarified that SMS isn’t a telecommunication service; it is an “information service.” Because, you see, SMS isn’t a communication function, it’s a storage function. When you send a message you’re not talking to someone else, you’re just transferring a data set.
Crazy, absurd, tortured logic– and one of the worst rulings to come out of the FCC at that time.
The classification of SMS as a Title III information service was done specifically to allow carriers to block SMS. It was believed at the time that the carriers had successfully deployed SMS blocking already and the FCC didn’t want to upset the apple cart by stripping text blocking authority away from the carriers.
But they did.
By removing the requirement that carriers faithfully transmit all SMS messages, the FCC allowed the carriers to set their own terms of use for content providers (people sending text messages), including declaring that certain content just wouldn’t be allowed on their networks.
Total violation of the First Amendment. A licensing scheme of the highest order.
It gets worse.
The carriers have conspired (anti-trust?) to only accept traffic registered through a company called The Campaign Registry. TCR is foreign owned and has both tremendous power and visibility in the telecom ecosystem right now.
TCR literally has the ability to prevent any business or political campaign from sending high volume text messages. And it is using that power to silence people based on CONTENT. And the aggregators are afraid of TCR rejections so they are not even submitting campaigns to TCR to begin with (just like they are blocking SMS and calls that they think the carriers won’t like.)
Just yesterday I was told of a campaign that an aggregator would not even submit to TCR for approval because the political message was “polarizing and considered offensive [to some].”
Prior restraints on free political speech are literally actively ongoing. It is a massive problem.
How big of a problem?
How about a small business that just shut down because it could not get 10DLC access. In the words of the owner:
To give you some background, we ran our business for five successful years using P2P texting – a model that allowed us to deliver highly responsive and personalized service. Our customer service was second to none, and we consistently met the high expectations of our clients. However, the introduction of 10DLC upended everything.
Here’s what happened…
Regulatory Impact: The 10DLC regulations brought with them a burdensome, protracted registration process. We were initially advised by our provider that unregistered traffic would soon be phased out (multiple times over the course of 2 years), prompting us to urge our clients to register promptly. Unfortunately, this promise was repeatedly reversed. Each time we were told to push for registration with an imminent cutoff, the timeline shifted unexpectedly. These delays were not trivial – they were lengthy enough to derail critical campaigns, especially for political clients with tight election deadlines.
Client Impact: The prolonged and unpredictable registration procedures forced our clients into a corner. Many of our smaller clients, who relied on our nimble P2P texting to engage with voters, found themselves unable to complete registration in time, rendering them unable to run their campaigns effectively. Worse yet, several larger clients, seeking more stable and predictable service, migrated to vendors who seemed to have insider information or more streamlined processes in place. The impact on our reputation was severe, despite our best efforts to support our clients every step of the way.
The Ultimate Consequence: After years of success, these cumulative issues made it impossible for us to maintain our business model. We prided ourselves on agility and excellent customer service, but the excruciating delays and inconsistent guidance around 10DLC left us with no viable path forward. This week, we made the difficult decision to close our doors.
Done.
Small business vaporized.
By a process that was never legal to begin with.
It’s nuts.
And here’s the worst part– it doesn’t work. In fact, SMS spam has gotten WORSE since TCR took over its little role as censorship king of America.
Now how is that possible?
Before, there was very little SMS spam. The FCC takes the reins off the carriers and they put a foreign-owned company in charge of network access, and now there is a ton of SMS spam.
Hmmmmm.
I wonder why that is?
Dear FCC:
I know you have A TON going on– and thank you very much for your efforts staying one-to-one–but we need a public comment period on the R.E.A.C.H. petition to stop all of this right away.
Thank you.

Navigating Text Messages in Discovery

In We The Protesters, Inc., et al. v. Sinyangwe, et al., the Southern District of New York was recently called upon to resolve a discovery dispute that, according to the Magistrate Judge, “underscore[d] the importance of counsel fashioning clear and comprehensive agreements when navigating the perils and pitfalls of electronic discovery.” More specifically, the court was determining whether, without an express agreement between the parties’ counsel in place, plaintiffs could properly redact text messages based on responsiveness.
We The Protesters, Inc. Background
The litigation arose from a business divorce between the founders of nonprofit Campaign Zero. Plaintiffs’ complaint asserted 17 causes of action for, inter alia, trademark infringement, unfair competition, misappropriation, and conversion. Defendants counterclaimed, accusing plaintiffs of copyright infringement, trademark infringement, cyberpiracy, and unfair competition.
In March 2024, the Hon. John P. Cronan granted in part and denied in part plaintiffs’ motion to dismiss three of defendants’ counterclaims. Discovery proceeded and the current dispute came to light after the parties exchanged productions of text messages and direct messages from a social media platform.
In drafting the operative discovery protocol, the parties agreed to collect and review all text messages in the same chain on the same day whenever a text within the chain hit on an agreed-upon search term. (Dkt. No. 64 at 1 & Ex. A). Plaintiffs understood this to mean they needed to produce only the portions of the messages from the same-day text chain that were responsive or provided context for a responsive text message.
Defendants had a different understanding, claiming the entire same-day text chain must be produced in unredacted form. Upon reviewing plaintiffs’ production, defendants objected and claimed plaintiffs’ unilateral redaction of these text messages was improper. Following an unsuccessful meet and confer, defendants filed a letter-motion seeking to compel production of unredacted copies of all text messages in the same chain that were sent or received within the same day. Plaintiffs responded, contending their redactions were proper and, in the alternative, seeking a protective order.
Discussion
Text Messages in Discovery
The court’s decision began with the observation that text messages are an increasingly common source of relevant and often critical evidence in 21st century litigation.[1] According to the court, text messages do not fit neatly into the paradigms for document discovery embodied by Rule 34 of the Federal Rules. Although amended in 2006 to acknowledge the existence of electronically stored information (ESI), i.e., email, the rules were crafted with different modes of communication in mind. Unlike emails, with text messages each text or chain cannot necessarily be viewed as a single, identifiable “document.”
And so, the issue is whether, for discovery purposes, each text message should be viewed as its own stand-alone “document.” Or is the relevant “document” the entire chain of text messages between the custodian and the other individual(s) on the chain, which could comprise hundreds or thousands of messages spanning innumerable topics?[2]
As the opinion notes, federal courts have adopted different approaches with respect to text messages. Some courts, including the Southern District of New York, suggest that a party must produce the entirety of a text message conversation that contains at least some responsive messages.[3] By contrast, other jurisdictions, like the Northern District of Ohio, hold “the producing party can unilaterally withhold portions of a text message chain that are not relevant to the case.”[4] “Still other courts have taken a middle ground.”[5]
Against this backdrop, the court noted that litigants are free to—and are well-advised to—mitigate the risk of this uncertain legal regime by agreeing on how to address text messages in discovery. Rule 29(b) specifically affords parties the flexibility to design their own, mutually agreed upon protocols for handling discovery, but “encourage[s]” counsel “to agree on less expensive and time-consuming methods to obtain information.”[6] Such “‘private ordering of civil discovery’” is “‘critical to maintaining an orderly federal system’” and “‘it is no exaggeration to say that the federal trial courts otherwise would be hopefully awash.’”[7]
The court noted a party may think twice about insisting on the most burdensome and costly method of reviewing and producing text messages for its adversary if it knows it will be subject to the same burden and cost. In general, the parties are better positioned than the court to customize a discovery protocol that suits the needs of the case given their greater familiarity with the facts, the likely significance of text message evidence, and the anticipated volume and costs of the discovery.[8]
Resolution Where Agreement is Incomplete
Here, the court noted the parties negotiated an agreement regarding the treatment of text messages. However, the agreement was incomplete. According to the court, email exchanged between the parties, along with the parties’ summary of the verbal discussions that took place show agreement that (1) discovery would include text messages; (2) specific search terms would be used to identify potentially responsive text messages; and (3) when a search term hit on a text message, counsel would review all messages in the same chain sent or received the same day, regardless of whether the text message that hit on the search term was responsive. The parties both produced responsive text messages in the form of same-day text chains, manifesting mutual assent that a same-day chain represented the appropriate unit of production. However, the parties’ agreement did not explicitly address whether, in producing those same-day text chains, texts deemed irrelevant and non-responsive would be redacted or, instead, the chains needed to be produced in their entirety. It was that failure that caused the instant dispute.
In resolving the dispute, the court viewed the issue through the prism of the parties’ prior agreement, discussions, and lack of discussions. The court indicated its task was not to determine the “right answer” to the redaction question in the abstract, but rather how to proceed with an agreement that was unknowingly incomplete. The court identified its task as akin to filling a gap in the parties’ incomplete agreement.[9]
In completing its task, the court noted the familiar principle of contract law that “contracting parties operate against the backdrop” of applicable law which, in this context, was supplied by Al Thani — the leading case in the Southern District on the issue of redactions from text messages and one authored by the presiding district judge in this litigation. Al Thani holds squarely that “parties may not unilaterally redact otherwise discoverable” information from text messages for reasons other than privilege.[10] Yet that is precisely what plaintiffs did.
The court further relied upon Judge Aaron’s decision in In re Actos Antitrust Litigation as instructive. In Actos, the issue involved “email threading,” i.e., the production of a final email chain in lieu of producing each separate constituent email. Specifically, a discovery dispute arose because defendants made productions “using email threading even though the Discovery Protocol, by its terms, did not permit such approach.”[11] Judge Aaron rejected defendants’ unilateral decision to use threading, explaining “if the issue had been raised when the parties were negotiating the Discovery Protocol, Plaintiffs may have been able to [avoid the issue], however, Plaintiffs were not provided the opportunity to negotiate how email threading might be accomplished in an acceptable manner.”[12] The court declined to impose threading on plaintiffs.
Here, the court found the Actos reasoning persuasive. If plaintiffs wanted to redact their text messages, it was incumbent upon them to negotiate an agreement to that effect or, in the absence of agreement, resolve the issue with the court before defendants made their production. Accordingly, as in Actos, the court construed the absence of a provision in the parties’ agreement allowing redaction of text messages to preclude plaintiffs from unilaterally redacting.
Considerations for Text Message Discovery
We The Protesters, Inc., is an important reminder of a few things. First, text messages and other forms of mobile instant messages are a critical form of evidence in today’s litigation. Any discovery protocol should address preservation, production, and potential redactions to that ESI. Additionally, given the cost and burden attendant to ESI, parties should leverage Rule 29(b) and fashion their own, mutually agreeable protocols for handling discovery, with an eye toward proportionality and efficiency. Finally, cooperation and communication are key in litigation. When in doubt, consider picking up the phone to opposing counsel. Here, had plaintiffs confirmed their intention to redact content prior to production, much effort and cost may have been avoided.

[1] Mobile phone users in the United States sent an estimated 2 trillion SMS and MMS messages in 2021, or roughly 5.5 billion messages per day, a 25-fold increase from 2005. SMS and MMS messages represent only a subset of the universe of mobile instant messaging, or MIM, which also includes other means of messaging via mobile phones. MIM, in turn, does not account for the vast volume of instant messages, or IM, sent on computer-mediated communication platforms. The use of IM and MIM “has become an integral part of work since COVID-19.” Katrina Paerata, The Use of Workplace Instant Messaging Since COVID-19, Telematics and Informatics Reports (May 2023).
[2] After all, an email chain is typically confined to a single subject, whereas a single text chain can read more like a stream of consciousness covering countless topics.
[3] Lubrizol Corp. v. IBM Corp. (citing cases); see also Al Thani v. Hanke, at *2 (noting the general rule that parties may not unilaterally redact otherwise discoverable documents for reasons other than privilege); see also Vinci Brands LLC v. Coach Servs., Inc. (following Al Thani).
[4] Lubrizol at *4 (citing cases from various jurisdictions that follow this approach).
[5] Id. (citing cases from such jurisdictions).
[6] Id. 1993 Adv. Comm. Note.
[7] Brown v. Hearst Corp. (quoting 6 Moore’s Federal Practice § 26.101(1)(a)).
[8] See generally Jessica Erickson, Bespoke Discovery, 71 Vand. L. Rev. 1873, 1906 (2018) (“Parties should have more information than judges about the specific nature of their disputes and thus should be in a better position to predict the types of restrictions that will be appropriate.”).
[9] See In re World Trade Center Disaster Site Litig. (“In limited circumstances, a court may supply a missing term in a contract.”); Adler v. Payward, Inc.(“[C]ourts should supply reasonable terms to fill gaps in incomplete contracts.”) (citation omitted).
[10] Al Thani at *2.
[11] Id. at 551.
[12] Id.

A New Era: Trump 2.0 Highlights for Privacy and AI

Since the Trump 2.0 administration commenced, the U.S. federal government has experienced some major policy shifts. Several Biden-Harris administration era regulations are now eliminated or on a 60-day hold while under review. States and other organizations have filed lawsuits to stay implementation of certain Trump 2.0 initiatives (e.g., the funding freezes, deferred resignation offer, birthright citizenship, among others).
Below is a summary of some of the federal ‘de-regulation’ related to privacy and AI that we are following:
The January Freeze: COPPA Rule Amendments
Issued on inauguration day, January 20, 2025, the Executive Order titled “Regulatory Freeze Pending Review” (Regulatory Freeze EO) directed federal agencies to not propose or issue any new rule and to withdraw any rule sent to the Office of the Federal Register but not published as final in the Federal Register.
The Federal Trade Commission (FTC) finalized amendments to the Children’s Online Privacy Protection Rule (COPPA Rule Amendments) on January 16, 2025. The COPPA Rule Amendments were submitted to but not published in the Federal Register prior to January 20, 2025. Accordingly, while approved as final from the FTC’s perspective, the COPPA Rule Amendments remain a proposed rule with no effective date or compliance date. The Regulatory Freeze EO directs the FTC to “withdraw” the COPPA Rule Amendments until “a department or agency head appointed or designated by the President after noon on January 20, 2025, reviews and approves the rule.”
Also on January 20th, President Trump appointed FTC Commissioner Andrew Ferguson as FTC Chairman. While still in his role as a Commissioner, Chairman Ferguson voted in favor of the COPPA Rule Amendments but also cited “three major problems” in his concurring statement, which are:

Requiring operators to disclose and receive parental consent about the specific third parties to which the operators will disclose children’s personal information. Then-Commissioner Ferguson noted that not all additions or changes to the identities of third parties should require new parental consent. He suggested that the FTC “could have mitigated this issue” by clarifying that a “change is material for purposes of requiring new consent only when facts unique to the new third party, or the quantity of the new third parties, would make a reasonable parent believe that the privacy and security of their child’s data is being placed at materially greater risk.”
Prohibiting indefinite retention of children’s personal information. The COPPA Rule allows for retention of children’s personal information “as long as is reasonably necessary to fulfill the purpose for which the information was collected.” (§ 312.10). Then-Commissioner Ferguson criticized the addition of the prohibition on indefinite retention because it “is likely to generate outcomes hostile to users,” providing the example that “adults might be surprised to find their digital diary entries, photographs, and emails from their childhood erased from existence.” He wrote that, because the term indefinite is not defined, operators “can comply with the Final Rule by declaring that they will retain data for no longer than two hundred years […] And if ‘indefinite’ is not meant to be taken literally, then it is unclear how the requirement is any different than the existing requirement to keep the information no longer than necessary to fulfill the purpose for which it was collected.”
“Missed opportunity” to clarify that the Amended COPPA Rule is “not an obstacle to the use of children’s personal information solely for the purpose of age verification.” Commissioner Ferguson noted that the COPPA Rule Amendments “should have added an exception for the collection of children’s personal information for the sole purpose of age verification, along with a requirement that such information be promptly deleted once that purpose is fulfilled.”

Other notable changes in the COPPA Rule Amendments that were not part of the concurring statement include:

An official definition for “mixed audience”. While the concept of a mixed audience online service is covered in the COPPA Rule (see the FTC’s COPPA FAQs, Section D, Question 4), the COPPA Rule Amendments add a defined term for “mixed audience website or online service”. It means an online service that is directed to children within the meaning of COPPA but “that does not target children as its primary audience, and does not collect personal information from any visitor, other than for the limited purposes set forth in § 312.5(c), prior to collecting age information or using another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child.”
Expanded Data Security Requirements. The COPPA Rule requires “reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” (§ 312.8) The COPPA Rule Amendments provide minimum requirements for this reasonableness standard, including a written information security program that contains many of the same safeguards required under state cybersecurity laws, i.e., an accountable person, risk assessments, testing and monitoring and vendor due diligence.

Not-So-Final: Sensitive Personal Data Transfers and Negative Options
On December 30, 2024, the U.S. Department of Justice released a Final Rule titled “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (DOJ Rules). President Biden’s Executive Order 14117 (EO 14117, dated February 28, 2024) directed the DOJ to issue the DOJ Rules. The DOJ Rules were published in the Federal Register on January 8, 2025.
In brief, the DOJ Rules apply to “U.S. persons,” which means U.S. citizens, nationals or lawful permanent residents, qualified refugees, entities organized under U.S. law, or persons “in the U.S.” (§ 202.256). Subject to certain exemptions (§ 202.501 to § 202.511), U.S. persons are prohibited or restricted from knowingly engaging in a “covered data transaction,” which means a sale or licensing of “bulk sensitive personal data” or “United States Government-related data,” a vendor agreement, employment agreement, or investment agreement (§ 202.210), that involves access by a “country of concern” (§ 202.209) or “covered person” (§ 202.211). (Countries of concern are China, Cuba, Iran, North Korea, Russia and Venezuela (§ 202.209).)
The DOJ Rules are effective on April 8, 2025. But, as a final rule published in the Federal Register prior to January 20th, the Regulatory Freeze EO requests that federal agencies “consider” postponing the effective date and opening a comment period for interested parties.
Even before the Regulatory Freeze EO was released, the DOJ had announced its intention to “continue to robustly engage with stakeholders to determine whether additional time for implementation is necessary and appropriate” during the 90 days between the DOJ Rules’ publication in the Federal Register and the effective date. Unlike many other Biden-era Executive Orders, EO 14117 was not rescinded on Inauguration Day. Whether the exclusion of EO 14117 means that the DOJ Rules will survive the regulatory freeze is unclear.
Another final rule subject to the regulatory freeze: FTC’s “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (Final Negative Option Rule), which was published in the Federal Register as final on November 15, 2024.
Parts of the Final Negative Option Rule were effective January 14, 2025, but businesses have until May 14, 2025, to comply with certain sections of the Final Negative Option Rule, i.e., § 425.4 (disclosures’ form, content and placement), § 425.5 (consent) and § 425.6 (simple cancellation mechanism).
Commissioner Holyoak wrote a dissent (89 FR 90540) to the Final Negative Option Rule, citing procedural issues and the failure to “define with specificity” the acts or practices that are unfair or deceptive and whether these practices are “prevalent.” FTC Chair Ferguson joined, which may indicate the parts of the Final Negative Option Rule that the FTC will revisit or replace.
A third rule – the Personal Financial Data Rights Rule (PFDR Rule) – was published as final on November 8, 2024, and effective January 17, 2025 – three days before the Regulatory Freeze EO was issued. On February 3, 2025, the federal agency that issued the PFDR Rule – the Consumer Financial Protection Bureau (CFPB) – announced that Treasury Secretary Scott Bessent took over as acting head and ordered the CFPB to halt all activities. Subsequently, Democrats in Congress expressed concern in a February 7th letter to Acting Director Bessent. That same day, Russell Vought, the newly sworn-in Director of the Office of Management and Budget (OMB) and an architect of The Heritage Foundation’s Project 2025, reportedly replaced Secretary Bessent as acting head of the CFPB and echoed Secretary Bessent’s orders to the CFPB staff. In a social media post, Director Vought announced that the CFPB “will not be taking its next draw of unappropriated funding because it is not ‘reasonably necessary’ to carry out its duties. The Bureau’s current balance of $711.6 million is in fact excessive in the current fiscal environment.”
The CFPB website at https://www.consumerfinance.gov/ currently displays a “404: Page Not Found Error” and the CFPB offices were closed to CFPB staff and taken over by the Department of Government Efficiency (headed by Elon Musk) as of February 9, 2025.
The Congressional Review Act (CRA) (codified at 5 U.S.C. §§801- 808) also is a consideration for these final rules. If a final rule is deemed a “major rule” (5 U.S.C. §804) by the OMB, the CRA provides for a special congressional procedure to overturn the rule during a so-called look-back period. The OMB deemed each of the Negative Option Final Rule, the DOJ Rules and the PFDR Rule as a major rule.
The Senate Parliamentarian has determined that the CRA’s look-back period began on August 16, 2024, for rules submitted in the second session of the 118th Congress, which ended on January 3, 2025. Republican lawmakers have already indicated that they intend to use the CRA procedure to target as many of the Biden-Harris administration rules as possible.
The Big Shift in Artificial Intelligence Policy
President Biden’s Executive Order 14110 of October 30, 2023, titled “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”, focused on “governing the development and use of AI safely and responsibly,” was rescinded by Trump’s Executive Order 14148 (“Initial Rescissions of Harmful Executive Orders and Actions”) and replaced by Executive Order 14179 (“Removing Barriers to American Leadership in Artificial Intelligence”) (Trump AI Executive Order) on January 23, 2025.
The Biden administration’s order focused on eight overarching principles for AI development: safety and security; privacy; managing AI bias and civil rights; consumer, patient and student protection; worker support; innovation and competition; international AI leadership; and federal use of AI. (Read more here.) By contrast, the Trump AI Executive Order is centered on deregulation and the promotion of AI innovation as a means of maintaining U.S. global dominance. (Read more here.)
The January Shakeup: The Data Privacy Framework
Alongside the CFPB and other U.S. federal government staffing changes and the controversial Deferred Resignation Program, President Trump fired three of the four sitting members of the Privacy and Civil Liberties Oversight Board (PCLOB): Chair Sharon Bradford Franklin, who was three years into her six-year term, Professor Edward Felten, and Travis LeBlanc, who served in the Obama administration.
By statute, the PCLOB can have up to five members, appointed by the President and confirmed by the Senate. Three members constitute a quorum, and no more than three members may belong to the same political party. As of January 31, 2025, only one PCLOB member – Beth Williams, who served in the first Trump administration – remains at the PCLOB.
The PCLOB removals are symbolically and practically significant to the future of the EU-U.S. Data Privacy Framework (DPF). The agreement between the European Commission and the U.S. that created the DPF (DPF Agreement) relies on a multi-layer mechanism for non-U.S. individuals to obtain review and redress of their allegations that personal data collected through U.S. signals intelligence was unlawfully handled by the United States. As part of the negotiations for the DPF Agreement, President Biden issued Executive Order 14086 (Enhancing Safeguards for United States Signals Intelligence Activities), directing federal agencies to address concerns – including redress mechanisms – relating to bulk digital surveillance by U.S. law enforcement and intelligence agencies. Those concerns underpinned EU regulators’ objections to the DPF’s predecessors. (Learn more about the DPF generally here.)
The PCLOB, which was created in 2004 to advise the federal government on civil liberties matters in connection with U.S. anti-terrorism laws, advised on the creation of the DPF’s redress mechanism. Even though the DPF Agreement was not enacted into law by Congress and EO 14086 could be overturned by another President, the redress mechanism in the DPF Agreement was pivotal in demonstrating to the European Commission that EU citizens could receive protection for their personal data that is essentially equivalent to EU data protection law.
While the U.S. federal government is amid structural changes initiated by Trump 2.0, businesses looking to prepare for and advance compliance efforts face a difficult decision about whether to continue with compliance efforts under the final rules described above or to stand down until the dust settles in Washington. For example, should a DPF-certified business revisit other cross-border transfer mechanisms now, in case the DPF does not survive legal challenges? Meanwhile, state legislatures continue to fill the void. So far this year, many states have already teed up new or amended privacy laws and new AI laws. Since neither a new federal AI law nor a new federal consumer privacy law seems to be top of mind for the Administration, businesses can for now continue with state law and federal sectoral law compliance efforts.
 
Krista Setera and Mary Aldrich contributed to this article.

In a Crisis, It Is Not Always Smart to Run for Shelter

Andre Haddad, CEO of the online car-sharing platform Turo, could have headed for shelter when the media storm hit. Instead, he appeared to embrace the adage, “Never let a good crisis go to waste.” 
On New Year’s Day, not one but two vehicles rented through the Turo app were involved in horrific and high-profile tragedies, each generating worldwide coverage.
At 3:15 a.m. in New Orleans’s French Quarter, U.S. Army veteran Shamsud-Din Jabbar drove his rented Ford F-150 into a crowd of revelers, killing 14 people and injuring dozens more before police shot and killed him. Several hours later, Matthew Alan Livelsberger, an active-duty U.S. Army Green Beret, allegedly detonated his rented Tesla Cybertruck outside the main entrance of the Trump International Hotel Las Vegas before killing himself. 
The media quickly zeroed in on Turo, a privately held company that has been described as an Airbnb for autos. A customer finds a privately owned vehicle they want to rent on the site, then books it from the “host” – an individual who can make money renting out their car to total strangers. 
The Wall Street Journal on Jan. 2 questioned Turo’s safety record; Fox Business followed suit a day later. Both outlets noted that cars rented from Turo and other online sites are sometimes damaged, stolen, and abandoned, and some cars reportedly have been used for human smuggling. 
While Turo initially addressed reporters’ questions with a statement, Haddad agreed to go live on CNBC on Jan. 3. 
It was a smart move by the company. Haddad was humble, disarming, and appeared forthright. Even when addressing the toughest questions, he was not defensive but calm and earnest, and he used facts to tell his story.
CNBC news anchor Sara Eisen kicked off the interview by asking Haddad where the investigation stood. 
“We’ve been working around the clock to investigate and partner with law enforcement,” Haddad said. “My first thoughts are for the families and victims. We are really heartbroken for them. This feels so unfair.” 
Eisen then asked Haddad how Turo could rent vehicles to individuals who caused such destruction and death. 
While the company uses a proprietary, data-based algorithm to screen each potential renter, Haddad stressed that these two individuals had no criminal record or any other disqualifying factors.
“They had valid U.S. driver’s licenses, in fact, they were decorated servicemen,” Haddad said. “They … could have boarded any flight. They could have rented any other car in any traditional car rental chain. They could have checked into any hotel, and there were no red flags, no one would have flagged them as a security risk. So, it’s a very challenging situation to deal with.” 
Eisen pressed Haddad on safety concerns. 
“You know there have been articles, including on NBC, that Turo is no stranger to safety concerns, and for years, these peer-to-peer platforms have been faced with criticism about stolen cars used for nefarious purposes,” she said. “What is it about the business?”
Haddad acknowledged that there have been many “terrorist attacks” using rented vehicles “over the last 20 years in the U.S. and abroad,” but said that Turo felt “very good” about its own trust and safety track record. He supported his position with a series of facts: 
“We’ve been around for 13 years, so we’re not new. We’ve facilitated over 90 million book days, 27 million trips to date, and the rate of serious incidents on our platform over that whole period, across all of these trips, is less than 0.1%. So, our safety track record is very strong,” he said.
He added, “I believe that … Turo happened to be chosen this time instead of others because we have become a really large player in this market.” 
Many companies would have refused to put their leader in front of the media. Too many risks, they would conclude. What if the CEO says something that digs the company into a deeper hole or opens it up to a lawsuit? It is easy to say, “Let’s just give them a statement and be done with it.” 
But Haddad’s appearance provided the company with an opportunity to demonstrate a measure of humanity by acknowledging the victims and their families. Haddad also used the platform to underscore Turo’s work with legal authorities and to stress the company’s successful track record, highlight its state-of-the-art technology to screen for bad actors, and reiterate Turo’s support for hosts whose vehicles have been damaged. 
Haddad and his team smartly recognized they had a compelling story to tell, and he was brave enough to tell it. Granted, there are times when it is best to say nothing, but the Turo case provides a roadmap for all CEOs and communications pros for how to handle a crisis.
Sometimes, the best strategy is putting the CEO out front and letting them deliver the message.

Congress Revisits Stablecoins

After unsuccessful past efforts to enact federal legislation regulating stablecoins, Congress has again turned to stablecoins. While it is always difficult to predict whether any bill will pass, there seems to be growing support in the current Congress, with the Senate Banking Committee and the House Financial Services Committee working closely together to adopt legislation.
In the Senate, a bipartisan bill entitled the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act is sponsored by Senators Bill Hagerty (R-TN), Tim Scott (R-SC), Cynthia Lummis (R-WY) and Kirsten Gillibrand (D-NY). The bill defines a payment stablecoin as a digital asset used for payment or settlement that is pegged to a fixed monetary value. It would permit both bank and certain nonbank entities to issue payment stablecoins, and provides for either federal or optional state regulation, depending on the total amount of stablecoins issued. The bill makes clear that payment stablecoins are not securities subject to SEC regulation, and instead provides for banking-like examination, supervision and enforcement.
In the House, House Financial Services Committee Chair French Hill (R-AR) and Digital Assets, Financial Technology, and Artificial Intelligence Subcommittee Chairman Bryan Steil (R-WI) announced a discussion draft of a bill entitled the Stablecoin Transparency and Accountability for a Better Ledger Economy (STABLE) Act. The bill is similar in many respects to the GENIUS Act in that it seeks to provide a path for the permitted issuance of payment stablecoins with regulation at either the federal or state level. A key difference between the GENIUS Act and STABLE Act is that while the GENIUS Act requires the Treasury Department to prepare a written study on “endogenously collateralized stablecoins,” also known as algorithmic stablecoins, the STABLE Act imposes a two-year moratorium on their issuance.

CISA and FDA Sound Alarm on Backdoor Cybersecurity Threat with Patient Monitoring Devices

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and the U.S. Food and Drug Administration (“FDA”) released warnings about an embedded function they found in the firmware of the Contec CMS8000, a patient monitoring device used to provide continuous monitoring of a patient’s vital signs, including electrocardiogram, heart rate, temperature, blood oxygen and blood pressure.[1] Healthcare organizations using this device should take immediate action to mitigate the risk of unauthorized access to patient data, to determine whether such unauthorized access has already occurred, and to prevent future unauthorized access.
Contec Medical Systems (“Contec”), a global medical device and healthcare solutions company headquartered in China, sells medical equipment used in hospitals and clinics in the United States. The Contec CMS8000 has also been re-labeled and sold by resellers, for example as the Epsimed MN-120.
The three cybersecurity issues identified by CISA and FDA are:

An unauthorized user may remotely control or modify the Contec CMS8000, and it may not work as intended.
The software on the Contec CMS8000 includes a “backdoor,” which allows the device or network to which the device has been connected to be compromised.
The Contec CMS8000, once connected to the internet, will transmit the patient data it collects, including personally identifiable information (“PII”) and protected health information (“PHI”), to a hard-coded external IP address in China.

Mitigation Strategies
Healthcare organizations should take an immediate inventory of their patient monitoring systems and determine whether their enterprise uses any of the impacted devices. Because no patch is currently available, FDA recommends disabling all remote monitoring functions by unplugging the ethernet cable and disabling Wi-Fi or cellular connections if used. FDA further recommends that the devices in question be used only for local, in-person monitoring. Per the FDA, if a healthcare provider needs remote monitoring, a different patient monitoring device from a different manufacturer should be used. Because physically disconnecting every unit depends on the inventory being complete, network-level controls are a useful complement: block outbound internet access from the clinical device segment, and review firewall, proxy and DNS logs for past outbound connections from these monitors, which is the most direct way to answer whether data has already left the network.
Healthcare providers that are not using impacted devices should still take the time to audit their patient monitoring and other internet-connected devices to determine the risk of potential security breaches. Organizations should use this opportunity to evaluate, once again, their incident response plans, continue to conduct periodic risk assessments of their technologies, and evaluate whether their organization’s policies, procedures, and plans enable them to fulfill cybersecurity requirements.[2]
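As an added example (not from CISA, FDA, Contec or this article), the following Python script shows the kind of triage a security team can run once the inventory exists: it takes a device inventory and firewall log lines, both constructed here, and flags two things: any traffic at all from an impacted model (which should be fully disconnected), and any connection attempt from a monitor to an address outside the internal ranges. The IP-to-model assignments, the internal ranges, the log format and the sample addresses are all assumptions for illustration.

```python
"""Added example (not from CISA, FDA, Contec or the article): triage
patient-monitor network activity against a device inventory.

Everything below is constructed for illustration: the IP-to-model
inventory, the internal ranges, and the firewall log lines."""
import ipaddress
from dataclasses import dataclass

# Models named in the CISA/FDA advisories; any traffic from these means the
# "unplug it" mitigation was not actually completed for that unit.
IMPACTED_MODELS = {"Contec CMS8000", "Epsimed MN-120"}

# Hypothetical inventory: IP address -> model (assumption, not real devices).
INVENTORY = {
    "10.20.5.11": "Contec CMS8000",
    "10.20.5.12": "Epsimed MN-120",
    "10.20.5.30": "OtherVendor Monitor",
}

# RFC 1918 ranges treated as internal; anything else counts as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed firewall log lines; the "timestamp key=value ..." layout is an
# assumption about the log format, not any vendor's real schema.
SAMPLE_LOGS = """\
2025-02-03T08:01:12Z action=allow src=10.20.5.30 dst=10.20.5.2 dport=4000 proto=tcp
2025-02-03T08:01:15Z action=allow src=10.20.5.11 dst=203.0.113.7 dport=515 proto=tcp
2025-02-03T08:01:20Z action=allow src=10.20.5.12 dst=10.20.5.2 dport=4000 proto=tcp
2025-02-03T08:02:00Z action=deny src=10.20.5.11 dst=198.51.100.9 dport=2049 proto=tcp
2025-02-03T08:02:30Z action=allow src=10.20.9.99 dst=8.8.8.8 dport=53 proto=udp
this line is garbage and must be skipped
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    model: str
    dst: str
    action: str
    reason: str


def parse_line(line):
    """Parse one 'timestamp key=value ...' line; return None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"timestamp": parts[0]}
    for tok in parts[1:]:
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        rec[key] = value
    return rec if {"src", "dst"} <= rec.keys() else None


def is_internal(ip_str):
    """True if ip_str parses as an address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def analyze(log_text, inventory=INVENTORY):
    """Return findings for traffic from inventoried monitors.

    Denied connections are reported too: a blocked egress attempt still
    shows that the device is trying to call out."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst = rec["src"], rec["dst"]
        model = inventory.get(src)
        if model is None:
            continue  # not a monitor we track; out of scope here
        action = rec.get("action", "?")
        if model in IMPACTED_MODELS:
            findings.append(Finding(rec["timestamp"], src, model, dst, action,
                                    "impacted device still on network"))
        if not is_internal(dst):
            findings.append(Finding(rec["timestamp"], src, model, dst, action,
                                    "egress to external address"))
    return findings


def devices_to_escalate(findings):
    """Sorted list of monitor IPs that need physical follow-up."""
    return sorted({f.src for f in findings})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOGS)
    for f in results:
        print(f"{f.timestamp} {f.src} ({f.model}) -> {f.dst} [{f.action}]: {f.reason}")
    print("escalate:", devices_to_escalate(results))
```

Two design choices matter here. Denied connections are reported alongside allowed ones, because a monitor that keeps attempting to reach an external address is evidence that it was never isolated, regardless of what the firewall did with the packet. And an impacted model is flagged on any traffic, even to an internal destination, because the advisory’s mitigation is to disconnect the device entirely, not merely to block its internet access.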
[1] See CISA, Contec CMS8000 Contains a Backdoor (January 30, 2025); FDA, Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed: FDA Safety Communication (January 30, 2025).
[2] See e.g., Polsinelli’s discussion of cybersecurity compliance in 2025.

FINRA Facts and Trends: February 2025

Welcome to the latest issue of Bracewell’s FINRA Facts and Trends, a monthly newsletter devoted to condensing and digesting recent FINRA developments in the areas of enforcement, regulation and dispute resolution. We dedicate this month’s issue to FINRA’s 2025 Annual Regulatory Oversight Report. Read about the Report’s findings and observations, below.
FINRA Issues 2025 Regulatory Oversight Report
On January 28, 2025, FINRA published its 80-page 2025 Regulatory Oversight Report (the Report), offering insights and observations on key regulatory topics and emerging risks that firms should consider when evaluating their compliance programs and procedures. Broadly speaking, the Report identifies relevant rules, summarizes noteworthy findings, highlights key considerations for member firms’ compliance programs, and provides helpful and practical considerations as member firms analyze their existing procedures and controls.
The 2025 Report discusses 24 topics relevant to the securities industry. While many of these are perennially important topics, the Report also includes two new sections: third-party risk landscape and extended hours trading. Below, we provide an overview of the Report’s new priorities, together with certain continuing priorities highlighted in the Report.
A FINRA Unscripted podcast episode about the report — featuring Executive Vice President and Head of Member Supervision, Greg Ruppert, Executive Vice President and Head of Market Regulation and Transparency Services, Stephanie Dumont, and Executive Vice President and Head of Enforcement, Bill St. Louis — is available on FINRA’s website.
Newly Identified Priorities

Third-Party Risk Landscape: The most significant addition to the Report is a new top-level section on Third-Party Risk Landscape. Firms’ reliance on third parties for many of their day-to-day functions creates risks, and, as the Report indicates, this new section was prompted by “an increase in cyberattacks and outages at third-party vendors” that firms use.
As the broad heading indicates, the newly added material outlines effective practices and general steps to be taken by firms, including: 

maintaining a list of all third-party vendor-provided services, systems and software components that the firm can leverage to assess the impact on the firm in the event of a cybersecurity incident or technology outage at a third-party vendor;
adopting supervisory controls and establishing contingency plans in the event of a third-party vendor failure;
affirmatively inquiring whether potential third-party vendors incorporate generative AI into their products or services, and evaluating and reviewing contracts with these third parties to ensure they comply with the firm’s regulatory obligations, for example by adding contractual language that prohibits firm or customer information from being ingested into the vendor’s open-source generative AI tool;
assessing third-party vendors’ ability to protect sensitive firm and customer non-public information and data;
ensuring that a vendor’s access to a firm’s systems and data is revoked when the relationship ends; and
periodically reviewing the third party’s vendor tool default features and settings.
 

Extended Hours Trading: In recent years, trading in National Market System stocks and other securities has extended beyond regular trading hours. In its other new section, FINRA reminds firms that offer extended hours trading that they must comply with FINRA Rule 2265, which requires that these firms provide their customers with a risk disclosure statement. Importantly, if a firm allows its customers to participate in extended hours trading online, the firm must be sure to post a risk disclosure statement on the firm’s website “in a clear and conspicuous manner.” In addition to Rule 2265, firms participating in extended hours trading must also comply with FINRA Rule 5310 (Best Execution and Interpositioning) and Rule 3110 (Supervision).
The Report recommends the following best practices to address any perceived risks associated with extended hours trading: 

conducting best execution reviews geared toward evaluating how extended hours orders are handled, routed and executed;
reviewing customer disclosures to ensure they address the risks associated with extended hours trading;
establishing and maintaining supervisory processes designed to address the “unique characteristics or risks” of extended hours trading; and
evaluating the operational readiness and customer support needs during extended hours trading.

Continuing Priorities
In addition to the Report’s new topics, each of the Report’s sections — Financial Crimes Prevention, Firm Operations, Member Firms’ Nexus to Crypto, Communications and Sales, Market Integrity, and Financial Management — places special emphasis on certain continuing priorities that will remain key focus areas for FINRA in 2025:

Reg BI and Form CRS: Reg BI and Form CRS have been perennial areas of focus for FINRA since they first became effective in 2020. The 2025 Report details a number of new findings and observations for each of the four component obligations of Reg BI (Care, Conflict of Interest, Disclosure, and Compliance).
With respect to the Care Obligation, many of FINRA’s latest findings and observations center around firms’ obligations with respect to recommendations of complex or risky products. FINRA reminds firms making such recommendations to consider whether the investments align with the customer’s overall investment profile, and whether the investment would result in concentrations that exceed the firm’s policies or the customer’s risk tolerance, or that represent an inappropriate portion of a retail customer’s liquid net worth.
The primary addition to the Report concerning firms’ Conflict of Interest Obligation is a finding that firms may violate Reg BI by failing to identify all material conflicts of interest that may incentivize an associated person to make a particular recommendation, such as a financial incentive to recommend the opening of an account with the firm’s affiliate, or to invest in securities tied to a company in which the associated person has a personal ownership stake.
The Report also contains a new finding related to the Compliance Obligation, noting that firms must have written policies and procedures that address account recommendations (as distinct from investment recommendations), including transfers of products between brokerage and advisory accounts, rollover recommendations, and potentially fraudulent patterns of account switches by the same associate person. 
While the Report contains no new findings or observations related to the Disclosure Obligation, FINRA continues to remind firms of their obligation to provide customers “full and fair” disclosures of all material facts related to the scope of their relationship and any conflicts of interest.
As it relates to Form CRS, the Report’s findings included failures to properly deliver Form CRS and to properly post Form CRS — including posting Form CRS on any websites maintained by financial professionals who offer the firm’s services through a separate “doing business as” website.
 
Cybersecurity and Cyber-Enabled Fraud: The Report’s section on Cybersecurity and Cyber-Enabled Fraud — titled Cybersecurity and Technology Management in previous years’ reports — includes several important additions in 2025.
Most prominently, the Report highlights the emerging risks associated with quantum computing. Noting that many financial institutions have recently begun exploring use of quantum computing in their business operations, the Report warns that these technologies could be exploited by threat actors. Among other things, a sufficiently large quantum computer could quickly break the public-key encryption methods (RSA and elliptic-curve schemes, for example) that underpin much of the industry’s TLS, VPN and digital-signature use; symmetric ciphers and hash functions are weakened but not broken outright. Because encrypted data captured today can be stored and decrypted later, firms should be inventorying where they rely on these algorithms now, and NIST finalized its first post-quantum cryptography standards in August 2024 to give them something to migrate to. FINRA recommends that firms considering the use of quantum computers place a particular emphasis on ensuring cybersecurity, third-party vendor management, data governance and supervision.
The Report also discusses a variety of cybersecurity threats and attacks that financial institutions must be prepared to counter. First, the Report observes an increase in the variety, frequency and sophistication of many common threats, including new account fraud, account takeovers, data breaches, imposter sites, and “quishing” (an attack that uses QR codes to redirect victims to phishing URLs). In addition to these more conventional threats, the Report also describes several emerging threats, including: Quasi-Advanced Persistent Threats (Quasi-APTs) (sophisticated cyberattacks intended to gain prolonged network or system access); Generative AI-Enabled Fraud (attacks that make use of emerging generative AI technology to enhance cyber-related crimes); and Cybercrime-as-a-Service (attacks perpetrated by criminals with technical expertise on a for-hire basis, or by selling cyber-attack tools to third parties).
Among the effective practices recommended by FINRA to combat these threats, the Report highlights two new practices: tabletop exercises, in which firms bring internal and external stakeholders together to ensure cyber threats are appropriately identified, mitigated and managed; and network segmentation, which subdivides a firm’s networks into separate sections so that a threat actor who compromises one segment cannot move laterally to gain access to the network in its entirety.
 
Senior Investors and Trusted Contact Persons: FINRA remains keenly focused on preventing the financial exploitation of senior investors. The Report reminds members of their regulatory obligations under FINRA Rule 4512 with respect to “Trusted Contact Persons” (TCPs) and FINRA Rule 2165 (Financial Exploitation of Specified Adults).
FINRA Rule 4512(a)(1)(F) requires FINRA members to make reasonable efforts to obtain the name of and contact information for a TCP for non-institutional customer accounts to address possible financial exploitation, to confirm the specifics of the customer’s current contact information, health status, or the identity of any legal guardian, executor, trustee, or holder of a power of attorney; or take other steps permitted by Rule 2165. In particular, Rule 2165 permits firms to place temporary holds on securities transactions and account disbursements if the member reasonably believes that financial exploitation of a Specified Adult has occurred, is occurring, has been attempted, or will be attempted. “Specified Adult” means (A) a natural person age 65 and older; or (B) a natural person age 18 and older who the member reasonably believes has a mental or physical impairment that renders the individual unable to protect his or her own interests.
In the “Findings and Effective Practices” section of the Report, FINRA notes that recent examinations and investigations have focused on firms not making reasonable attempts to obtain the name and contact information of a TCP; not providing written disclosures explaining when a firm may contact a TCP; not developing training policies reasonably designed to ensure compliance with the requirements of Rule 2165; and not retaining records that document the firm’s internal review underlying any decision to place a temporary hold on a transaction.
As for suggested effective practices, the Report recommends, among other things: implementing a process to track whether customer accounts have designated TCPs, establishing specialized groups to handle situations involving elder abuse or diminished capacity, and hosting conferences or participating in industry groups focused on the protection of senior customers.
 
Anti-Money Laundering (AML) and Fraud: FINRA Rule 3310 requires that each member firm develop and implement a written AML program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act and its implementing regulations.
As for recommended effective practices, the Report recommends:

conducting thorough inquiries when customers — particularly the elderly — request an unusually significant amount of funds to be disbursed to a personal bank account;
conducting formal, written AML risk assessments;
incorporating additional methods for verifying customer identities when establishing online accounts;
delegating AML duties to specific business units that are best positioned to monitor and identify suspicious activity; and
establishing an AML training program for personnel that is tailored to the individuals’ roles and responsibilities.
The Report highlights one emerging risk: FINRA has observed an increase in investment fraud committed by those that engage directly with investors. This can include persuading victims to withdraw funds from their accounts as part of a fraudulent scheme. The FBI’s Internet Crime Report notes that “investment fraud is the costliest type of crime tracked by the FBI’s Internet Crime Complaint Center.” To help mitigate this threat, FINRA recommends: monitoring for sudden changes in a customer’s behavior, including withdrawal requests that are out of character for the customer; educating firm personnel that are in contact with customers on how to recognize red flags; and developing clear response plans for when the firm identifies a customer that has been victimized.
 

Private Placements: The Report’s section on private placements does not stray far from previous years’ reports, and primarily re-emphasizes a key area of focus for FINRA’s Enforcement division over the past two years, first highlighted in Regulatory Notice 23-08. As we reported at the time, Regulatory Notice 23-08 reminded member firms of their obligation to conduct a reasonable investigation of private placement investments prior to making any recommendation — including, most particularly, conducting an investigation of the issuer, its management and its business prospects, the assets held or to be acquired by the issuer, and the issuer’s intended use of proceeds from the offering. In its discussion of findings from targeted exams, FINRA further notes that firms fail to satisfy this obligation when, among other things, they do not conduct adequate research into issuers that have a lack of operating history, or where they rely solely on the firm’s past experience with an issuer based on previous offerings. FINRA’s findings offer a reminder to firms to apply scrutiny to all offerings, whether or not the issuer is a known quantity — and to be especially vigilant when an issuer is new to the space.
The Report’s findings also provide another cautionary tale: FINRA warns that firms fail to comply with Reg BI’s care obligation when they take the position that the firm is not making recommendations, even though the firms’ representatives have made communications to customers that include a “call to action” and are individually tailored to the customer. Firms should remain aware that these types of communications are likely to be viewed as investment recommendations, and ensure that they conduct reasonable diligence before making any such communication to a customer.
The Report also discusses an emerging trend concerning firms that have made material misrepresentations and omissions related to recommendations of private placement offerings of pre-IPO securities. As examples, FINRA cites firms that have failed to disclose potential selling compensation, and that have failed to conduct reasonable due diligence to confirm that the issuer actually held or had access to the shares it purported to sell.
 
Manipulative Trading: Member firms are prohibited, pursuant to a series of FINRA Rules, from engaging in impermissible trading practices. The relevant rules include FINRA Rule 2010 (Standards of Commercial Honor and Principles of Trade); FINRA Rule 5230 (Payments Involving Publications that Influence the Market Price of a Security); and FINRA Rule 5210 (Publication of Transactions and Quotations), which FINRA has relied on in pursuing enforcement actions accusing member firms of publicizing or circulating inflated trading activity.
The Report highlights certain recent findings, including firms having inadequate written supervisory procedures (WSPs), not establishing surveillance controls designed to capture manipulative trading, and not establishing and maintaining a surveillance system reasonably designed to monitor for potentially manipulative trading.
 
Communications With the Public: As in previous years, the Report details the content standards prescribed for three categories of firm written communications: correspondence, retail communications and institutional communications. 
The Report also presents findings on an emerging trend: retail communications focused on registered index-linked annuities (RILAs). FINRA’s findings concerning firms’ communications related to RILAs mirror many of the common findings in connection with other types of investments. For example, FINRA has found that firms have failed to adequately explain how RILAs function and the meaning of specialized terms that are specific to RILAs, as well as finding that firms have made inadequate disclosures of the risks, fees and charges associated with RILAs.
The Report also contains a new focus on firms’ communications made through social media and generative AI. In particular, it recommends that firms ensure that communications made with the assistance of generative AI (including chatbot communications used with investors) are appropriately supervised and retained. Similarly, the Report cautions that firms must maintain systems, including WSPs, reasonably designed to supervise communications disseminated on the firm’s behalf by influencers on social media.
The Report’s findings and observations are intended to serve as a guide for member firms to assess their current compliance, supervisory, and risk management programs and note any perceived deficiencies that could result in scrutiny by FINRA. Member firms are encouraged to focus on the findings, observations and effective practices relevant to their respective business models.

Australia’s Proposed Scams Prevention Framework

In response to growing concerns regarding the financial and emotional burden of scams on the community, the Australian government has developed the Scams Prevention Framework Bill 2024 (the Bill). Initially, the Scams Prevention Framework (SPF) will apply to banks, telecommunications providers, and digital platform service providers offering social media, paid search engine advertising or direct messaging services (Regulated Entities). Regulated Entities will be required to comply with obligations set out in the overarching principles (SPF Principles) and sector-specific codes (SPF Codes). Those failing to comply with their obligations under the SPF will be subject to harsh penalties under the new regime.
Why Does Australia Need an SPF?
Australian customers lost AU$2.7 billion to scams in 2023. Whilst the monetary loss from scams is significant, scams also have nonfinancial impacts on their victims. Scams affect the mental and emotional wellbeing of victims, who may suffer trauma, anxiety, shame and helplessness. Scams also undermine the trust customers place in digital services.
Currently, scam protections are piecemeal, inconsistent or non-existent across the Australian economy. The SPF is an economy-wide initiative which aims to:

Halt the growth in scams;
Safeguard the digital economy; 
Provide consistent customer protections for customers engaging with Regulated Entities; and
Be responsive and adaptable to the scams environment. 

What is a Scam?
A scam is an attempt to cause loss or harm to an individual or entity through the use of deception. For example, a perpetrator may cause a target to transfer funds into a specified bank account by providing the target with what appears to be a parking fine. However, financial loss caused by illegal cyber activity such as hacking would not be a scam as it does not involve the essential element of deception.
SPF Principles
The Bill sets out six SPF Principles which Regulated Entities must comply with. The SPF Principles will be enforced by the Australian Competition and Consumer Commission (ACCC) as the SPF General Regulator. 
The SPF Principles are outlined in table 1 below.

SPF Principle
Description

1. Governance
Regulated Entities are required to ‘develop and implement governance policies, procedures, metrics and targets to combat scams’. In discharging their obligations under this principle, entities must develop and implement a range of policies and procedures which set out the steps taken to comply with the SPF Principles and SPF Codes. The ACCC is expected to provide guidance on how an entity can ensure compliance with their governance obligations under the SPF.

2. Prevent
Regulated Entities must take reasonable steps to prevent scams on or relating to the service they provide. Such steps should aim to prevent people from using the Regulated Entity’s service to commit a scam, as well as prevent customers from falling victim to a scam. This includes publishing accessible resources which provide customers with information on how to identify scams and minimise their risk of harm.

3. Detect
Regulated Entities must take reasonable steps to detect scams by ‘identifying SPF customers that are, or could be, impacted by a scam in a timely way’. 

4. Report
Where a Regulated Entity has reasonable grounds to suspect that a ‘communication, transaction or other activity on, or relating to their regulated service, is a scam’, it must provide the ACCC with a report of any information relevant to disrupting the scam activity. Such information is referred to as ‘actionable scam intelligence’ in the SPF.
Additionally, if requested by an SPF regulator, an entity will be required to provide a scam report. The appropriate form and content of the report is intended to be detailed in each SPF Code.

5. Disrupt
A Regulated Entity is required to take ‘reasonable steps to disrupt scam activity on or related to its service’. Any such steps must be proportionate to the actionable scam intelligence held by the entity. As an example, for banks, appropriate disruptive activities may include:

Contacting customers to warn them of popular scams;
Introducing confirmation of payee features on electronic banking services; and
Placing a hold on payments directed to an account associated with scam activity to allow the bank time to contact the customer and provide them with information about the suspected scam. 

6. Respond
Regulated Entities are required to implement accessible mechanisms which allow customers to report scams and establish accessible and transparent internal dispute resolution processes to deal with any complaints. Additionally, Regulated Entities must be a member of an external dispute resolution scheme authorised by a Treasury Minister for their sector. The purpose of such an obligation is to provide an independent dispute resolution mechanism for customers whose complaints have not been resolved through initial internal dispute resolution processes, or where the internal dispute resolution outcome is unsatisfactory.

Table 1
What are ‘Reasonable Steps’?
We expect that SPF Codes will provide further clarification regarding what will be considered ‘reasonable steps’ for the purposes of discharging an obligation under the SPF Principles. From the explanatory materials, it is evident that whether reasonable steps have been taken will depend on a range of entity-specific factors including, but not limited to:

The size of the Regulated Entity;
The services of the Regulated Entity;
The Regulated Entity’s customer base; and
The specific types of scam risk faced by the Regulated Entity and their customers.

Disclosure of Information Under the Reporting Principle
As indicated in table 1 above, the SPF reporting principle requires disclosure of information to the SPF regulator. It is clear from the explanatory materials that, to the extent this reporting obligation is inconsistent with a legal duty of confidence owed under any ‘agreement or arrangement’ entered into by the Regulated Entity, the SPF obligation will prevail. However, it is not expressly stated how this obligation will interact with statutory protections of personal information.
The Privacy Act 1988 (Cth) (Privacy Act) imposes obligations regarding the collection, use and disclosure of personal information. Australian Privacy Principle 6.2(b) (paragraph 6.2(b) of Schedule 1 to the Privacy Act) allows an entity to use or disclose personal information for a purpose other than that for which it was collected where the use or disclosure is required or authorised by or under an Australian law. Arguably, once the SPF is enacted, disclosure of personal information in accordance with the obligations under the reporting principle will be ‘required by an Australian law’ and therefore not in breach of the Privacy Act.
Safe Harbour Protection for Disruptive Actions
As noted in table 1, SPF Principle 5 requires entities to take disruptive actions in response to actionable scam intelligence. This may leave Regulated Entities vulnerable to actions for breach of contractual obligations. For example, where a bank places a temporary hold on a transaction, the customer might lodge a complaint for failure to follow payment instructions. To prevent the risk of such liability from deterring entities from taking disruptive actions, the SPF provides a safe harbour protection whereby a Regulated Entity will not be liable in a civil action or proceeding where they have taken action to disrupt scams (including suspected scams) while investigating actionable scam intelligence. 
In order for the safe harbour protection to apply, the following requirements must be met:

The Regulated Entity acted in good faith and in compliance with the SPF;
The disruptive action was reasonable and proportionate to the suspected scam;
The action was taken during the period starting on the day that the information became actionable scam intelligence, and ending when the Regulated Entity identified whether or not the activity was a scam, or after 28 days, whichever was earlier; and
The action was promptly reversed if the Regulated Entity identified the activity was not a scam and it was reasonably practicable to reverse the action.

The assessment of whether disruptive actions were proportionate will be determined on a case-by-case basis. However, relevant factors may include:

The volume of information received or available;
The source of that information; and
The apparent likelihood that the activity is associated with a scam.

SPF Codes
As a ‘one-size-fits-all’ approach across the entire scams ecosystem is not appropriate, the SPF provides for the creation of sector-specific codes. These SPF Codes will set out ‘detailed obligations’ and ‘consistent minimum standards’ to address scam activity within each regulated sector. The SPF Codes are yet to be released.
It is not clear whether the SPF Codes will interact with other industry codes and, if so, how and which codes will prevail. 
It appears from the explanatory materials that the SPF Codes are intended to impose consistent standards across the regulated sectors. It is unclear whether this will be achieved in practice or whether there will be a disproportionate compliance burden placed on one regulated sector in comparison to other regulated sectors. For example, because banks are often the ultimate sender/receiver of funds, will they face the most significant compliance burden? 
SPF Regulators
The SPF is to be administered and enforced through a multiregulator framework. The ACCC, as the General Regulator, will be responsible for overseeing the SPF provisions across all regulated sectors. In addition, there will be sector-specific regulators responsible for the administration and enforcement of SPF Codes. 
Enforcement
The proposed Bill sets out the maximum penalties for contraventions of the civil penalty provisions of the SPF. 
There are two tiers of contraventions, with a tier 1 contravention attracting a higher maximum penalty in order to reflect that some breaches would ‘be the most egregious and have the most significant impact on customers’. A breach will be categorised based on the SPF Principle contravened as indicated in table 2 below.

Tier 1 Contravention
SPF principle 2: prevent
SPF principle 3: detect
SPF principle 5: disrupt
SPF principle 6: respond

Tier 2 Contravention
An SPF Code
SPF principle 1: governance
SPF principle 4: report
Table 2
In addition to the civil penalty regime, other administrative enforcement tools will be available including:

Infringement notices;
Enforceable undertakings;
Injunctions;
Actions for damages;
Public warning notices;
Remedial directions;
Adverse publicity orders; and
Other punitive and nonpunitive orders.

BOOM: R.E.A.C.H. Adds Two Critical Board Members to Help Guide Organization Through Rapid Growth

So R.E.A.C.H. is really on fire following its efforts in support of industry’s position on the FCC’s one-to-one consent rules.
With one-to-one seemingly out the window–or is it?–the R.E.A.C.H. standards remain the only comprehensive set of lead gen standards and everyone is taking notice.
Biggest uptick in membership yet this month and tons of activity and energy.
But the biggest news from Friday’s board meeting was the admission of two new and CRUCIAL members: Joey Liner and Michael Ferree.
If you have spent any time in the business you know these two.
Joey spent quite a bit of time with a major lead aggregator– I dare not speak its name–before setting up shop with Liner Connections as the go-to consulting firm in the lead generation space. He has also been instrumental in helping to bridge the gaps between R.E.A.C.H. and other organizations in the lead gen space– I am always very welcoming but others are not so much–and he is truly an advocate for standards the industry can live with. Love that.
Mike runs one of the best conferences in the Lead Generation World called… Lead Generation World. He also throws the FANTASTIC contact.io event each year and has tremendous reach in the space. He also caught on to the risk posed by the FCC’s early one-to-one efforts and provided a platform for education that nobody else did. He has shown tremendous LEADERSHIP in the industry and has advocated for good actors– while pushing back against bad eggs– from the beginning.
Really proud to have these two on the board. They bring INCREDIBLE experience and CREDIBILITY to the organization and their addition really signals R.E.A.C.H. has come of age and taken a position of leadership across the lead generation, direct-to-consumer, and digital advertising communities.
Please join me in welcoming these two to the board of R.E.A.C.H.!

Trending in Telehealth: January 6 – 27, 2025

Trending in Telehealth highlights state legislative and regulatory developments that impact the healthcare providers, telehealth and digital health companies, pharmacists, and technology companies that deliver and facilitate the delivery of virtual care.
Trending in the past weeks:

Provider training
Telepharmacy
Licensure exceptions

A CLOSER LOOK
Proposed Legislation & Rulemaking:

In Ohio, the Department of Mental Health and Addiction Services proposed amendments to the mobile response and stabilization services (MRSS) rule. The changes would clarify when telehealth is a “clinically appropriate” modality for delivering MRSS, such as when a clinician requests a mobile response and that clinician is not available to respond in person as part of the MRSS team.
New York’s FY 2026 budget includes legislation to join the Nurse Licensure Compact (NLC). Joining the NLC would make it easier for certain categories of nurses licensed in other states to practice in New York either physically or through telemedicine, and for New York providers to offer virtual care to their patients who travel to other states.
Also in New York, Senate Bill 1430 passed the Senate and was referred to the Assembly. The proposed legislation would establish the New York state abortion clinical training program within the Department of Health. The curriculum would include training on the delivery of abortion and other reproductive healthcare services through telehealth.
Vermont’s Office of Professional Regulation proposed amendments to the Administrative Rules of the Board of Pharmacy that further elaborate on the state’s telepharmacy practicing and licensure requirements. Under the proposed rules, telepharmacists would be subject to the same rules and standards applicable to all modalities of pharmacy practice. The proposed rule also provides that pharmacists licensed in other jurisdictions who wish to provide only telepharmacy services from outside of Vermont to individuals located in Vermont may apply for an out-of-state telepharmacist license.

Finalized Legislation & Rulemaking Activity:

North Dakota adopted rule amendments that provide exceptions to physician licensure for telehealth providers licensed in another state, including for continuation of care for an established patient, care while the patient is located within the state temporarily, preparation for a scheduled in-person visit, practitioner-to-practitioner consultations, and emergency circumstances.
The Ohio governor signed Senate Bill 95 into law. The legislation provides an exception to current state law that prohibits pharmacists from dispensing dangerous drugs through telehealth or virtual means.
The Texas Medical Board repealed 22 Tex. Admin. Code § 170, which included regulations concerning the electronic prescribing of controlled substances. The board also repealed 22 Tex. Admin. Code § 174, concerning telemedicine generally, and replaced it with the new 22 Tex. Admin. Code § 175. These regulations state that a physician may not provide telemedicine medical services to patients in Texas unless the physician holds a full Texas medical license or an out-of-state telemedicine license as of September 1, 2022. The regulations also set parameters for the provision of telemedicine services and requirements for prescribing via telemedicine. Notably, 22 Tex. Admin. Code § 175.3 specifies requirements for prescribing for chronic pain via telemedicine, and states that a physician must use audio and video two-way communication for prescribing for chronic pain unless certain criteria are met.

Why it matters:

States continue to recognize the importance of training providers on the delivery of services via telehealth. New York’s inclusion of telehealth in its proposed provider training programs not only affirms telehealth as an effective care delivery method, but also illustrates an understanding of the modern trend of healthcare delivery through alternate means. Ohio’s proposed rule amendments designating telehealth as a “clinically appropriate” care delivery modality for MRSS further underscores these principles.
Increased demand for telepharmacy services has prompted states to reevaluate their laws and regulations. The legislation in Ohio and regulatory amendments and proposals in Texas and Vermont illustrate states’ necessary responses to the increased demand for telepharmacy services.
States continue to enact legislation reflecting the importance of the ability to provide telehealth services across state lines. While telemedicine is often viewed as an option for care delivery, it is important for states to recognize that in some instances, telemedicine is the optimal or exclusive modality available. North Dakota’s adopted rule amendments and New York’s proposal to join the NLC are prime examples of states recognizing the utility and periodic necessity of virtual care delivery.

Telehealth is an important development in care delivery, but the regulatory patchwork is complicated.