FinCEN Removes Beneficial Ownership Reporting Requirements for U.S. Companies and U.S. Persons, Sets New Deadlines for Foreign Companies
On March 21, 2025, the Financial Crimes Enforcement Network (FinCEN) issued an interim final rule that removes the requirement for U.S. companies and U.S. persons to report beneficial ownership information (BOI) to FinCEN under the Corporate Transparency Act (CTA).
Going forward, only foreign companies (not U.S. companies owned by non-U.S. persons) that have registered to do business in the U.S. will be required to comply with the CTA.
Foreign entities that meet the new definition of a “reporting company” and do not qualify for an exemption from the reporting requirements must report their BOI to FinCEN under new deadlines, detailed below. These foreign entities, however, will not be required to report any U.S. persons as beneficial owners, and U.S. persons will not be required to report BOI with respect to any such entity for which they are a beneficial owner.
The following deadlines apply for foreign entities that are reporting companies:
Reporting companies registered to do business in the United States before March 21, 2025, must file BOI reports no later than 30 days from that date.
Reporting companies registered to do business in the United States on or after March 21, 2025, have 30 calendar days to file an initial BOI report after receiving notice that their registration is effective.
EU CSDDD Under US Pressure: Some Insights on the PROTECT USA Act
The European Commission’s (EC) recent announcement of the Omnibus Simplification Proposals signals that it has heard the challenges and objections raised by companies affected by the new requirements of the Corporate Sustainability Reporting Directive (CSRD) and Corporate Sustainability Due Diligence Directive (CSDDD). But in the US, Senator Bill Hagerty (R-TN), a member of the Senate Banking Committee, has introduced legislation that could impose substantial challenges to CSDDD compliance for US companies.
As a reminder, the EC proposed amendments for the implementation and transposition deadlines of the CSRD and CSDDD, as well as amending the scope and requirements of the CSRD and CSDDD. But the Prevent Regulatory Overreach from Turning Essential Companies into Targets Act of 2025 (PROTECT USA Act)[1] proposed by Senator Hagerty targets “foreign sustainability due diligence regulation” such as the CSDDD, and would prohibit US companies from being forced to comply with the CSDDD. If enacted as currently drafted, US companies will be faced with a significant conflict in complying with the PROTECT USA Act and the CSDDD.
Further, the PROTECT USA Act intends to protect US companies from any enforcement action by the EU or its member states for non-compliance with the CSDDD. Section 5(a) of the PROTECT USA Act states: “No person may take any adverse action towards an entity integral to the national interests of the United States for action or inaction related to a foreign sustainability due diligence regulation.”[2] And § 5(b) prevents U.S. federal or state courts from enforcing any judgment by a foreign court relating to any foreign sustainability due diligence regulation “unless otherwise provided by an Act of Congress.”[3]
The PROTECT USA Act could apply to a significant number of US companies, defining “an entity integral to the national interest of the United States” as “any partnership, corporation, limited liability company, or other business entity that does business with any part of the Federal Government, including Federal contract awards or leases.”[4] It also includes entities:
[O]rganized under the laws of any State or territory within the United States, or of the District of Columbia, or under any Act of Congress or a foreign subsidiary of any such entity that—
(i) derives not less than 25 percent of its revenue from activities related to the extraction or production of raw materials from the earth, including—
(I) cultivating biomass (whether or not for human consumption);
(II) exploring or producing fossil fuels;
(III) mining; and
(IV) processing any material derived from an activity described in subclause (I), (II), or (III) for human use or benefit;
(ii) has a primary North American Industry Classification System code or foreign equivalent associated with the manufacturing sector; or
(iii) derives not less than 25 percent of its revenue from activities related to the mechanical, physical, or chemical transformation of materials, substances, or components into new products;
(iv) is engaged in—
(I) the production of arms or other products integral to the national defense of the United States; or
(II) the production, mining, or processing of any critical mineral.[4]
And the PROTECT USA Act has a catch-all that will apply to any entity “the President otherwise identifies as integral to the national interests of the United States.”[5]
The PROTECT USA Act builds on opposition to the CSDDD raised during the Biden Administration and, given the Republican majorities in both the US House and Senate, advances the argument that the CSDDD challenges US sovereignty. In a February 26, 2025 bicameral letter to Scott Bessent, the Secretary of the US Department of the Treasury, and Kevin Hassett, the Director of the White House National Economic Council, legislators described the CSDDD as “a serious and unwarranted regulatory overreach, imposing significant economic and legal burdens on U.S. companies.”[6] Thus, the PROTECT USA Act may serve as an incentive to further limit the scope of the CSDDD.
We recently reviewed how companies should address CSRD requirements while the EC works through the Omnibus Simplification Proposals.[7] The PROTECT USA Act adds an additional layer of complexity for US companies in navigating the uncertainty of the EC’s legislative process along with the significant limits the PROTECT USA Act might present. SPB’s policy experts in the US and EU can support companies in making prudent business decisions in a rapidly changing legislative environment.
[1] https://www.hagerty.senate.gov/wp-content/uploads/2025/03/HLA25119.pdf
[2] Id.
[3] Id.
[4] Id.
[5] Id.
[6] https://www.banking.senate.gov/imo/media/doc/csddd_letter_to_treasury-nec_draft_22525_zg.pdf.pdf
[7] https://natlawreview.com/article/what-should-companies-do-csrd-while-they-wait-eu-make-its-mind
Corporate Transparency Act 2.0 – Narrowing Reporting Requirements
On March 21, 2025, the Financial Crimes Enforcement Network (“FinCEN”) issued an interim final rule that significantly changes the reporting requirements under the Corporate Transparency Act (“CTA”). This alert summarizes the key changes to the reporting requirements and what they mean for your business.
Key Takeaways
Domestic companies[1] are now exempt from all reporting requirements.
Foreign companies and foreign pooled investment vehicles no longer need to report U.S. person beneficial owners[2] (but will need to report any non-U.S. person beneficial owners).
Compliance is still effectively voluntary as FinCEN has announced it will not be enforcing penalties and this rule is not yet effective.
Exemption for Domestic Companies
All domestic reporting companies are now completely exempt from the requirement to:
File initial beneficial ownership information (“BOI”) reports.
Update previously filed BOI reports.
Correct previously filed BOI reports.
FinCEN states that this reduction of requirements will eliminate the substantial compliance burdens for millions of U.S. businesses whose information would not be “highly useful” in the efforts to “detect, prevent, or prosecute money laundering, the financing of terrorism, proliferation finance, serious tax fraud, or other crimes.”[3]
Changes for Foreign Companies
Foreign companies still must report beneficial ownership information, but with two important exemptions:
Foreign companies are exempt from reporting beneficial ownership information for any U.S. persons who are beneficial owners.
U.S. persons are exempt from providing their beneficial ownership information to foreign companies.
Foreign companies with only U.S. beneficial owners will not need to report any beneficial owners.
Changes for Foreign Pooled Investment Vehicles
Foreign pooled investment vehicles now only need to report:
Non-U.S. individuals who exercise substantial control over the entity (not an individual who has the greatest authority over the strategic management of the entity).
If multiple non-U.S. individuals exercise control, only the non-U.S. person with the greatest authority must be reported.
Foreign pooled investment vehicles with only U.S. beneficial owners will not need to report any beneficial owners.
Extended Deadline
Foreign reporting companies and pooled investment vehicles will have until the later of 30 days after this rule is published in the Federal Register, or 30 days after their registration to do business in the United States.
Next Steps
FinCEN is accepting comments on this interim final rule. The agency will assess these exemptions based on public comments and plans on issuing a final rule later this year.
[1] See our prior advisories on the general application of the CTA and its specific application for those with entities for estate planning purposes for information on what is a domestic reporting company, a foreign reporting company, and beneficial owner information.
[2] As a reminder, generally a beneficial owner is any individual who (directly or indirectly) (a) exercises substantial control over the company or (b) owns or controls at least 25% of the company’s ownership interests.
[3] Please see full rule and explanation from FinCEN here.
How the Trump Administration’s War on Cartels Will Reshape the Financial Sector
On March 11, 2025, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a Geographic Targeting Order (GTO) aimed at disrupting drug trafficking and money laundering along the southwestern border. The GTO significantly lowers the Currency Transaction Reports (CTR) threshold from $10,000 to $200 for money service businesses (MSBs) operating in 30 zip codes across California and Texas. Treasury Secretary Scott Bessent emphasized the move as part of a broader effort to curb cartel influence, underscoring “deep concern with the significant risk to the U.S. financial system [from] the cartels, drug traffickers, and other criminal actors along the Southwest border.”
Despite its broader deregulatory agenda, the Trump administration has made clear that financial crime regulations — particularly those targeting money laundering, sanctions compliance, and illicit financing — are exceptions to its broader policy shift. The administration’s intensified crackdown on drug cartels underscores the financial sector’s growing role in national security and foreign policy enforcement. Banks and regulated institutions operating along the U.S.-Mexico border, or with substantial exposure to Mexico and Central America, must prepare for heightened compliance and due diligence expectations.
The Southwest Border GTO: A Glimpse into FinCEN’s Enforcement Priorities
GTOs compel financial institutions to implement heightened monitoring and reporting measures within specific high-risk regions. These orders, typically in effect for 180 days with the possibility of renewal, serve as a key intelligence-gathering and enforcement tool to disrupt illicit financial flows.
The March 11 GTO affects MSBs — including foreign exchange dealers, check cashers, issuers of traveler’s checks, and money transmitters — rather than banks. However, its implications extend far beyond these institutions. The drastic reduction of the CTR threshold to $200 reflects the cartels’ ability to efficiently launder drug proceeds through small, frequent transactions that evade traditional detection mechanisms.
Should the data gathered from this GTO indicate widespread illicit activity, regulators may extend its reach to regional and community banks, imposing even greater compliance burdens. More critically, the order signals heightened regulatory scrutiny on financial institutions’ roles in detecting and preventing cartel-related transactions. Banks with exposure to high-risk sectors must proactively enhance monitoring systems, train staff on emerging threats, and prepare to demonstrate robust compliance measures during regulatory examinations.
Drug Cartels as Terrorist Organizations: A Paradigm Shift for Financial Institutions
On his first day in office, President Trump signed an executive order initiating the designation of certain drug cartels as Foreign Terrorist Organizations (FTOs). On February 20, the State Department formally classified eight cartels under this designation, triggering sweeping legal and financial consequences.
Under U.S. law, FTO designation prohibits financial institutions from conducting transactions with these organizations and mandates the immediate blocking or freezing of assets linked to them. The move significantly expands the enforcement scope of the Treasury’s Office of Foreign Assets Control (OFAC), which oversees sanctions on terrorist organizations and other prohibited entities.
For financial institutions, this shift requires a fundamental reassessment of compliance strategies. Banks must refine sanctions screening processes, update risk management frameworks, and bolster due diligence measures to ensure they do not inadvertently facilitate transactions tied to these entities. Even transactions that do not explicitly list cartel-affiliated individuals or businesses may pose risks, necessitating enhanced scrutiny of financial flows originating from cartel-controlled regions.
In addition to shifting compliance strategies, the new FTO designation carries with it a risk for increased civil litigation against banks under the Anti-Terrorism Act (ATA). From approximately 2014 to present, federal courts throughout the country have seen an increase in civil matters against banks for providing financial services to FTOs and/or their affiliates, and therefore aiding and abetting acts of terrorism. While these claims ordinarily involve foreign banks predominantly located in the Middle East, Russia, China, and Europe, this new designation and the accompanying GTO could result in similar lawsuits against U.S. depository institutions.
Cartels have embedded themselves in diverse sectors — including agriculture, mining, transportation, and even financial services — complicating compliance efforts. Institutions that fail to adapt face increased criminal and civil liabilities, underscoring the urgent need for proactive risk mitigation measures.
The Road Ahead: Navigating an Intensified Regulatory Landscape
As the Trump administration intensifies efforts to dismantle cartel financial networks, financial institutions must brace for a rapidly evolving regulatory environment. Enhanced reporting obligations, stricter compliance requirements, and expanded due diligence mandates are set to redefine risk management strategies across the sector.
Institutions operating along the U.S.-Mexico border will be particularly affected, navigating the dual pressures of FinCEN’s GTO mandates and broader cartel-related sanctions. Strengthening internal controls, refining anti-money laundering frameworks, and integrating advanced transaction monitoring tools will be critical in maintaining compliance and mitigating legal risks.
While these regulatory shifts may impose short-term costs, they ultimately safeguard financial institutions from unwitting involvement in illicit activities. More importantly, they reinforce the industry’s pivotal role in national security efforts, ensuring that the financial system remains a bulwark against transnational crime.
By staying ahead of regulatory developments and embracing a proactive compliance posture, banks and financial institutions can not only protect themselves but also contribute meaningfully to the broader fight against cartel-driven financial crime.
FinCEN Eliminates Corporate Transparency Act’s Reporting Obligations for U.S. Persons
On March 21, 2025, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) released an interim final rule (Interim Rule) that broadly eliminates Beneficial Ownership Information (BOI) reporting under the Corporate Transparency Act (CTA) for all U.S. reporting companies and all U.S. beneficial owners of foreign reporting companies. Under the Interim Rule, which FinCEN is implementing immediately, only companies created under foreign law and registered to do business in the U.S. will be required to submit BOI reports (unless otherwise exempt), and only foreign beneficial owners of such nonexempt foreign entities will be reportable.
Based on FinCEN’s estimates supporting the original BOI Rule (Original Rule), exempting all U.S. reporting companies shrinks the compliance universe by 99.8 percent.
How Did We Get Here?
The CTA whiplash, playing out in courts since early December, took a sharp turn by the government over the last month. On February 18, FinCEN restored the reporting obligations under the Original Rule after the last nationwide injunction against the CTA had been lifted at the government’s request. FinCEN gave reporting companies a grace period for compliance that would have ended, for most companies, on March 21.
Then, on February 27, FinCEN announced that it was suspending CTA enforcement pending a formal extension of the compliance deadlines beyond March 21. On March 2, the U.S. Treasury took this a step further, announcing the total suspension of CTA enforcement against U.S. persons and a rulemaking process “that will narrow the scope of the [BOI] rule to foreign reporting companies only.”
The Interim Rule puts this policy change into effect. The primary legal basis for this “narrowing” is a provision of the CTA that provides a regulatory process by which the U.S. Treasury may, subject to several statutory requirements, create additional exemptions from the BOI reporting obligations. In a court filing made after the March 2 announcement, the government elaborated on the policy change by noting the U.S. Treasury “intends to focus on foreign entities that could engage in illicit transactions from abroad.”
Policy Change or a New CTA?
Congress enacted the CTA to combat money laundering, the financing of terrorism, and other serious financial crimes by requiring tens of millions of private companies operating in the U.S. to identify their beneficial owners and disclose to FinCEN personal information about such companies and beneficial owners. FinCEN stores this information in a secure, nonpublic electronic warehouse for law enforcement purposes. Yet, FinCEN pegs the estimated number of reporting companies subject to the Interim Rule at less than 12,000 annually. Supporters of the CTA point to this fact, and findings made by Congress that bad actors conceal their ownership of entities in the U.S. to facilitate illicit transactions, in their criticism of the policy change. We could see judicial scrutiny of the Interim Rule if a plaintiff with legal standing decides to bring a case.
FinCEN is soliciting comments from the public on the Interim Rule, noting it “will assess the exemptions [in the Interim Rule], as appropriate, in light of those comments and intends to issue a final rule this year.” Among other unanswered questions, the Interim Rule does not address how BOI received by FinCEN from U.S. companies and their beneficial owners will be handled – nearly 16 million reports under the Original Rule were submitted to FinCEN prior to March 21.
Expect the CTA Saga to Continue
In addition to potential legal challenges to the Interim Rule, numerous cases challenging the CTA remain on court dockets and will continue to work their way through the legal process. Separately, some state legislatures have shown interest in developing their own versions of the CTA (which could be impacted by the ultimate resolution of the pending cases against the CTA), with New York having adopted the New York LLC Transparency Act (applicable to limited liability companies formed or registered to do business in New York and set to take effect January 1, 2026).
What Vice Chancellor Strine Got Wrong In Massey Energy Co.
Vice Chancellor Leo Strine famously wrote that “Delaware law does not charter law breakers”. In re Massey Energy Co., 2011 WL 2176479, at *20 (Del. Ch. May 31, 2011). Professor William J. Moon picks up on this theme in a forthcoming essay, Havens for Corporate Lawbreaking:
Yet even the fiercest defenders of the firm’s profit motive concede that the corporation’s profit-seeking function cannot justify breaking the law. As a matter of American corporate law, directors and officers are in breach of their fiduciary duties if they facilitate or engage in profit-maximizing illegal activities. Or so we thought.
Professor Moon’s essay calls out Nevada and the Cayman Islands as “corporate lawbreaking havens”. But are Vice Chancellor Strine and Professor Moon correct that Delaware does not charter corporate lawbreakers? I think not.
In JCCrandall, LLC v. Cnty. of Santa Barbara, 328 Cal. Rptr. 3d 828, 831 (Ct. App. 2025), review denied and ordered not to be officially published (Mar. 19, 2025), a California Court of Appeal pointed out that cannabis is illegal:
It is often said that cannabis is legal in California. The statement is not true. Under federal law, cannabis is illegal in every state and territory of the United States. (See Controlled Substances Act, 21 U.S.C. § 801 et seq.; 21 U.S.C. § 812 (c)(10); City of Garden Grove v. Superior Court (2007) 157 Cal.App.4th 355, 377, 68 Cal.Rptr.3d 656.) Article VI, paragraph 2 of the United States Constitution, known as the Supremacy Clause, provides in part, “The Constitution, and the Laws of the United States . . . shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.”
Therefore, any Delaware corporation engaged in the cannabis trade is potentially violating the law. Are the directors and officers of these corporations breaching their fiduciary duties when they allow the corporation to engage in the business for which it was formed?
It might be argued that Vice Chancellor Strine was referring only to Delaware law, but the Massey case involved violations of federal law. Thus, it cannot be said that he was referring only to state laws. Does this mean that Delaware charters the breakers of some laws? If so, how do directors and officers know which violations will support a breach of fiduciary duty claim and which will not?
More fundamentally, the immensity and complexity of state and federal laws and regulations mean that it is impossible for most corporations to comply fully with all laws and regulations. Therefore, Delaware does indeed charter law breakers. This is most certainly true.
What California Employers Should Consider When Buying or Selling a Business
The purchase or sale of a business in California involves intricate legal considerations, particularly regarding the rights of and responsibilities to employees. Both the buyer and seller need to consider employment ramifications.
For Buyers:
As the new employer, the buyer will need to comply with a host of California requirements and disclosures. Employers new to California should pay special attention to regulatory requirements and may wish to consider arbitration agreements, employee handbooks, meal and rest break policies, timekeeping requirements, and other California-specific obligations. If the acquisition involves a reduction in force, additional considerations will be necessary. Finally, the acquirer may inherit existing policies and practices that could subject them to liability.
For Sellers:
Sellers also need to consider their obligations. Sellers of a business with employees should carefully manage the transition to ensure compliance with state requirements. This involves:
Providing written notices to employees about the sale and its implications.
Ensuring clear communication regarding any termination of employment.
Securing express written consent from employees if there is any intention to transfer obligations to the new business owner.
It is essential, whether buying or selling a business with employees, for business owners to consult with experienced employment lawyers. This ensures compliance with employment laws and helps mitigate potential risks.
A Delay in Exit Plans
There was much hope going into 2025 that we would see a rebound in the IPO market after a bit of a drought over the past few years. We left the uncertainty of the election behind us, and good news on the inflation and interest rate fronts was fueling a sense of hope that 2025 was going to be a great year for the IPO market. However, at almost three months into the new year, it is looking like that rebound might be delayed a little longer.
The Wall Street Journal reports that the market volatility we are currently seeing is going to make IPO pricing a “monumental challenge,” and the IPO recovery that venture investors have been waiting on is on hold. The market is reacting to the threats of tariffs and a trade war, as well as recent talks of a recession, and the WSJ says this is keeping some companies on the sidelines as they delay their exit plans.
Yahoo! Finance cites data from Dealogic indicating that the total value of US IPOs is up 62%, coming in at $10 billion as of March 11 – almost double the number of deals compared to the same period in 2024. However, this is still well below the kinds of numbers we were seeing in the boom of 2021.
There are some companies that have already gone public this year, with six venture-backed IPOs as of mid-March. And there are still some on track, at least as of now, for the second quarter. Klarna and CoreWeave both filed an IPO prospectus this month, but those plans could be derailed if the market continues its roller coaster ride. Others have already put their plans on hold.
And it is not just IPOs that are delayed – mergers & acquisitions (M&A) are also off to an extremely slow start this year despite expectations that there would be more robust activity. PitchBook data show that “US M&A volumes in January were the lowest they’ve been in 10 years, and February wasn’t rosy either.” They point to antitrust policy, market turmoil, and “price mismatches” as contributing factors here. The leadership at the DOJ and FTC also remains critical of Big Tech, so many of those players are sitting on the sidelines, which has slowed down dealmaking considerably.
Only time will tell how the back and forth on tariffs will play out, but they are certainly having an impact on the market now and could have longer term impacts that further delay exit plans. A recent article in Forbes notes that the “market’s long-term response to tariffs depends largely on adaptability—how quickly companies can adjust supply chains, pass costs to consumers, or find alternative markets.” But how quickly companies can pivot remains to be seen, and timing will be critical for market stability and for transactions to resume.
There is certainly still hope that successful trade negotiations could end this tariff battle, but there are still fears about the current state of the economy and the potential for a recession. The world is watching closely to see how all of this shakes out, as is everyone sitting on the sidelines planning their next move.
Given that the pre-IPO planning process can be lengthy, and we know that better planning leads to better performance (and that lack of planning leads to poor results), companies and financial sponsors should be getting their ducks in a row for an anticipated IPO market window opening soon, perhaps as early as May 2025.
Australia: APRA Proposes Reforms to Strengthen Governance Standards
The Australian Prudential Regulation Authority (APRA) has proposed reforms to strengthen core prudential standards and guidance on governance, currently set out in SPS 510 Governance, SPS 520 Fit and Proper, and SPS 521 Conflicts of Interest.
The proposals come after APRA chairman, John Lonsdale, witnessed “entities treating compliance with some requirements, as a box-ticking exercise”. Lonsdale also stated that “international best practice on governance has progressed, and we want to ensure that our framework reflects that evolution”.
The proposed reforms include:
Introducing a 10-year tenure limit for non-executive directors at regulated entities;
Extending the current RSE licensee conflict management requirements to banks and insurers;
Strengthening board independence, particularly for entities which are part of a larger group structure;
Clarifying expectations around the roles of boards, the chair and senior management;
Lifting requirements for boards to ensure they have appropriate skills and capabilities to deliver an entity’s strategy;
Raising minimum standards for the fitness and propriety of responsible persons of regulated entities;
Requiring significant financial institutions to have separate audit and risk committees; and
Engaging a third-party performance assessment of the board, committees and individual directors at least every three years.
What’s Next?
APRA has confirmed the changes would be applied proportionately, with less complex institutions facing lower compliance expectations. APRA also aims to lift standards without adding undue cost burden, with Lonsdale stating that “most proposals will involve little change for entities with mature governance practices”.
Over the next three months, the industry will have the opportunity to comment on APRA’s proposals, with submissions required by 6 June 2025. The regulator intends to release updated prudential standards and guidance for formal consultation in early 2026, with the revised framework scheduled to come into force in 2028.
While noting that APRA’s Discussion Paper discloses APRA’s preliminary views, we suggest Australian banks, insurers, and superannuation trustees should review their current governance framework in anticipation of the direction of the regulator’s future expectations.
Amazon Files Suit against CPSC, Challenging CPSC’s Determination That Amazon Is a Distributor
On March 14, 2025, Amazon filed suit against the Consumer Product Safety Commission (CPSC) in the U.S. District Court for the District of Maryland, challenging CPSC’s July 29, 2024, and January 16, 2025, orders determining that Amazon is “a ‘distributor’ of certain products that are defective or fail to meet federal consumer product safety standards, and therefore bears legal responsibility for their recall.” According to CPSC’s January 17, 2025, announcement, “[m]ore than 400,000 products are subject to this Order: specifically, faulty carbon monoxide (CO) detectors, hairdryers without electrocution protection, and children’s sleepwear that violated federal flammability standards.” CPSC determined that the products, listed on Amazon.com and sold by third-party sellers using the Fulfillment by Amazon (FBA) program, pose a “substantial product hazard” under the Consumer Product Safety Act (CPSA). In its complaint, Amazon argues that CPSC “overstepped” the statutory limits of the CPSA by ordering “a wide-ranging recall of products that were manufactured, owned, and sold by third parties,” not Amazon itself. Amazon states that CPSC’s recall order “relies on an unprecedented legal theory that stretches the [CPSA] beyond the breaking point and fails to discharge” CPSC’s obligations under the Administrative Procedure Act (APA).
Amazon argues that it “falls within the definition of third-party logistics provider with respect to products sold using the FBA service because it does not manufacture, own, or sell those products, but instead stores and ships them on behalf of third-party sellers who retain title throughout the transaction.” Amazon notes that CPSC’s July 2021 administrative complaint was the “first of its kind” in seeking to label an online marketplace as a distributor under the CPSA, holding it responsible for recalling products “because it provided the third-party sellers with logistics services.” Amazon cites a statement by Robert S. Adler, then Acting Chair of CPSC, “admitt[ing] that the ‘statute is not perfectly clear on’ whether the Commission’s authority extends to Amazon’s FBA service.”
Amazon also argues that CPSC violated the APA by requiring a new round of recall notices, despite Amazon “having already twice notified every individual who purchased the products,” and by requiring that Amazon “issue new refunds to purchasers (despite having already provided a full refund to every customer in 2021 or 2022).” According to Amazon, CPSC’s typical product recall practices require only a single round of notices, and binding precedent requires that CPSC “acknowledge and provide a ‘reasoned explanation for’” departing from its past practice.
According to Amazon, the CPSA vests CPSC Commissioners “with a potent combination of governmental functions, authorizing them to act as judge, jury, and prosecutor in the same proceeding.” Amazon notes that the body that voted to file the complaint against it — the Commissioners — “also has the power to hear the evidence, decide factual disputes, interpret and apply the law to the facts, and fashion the remedy.” Amazon states that this arrangement “contravenes Amazon’s Fifth Amendment rights because it ‘violates the [Supreme] Court’s longstanding teaching that ordinarily ‘no man can be a judge in his own case’ consistent with the Due Process Clause.’”
Amazon asks the court to:
Vacate CPSC’s January 16, 2025, Final Order, as well as all earlier orders, “as arbitrary and capricious, contrary to law, in excess of statutory authority, and contrary to constitutional right”;
Declare that Amazon is a third-party logistics provider, not a distributor, with regard to its FBA logistics service; and
Declare the Commissioners’ statutory removal protections unconstitutional.
More information on CPSC’s July 29, 2024, Decision and Order is available in our August 5, 2024, blog item.
Fourth Circuit Stays Preliminary Injunction of Executive Orders Related to DEI Programs
On March 14, 2025, the US Court of Appeals for the Fourth Circuit issued a stay of the US District Court for the District of Maryland’s nationwide preliminary injunction of US President Donald Trump’s executive orders (EOs) that target diversity, equity, and inclusion (DEI) programs, namely EO Nos. 14151 and 14173. The stay allows the government to implement and enforce the EOs while litigation continues.
In Depth
In granting the stay, each member of the three-judge panel issued a concurring opinion explaining their reasoning. Chief Judge Albert Diaz and Judge Pamela Harris agreed that the government showed a sufficient likelihood that it will succeed in demonstrating that the EOs are not unconstitutional, in part because the EOs are limited in scope. For example, the EOs do not state that all efforts to advance DEI are illegal; rather, the “certification” and “enforcement threat” provisions apply only to conduct that violates existing anti-discrimination laws. Additionally, the “termination” provision directs the termination of grants based on the nature of the grant-funded activity, not the grantee’s external speech or activities, which both judges noted might implicate First and Fifth Amendment concerns. Judge Diaz further hinted that the anti-DEI EOs may be unconstitutionally vague as they lack clear definitions of what types of programs the Trump administration seeks to eliminate. Judge Allison Jones Rushing considered the injunction overbroad and believed the government is likely to demonstrate that the anti-DEI EOs are constitutional directives by the president to his officers. Judge Rushing also noted that the case may not be ripe for review because there is no specific agency action being challenged.
The ruling is not a final decision on the legality of the EOs. It merely allows the government to administer the policy while litigation continues. The Fourth Circuit will retain jurisdiction to hear the case on the merits and has agreed to an expedited briefing.
A final ruling on the merits is expected in the next three to six months. In the meantime, employers should keep working with legal counsel to proactively audit their DEI policies to ensure compliance with existing laws while maintaining alignment with company values.
Alivia Combe-DuQuet contributed to this article
FBI Warns of Hidden Threats in Remote Hiring: Are North Korean Hackers Your Newest Employees?
The Federal Bureau of Investigation (FBI) recently warned employers of increasing security risks from North Korean workers infiltrating U.S. companies by obtaining remote jobs to steal proprietary information and extort money to fund activities of the North Korean government. Companies that rely on remote hires face a tricky balancing act between rigorous job applicant vetting procedures and ensuring that new processes are compliant with state and federal laws governing automated decisionmaking and background checks or consumer reports.
Quick Hits
The FBI issued guidance regarding the growing threat from North Korean IT workers infiltrating U.S. companies to steal sensitive data and extort money, urging employers to enhance their cybersecurity measures and monitoring practices.
The FBI advised U.S. companies to improve their remote hiring procedures by implementing stringent identity verification techniques and educating HR staff on the risks posed by potential malicious actors, including the use of AI to disguise identities.
Imagine discovering your company’s proprietary data posted publicly online, leaked not through a sophisticated hack but through a seemingly legitimate remote employee hired through routine practices. This scenario reflects real threats highlighted in a series of recent FBI alerts: North Korean operatives posing as remote employees at U.S. companies to steal confidential data and disrupt business operations.
On January 23, 2025, the FBI issued another alert updating previous guidance to warn employers of “increasingly malicious activity” from the Democratic People’s Republic of Korea, or North Korea, including “data extortion.” The FBI said North Korean information technology (IT) workers have been “leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”
Specifically, the FBI warned that “[a]fter being discovered on company networks, North Korean IT workers” have extorted companies, holding their stolen proprietary data and code for ransom and have, in some cases, released such information publicly. Some workers have opened user accounts on code repositories, representing what the FBI described as “a large-scale risk of theft of company code.” Additionally, the FBI warned such workers “could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities.”
The alert came the same day the U.S. Department of Justice (DOJ) announced indictments against two North Korean nationals and two U.S. nationals alleging they engaged in a “fraudulent scheme” to obtain remote work and generate revenue for the North Korean government, including to fund its weapons programs.
“FBI investigation has uncovered a years-long plot to install North Korean IT workers as remote employees to generate revenue for the DPRK regime and evade sanctions,” Assistant Director Bryan Vorndran of the FBI’s Cyber Division said in a statement. “The indictments … should highlight to all American companies the risk posed by the North Korean government.”
Data Monitoring
The FBI recommended that companies take steps to improve their data monitoring, including:
“Practice the Principle of Least Privilege” on company networks.
“Monitor and investigate unusual network traffic,” including remote connections and remote desktops.
“Monitor network logs and browser session activity to identify data exfiltration.”
“Monitor endpoints for the use of software that allows for multiple audio/video calls to take place concurrently.”
Remote Hiring Processes
The FBI further recommended that employers strengthen their remote hiring processes to identify and screen potential bad actors. The recommendations come amid reports that North Korean IT workers have used strategies to defraud companies in hiring, including stealing the identities of U.S. individuals, hiring U.S. individuals to stand in for the North Korean IT workers, or using artificial intelligence (AI) or other technologies to disguise their identities. These techniques include “using artificial intelligence and face-swapping technology during video job interviews to obfuscate their true identities.”
The FBI recommended employers:
implement processes to verify identities during interviews, onboarding, and subsequent employment of remote workers;
educate human resources (HR) staff and other hiring managers on the threats of North Korean IT workers;
review job applicants’ email accounts and phone numbers for duplicate contact information among different applicants;
verify third-party staffing firms and those firms’ hiring practices;
ask “soft” interview questions about specific details of applicants’ locations and backgrounds;
watch for typos and unusual nomenclature in resumes; and
complete the hiring and onboarding process in person as much as possible.
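One way to carry out the duplicate-contact review in the list above, shown as an added example that is not from the FBI alert or this article: the record fields, the sample applicants, and the normalization rules (stripping "+tag" e-mail aliases, assuming US phone numbers) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample applicant records (not real people or data).
APPLICANTS = [
    {"id": "A-101", "email": "Jordan.Lee@example.com", "phone": "+1 (555) 010-0142"},
    {"id": "A-102", "email": "jordan.lee+dev@example.com", "phone": "555-010-0199"},
    {"id": "A-103", "email": "m.ortiz@example.org", "phone": "1-555-010-0142"},
    {"id": "A-104", "email": "sam.chen@example.net", "phone": "555.010.0177"},
]


def normalize_email(raw):
    """Lowercase and drop any '+tag' so aliases of one mailbox compare equal."""
    local, _, domain = raw.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def normalize_phone(raw):
    """Keep digits only; drop a leading US country code (assumes US numbers)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def find_shared_contacts(applicants):
    """Map (kind, normalized value) -> applicant ids, for values shared by 2+ applicants."""
    seen = defaultdict(set)
    for a in applicants:
        if a.get("email"):
            seen[("email", normalize_email(a["email"]))].add(a["id"])
        if a.get("phone"):
            seen[("phone", normalize_phone(a["phone"]))].add(a["id"])
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    for (kind, value), ids in sorted(find_shared_contacts(APPLICANTS).items()):
        print(f"shared {kind} {value}: {', '.join(ids)} -> route to manual review")
```

An exact-string comparison would miss both overlaps in the sample data, which is why the values are normalized first. Matches are leads for a human reviewer rather than an automated rejection signal, in line with the Legal Considerations section of this article.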
Legal Considerations
New vendors have entered the marketplace offering tools purportedly seeking to solve such remote hiring problems; however, companies may want to consider the legal pitfalls—and associated liability—that these processes may entail. These considerations include, but are not limited to:
Fair Credit Reporting Act (FCRA) Implications: If a third-party vendor evaluates candidates based on personal data (e.g., scraping public records or credit history), it may be considered a “consumer report.” The Consumer Financial Protection Bureau (CFPB) issued guidance in September 2024 taking that position as well, and to date, that guidance does not appear to have been rolled back.
Antidiscrimination Laws: These processes, especially as they might pertain to increased scrutiny or outright exclusion of specific demographics or countries, could disproportionately screen out protected groups in violation of Title VII of the Civil Rights Act of 1964 (e.g., causing disparate impact based on race, sex, etc.), even if unintentional. This risk exists regardless of whether the processes involve automated or manual decisionmaking; employers may be held liable for biased outcomes from AI just as if human decisions caused them—using a third-party vendor’s tool is not a defense.
Privacy Laws: Depending on the jurisdiction, companies’ vetting processes may implicate transparency requirements under data privacy laws, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the European Economic Area (EEA), when using third-party sources for candidate screening. Both laws require clear disclosure to applicants about the types of personal information collected, including information obtained from external background check providers, and how this information will be used and shared.
Automated Decisionmaking Laws: In the absence of overarching U.S. federal legislation, states are increasingly filling in the gap with laws regarding automated decisionmaking tools, covering everything from bias audits to notice, opt-out rights, and appeal rights. If a candidate is located in a foreign jurisdiction, such as in the EEA, the use of automated decisionmaking tools could trigger requirements under both the GDPR and the recently enacted EU Artificial Intelligence Act.
It is becoming increasingly clear that multinational employers cannot adopt a one-size-fits-all vetting algorithm. Instead, companies may need to calibrate their hiring tools to comply with the strictest applicable laws or implement region-specific processes. For instance, if a candidate is in the EEA, GDPR and EU AI Act requirements (among others) apply to the candidate’s data even if the company is U.S.-based, which may necessitate, at a minimum, turning off purely automated rejection features for EU applicants and maintaining separate workflows and/or consent forms depending on the candidate’s jurisdiction.
Next Steps
The FBI’s warning about North Korean IT workers infiltrating U.S. companies is the latest involving security risks from foreign governments and foreign actors to companies’ confidential data and proprietary information. Earlier this year, the U.S. Department of Homeland Security published new security requirements restricting access to certain transactions by individuals or entities operating in six “countries of concern,” including North Korea.
Employers, particularly those hiring remote IT workers, may want to review their hiring practices, identity-verification processes, and data monitoring, considering the FBI’s warnings and recommendations. Understanding and addressing these risks is increasingly vital, especially as remote hiring continues to expand across industries.