CFPB Slaps Wise with $2.5 Million Penalty for Deceptive Remittance Practices
CFPB Slaps Wise with $2.5 Million Penalty for Deceptive Remittance Practices. In a landmark ruling, the Consumer Financial Protection Bureau (CFPB) has ordered the international remittance company, Wise, to pay a hefty fine of $2.5 million after discovering a series of illegal actions, including deceptive advertising, misleading fees, and failure to properly disclose crucial costs […]
Bad News & Good News: Ransomware Up, Payments Down in 2024
American blockchain analysis firm Chainalysis reports that ransomware payments declined significantly in 2024, dropping to $813 million from $1.25 billion in 2023 – a 35% decrease. The company’s sleuthing also revealed that only 30% of victims who entered negotiations with ransomware actors ultimately paid a ransom. That’s big. And this downward payment trend occurred despite 2024 being a record year for ransomware attacks overall.
This work reveals a disconnect between attack volume and successful extortion, suggesting organizations are becoming more resilient to ransomware pressure tactics. Some of the possible factors contributing to the decrease in ransomware payments include:
Law Enforcement and International Collaboration: Increased law enforcement actions and improved international collaboration have been effective in disrupting ransomware operations. For example, the takedown of LockBit by the UK’s National Crime Agency (NCA) and the US FBI led to a 79% decrease in payments.
Increased Gap Between Demands and Payments: The difference between ransom demands and actual payments is increasing. Incident response data shows that a majority of clients do not pay at all.
Shift in Ransomware Ecosystem: The collapse of LockBit and BlackCat led to a rise in lone actors and smaller groups that focus on small to mid-size markets with more modest ransom demands.
Illegitimate Victims on Data Leak Sites (more on this below): Some threat actors have been caught overstating or lying about victims, or reposting claims by old victims. LockBit has been known to publish as high as 68% repeat or fabricated victims on its data leak site after being ostracized by the underground community following law enforcement action.
Ransomware Actors Abstaining From Cashing Out: Ransomware operators are increasingly abstaining from cashing out their funds (such that the funds flow isn’t tracked), likely due to uncertainty and caution amid law enforcement actions targeting individuals and services facilitating ransomware laundering.
Victim Refusal to Pay: More victims are choosing not to pay ransoms due to improved cyber hygiene and overall resiliency.
Chainalysis also gives a summary of the data leak trends in 2024:
unprecedented growth in ransomware data leak sites, with 56 new sites emerging in 2024 – more than twice the number identified in 2023
researchers note significant concerns about the accuracy of these reported leaks:
many leaks overstated their impact, claiming entire multinational organizations when only small subsidiaries were affected
over 100 organizations appeared on multiple leak sites
ransomware gang LockBit, following law enforcement disruption, artificially inflated their numbers by reposting old victims and fabricating new ones – with up to 68% of their posts being repeat or false claims
This analysis suggests that while data leak sites showed record numbers in 2024, the actual scope of successful ransomware attacks may be significantly lower than the raw numbers indicate.
CIPA SUNDAY: Class Certified! Instant Replay Catches Prudential Offside—It’s 4th & Long, What’s Their Next Move?
Greetings CIPAWorld!
We are bringing back CIPA Sundays! And what better day to do it than Super Bowl Sunday—where the only replay we should be analyzing is on the field. But off the field, a different kind of replay is making headlines—one that allegedly tracks every move you make online, even the ones you think are erased. While millions tune in for the big game, another play-by-play happens behind the scenes. Imagine filling out an online life insurance quote form. You type in your age, financial details, and perhaps even information about your medical history. Then you delete something, perhaps reconsidering how much you want to share. But what if that erased data was never truly gone? What if every keystroke, every backspace, every moment of hesitation was silently recorded? That’s exactly what Prudential Financial allegedly did, and a federal court gave thousands of California residents the green light to challenge the practice together.
In a significant ruling for digital privacy, Judge Charles Breyer of the Northern District of California refused to let Prudential and its partners sidestep liability, certifying a class action that could reshape the boundaries of online data collection. See Torres v. Prudential Fin., Inc., No. 22-CV-7465-CRB, 2024 WL 4894289 (N.D. Cal. Nov. 26, 2024). Does this case sound familiar? It should. The one and only Baroness blogged about it here: The ActiveProspect Saga: Privacy Challenges Continue Post-Javier. This case illustrates how courts deal with modern surveillance technologies, the boundaries of implied consent, and whether companies can justify real-time user tracking under the pretext of “data collection.”
So, let’s get a little technical for a moment for those unfamiliar with this tech. The technology at issue here is TrustedForm, a session replay tool that does more than just log user submissions. In turn, it generates a second-by-second reconstruction of a user’s entire interaction with Prudential’s quote form, capturing information even if it is deleted before submission. Here’s how it works: the moment a visitor lands on the form, TrustedForm assigns them a unique tracking ID and begins recording. Think of it like a surveillance camera for your browser—monitoring every keystroke, every backspace, every time you hover over a field but hesitate to fill it out. By the time users hit “Get an instant quote,” Prudential and its partners already have a fully mapped-out replay of their entire thought process. But here’s the twist—users never agreed to this level of tracking. At no point were they explicitly told that their interactions were being recorded in real time.
With this in mind, let’s now switch gears and break down the Court’s reasoning so we can work through the Court’s analysis to fully understand it. Before deciding whether a class could be certified, the Court tackled standing—a threshold issue in privacy litigation. In Campbell v. Facebook, Inc., 951 F.3d 1106, 1117 (9th Cir. 2020), Judge Breyer reaffirmed that CIPA violations inherently confer standing because they protect substantive privacy rights, not just procedural ones. Unlike some privacy claims that require proof of harm beyond statutory violations, Plaintiff didn’t need to show her data was misused—the unconsented recording itself was enough to constitute concrete injury under TransUnion L.L.C. v. Ramirez, 594 U.S. 413, 423 (2021).
Prudential’s primary defense hinged on implied consent—arguing that website visitors were sufficiently “on notice” of session replay tracking through privacy policies, industry norms, and even news articles discussing online monitoring. However, the Court wasn’t convinced. Relying on Calhoun v. Google, L.L.C., 113 F.4th 1141, 1147 (9th Cir. 2024), the Court emphasized that for consent to be valid, it must be to “the particular conduct, or substantially the same conduct” at issue. Generic disclosures about data collection won’t cut it.
Prudential then pointed to its privacy policy, but the Court found this argument lacking, distinguishing Torres from its own prior decision in Javier v. Assur. IQ L.L.C., 649 F. Supp. 3d 891, 896-97 (N.D. Cal. 2023). While Javier held that a privacy policy might put users on “inquiry notice” for statute of limitations purposes, it didn’t establish actual consent. Here, no reasonable user clicking through Prudential’s quote form would expect that their keystrokes and deleted inputs were being recorded in real time.
Another hurdle Prudential tried to establish was the identification of class members—arguing that individual inquiries would dominate. The Court disagreed. Under Briseno v. ConAgra Foods, Inc., 844 F.3d 1121, 1125 (9th Cir. 2017), the Ninth Circuit doesn’t require plaintiffs to demonstrate administrative feasibility at the certification stage. It found that Prudential’s own database, combined with user affidavits, would be sufficient to identify affected consumers.
Next, one of Prudential’s more technical arguments was that some class members may have used VPNs, making it difficult to verify whether they were in California. However, the Court found this issue insufficient to defeat predominance. The Court suggested that ZIP code cross-referencing and affidavits could establish California residency. See Zaklit v. Nationstar Mortg. L.L.C., No. 5:15-cv-2190-CAS(KKx), 2017 WL 3174901, at *9 (C.D. Cal. July 24, 2017). It also pointed out that CIPA’s protections extend to communications “in transit” through California, meaning that even non-residents could potentially qualify if their data was intercepted while in the state.
With class certification granted, the battle over Prudential’s use of TrustedForm is far from over. The defendants—Prudential, ActiveProspect, and Assurance IQ—aren’t waiting for the trial to try to shut this case down. They’ve filed an early motion for summary judgment, arguing that their use of TrustedForm doesn’t violate California’s wiretapping law, CIPA § 631(a). The motion is set for a hearing on March 28, 2025, with briefing continuing through February and March.
The core of this motion revolves around whether ActiveProspect qualifies as a “third-party eavesdropper” under CIPA or if it was merely a service provider acting on Prudential’s behalf. The defense insists that TrustedForm is just a compliance tool, incapable of independent use, while Plaintiffs argue that recording user interactions without explicit consent is exactly the kind of digital surveillance CIPA was meant to prevent. Defendants might also move to exclude the expert testimony of Plaintiffs’ software expert, adding another layer of complexity. If they do, that motion will be fully briefed by March 13, 2025.
Meanwhile, the Court has scheduled a case management conference for March 28, 2025, immediately following the summary judgment hearing. Depending on how Judge Breyer rules, this case could either be heading toward trial—or be over before it ever gets there.
Bottom line? This fight is far from over, and Torres could still set a significant precedent for online tracking and consumer privacy rights. The next few months will be one to watch, and we’ll be sure to keep you updated.
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!
Eleventh Circuit Strikes Down One-to-One Consent Rule
On February 6, 2025, the Eleventh Circuit Court of Appeals struck down the FCC’s one-to-one consent rule (previously discussed here). Applying the Supreme Court’s decision in Loper Bright Enters. v. Raimondo, 9 the Eleventh Circuit ruled that the FCC exceeded its legal authority by enforcing additional consent restrictions not explicitly outlined in the Telephone Consumer Protection Act (TCPA).
The FCC had implemented the one-to-one consent rule as a safeguard against excessive telemarketing calls. By requiring consumers to grant consent to each specific seller, the rule sought to minimize unwanted marketing communications.
By invalidating the rule, the court effectively maintains the status quo, which allows businesses to rely on a single instance of consumer consent for multiple lead generators.
Putting It Into Practice: This ruling likely ends the FCC’s push on the one-to-one consent rule. In the short term, it will need to decide whether it appeals the ruling to a possible hostile Supreme Court. A Trump-centric FCC may have a different view altogether. We will keep monitoring the space for future developments.
Listen to this post
CFPB Signals Shift in Position on Section 1071 Compliance Pause
This week, the CFPB filed an emergency notice in the Fifth Circuit Court of Appeals, indicating that it no longer opposes a pause in compliance with its Section 1071 small business data-collection rule (previously discussed here, here, and here). This marks a significant departure from its previous stance as it navigates ongoing legal challenges from lenders.
The notification was submitted just before a scheduled hearing in the case challenging the rule’s validity, and states “Counsel for the CFPB has been instructed not to make any appearances in litigation except to seek a pause in proceedings.” This shift raises questions about the rule’s near-term enforceability, particularly for financial institutions that have been preparing for its implementation.
The Section 1071 rule, established under the Dodd-Frank Act, is designed to enhance transparency in small business lending. It mandates that financial institutions:
Collect and retain data on small business credit applications. Businesses must track and document applications for credit from small businesses to ensure fair lending practices and monitor access to credit for minority- and women-owned businesses.
Gather applicants’ demographic details. Lenders are required to ask applicants for self-reported demographic information including race, ethnicity, and gender. This will be used to assess lending trends and potential disparities.
Report lending decisions to regulatory bodies for oversight. Collected data must be submitted to the CFPB and other relevant regulatory agencies to facilitate enforcement actions and policy assessments related to fair lending laws.
Establish compliance protocols to ensure adherence with reporting requirements. Institutions must implement internal systems to collect, store, and submit required data while ensuring privacy protections for applicants.
Putting It Into Practice: The CFPB finalized the rule as a result of a lawsuit brought by the California Reinvestment Coalition and other plaintiffs who sought to compel the agency to implement Section 1071 of the Dodd-Frank Act, which had been enacted in 2010 but not enforced for years. The lawsuit led to a settlement agreement in 2020, under which the CFPB committed to a timeline for proposing and finalizing the rule. So while it may not be possible to rescind the law, a pause may lead to the Bureau carving back some of the data collection requirements. We will continue monitor the Section 1071 compliance landscape for further developments.
Listen to this post
California AB 3108 Creates Potential Mortgage Fraud Issue for Lenders on Owner-Occupied Mortgage Loans Made for a Business Purpose
California Assembly Bill 3108 became effective on January 1, 2025 and could conceivably make certain business purpose loans secured by owner-occupied property subject to mortgage fraud claims by the borrowers. The primary goal of the new law—passed unanimously by the State Assembly and nearly unanimously by the State Senate (with one apparent absentee)—is to protect borrowers from certain predatory practices by mortgage lenders and brokers. However, unintended consequences may arise.
Assembly Bill 3108 makes it felony mortgage fraud for a “mortgage broker or person who originates a loan” to intentionally:
Instruct or otherwise deliberately cause a borrower to sign documents reflecting the terms of a business, commercial, or agricultural loan, with knowledge that the borrower intends to use the loan proceeds primarily for personal, family, or household use.
Instruct or otherwise deliberately causes a borrower to sign documents reflecting the terms of a bridge loan, with knowledge that the loan proceeds will be not used to acquire or construct a new dwelling. For purposes of this subdivision, a bridge loan is any temporary loan, having a maturity of one year or less, for the purpose of acquisition or construction of a dwelling intended to become the consumer’s principal dwelling.
This law is clearly intended to go after bad actors with respect to both mortgage loans and bridge loans. However, it also opens up the possibility that a delinquent or defaulting borrower with a business purpose loan could claim that the mortgage lender or broker committed a felony by persuading the borrower to claim that the loan was made for business purposes when the lender knew that the loan was actually for personal purposes.
Putting It Into Practice: All mortgage lenders and mortgage brokers should have policies in place for determining and documenting when loans are made for business purposes. This is the time to review those policies and make sure they are as protective as possible. At a minimum, those policies should include the following:
Obtain a handwritten letter signed in the lender’s presence by the borrower detailing the business purpose of the loan.
Gather corroborating evidence of the business purpose, such as financial statements and invoices.
Have the applicant sign a business purpose certificate.
If possible, fund the loan proceeds to a business bank account.
Consider recording a telephone conversation with the applicant discussing the business purpose, but be sure to inform the applicant that the call is being recorded, as required by California law.
Consider obtaining a legal opinion from the borrower’s counsel.
Having these policies in place could significantly reduce the risk that a borrower will later claim that the mortgage lender or broker has committed felony mortgage fraud in violation of AB 3108.
Listen to this post
EPA Postpones Addition of Nine PFAS to Toxics Release Inventory for Reporting Year 2025
On February 5, 2025, the U.S. Environmental Protection Agency (EPA) delayed until March 21, 2025, the effective date of a January 2025 rule adding nine per- and polyfluoroalkyl substances (PFAS) to the list of chemicals subject to toxic chemical release reporting under the Emergency Planning and Community Right-to-Know Act (EPCRA) and the Pollution Prevention Act (PPA). 90 Fed. Reg. 9010. As reported in our January 13, 2025, blog item, the January rule updates the regulations to identify nine PFAS that must be reported pursuant to the National Defense Authorization Act for Fiscal Year 2020 (FY2020 NDAA). The PFAS added to the Toxics Release Inventory (TRI) are:
Ammonium perfluorodecanoate (PFDA NH4) (Chemical Abstracts Service Registry Number® (CAS RN®) 3108-42-7);
Sodium perfluorodecanoate (PFDA-Na) (CAS RN 3830-45-3);
Perfluoro-3-methoxypropanoic acid (CAS RN 377-73-1);
6:2 Fluorotelomer sulfonate acid (CAS RN 27619-97-2);
6:2 Fluorotelomer sulfonate anion (CAS RN 425670-75-3);
6:2 Fluorotelomer sulfonate potassium salt (CAS RN 59587-38-1);
6:2 Fluorotelomer sulfonate ammonium salt (CAS RN 59587-39-2);
6:2 Fluorotelomer sulfonate sodium salt (CAS RN 27619-94-9); and
Acetic acid, [(γ-ω-perfluoro-C8-10-alkyl)thio] derivs., Bu esters (CAS RN 3030471-22-5).
In the February 5, 2025, notice, EPA states that it is delaying the effective date of the rule in response to President Trump’s January 20, 2025, memorandum entitled “Regulatory Freeze Pending Review.” The memorandum directed the heads of executive departments and agencies to consider postponing for 60 days from the date of the memorandum the effective date for any rules published in the Federal Register that had not yet taken effect for the purpose of reviewing any questions of fact, law, and policy that the rules may raise.
SEC Cybersecurity Disclosure Trends: 2025 Update on Corporate Reporting Practices
Go-To Guide:
Since April 2024, 41 companies disclosed cybersecurity incidents via Form 8-K, with 26 filing under voluntary Item 8.01 and 15 under mandatory Item 1.05, which requires reporting if the incident had a material impact on the company.
Following the SEC’s May 2024 guidance clarifying that Item 1.05 is intended only for mandatory filings, companies appear to be increasingly filing voluntary non-material cybersecurity incidents under Form 8-K Item 8.01 rather than under Item 1.05.
Recent cybersecurity incident disclosures contain more detailed information about affected systems and compromised data, particularly in Item 1.05 filings, than the more general disclosures filed right after the rule became effective.
Some amended Form 8-K filings under both rules focus on operational recovery status and typically conclude no material impact occurred, even under Item 1.05 filings.
Six months after the SEC’s Cybersecurity Incident Disclosure Rule (SEC Rule) came into force, an April 2024 GT Alert summarized disclosure trends. The GT Alert identified that the companies who filed a mandatory form 8-K disclosing a cybersecurity incident had erred on the side of caution, hedged on whether the materiality threshold had been met or outright stated that it had not, reported an incident early, and provided only high-level information about the incident.
The SEC’s Division of Corporation Finance (Corp Fin) issued clarifying guidance on May 21, 2024, noting that companies were filing materiality disclosures under new Item 1.05 for incidents that did not rise to the level of a material adverse event. In other words, companies possibly afraid of being second-guessed were opting to report under Item 1.05 even when they determined that the cybersecurity incident did not have a material adverse event. The SEC’s guidance clarified that new Item 1.05 was only appropriate for cybersecurity incidents that had a material effect on the company and suggested companies could avail themselves of voluntary disclosure under Item 8.01 instead.
As a potential result of the May guidance, companies are increasingly filing non-material cyber incident disclosures under Item 8.01 of Form 8-K, while material incidents continue to be reported under Item 1.05. Since April 2024, 41 companies have filed a form 8-K to disclose a new cybersecurity incident, but 26 did so under 8.01 and 15 did so under 1.05.1 Additionally, companies are providing more detailed disclosures about affected systems and data, but amended filings often lack clarity on when additional information was discovered and primarily confirm the resumption of operations with no material impact.
SEC Rule Disclosure Requirements
As a recap, the SEC Rule requires the following:
1.
Disclosure Requirement: Companies must disclose material incidents within four business days of determining their materiality by filing a Form 8-K under Item 1.05.
2.
Materiality Determination: The assessment of materiality must happen without unreasonable delay after discovering the incident. A cybersecurity incident is material if it has a “substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or would have “significantly altered the ‘total mix’ of information made available.” There is no bright-line test for assessing materiality. When assessing materiality, the SEC directed public companies to consider both quantitative and qualitative factors, including the immediate consequences and long-term implications for operations, customer relationships, financial performance, brand reputation, and the likelihood of litigation or regulatory action.
3.
Delay Exception: The only reason to delay disclosure is a written request from the U.S. Attorney General to protect national security or public safety.
4.
Form 8-K Content: The form must include:
–
discovery date and status (ongoing or not),
–
description of the incident’s nature and scope,
–
information about stolen or altered data,
–
potential impact on operations, including financial effects, and
–
remediation efforts or plans.
5.
Amended Form 8-K Filing: Once this information becomes known, the SEC’s Final Rule requires companies to amend a prior Form 8-K to disclose any information called for that was unavailable at the time of the initial Form 8-K filing. Amendments must be filed within four business days after the company, without unreasonable delay, determines such information or within four business days after such information becomes available.
Emerging Cybersecurity Incident Disclosure Trends
Looking at the disclosures companies have made up until today, there are five emerging trends:
1.
Disclosures of non-material incidents are increasingly filed under Item 8.01. The SEC’s guidance was effective in providing a roadmap for public companies to disclose incidents deemed initially immaterial under Item 8.01. Since then, more companies have started using Item 8.01 to disclose non-material cybersecurity incidents in their 8-K filings.
2.
Uptick in companies reporting material impact. Since April 2024, there has been an uptick in companies disclosing a material impact of their cyber incidents under Item 1.05. Six out of 15 companies specified the material impact on their financial condition or results of operations in their disclosures under Item 1.05, whereas prior to April 2024, there were none. However, there are still no cases where the company later (in the amended Form 8-K) confirms that there was in fact material impact. So far, the amended disclosures conclude that there is no material impact or that material impact is reasonably unlikely.
3.
More detail in the disclosures. Companies are starting to include more details in their 8-K filings than the first half of 2024. For instance, companies report about the affected systems, particularly the impacted data, such as whether it contains sensitive personal information. On the other hand, filings under Item 8.01 have been considerably shorter, generally providing a high-level overview of the incident, as they do not need to meet the content requirements for the material incident disclosure under Item 1.05.
4.
Amended disclosures do not include the date when additional information was identified. While an amended Form 8-K must be filed within four business days after additional information becomes available, companies do not indicate the date when they became aware of additional information on the incident. Hence, it cannot be determined whether companies have met the timing requirement.
5.
Amended disclosures often focus on the resumption of operations and confirm no material impact has been identified. Generally, companies use the amended Form 8-K under both Items 1.05 and 8.01 (i) to indicate that they have resumed their normal business activities and (ii) to confirm that the incident does not or is unlikely to have a material impact.
1 This number excludes amended filings.
Treasury Secretary Scott Bessent Appointed as Acting CFPB Director
On January 31, 2025, the CFPB announced President Donald Trump had appointed Scott Bessent as Acting Director of the CFPB. In a brief statement, Bessent expressed his commitment to advancing the administration’s agenda to lower costs for Americans and accelerate economic growth.
Industry groups have welcomed Bessent’s leadership, anticipating a rollback of regulations established during tenure of former Director Rohit Chopra.
Putting It Into Practice: Given Bessent’s background in investment and finance, there may be a move towards more industry-friendly regulations. Financial institutions should monitor potential shifts in CFPB policies and enforcement priorities under Secretary Bessent’s leadership. We will continue to monitor these developments.
Listen to this post
New York AG Reaches $1 Billion Settlement with ‘Predatory’ Lender
On January 22, New York Attorney General Letitia James announced a $1 billion settlement with a now defunct cash advance firm and its officers. The settlement resolves allegations that the firm and its officers repeatedly engaged in fraudulent and deceptive predatory lending practices aimed at small business owners in violation of New York law.
The lawsuit alleges that the firm and its network of affiliated companies engaged in a range of deceptive lending practices. These alleged transgressions included misrepresenting the true cost of financing by disguising high-cost loans as merchant cash advances, which often led to small business owners to believe they were not taking on debt. The lawsuit also claimed the firm charged unreasonable interest rates, frequently exceeding 100%, and imposed hidden fees. These practices allegedly trapped borrowers in debt cycles, making it difficult for them to sustain their businesses. The firm was also accused of employing aggressive and harassing debt collection tactics, including threats and intimidation, which led to significant distress to small business owners.
Specifically, the settlement requires the firm to:
Forgive debts of affected small businesses. Over $534 million of outstanding debt owned by more than 18,000 small businesses nationwide will be canceled.
Pay restitution to affected small business owners. $16.1 million will be paid immediately for distribution to borrowers who were harmed by the firm’s practices.
Settling officers to pay a fine. The settling officers agree to pay a fine of $12.7 million dollars.
The company and its officers are also permanently banned from the merchant-cash advance industry.
Putting It Into Practice: This state-level settlement underscores the importance of monitoring actions by state regulators, particularly during a period of potential shifts in federal regulatory authority (previously discussed here). Companies engaged in lending or debt collection practices should proactively review their policies and procedures to ensure compliance with state laws and regulations.
Listen to this post
Illinois ‘Swipe Fee’ Law Faces Continued Pushback as Court Partially Extends Injunction
On February 6, 2025, the U.S. District Court of the Northern District of Illinois declined to issue a preliminary injunction to stop an Illinois “swipe fee” law that would ban certain credit and debit card fees from applying to credit unions while extending a previous preliminary injunction to apply to out-of-state banks. (See our previous coverage of this litigation here, here, and here).
The Interchange Fee Prohibition Act (“IFPA”) is a novel law that would prohibit credit and debit companies from charging fees on the tax and tip portions of credit and debit card transactions beginning July 1, 2025. The rest of the transaction, including the price of goods or services, would still be subject to the fees.
In August, banking industry groups filed a lawsuit challenging the state law, arguing that it was preempted by federal banking statutes and regulations. In addition to preemption arguments, they expressed concerns that financial institutions would be unable, from a practical standpoint, to comply with the law by the July 1 deadline. They further contended that the proposed new law would require banks and credit card companies to implement costly new computer systems to distinguish between transaction amounts, taxes, and tips.
In December, U.S. District Court Judge Virginia Kendall issued a preliminary injunction barring the IFPA from applying to federally chartered banks but declined to extend the relief to state banks and credit card companies. After reviewing supplemental briefing from the parties, on Thursday, Judge Kendall further denied an extension of the injunction to credit unions, holding that the Federal Credit Union Act did not preempt the new state law. But Judge Kendall granted preliminary injunctive relief to out-of-state banks operating in Illinois, holding that the Riegle–Neal Interstate Banking and Branching Efficiency Act “likely preempts” the IFPA.
Putting It Into Practice: When it was enacted last year, Illinois’ new swipe fee law was a bold and novel change to the payment processing landscape that threatened to upend how everyday payment transactions are processed. The mixed preemption rulings in this pending litigation are likely to create additional uncertainty in that the new proposed law would apply to certain industry participants, but not others. This underscores the key challenges and difficulties that arise when states attempt to pass legislation related to payment systems that are national and international in scope.
EPA Administrator Zeldin Announces Five Pillar Initiative to Guide EPA; What Does It Mean for OCSPP?
U.S. Environmental Protection Agency (EPA) Administrator Lee Zeldin on February 4, 2025, announced the “Powering the Great American Comeback Initiative” (PGAC Initiative). It consists of five pillars and is intended to serve as a roadmap to guide EPA’s actions under Administrator Zeldin.
The five pillars are:
Clean Air, Land, and Water for Every American;
Restore American Energy Dominance;
Permitting Reform, Cooperative Federalism, and Cross-Agency Partnership;
Make the United States the Artificial Intelligence Capital of the World; and
Protecting and Bringing Back American Auto Jobs.
Administrator Zeldin explained Pillar 3 by stating, “Any business that wants to invest in America should be able to do so without having to face years-long, uncertain, and costly permitting processes that deter them from doing business in our country in the first place.” [Emphasis added.] We agree and would urge Administrator Zeldin to consider the years-long new chemical approval process under the Toxic Substances Control Act (TSCA).
There has been much discussion about the Trump Administration’s desire to reduce the size of the government by reducing the federal workforce and restore common sense to the decision-making process. What is getting lost in the discussion and actions taken to “right-size” the government is that chemical manufacturers and formulators rely on EPA action to bring new products to market. The public seldom hears about how agencies like EPA play a vital role in promoting innovation and supporting job creation. Instead, political rhetoric has been about reducing agency headcounts and budgets, but not enough about how to improve agency performance and efficiency.
This is not new. Dr. Richard Engler and I wrote in November 2024 about the newly unveiled Department of Government Efficiency (DOGE), “If DOGE can identify ways to improve the operation and efficiency of [EPA’s Office of Chemical Safety and Pollution Prevention (OCSPP)] (e.g., by ensuring appropriate resources and updated technology), this could lead to economic gains, greater investment, innovation, and sustainability, and yes, more jobs in the United States.” I would expand what we wrote in November to include the PGAC Initiative.
American businesses need OCSPP, a critically important EPA office charged with conducting safety reviews of existing products and the gatekeeper for new chemical products, to be properly resourced (with funds, people, and technology), operate efficiently and effectively, and be held accountable for performance. If the PGAC Initiative and DOGE efforts lead to OCSPP’s proper resourcing, it would go a long way in reversing the trend of fewer new chemicals being submitted to EPA for approval in the United States and reducing the commercialization of innovative new chemistries overseas instead of here in the United States.