How to Report Cyber, AI, and Emerging Technologies Fraud and Qualify for an SEC Whistleblower Award
SEC Forms Cyber and Emerging Technologies Unit
On February 20, 2025, the SEC announced the creation of the Cyber and Emerging Technologies Unit (CETU) to focus on combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space. In announcing the formation of the CETU, Acting Chairman Mark T. Uyeda said:
The unit will not only protect investors but will also facilitate capital formation and market efficiency by clearing the way for innovation to grow. It will root out those seeking to misuse innovation to harm investors and diminish confidence in new technologies.
As detailed below, the SEC’s press release identifies CETU’s seven priority areas to combat fraud and misconduct. Whistleblowers can provide original information to the SEC about these types of violations and qualify for an award if their tip leads to a successful SEC enforcement action. The largest SEC whistleblower awards to date are:
$279 million SEC whistleblower award (May 5, 2023)
$114 million SEC whistleblower award (October 22, 2020)
$110 million SEC whistleblower award (September 15, 2021)
$104 million SEC whistleblower award (August 4, 2023)
$98 million SEC whistleblower award (August 23, 2024)
SEC Whistleblower Program
Under the SEC Whistleblower Program, the SEC will issue awards to whistleblowers who provide original information that leads to successful enforcement actions with total monetary sanctions in excess of $1 million. A whistleblower may receive an award of between 10% and 30% of the total monetary sanctions collected. The SEC Whistleblower Program allows whistleblowers to submit tips anonymously if represented by an attorney in connection with their disclosure.
In its short history, the SEC Whistleblower Program has had a tremendous impact on securities enforcement and has been replicated by other domestic and foreign regulators. Since 2011, the SEC has received an increasing number of whistleblower tips in nearly every fiscal year. In fiscal year 2024, the SEC received nearly 25,000 whistleblower tips and awarded over $225 million to whistleblowers.
The uptick in received tips, paired with the sizable awards given to whistleblowers, reflects the growth and continued success of the whistleblower program. See some of the SEC whistleblower cases that have resulted in large awards.
CETU Priority Areas for SEC Enforcement
The CETU will target seven areas of fraud and misconduct for SEC enforcement:
Fraud committed using emerging technologies, such as artificial intelligence (AI) and machine learning. For example, the SEC charged QZ Asset Management for allegedly falsely claiming that it would use its proprietary AI-based technology to help generate extraordinary weekly returns while promising “100%” protection for client funds. In a separate action, the SEC settled charges against investment advisers Delphia and Global Predictions for making false and misleading statements about their purported use of AI in their investment process.
Use of social media, the dark web, or false websites to perpetrate fraud. For example, the SEC charged Abraham Shafi, the founder and former CEO of Get Together Inc., a privately held social media startup known as “IRL,” for raising approximately $170 million from investors by allegedly fraudulently portraying IRL as a viral social media platform that organically attracted the vast majority of its purported 12 million users. In reality, IRL spent millions of dollars on advertisements that offered incentives to download the IRL app. Shafi hid those expenditures with offering documents that significantly understated the company’s marketing expenses and by routing advertising platform payments through third parties.
Hacking to obtain material nonpublic information. For example, the SEC brought charges against a U.K. citizen for allegedly hacking into the computer systems of public companies to obtain material nonpublic information and using that information to make millions of dollars in illicit profits by trading in advance of the companies’ public earnings announcements.
Takeovers of retail brokerage accounts. For example, the SEC charged two affiliates of JPMorgan Chase & Co. for failures including misleading disclosures to investors, breach of fiduciary duty, prohibited joint transactions and principal trades, and failures to make recommendations in the best interest of customers. According to the SEC’s order, a JP Morgan affiliate made misleading disclosures to brokerage customers who invested in its “Conduit” private funds products, which pooled customer money and invested it in private equity or hedge funds that would later distribute to the Conduit private funds shares of companies that went public. The order finds that, contrary to the disclosures, a JP Morgan affiliate exercised complete discretion over when to sell and the number of shares to be sold. As a result, investors were subject to market risk, and the value of certain shares declined significantly as JP Morgan took months to sell the shares.
Fraud involving blockchain technology and crypto assets. For example, the SEC brought charges against Terraform Labs and its founder Do Kwon for orchestrating a multi-billion dollar crypto asset securities fraud involving an algorithmic stablecoin and other crypto asset securities. In a separate action, the SEC brought charges against FTX CEO Samuel Bankman-Fried for a years-long fraud to conceal from FTX’s investors (1) the undisclosed diversion of FTX customers’ funds to Alameda Research LLC, his privately-held crypto hedge fund; (2) the undisclosed special treatment afforded to Alameda on the FTX platform, including providing Alameda with a virtually unlimited “line of credit” funded by the platform’s customers and exempting Alameda from certain key FTX risk mitigation measures; and (3) undisclosed risk stemming from FTX’s exposure to Alameda’s significant holdings of overvalued, illiquid assets such as FTX-affiliated tokens.
Regulated entities’ compliance with cybersecurity rules and regulations. For example, the SEC settled charges against transfer agent Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust Company LLC, for failures to ensure that client securities and funds were protected against theft or misuse, which led to losses of millions of dollars in client funds.
Public issuer fraudulent disclosure relating to cybersecurity. For example, the SEC settled charges against software company Blackbaud Inc. for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers. Blackbaud agreed to pay a $3 million civil penalty to settle the charges. In a separate action, the SEC settled charges against The Intercontinental Exchange, Inc. and nine wholly owned subsidiaries, including the New York Stock Exchange, for failing to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity.
How to Report Fraud to the SEC and Qualify for an SEC Whistleblower Award
To report a fraud (or any other violations of the federal securities laws) and qualify for an award under the SEC Whistleblower Program, the SEC requires that whistleblowers or their attorneys report the tip online through the SEC’s Tip, Complaint or Referral Portal or mail/fax a Form TCR to the SEC Office of the Whistleblower. Prior to submitting a tip, whistleblowers should consult with an experienced whistleblower attorney and review the SEC whistleblower rules to, among other things, understand eligibility rules and consider the factors that can significantly increase or decrease the size of a future whistleblower award.
CTA UPDATE: US District Court Reinstates Reporting Requirement; FinCEN Grants 30-Day Filing Extension
Go-To Guide:
On Feb. 18, 2025, the U.S. District Court for the Eastern District of Texas granted the government’s motion to stay relief in Smith v. U.S. Department of the Treasury, thereby lifting the injunction against the Corporate Transparency Act (CTA) that had been in place in that case.
As a result, FinCEN confirmed that beneficial ownership information (BOI) reporting requirements under the CTA are once again back in effect, subject to a 30-day filing extension.
Most entities will have a reporting deadline of March 21, 2025 (except for reporting companies with later reporting deadlines under existing guidelines).
The CTA’s status has shifted multiple times1 since Dec. 3, 2024, when a Texas district court in Texas Top Cop Shop, Inc. v. McHenry (formerly Texas Top Cop Shop, Inc. v. Garland) preliminarily enjoined the CTA and its BOI reporting rule (Reporting Rule) on a nationwide basis.
On Jan. 7, 2025, a second federal judge of the U.S. District Court for the Eastern District of Texas (the District Court) ordered preliminary relief barring CTA enforcement in Smith v. U.S. Department of the Treasury.2 Then, notwithstanding the SCOTUS Order staying the injunction in Texas Top Cop Shop, on Jan. 24, 2025, FinCEN confirmed that reporting companies were not required to file BOI Reports with FinCEN due to the separate nationwide relief entered in Smith (and while the order in Smith remained in effect). On Feb. 5, 2025, the government appealed the ruling in Smith to the U.S. Court of Appeals for the Fifth Circuit (the Fifth Circuit) and asked the District Court to stay relief pending that appeal.
CTA Reporting Requirements Back in Effect
On Feb. 18, 2025, the District Court in Smith granted a stay of its preliminary injunction pending appeal, thereby reinstating BOI reporting requirements once again. On Feb. 19, 2025, FinCEN issued guidance on its website to reflect this update and to announce that companies have 30 days to submit BOI reports:
With the February 18, 2025, decision by the U.S. District Court for the Eastern District of Texas in Smith, et al. v. U.S. Department of the Treasury, et al., 6:24-cv-00336 (E.D. Tex.), beneficial ownership information (BOI) reporting requirements under the Corporate Transparency Act (CTA) are once again back in effect. However, because the Department of the Treasury recognizes that reporting companies may need additional time to comply with their BOI reporting obligations, FinCEN is generally extending the deadline 30 calendar days from February 19, 2025, for most companies.
New Filing Deadlines
Most reporting companies will be required to file BOI reports no later than March 21, 2025, as follows:
The new deadline to file an initial, updated, and/or corrected BOI report is generally now March 21, 2025.
Companies that were previously given a reporting deadline later than the March 21, 2025, deadline must file their initial BOI report by that later deadline (i.e., companies that qualify for certain disaster relief extensions and companies formed on or after Feb. 20, 2025).
Looking Ahead
In its guidance, FinCEN indicates that it will assess its options to further modify deadlines and initiate a process this year to revise the Reporting Rule to reduce burden for lower-risk entities, including many U.S. small businesses. How this will impact BOI reporting requirements remains to be seen.
Expedited oral arguments for the Fifth Circuit appeal in Texas Top Cop Shop are set for March 25, 2025. Unless the courts or Congress3 provide further relief, reporting companies should prepare to comply with the deadlines outlined above. Additionally, reporting companies should stay updated on FinCEN announcements, as further adjustments to reporting deadlines could be issued within the next 30 days.
1 On Dec. 3, 2024, the CTA and its BOI reporting rule were preliminary enjoined on a nationwide basis, approximately four weeks ahead of a key Jan. 1, 2025, deadline. FinCEN appealed that ruling, and on Dec. 23, 2024, a motions panel of the U.S. Court of Appeal for the Fifth Circuit stayed the injunction, allowing the CTA to go back into effect. Three days later, on Dec. 26, 2024, a merits panel of the Fifth Circuit vacated the motion panel’s stay, effectively reinstating the nationwide preliminary injunction against the CTA and the Reporting Rule. On Dec. 31, 2024, the government filed an emergency application with the U.S. Supreme Court to stay that preliminary injunction. On Jan. 23, 2025, the Supreme Court granted that application (the SCOTUS Order), staying the nationwide preliminary injunction in Texas Top Cop Shop, Inc. v. McHenry. McHenry v. Texas Top Cop Shop, Inc., No. 24A653, 2025 WL 272062 (U.S. Jan. 23, 2025).
2 See Smith v. United States Dep’t of the Treasury, No. 6:24-CV-336-JDK, 2025 WL 41924 (E.D. Tex. Jan. 7, 2025).
3 On Feb. 10, 2025, the House of Representatives unanimously passed the Protect Small Businesses from Excessive Paperwork Act (H.R. 736, 119th Cong. (2025)). The bill has moved to the Senate for consideration. If enacted, the bill will extend the reporting deadline for entities that qualify as “a small business concern” to Jan. 1, 2026.
The Return of the CTA: FinCEN Confirms that Beneficial Ownership Information Reporting Requirements are Back in Effect with a New Deadline of March 21, 2025
On February 19, 2025, the Financial Crimes Enforcement Network (“FinCEN”) announced that beneficial ownership information reporting requirements under the Corporate Transparency Act (“CTA”) are back in effect with a new deadline of March 21, 2025 for most reporting companies. This announcement came in response to the decision made on February 17, 2025 by the U.S. District for the Eastern District of Texas in Smith v. U.S. Department of the Treasury, No. 6:24-cv-336-JDK, 2025 WL 41924 (E.D. Tex.) to stay (lift) the preliminary injunction on enforcement of the CTA.
In addition to the deadline extension of 30 calendar days from February 19, 2025, FinCEN notably stated that “in keeping with Treasury’s commitment to reducing regulatory burden on businesses, during this 30-day period FinCEN will assess its options to further modify deadlines, while prioritizing reporting for those entities that pose the most significant national security risks. FinCEN also intends to initiate a process this year to revise the BOI reporting rule to reduce burden for lower-risk entities, including many U.S. small businesses.”
FinCEN did not provide any further details regarding how or when the BOI reporting rule would be revised. However, FinCEN did note that it would provide an update before the March 21, 2025 deadline “of any further modification of this deadline, recognizing that reporting companies may need additional time to comply with their BOI reporting obligations once this update is provided.” The full notice from FinCEN can be read here: FinCEN Notice, FIN-2025-CTA1, 2/18/2025.
Meanwhile, in Congress, several bills have been proposed that, if signed into law, would push the reporting deadline out still further. On February 10, 2025, the Protect Small Business from Excessive Paperwork Act of 2025, H.R. 736, co-lead by U.S. Representatives Zachary Nunn (R-IA), Sharice Davids (D-KS), Tom Emmer (R-MN) and Don Davis (D-NC), unanimously passed by the House. This bill, if passed into law, would modify the deadline for filing of initial BOI reports by reporting companies that existed before January 1, 2024 to not later than Jan. 1, 2026. On February 12, 2025, the Protect Small Business Excessive Paperwork Act of 2025 – companion legislation in the Senate that would likewise extend the filing deadline until January 1, 2026 – was introduced by U.S. Senators Katie Britt (R-AL) and Tim Scott (R-SC) and referred to the Committee on Banking, Housing and Urban Affairs.
Additionally, on January 15, 2025, another bill – the Repealing Big Brother Overreach Act – was introduced by U.S. Senator Tommy Tuberville (R-AL) in the Senate and re-introduced by U.S. Representative Warren Davidson (R-OH) in the House. This bill, if passed into law, would repeal the CTA entirely.
As noted above and in previous posts, the CTA landscape remains volatile. The Sheppard Mullin CTA Task Force will continue to monitor the various court cases, both in Texas and in other jurisdictions around the country, as well as the legislative bills that are making their way through the House and Senate, and will continue to provide updates as they become available. In the meantime, reporting companies are advised to comply with the law as it currently stands and, barring any further updates from FinCEN, should being filing BOI reports again if they have not already done so.
For background information about the CTA and its reporting requirements (including answers to several frequently asked questions), please refer to our previous blog post, dated November 5, 2024. For more information about the history of the CTA litigation mentioned above, please refer to our blog post, dated January 3, 2025.
Additional information about the CTA requirements can be found at the following FinCEN websites:
FinCEN’s website regarding beneficial ownership information
FinCEN’s Small Entity Compliance Guide
FinCEN’s BOIR Frequently Asked Questions (https://www.fincen.gov/boi-faqs)
Recent Developments: Nationwide CTA Injunction Lifted, New March 21, 2025, Reporting Deadline Set, and Reporting Rule May Be Modified
Key Takeaways:
The Corporate Transparency Act (CTA) reporting requirements are back in effect following a Texas district court decision entered on February 18.
According to the Financial Crime Enforcement Network (FinCEN), the new general deadline for most reporting companies filing initial, updated, and corrected BOI reports is March 21and the deadline for a reporting company with a previously given later deadline is the later deadline.
In the interim, FinCEN “will assess its options to further modify deadlines, while prioritizing reporting for those entities that pose the most significant national security risks.”
FinCEN also “intends to initiate a process this year to revise the BOI reporting rule to reduce burden for lower-risk entities, including many U.S. small businesses.”
Background:
On January 23, 2025, the United States Supreme Court (SCOTUS) reversed the U.S. district court’s preliminary injunction staying the Corporate Transparency Act (CTA) and the implementing Reporting Rule in Texas Top Cop Shop v McHenry (f/k/a Texas Top Cop Shop v Garland), Case No. 4:24-cv-00478 (E.D. Tex. 2024). For background, see our previous alerts describing the Texas Top Cop Shop district court’s December 3, 2024, opinion and order, and the Fifth Circuit’s decisions lifting and later reinstating the district court’s nationwide stay.[1]
A separate nationwide stay of the CTA Reporting Rule issued on January 7, 2025, by another Texas district court in Smith v U.S. Department of Treasury, Case No. 6:24-cv-00336 (E.D. Tex. Jan 7, 2025) was not affected by the SCOTUS order in Texas Top Cop Shop and remained in effect.[2]
On January 24, 2025, FinCEN published an updated alert acknowledging that, in light of the continuing effect of the nationwide stay in Smith, reporting companies were at that time not required to report beneficial ownership information but could do so voluntarily.[3]
On February 5, 2025, the Department of Justice (DOJ) appealed the Smith nationwide stay to the Fifth Circuit and filed a motion with the Smith district court asking it to lift that stay in view of the SCOTUS order in Texas Top Cop Shop. DOJ stated that, if lifted, FinCEN intended to extend reporting deadlines for 30 days and, during that period, evaluate whether to revise reporting requirements on “low-risk” entities and prioritize enforcement on the “most significant national security risks.”
On February 6, 2025, FinCEN published a new alert acknowledging the DOJ’s pending appeal in Smith and motion requesting the district court to lift the stay in Smith. FinCEN also confirmed its intention, if the stay was lifted, to extend the reporting deadline by 30 days and to assess options to modify further reporting deadlines for “lower-risk” entities during the 30-day period.
Smith District Court Lifts Stay of CTA Reporting Rule:
On February 18, 2025, the Smith district court stayed the preliminary relief granted in its January 5, 2025, order, including the nationwide stay of the CTA Reporting Rule, pending disposition of the Smith appeal to the Fifth Circuit.[4]
CTA Reporting Requirements Back in Effect:
On February 19, 2025, FinCEN published an updated alert stating that, in view of the Smith district court’s decision, “beneficial ownership information (BOI) reporting requirements under the Corporate Transparency Act (CTA) are once again back in effect.” FinCEN generally extended the deadline for most reporting companies filing initial, updated and corrected BOI reports to March 21, 2025 (30 calendar days from February 19, 2025). FinCEN also stated that “during this 30-day period, FinCEN will assess its options to further modify deadlines, while prioritizing reporting for those entities that pose the most significant national security risks” and that “FinCEN also intends to initiate a process this year to revise the BOI reporting rule to reduce burden for lower-risk entities, including many U.S. small businesses.” At the same time, FinCEN also updated two other alerts with respect to Texas Top Cop Shop and National Small Business United v Yellen.[5]
FinCEN Updated CTA Reporting Deadlines:
The updated deadlines, as set forth in the FinCEN updated alert, follow:
For the “vast majority” of reporting companies, the new deadline to file an initial, updated, and/or corrected BOI report is March 21, 2025. FinCEN also stated that it will provide an update before that deadline of any further deadline modifications, recognizing that more time may be needed to meet BOI reporting obligations.
For reporting companies that were previously given a reporting deadline later than the March 21, 2025, the applicable deadline is that later deadline. FinCEN included as an example, “if a company’s reporting deadline is in April 2025 because it qualifies for certain disaster relief extensions, it should follow the April deadline, not the March deadline.”
FinCEN also noted that the plaintiffs in National Small Business United v. Yellen are not currently required to report their beneficial ownership information to FinCEN. See FinCEN alert “Notice Regarding National Small Business United v. Yellen, No. 5:22-cv-01448 (N.D. Ala.)”.
For additional information, see the FinCEN February 19, 2025, updated Alert, Beneficial Ownership Information Reporting | FinCEN.gov], and FinCEN Notice, FIN-2025-CTA1, FinCEN Extends Beneficial Ownership Information Reporting Deadline by 30 Days; Announces Intention to Revise Reporting Rule (February 18, 2025).
If you have questions about your CTA-related engagement with the firm, please contact your Miller Canfield lawyer for further guidance.
[1] Corporate Transparency Act: Miller Canfield
[2] See the Smith district court’s opinion and order here: [Smith et al v. United States Department of The Treasury et al, No. 6:2024cv00336 – Document 30 (E.D. Tex. 2025).]
[3] The current FinCEN Alerts can be found here [Beneficial Ownership Information Reporting | FinCEN.gov.]
[4] gov.uscourts.txed.232897.39.0.pdf
[5] [Beneficial Ownership Information Reporting | FinCEN.gov]
The CTA Strikes Back
Following a cascade of developments, the Corporate Transparency Act (CTA) is back, but with some potential changes on the horizon. Most reporting companies that have not yet filed all required reports under the CTA should prepare to file their initial, updated, or corrected reports by March 21, 2025.
In our recent alert on the CTA, we noted that the US Court of Appeals for the Fifth Circuit on December 26 reinstated a nationwide injunction prohibiting the government from enforcing the CTA. That injunction was stayed by the US Supreme Court on January 23, but a district court order in another case, Smith v. US Department of the Treasury, kept the CTA offline.
Court Orders the CTA Back into Effect
By an order dated February 17, however, the final district court order in the Smith case that was preventing the CTA’s enforcement was lifted by the US District Court for the Eastern District of Texas. As a result, beneficial ownership information (BOI) reporting requirements under the CTA are now back in effect.
FinCEN’s Response
In response, the Financial Crimes Enforcement Network (FinCEN) issued a notice stating that the new deadline for most reporting companies to file an initial, updated, or corrected BOI report is now March 21, 2025. Reporting companies that were previously given a reporting deadline later than March 21 (such as those qualifying for certain disaster relief extensions or those that were formed in late December 2024) have until that later deadline to file their initial BOI reports.
FinCEN’s notice further states that the government, recognizing that reporting companies may need additional time to comply with their BOI reporting obligations, will provide an update before March 21 of any further modifications to this deadline. FinCEN also observes that it will initiate a process this year to revise the BOI reporting rule to reduce burdens for “lower-risk entities,” including many US small businesses, although the notice does not go into detail on what companies might fall within that category or what changes may be contemplated.
Potential Future Court Action?
While it is possible that a court may find the CTA to be unconstitutional or otherwise stay its enforcement once again, there are no guarantees that this will occur (if at all) before the new March 21 deadline.
Potential Legislative Action?
There also remains the possibility of legislative action. On February 10, the US House of Representatives unanimously passed a bill, H.R. 736 (the Protect Small Businesses from Excessive Paperwork Act of 2025), to extend the filing deadline to January 1, 2026, for reporting companies formed before January 1, 2024. That bill is now under consideration in the US Senate, although, as of the publication of this alert, there is no indication of whether or when there may be further action on the bill in the Senate.
What Now?
In light of these developments, reporting companies should resume their CTA compliance efforts to file the requisite BOI reports by March 21 (or, as applicable, a later reporting deadline for those reporting companies that were previously given a reporting deadline later than March 21).
Client Alert- Corporate Transparency Act Is Back in Effect – Another Major Update
As has now been well reported, in 2021 Congress enacted the Corporate Transparency Act (the “CTA”), which empowers the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) to collect information about “Beneficial Owners” of certain privately held entities for the purpose of deterring illicit activities through the operation of shell corporations and LLCs.
Entities formed on or after Jan. 1, 2024, that are subject to the CTA were to disclose to FinCEN information about their Beneficial Owners within 90 days of formation or any change for entities (Beneficial Ownership Interest Reports or “BOIR”). Entities formed prior to Jan. 1, 2024, were to have until Dec. 31, 2024, to file BOIRs. However, in the latter part of 2024, a series of lawsuits were brought challenging the constitutionality of the CTA; they have served to delay the reporting requirements of the CTA and have created confusion and uncertainty regarding the CTA for more than 30 million entities.
The most recent event occurred on Feb. 17, 2025, when the U.S. District Court for the Eastern District of Texas, Tyler Division issued a decision in Smith, et al. v. U.S. Department of the Treasury, et al., lifting the stay the Court had ordered on Jan. 7, 2025, that prevented FinCEN from enforcing the BOIR requirements on a nationwide basis.
In view of this decision, FinCEN issued guidance on Feb. 18, 2025, stating that the requirement to file BOIRs under the CTA is once again back in effect. For the vast majority of reporting companies, the new deadline to file an initial, updated, and/ or corrected BOIR is now March 21, 2025. FinCEN indicated that it will provide an update before then of any further modification of this deadline, recognizing that reporting companies may need additional time to comply with their reporting obligations once this update is provided.
The following chronology of events leading up to Feb. 18 underscores the confusion surrounding the CTA:
On Dec. 3, 2024, in the case of Texas Top Cop Shop, Inc., et al. Garland, et al., the U.S. District for the Eastern District of Texas, Sherman Division, issued an order prohibiting the federal government from enforcing the CTA anywhere in the country. The Court determined that the CTA was likely unconstitutional, and that its implementation would irreparably harm companies if they were forced to comply.
On Jan. 7, 2025, in the case of Smith case, the U.S. District Court for the Eastern District of Texas, Tyler Division, issued an order enjoining the government from enforcing the CTA against the plaintiffs and staying FinCEN’s regulations relating to the implementation of the CTA’s reporting requirements.
On Jan. 20, 2025, President Trump signed an Executive Order titled “Regulatory Freeze Pending Review,” which provides in part:
“I hereby order all executive departments and agencies to take the following steps:
(1) Do not propose or issue any rule in any manner, including by sending a rule to the Office of the Federal Register (the “OFR”), until a department or agency head appointed or designated by the President after noon on January 20, 2025, reviews and approves the rule.”
The impact of this Order on FinCEN’s ability to issue new filing deadlines is uncertain.
On Jan. 23, 2025, the U.S. Supreme Court stayed (i.e., halted) the injunction issued in the Texas Top Cop Shop decision but did not address the injunction in
On Jan. 24, FinCEN issued the following:
“In light of a recent federal court order, reporting companies are not currently required to file beneficial ownership information with FinCEN and are not subject to liability if they fail to do so while the order remains in force… However, reporting companies may continue to voluntarily submit beneficial ownership information reports.”
On Feb. 5, 2025, the federal government filed an appeal in the Eastern District of Texas challenging the injunction in Smith based on the Supreme Court’s ruling in Texas Top Cop Shop. FinCEN has indicated that if the remaining nationwide injunction in Smith is stayed, it intends to resume enforcement of the CTA and extend the reporting deadline by at least 30 days from the issuance of the stay.
On Feb. 10, 2025, the House of Representatives unanimously passed R. 736 — 119th Congress (2025-2026), the Protect Small Business from Excessive Paperwork Act of 2025. This bill would require reporting companies formed or registered before Jan. 1, 2024, to submit reports to FinCEN by Jan. 1, 2026, instead of by Jan. 1, 2025.
Prior to the above- mentioned Court decision on Feb. 17, some entities were taking take a “wait and see approach,” taking the risk of having to make a filing quickly. Other entities were more proactive and made a voluntary filing. With the February Court decision and FinCEN’s resulting position, a “wait and see approach” is no longer an option, at least not for now. But uncertainty regarding the ultimate fate of the CTA remains in view if the Executive Order described above and the possibility that the U.S. Supreme Court may rule on its constitutionality.
Stay tuned!
Joint Cybersecurity Advisory Released on Ghost (Cring) Ransomware
The Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center released an advisory on February 19, 2025, providing information on Ghost ransomware activity.
According to the advisory, “Ghost actors conduct these widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet facing services.” They use publicly available code to exploit Common Vulnerability Exposures (CVE) that have not been patched. The CVEs used by Ghost include CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.
The advisory urges organizations to:
Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 2.F].
Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
The advisory details how Ghost (Cring) is gaining initial access, executing applications, escalating privileges, obtaining credentials, evading defenses, moving laterally, and exfiltrating data. It also provides indicators of compromise and email addresses used by the threat actors.
Patching continues to be a crucial block-and-tackle technique, and timely patching is critical for mitigating exploitation. Blocking known malicious emails is a proven tactic to mitigate access. Review the advisory to ensure the applicable patches have been applied and the malicious emails associated with Ghost have been blocked.
Corporate Transparency Act Back in Effect and Extended Deadline
On February 18, 2025, the U.S. District Court for the Eastern District of Texas lifted the nationwide injunction it had previously issued against the enforcement of the Corporate Transparency Act (CTA).1 As a result, the CTA reporting requirements are effective again.
In response, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) has extended the deadline for most reporting companies by 30 days, moving the new deadline to March 21, 2025. Reporting companies that were granted later deadlines—such as those with disaster relief extensions to April 2025—should continue to follow their original deadlines. Unlike prior deadlines, there is no distinction between companies formed before or after January 1, 2024 in terms of the deadline.
During this 30-day period, FinCEN will assess the possibility of further deadline changes and focus on prioritizing reporting from entities that pose higher national security risks. Additionally, FinCEN plans to revise the BOI reporting rule later this year to reduce the administrative burden on lower-risk businesses, including many small U.S. businesses.
However, it is unclear whether any changes will occur before the March 21, 2025 deadline.
What This Means for Your Reporting Company:
The CTA reporting requirements are back in effect.
If you do not have significant business or privacy concerns, you should submit your filings now.
If you have concerns, prepare your materials to file closer to the deadline if no updated guidelines or deadlines are issued.
New deadline for companies: March 21, 2025 (unless your reporting company has a later deadline).2
1 Background on Court Cases:
On December 3, 2024, the U.S. District Court for the Eastern District of Texas issued a nationwide injunction in Texas Top Cop Shop, Inc., et al. v. Merrick Garland, et al. On January 23, 2025, the Supreme Court ordered that the injunction be lifted.
On January 7, 2025, the same U.S. District Court issued another nationwide injunction in Smith v. U.S. Department of the Treasury. On February 18, 2025, the court lifted its injunction. With no more nationwide injunctions in place, the CTA came back into effect. The Department of Justice has filed an appeal, and the injunction will remain lifted until the appeal is completed.
2 The CTA is still not being enforced against the plaintiffs in National Small Business United v. Yellen.
CTA Back in Action: FinCEN’s New BOI Report Deadline March 21, 2025
Highlights
The U.S. District Court for the Eastern District of Texas granted a stay of its earlier injunction that suspended enforcement of the Corporate Transparency Act (CTA) and its Beneficial Ownership Information (BOI) reporting rule
FinCEN is once again permitted to enforce reporting obligations under the CTA to file BOI reports
FinCEN providing a 30-day extension of BOI reporting deadline to March 21, 2025
Continuing a series of rapid-fire legal developments regarding the Corporate Transparency Act (CTA), on Feb. 18, 2025, the U.S. District Court for the Eastern District of Texas issued a stay of its own Jan. 7, 2025 injunction prohibiting the Financial Crimes Enforcement Network’s (FinCEN) implementation of Beneficial Ownership Information (BOI) reporting requirements, which precluded FinCEN from requiring BOI reporting or otherwise enforcing the CTA’s requirements.
As a result of the new stay, reporting obligations and deadlines under the CTA can be enforced by FinCEN.
FinCEN issued a Feb. 18 notice updating the BOI report filing deadlines, including an initial BOI report filing deadline of March 21, 2025. FinCEN clarified its various deadlines as follows:
For the vast majority of reporting companies, the new deadline to file an initial, updated, and/or corrected BOI report is now March 21, 2025.
Reporting companies previously given a reporting deadline later than the March 21, 2025, deadline are required to file their initial BOI report by such later deadline. For example, if a company’s reporting deadline was extended to April 2025 as a result of certain disaster relief extensions, it should continue to follow the April deadline.
Plaintiffs in National Small Business United v. Yellen are not currently required to report their beneficial ownership information to FinCEN.
FinCEN summarized the impact of the newest stay as follows: “Given this decision, FinCEN’s regulations implementing the BOI reporting requirements of the CTA are no longer stayed. Thus, subject to any applicable court orders, BOI reporting is now mandatory, but FinCEN is providing additional time for companies to report.” FinCEN is empowered to enforce the CTA, its BOI reporting rule and all applicable deadlines until the pending appeal is completed.
To recap recent developments:
Dec. 3, 2024 – The U.S. District Court for the Eastern District of Texas issued a nationwide injunction enjoining enforcement of the CTA, suspending all reporting obligations under the act (Texas Top Cop Shop, Inc. v. McHenry – formerly, Texas Top Cop Shop v. Garland). This order was amended Dec. 5, 2024.
Dec. 23, 2024 – The motions panel of the U.S. Court of Appeals for the Fifth Circuit granted a stay of the district court injunction. The stay by the Court of Appeals restored initial reporting deadlines for reporting companies. FinCEN responded by issuing an alert extending initial reporting deadlines.
Dec. 26, 2024 – The merits panel of the Fifth Circuit vacated the stay issued by its motions panel, restoring the district court’s injunction and suspending reporting obligations under the CTA pending resolution of the appeal.
Dec. 31, 2024 – The Department of Justice filed an application for stay with the U.S. Supreme Court requesting that the Dec. 5 injunction be stayed or narrowed while the case proceeds through the Fifth Circuit.
Jan. 7, 2025 – The U.S. District Court for the Northern District of Texas issued a second nationwide injunction enjoining enforcement of the CTA, suspending all reporting obligations under the CTA (Smith v. U.S. Department of the Treasury).
Jan. 23, 2025 – The U.S. Supreme Court granted a stay of the Dec. 3rd injunction pending the disposition of the Texas Top Cop Shop appeal before the Fifth Circuit and the disposition of a petition for a writ of certiorari and related final judgment.
Feb. 18, 2025, the U.S. District Court for the Eastern District of Texas agreed to stay its Jan. 7, 2025, order until the appeal in the Smith case is completed.
FinCEN, in its notice published Feb. 19, 2025, clarified that the agency may, nevertheless, extend certain deadlines and change the BOI reporting obligations for certain low-risk entities, like small businesses. FinCEN noted that, “in keeping with Treasury’s commitment to reducing regulatory burden on businesses, during this 30-day period FinCEN will assess its options to further modify deadlines, while prioritizing reporting for those entities that pose the most significant national security risks. FinCEN also intends to initiate a process this year to revise the BOI reporting rule to reduce burden for lower-risk entities, including many U.S. small businesses.”
It may be the case that in the coming month FinCEN again extends or modifies the applicable reporting deadlines for initial and updated BOI reports. In addition, the U.S. House of Representatives unanimously passed a bill that would extend the filing deadline for a majority of entities to Jan. 1, 2026. A similar Senate bill has been introduced but, as of the date of this alert, had not been passed.
CTA Reporting Requirements Reinstated and Beneficial Ownership Reports Due March 21, 2025 for Most Reporting Companies
The beneficial ownership information reporting requirements of the Corporate Transparency Act (CTA) are now back in force. As described in more detail below, the majority of Reporting Companies are required to file their initial, amended, or corrected beneficial ownership information reports (BOIRs) by March 21, 2025, absent any subsequent legal developments.
On February 17, 2025, the US District Court for the Eastern District of Texas in Smith, et al. v. U.S. Department of the Treasury, et al., Case No. 6:24-cv-00336 (E.D. Tex.), stayed a preliminary injunction enjoining the Reporting Rule containing compliance deadlines to file BOIRs. This order removed the final hurdle (for now) blocking the CTA’s reporting deadlines and requirements.
As previously indicated, the Financial Crimes Enforcement Network (FinCEN) extended a 30-day grace period for Reporting Companies to file BOIRs. Specifically, on February 19, 2025, FinCEN published an official notice stating that FinCEN is generally extending the reporting deadline for most Reporting Companies that were previously required to file BOIRs, but have not already done so, to March 21, 2025. FinCEN also noted that (a) during this period FinCEN would “assess its options to further modify deadlines, while prioritizing reporting for those entities that pose the most significant national security risks,” and (b) it intends to revise the CTA’s Reporting Rule to reduce burdens for lower-risk, small business entities. Note that, in parallel, there are several bills pending in Congress to repeal the CTA and to extend certain reporting deadlines to January 2026. As there can be no guarantee that FinCEN will further extend the grace period, or that a subsequent legal development will once again intervene with the enforcement of the CTA, Reporting Companies should prepare to file their BOIRs by March 21, 2025.
A copy of the official FinCEN notice may be accessed here.
Scott Vetri and Walter Weinberg contributed to this article
Anti-Kickback Statute Premised False Claims Cases: The “But For” Causation Standard Finds Support from First Circuit
It’s now 3–1, with the First Circuit (2025) aligning with the Sixth (2023) and Eighth (2022) Circuits finding the meaning of the words “resulting from” — as used in a 2010 amendment to the federal Anti-Kickback Statute (AKS) — to require “but for” causation in AKS-premised False Claims Act (FCA) cases. This is the third time a circuit court has diverged from the 2018 Third Circuit decision, which held that the phrase “resulting from” requires the government (or relator) to prove only a link “between the alleged kickbacks and the medical care received. . . .”
Notably, in October 2023, the Supreme Court declined to review the Sixth Circuit Court of Appeals case. As such, the circuit split on causation continues — and all parties should be aware of the applicable case law where they reside.
Background
In 2010, Congress amended the AKS to provide that any Medicare claim “that includes items or services resulting from a violation of [the AKS] constitutes a false or fraudulent claim for purposes of [the FCA].” Fifteen years later, the courts are still working through what this amendment means for FCA cases.
In the First Circuit case, United States v. Regeneron Pharmaceuticals, Inc., the complaint alleged Regeneron’s efforts to funnel money into Chronic Disease Fund — an independent charitable foundation — specifically to reimburse patients’ copays from one of Regeneron’s products, Eylea, violated the AKS, and the resulting claims to Medicare were allegedly tainted by these illegal kickbacks in violation of the FCA.
This case was before Chief Judge Saylor in the District of Massachusetts. Three months after a different District of Massachusetts court judge found “but for” causation is not the causation standard in AKS-premised FCA cases, Chief Judge Saylor wrote the opinion in Regeneron, finding the “but for” standard applicable in AKS-premised FCA cases and denied the government’s motion for summary judgment. Chief Judge Saylor explicitly called out that the Third Circuit case was not binding and that the “only a link” standard “is divorced from the actual language of the statute and from basic principles of statutory interpretation.” The case was then appealed to the First Circuit.
On July 22, 2024, the First Circuit heard oral argument on what the appropriate standard of causation is for AKS-premised FCA claims. The specific issue on appeal was whether a “claim” under the FCA “result[s] from” a kickback only if the claim would not have included the items or services but for the kickback. On February 18, 2025, the First Circuit released its opinion in United States v. Regeneron Pharma., Inc., finding against the government in holding an AKS violation must be a “but for” cause of the challenged claim.
But-For Causation in Regeneron
There is a default assumption derived from the Supreme Court that “resulting from” is read as calling for a but-for causation standard “in the usual course.” While this is not an immutable rule, there needs to be support for any deviation to the typical reading.
Regeneron argued that a but-for causation standard was appropriate, and there is no reason to deviate from the standard reading. Specifically, Regeneron argued that under the 2010 AKS amendment, the government bears the burden of proving an AKS violation actually caused a provider to provide different medical treatment (and thus caused the false claim). That is, the claim would not have been submitted but for the alleged kickback.
Meanwhile, the government argued that this is exactly this situation where the usual does not apply with three points:
The AKS itself requires no proof that the government would not have paid a claim but for the inducement of the offered kickback.
Congress did not intend to alter false-certification case law by imposing a but-for causation requirement in the 2010 AKS amendment.
Legislative history for the 2010 AKS amendment supports something other than the but-for causation.
None of these arguments were persuasive to the First Circuit, which found “no convincing ‘textual or contextual’ reason to deviate from the default presumption that the phrase ‘resulting from’ as used in the 2010 amendment imposes a but for causation standard.” As a result, the First Circuit held the government must show that an illicit kickback was the but-for cause of a submitted claim.
Looking Ahead
While the spoken Circuit Courts are generally finding in favor of “but for” causation for AKS-premised FCA cases, several circuit courts have yet to weigh in, and there is a split with the Third Circuit. Unless and until the Supreme Court grants certiorari on a causation case, we will continue to see differences on how courts approach these issues within district courts without controlling case law. Government attorneys and the relators’ bar may continue to try out different theories, hoping a court may find them persuasive, which could result in splits between district courts and a deeper divide at the circuit courts.
Observers and impacted parties will want to watch the developing case law in this area to see how courts square with this circuit split.
Want to learn more about recent FCA developments?
Renewed Prohibition on Use of Sub-Regulatory Guidance – Key to False Claims Act Cases
Medicare Advantage: A Circuit Court Addresses What is (or is not) Material in False Claims Act Cases
Chevron’s Demise Creates New False Claims Act Defenses
Loper Bright False Claims Act Developments
Online Advertisements Found to Monetize Piracy and Child Pornography
“Online Advertising Hits Rock Bottom” screams one recent headline, as reports from ad fraud researchers purportedly have found evidence that online ads for mainstream brands have appeared on websites dedicated to the display and sharing of child pornography. Some others have appeared on sites that facilitate sharing of video content. There is little doubt that the who’s who of major brands whose ads may have appeared on such sites were unaware of this and, had they known, would have objected. I have written about this before, and this keeps happening – despite the proliferation of ad tech vendors promising to prevent it.
Moreover, this is not a victimless crime. Placing ads on a website dedicated to sharing child pornography monetizes this horrific activity. Far from merely benefitting the proverbial “two guys in a Romanian basement,” monies generated from misspent digital advertising can be used to fund terrorism, human trafficking and all manner of abhorrent, criminal activity. This should be of keen interest to all advertisers, particularly public companies.
One estimate says that advertisers lost up to $1 billion to ad fraud in 2024 alone. The nature of online advertising, which has surpassed “traditional media,” lends itself to opacity. Simply put, the Internet is infinitely scalable. Billions of “impressions” are generated daily, and more are always available to the unscrupulous. Advertisers often lack the data needed to determine where every advertisement winds up, and even if they had such data, they lack the wherewithal to determine whether an appropriate price was paid, whether they received value, and whether they received rebates to which they were entitled. Indeed, recent news reports suggest that large-scale bribery has infected ad spending in some international markets.
So, one would think that advertisers would dedicate more resources to root out this fraud. To be sure, associational efforts have been undertaken and claim to have shown progress. However, the problem persists and is still quite substantial. What other industry would tolerate fraud on the order of magnitude of 10-40% of spend? Yet, it continues year after year.
What should a responsible advertiser do now?
Review relevant contracts to determine what audit rights exist;
Revise weak contracts;
Exercise relevant audit rights;
Deal with negligent or reckless vendors; and
Pursue recovery of lost funds.
The last item is sometimes tricky to accomplish and depends on the strength of rights embodied in the relevant contracts. However, the proper contracts can give advertisers the power to pursue a refund of misspent or overspent funds, provided that the audits are strong and demonstrate compensable issues exist. This need not always involve filing a lawsuit.
Pursuing recovery can take courage and surely can create tension in some ongoing relationships. However, can your company continue business as usual with the stakes as high as they are?