Lessons From 2024 Bank Secrecy Act: Anti-Money Laundering Enforcement Actions

In 2024, FinCEN and the federal bank regulators announced more than three dozen enforcement actions against banks and individuals arising from alleged Bank Secrecy Act (BSA), anti-money laundering (AML), and countering the financing of terrorism (CFT) compliance failures. One of these enforcement actions resulted in record-breaking civil and criminal monetary penalties. 
In this article, we summarize certain key compliance failures and issues indicated by these enforcement actions against banks. Rather than focusing on any specific institutions, we focus on broader industry issues. The aim of this article is to provide guidance to BSA officers and the boards of directors and senior management of banks as they consider ways in which their institution’s BSA/AML compliance program might need improvement.1
The Five Pillars 
BSA/AML enforcement actions typically cite failures with respect to one or more of the five “pillars” of an effective BSA/AML program: (1) a system of internal controls to assure ongoing compliance; (2) independent testing for compliance; (3) designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance; (4) training for appropriate personnel; and (5) appropriate risk-based procedures for conducting ongoing customer due diligence (CDD), including, but not limited to, (a) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (b) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintaining and updating customer information, including customer beneficial owner information. A significant portion of the 2024 enforcement actions cited deficiencies in all of the first four of these pillars, and in many other cases, the bank was required to adopt an improved CDD program. 
These are the pillars of an effective BSA/AML compliance program because a failure in any of them is likely to cause a failure in an institution’s overall BSA/AML compliance obligations. The whole foundation can collapse when any pillar is weak. Perhaps most important is the failure to file suspicious activity reports (SARs) when required, which in the end is the primary reason for many of the BSA’s regulatory requirements. 
The following discussion of compliance issues does not track the five pillars in the same order as listed in the applicable regulation, because we believe that results in a more logical flow. For example, a discussion of suspicious activity monitoring systems logically follows after discussing institutional risk assessments and customer due diligence because the activity monitoring systems should take these other requirements into account. 
Internal Controls 
When an examiner cites an institution for weak internal controls, that generally reflects a determination that the institution has weak policies, procedures, or processes to mitigate and manage money laundering and terrorist financing risks. This can include a poor reporting structure, unclear assignments of compliance responsibilities, poor risk assessments, failures to update policies and processes in response to regulatory changes or changes in the institution’s risk profile, weak suspicious activity monitoring systems, or weak risk rating of customers, among other issues. A bank’s system of internal controls, including the level and type of controls, should be commensurate with the bank’s size, complexity, and organizational structure. When an institution is experiencing BSA/AML compliance weaknesses, that often reflects weak internal controls. In the summaries below, we note which of the deficiencies reflect an internal control weakness.
Board and Management Oversight 
The Examination Manual states that the board of directors of each bank is responsible for approving the institution’s BSA/AML compliance program and overseeing the structure and management of the institution’s BSA/AML compliance function. The boards of about half of the banks subject to enforcement actions in 2024 were directed to enhance their oversight of their bank’s BSA/AML compliance program. The board also is responsible for setting an appropriate “culture of compliance” with respect to BSA/AML matters, and when an institution is subject to a particularly serious enforcement action, the directors and senior managers may be fined individually. 
Oversight by the board requires that the board receive regular reports from compliance staff on the institution’s BSA/AML program, which reports are part of the institution’s internal controls. This would include, among other things, reports from the BSA officer as to SAR filings, reports on any negative findings in compliance audits, reports on remediation steps to address negative audit results, reports on any changes to the institution’s risk assessments, and reports on any deficiencies in the resources that are allocated to the compliance function.
BSA Officer Deficiencies 
The BSA officer is central to the effective function of a BSA/AML compliance program. A few of the enforcement actions in 2024 noted that the bank had designated an ineffective BSA officer or one with no prior banking or BSA officer experience. 
Other enforcement actions raised these concerns:

BSA/AML staffing that is not proportionate to the bank’s size, risk profile, and ongoing compliance concerns.
BSA officer without appropriate authority or independence. For example, one institution was criticized for having a BSA officer who did not have unilateral authority to file SARs, such as where a senior manager or a committee consisting of business managers made the ultimate decisions. This authority and independence are important to a sound compliance system, in part to avoid conflicts of interest. 
AML monitoring and compliance staff reporting through business line management rather than directly to the BSA officer, thereby weakening the BSA officer’s authority and independence.

It also is important that all AML compliance staff, even if not designated as an “AML officer,” have appropriate experience in BSA and AML matters.
Training 
Banks must provide BSA/AML training to appropriate personnel, including all persons whose duties require knowledge or involve some aspect of BSA/AML compliance. This training should be tailored to the specific functions and positions of each individual within the institution. For example, the board of directors and certain staff may receive more general training than that provided to compliance staff and those individuals processing transactions or new accounts. Training generally should address higher-risk customers and activities, depending on the role of the individual to receive such training. In addition, targeted training may be necessary for specific money laundering, CFT, and other illicit financial activity risks for certain business lines or operational units. 
Many of the banks entering into consent orders in 2024 were required to develop and implement a new training program. Banks were cited in 2024 for failure to tailor training for frontline retail branch personnel, to train staff on the “AML typologies and risks” associated with the bank’s products and services, and to train on the specialized red flags for specific business lines or higher-risk activities. At least one bank was criticized for inadequate training on the completion and filing of currency transaction reports (CTRs), resulting in the filing of incomplete or inaccurate CTRs. A robust training program for all aspects of BSA/AML compliance is clearly required for every bank. 
Inadequate Compliance Resources 
A common finding when an institution is subject to an enforcement action is that the institution did not dedicate sufficient financial and personnel resources to BSA/AML compliance. Multiple institutions were cited in 2024 for this failure, and in at least one case for the failure to invest in improvements to address compliance gaps when those investments were deemed to be too costly. At least one institution was accused of maintaining a compensation system that appeared to provide a disincentive for the BSA officer to incur costs to ensure compliance.
AML staffing also should be proportionate to the bank’s size, risk profile, and any ongoing compliance concerns. When these factors change, an increase in staffing and other resources is often called for. 
Inadequate staffing and resources can result in failures in numerous areas of BSA/AML compliance. These failures can include significant backlogs in addressing suspicious activity alerts, an inability to adequately investigate alerts, and backlogs of customers whose relationship with the bank should be severed.
Initial and Ongoing Risk Assessments 
Banks’ BSA/AML compliance programs should be risk-based. A well-developed BSA/AML risk assessment assists the bank in identifying its money laundering, CFT, and other illicit financial activity risks and then developing and maintaining appropriate internal controls to address the identified risks. A risk assessment generally involves the identification of specific risk categories (e.g., products, services, customers, and geographic locations) unique to the bank and the bank’s analysis of such risks.
A bank should update its risk assessment from time to time, particularly when there are changes in the bank’s products, services, customers, or geographic locations, when the bank expands through mergers or acquisitions, and in response to regulatory changes, alerts, or negative compliance findings. 
Many of the recent enforcement actions directed the bank to develop, implement, and adhere to a revised and ongoing BSA risk assessment methodology. Those risk assessments were to address the risks outlined above and include an analysis of the volumes and types of transactions and services by geographic location and the numbers of customers that typically pose higher or elevated BSA risk for the institution. 
All risk assessments then should be used by the institution to develop and implement appropriate risk-mitigating strategies and internal controls. The results of each risk assessment should be reported to the board and appropriate senior management, and they then should require progress reports from the BSA officer with respect to any steps needed to reduce risks to appropriate levels. 
Customer Due Diligence, Risk Assessments, and Monitoring
The Examination Manual notes that “[t]he cornerstone of a strong BSA/AML compliance program is the adoption and implementation of risk-based CDD policies, procedures, and processes for all customers….” Conducting ongoing CDD is the fifth pillar of an effective BSA/AML compliance program. Its objective is to enable a bank to understand the nature and purpose of customer relationships, including understanding the types of transactions in which a customer is likely to engage. These processes assist the institution in determining when transactions are suspicious and when a SAR might need to be filed. 
CDD should enable the bank to assign risk ratings to each customer, and those risk ratings then should be taken into account when establishing customer transaction monitoring systems, with higher risk customers being subject to more stringent transaction monitoring. Customer risk ratings also should be taken into account in the institution’s overall BSA/AML compliance risk assessments. 
If a bank determines through ongoing CDD and transaction monitoring that its information on a particular customer has materially changed, that customer information and risk rating should be updated accordingly. In the event a bank discovers that it failed to identify a customer as a higher risk customer, the bank should revise its risk rating of the customer and consider conducting a transaction review to determine whether any suspicious activities went unidentified. 
A large majority of the banks subject to enforcement actions in 2024 were required to develop and implement a new CDD program. The actions often stated that the CDD program must ensure appropriate collection and analysis of customer information when opening new accounts, when renewing or modifying existing accounts, and when the bank obtains “event-driven information” indicating that it should obtain updated information to better understand the nature and purpose of its customer relationships and generate and maintain an accurate customer risk profile. 
Suspicious Activity Monitoring Systems and Processes 
Having an effective suspicious activity monitoring and reporting system is a critical internal control and essential to ensuring that a bank has an adequate and effective BSA/AML compliance program. Without one, an institution is more likely to miss suspicious activities and fail to file appropriate SARs. 
Per the Examination Manual, the sophistication of a monitoring system should be dictated by the bank’s risk profile, with particular emphasis on the composition of higher-risk products, services, customers, entities, and geographies. It likely would be inappropriate, however, to use a monitoring system that wholly disregards domestic and supposedly lower-risk transactions, and at least one institution was criticized for that in 2024. 
The five key components to an effective monitoring and reporting system are:

Identification or alert of unusual activity, which may include employee identification, law enforcement inquiries, other referrals, and transaction and surveillance monitoring system output.
Managing alerts.
SAR decision making.
SAR completion and filing.
Monitoring and SAR filing on continuing suspicious activity.

A transaction monitoring system may have manual elements. These systems may target specific types of transactions, such as large cash transactions or transactions from foreign geographies, with a manual review of reports generated by the bank’s systems. The type and frequency of reviews and resulting reports used should be commensurate with the bank’s BSA/AML risk profile and appropriately cover its higher-risk products, services, customers, entities, geographic locations, and methods of delivering its products and services. 
Automated monitoring systems also are appropriate for most or all banks. These systems, sometimes called “surveillance monitoring systems,” include rule-based systems that apply transaction parameters, scenarios, and filters. In all cases, however, those parameters, scenarios, and filters should be tailored to the bank’s risks, and they should be tested periodically to ensure that they are effective. 
We therefore have seen enforcement actions criticizing banks for relying on “off-the-shelf” scenarios provided by their vendors without consideration as to whether those scenarios needed to be tailored to the bank’s business. Some enforcement actions also criticized banks for failure to conduct appropriate testing and gap assessments of their transaction monitoring systems.
Finally, we should note that at least one institution was criticized for appearing to have designed at least portions of its monitoring system to focus more on operational burdens and risks rather than BSA/AML compliance. 
Failures to File SARs; Potential Consequences
Not surprisingly, those institutions that were cited for having weak CDD or transaction monitoring programs also were often cited for failures to identify suspicious transactions and file SARs as warranted. At least 16 banks were ordered in 2024 to conduct reviews of prior transactions to determine if any SAR filing might have been missed, sometimes referred to as a “look back” review. 
When a look back is required, the institution generally must hire an independent consultant to conduct a review and provide a written report on the bank’s suspicious activity monitoring, investigation, decisioning and reporting, identifying any instances in which the bank failed to file a SAR. The regulator then uses this information to decide what fines it will impose and whether to increase any prior fines. If the results of the look back are very negative, the regulator might also order an expanded look back, going further back in time. 
Independent Testing 
Banks are required to conduct independent testing or audits (the Examination Manual uses these terms interchangeably) of the bank’s BSA/AML compliance program. The testing can be conducted by the bank’s internal audit department or by qualified third parties, but the auditor never should be involved in business operations or BSA-related functions due to the potential for conflicts of interest or lack of independence. The results of all independent testing should be reported directly to the board of directors or a designated committee thereof that is composed primarily or completely of outside directors. 
The Examination Manual directs examiners to obtain and review the independent testing reports, including any scope and workpapers. If the examiner finds that the testing was adequate given the bank’s risk profile, that can comfort the examiner and might lead to a softer-touch examination. If the examiner concludes that the testing was deficient, the bank can expect a rigorous examination. 
Several of the banks subject to enforcement actions in 2024 were found by the examiner to have deficient independent testing. In one instance, the examiner concluded that the testing was insufficient in scope given the institution’s risk profile and that it only determined whether controls existed and not if they were in fact being used. In certain other instances when the enforcement action did not specifically criticize prior testing, the bank still was required to perform new independent testing and provide the results to the examiner. 
Many other banks were directed to establish a new independent audit program that would address and determine, among other things, the bank’s money laundering, terrorist financing, and other illicit financial activity risks; whether the bank’s policies, procedures, and processes for BSA/AML compliance were appropriate for the bank’s risk profile; whether the bank actually adhered to such policies, procedures, and processes; and whether management took appropriate and timely action to address any deficiencies. 
Next Steps 
In light of these enforcement actions, there are a number of steps that a bank might want to consider and questions that it might want to ask of itself. 
Risk Assessments
Is the assessment of your institution’s money laundering, CFT, and sanctions risks appropriately tailored to your products, services, customers, geographic locations, and your methods of delivering your products and services? Have any of these factors changed since your last risk assessment such that a new risk assessment is advisable? Some institutions might decide that it is appropriate to engage a third party to conduct a new risk assessment, both to obtain an independent view of your risk assessment and so as not to over-burden internal resources who need to focus on day-to-day compliance matters.
Customer Due Diligence
Is your customer due diligence thorough and ongoing? Are customers appropriately risk rated, and is that risk rating adjusted when new information about the customer is obtained? Are customer information and risk ratings incorporated into your transaction monitoring systems? If you rely on a fintech partner or other third party for customer due diligence, you might want to confirm that they are obtaining and updating customer information as needed to ensure BSA/AML compliance. 
Transaction Monitoring
Are your transaction monitoring thresholds, filters, and scenarios appropriately tailored to your products, services, customers, geographic locations, and your methods of delivering your products and services? If you are relying on third-party monitoring systems, have you reviewed their thresholds, filters, and scenarios and confirmed that they are appropriate for your institution? Have these thresholds, filters, and scenarios been tested recently? 
Independent Testing
Unless your institution recently performed or had performed thorough independent testing, you might want to consider new testing. As with your risk assessments, it might be best to engage a third party to conduct this testing, both to obtain an independent opinion of your organization and so as not to overburden your internal resources who need to focus on day-to-day compliance matters.
Resources
Has your BSA officer or any independent testing provider suggested that additional resources are needed, and have these suggestions been heeded? 
Voluntary SAR Look Back
If the results of independent testing or testing of your transaction monitoring system suggest that the institution might have failed to identify suspicious transactions or file SARs, you might want to consider voluntarily conducting a SAR look back. In this way, you might be able to reduce the negative impact of your next BSA/AML compliance examination. 
BSA/AML compliance is not inexpensive, but enforcement actions can cost far more. In addition to needing to spend time and money to address the issues raised in the action, and potentially paying fines, banks with serious BSA/AML compliance deficiencies may be blocked for a period of time from offering new products or services, opening new branches, or engaging in acquisitions. A bank that is subject to a consent order or a formal written agreement with its regulator also generally is not an “eligible bank” for purposes of corporate applications, meaning that expedited treatment of those applications is unavailable. For all of these reasons, we recommend that banks take heed of the lessons that can be gleaned from 2024’s round of enforcement actions so as to avoid being a target in 2025 or beyond. 
Footnotes

1 This article focuses only on the compliance issues that were raised by the 2024 enforcement actions. We are not attempting to provide a complete guide to BSA/AML compliance, but only to highlight areas in which an examiner concluded an institution was deficient. In order to provide regulatory background, we sometimes draw from the Bank Secrecy Act/Anti-Money Laundering Examination Manual of the Federal Financial Institutions Examination Council, often without attribution but sometimes by referring to the “Examination Manual.”

Corporate Transparency Act Compliance Still on Hold, For Now

On January 23, the U.S. Supreme Court lifted a nationwide preliminary injunction on the enforcement of the Corporate Transparency Act (the CTA), a law requiring millions of business entities to report information about their individual beneficial owners (including the individual persons who control them) to the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury. The preliminary injunction was originally issued by the U.S. District Court for the Eastern District of Texas in the case of Texas Top Cop Shop, Inc. v. Bondi—formerly, Texas Top Cop Shop v. Garland.
Despite the Supreme Court’s decision in Texas Top Cop Shop, the CTA reporting obligations are still on hold due to a separate nationwide injunction that remains in place. The second nationwide injunction was issued by a different judge of the U.S. District Court for the Eastern District of Texas in the case of Smith v. U.S. Department of the Treasury. The federal government has filed an appeal to the U.S. Court of Appeals for the Fifth Circuit seeking to lift the Smith injunction. This appeal represents the first action taken by the federal government in a CTA court proceeding since January 20, 2025, when the new administration took office.
If the injunction in the Smith case is lifted, the reporting obligations under the CTA would resume and all non-exempt reporting companies would be required to file beneficial ownership information reports (“BOIRs”) within a deadline to be determined by FinCEN. Notably, the government’s request for a stay in the Smith case pending appeal stated that FinCEN intends to extend the CTA compliance deadline for 30 days if the stay is granted. The government also implied that FinCEN is considering changes to the CTA’s reporting requirements to alleviate the burden on low-risk entities while prioritizing enforcement to address the most significant risks to U.S. national security. 
Background
See below to view a timeline of notable developments.
What Might Happen Next
The future of the CTA remains in limbo. For now, FinCEN has acknowledged that a nationwide preliminary injunction in the Smith case remains in place, meaning that reporting companies are not currently required to file BOIRs with FinCEN, and further, that reporting companies are not currently subject to liability if they fail to do so. FinCEN has stated that reporting companies may continue to voluntarily submit BOIRs.1
Neither the Supreme Court nor any lower court has made a determination on the merits of the constitutionality of the CTA; the rulings to date have only concerned whether the CTA may be enforced while litigation over the validity of the CTA continues. 
As stated above, CTA reporting obligations will likely resume if the Smith injunction is lifted (presumably, within 30 days of such decision), and also could resume in the future depending on the final outcomes in the Smith and Texas Top Cop Shop cases. While new developments may arise in the ongoing litigation over the CTA, Congress could also settle the debate by repealing the CTA.
Given the uncertain landscape, reporting companies who have yet to file their initial BOIRs should consider whether to continue reviewing their reporting obligations under the CTA, as such reporting companies may be required to file BOIRs within 30 days if the government’s request for a stay in the Smith case is granted. Likewise, reporting companies that have already filed should consider whether any changes have occurred to information previously reported, and should be ready to file updated or corrected reports relating to such changes or developments that occur during the pendency of the preliminary injunction. Reporting companies may also choose to voluntarily file initial or updated reports at any time despite the preliminary injunction.

Timeline
Below is a timeline of notable developments since the original nationwide preliminary injunction was issued.

December 3, 2024 – U.S. District Court for the Eastern District of Texas issued a nationwide preliminary injunction against enforcement of the CTA in the Texas Top Cop Shop case.
December 5, 2024 – The government appealed the ruling in the Texas Top Cop Shop case to U.S. Court of Appeals for the Fifth Circuit.
December 6, 2024 – FinCEN issued a statement that it will not enforce the reporting requirements while the injunction is in place and that filing BOIRs during such period is voluntary.
December 13, 2024 – The government filed a motion with the Fifth Circuit seeking an emergency stay of the injunction in the Texas Top Cop Shop case.
December 23, 2024 – A motions panel of the Fifth Circuit granted the government’s emergency motion, issuing a stay of the injunction in the Texas Top Cop Shop case pending the Fifth Circuit’s review of the merits of the appeal. Shortly thereafter, FinCEN reinstated the CTA reporting obligations and extended the reporting deadline from January 1 to January 13, 2025.
December 26, 2024 – A separate panel of judges on the Fifth Circuit vacated the stay and reinstated the injunction originating in the Texas Top Cop Shop case, effectively suspending enforcement of the CTA reporting requirements. In doing so, the merits panel reasoned that the constitutional status quo needs to be preserved while it considers the parties’ substantive arguments. The Fifth Circuit issued an expedited briefing and oral argument schedule under which briefing is to be completed by February 28, 2025, and oral arguments are to occur on March 25, 2025.
December 27, 2024 – FinCEN issued a new statement that it will not enforce the reporting requirements while the reinstated Texas Top Cop Shop injunction is in place and that filing BOIRs during such period is voluntary. 
December 31, 2024 – The government filed an emergency application with the Supreme Court for a stay of the injunction originating in the Texas Top Cop Shop case.
January 7, 2025 – U.S. District Court for the Eastern District of Texas issued a separate nationwide preliminary injunction against enforcement of the CTA in the Smith case.
January 15, 2025 – U.S. Senator Tommy Tuberville and Congressman Warren Davidson re-introduced the Repealing Big Brother Overreach Act in Congress seeking to overturn the CTA.
January 23, 2025 – Supreme Court lifted the nationwide injunction originating in the Texas Top Cop Shop case; the Supreme Court’s order did not address the separate nationwide injunction originating in the Smith case.
January 24, 2025 – FinCEN issued a statement that, despite the Supreme Court’s order, reporting companies are still not required to file BOIRs due to the Smith injunction.
February 5, 2025 – The government filed an appeal seeking a stay of the injunction originating in the Smith case. 

1 Further updates from FinCEN can be found at https://fincen.gov/boi. 
Scott D. DeWald, Andrew F. Dixon, Laura A. Lo Bianco, Mark Patton, Mark D. Patton, Matthew C. Sweger, Amanda L. Thatcher, and Karen L. Witt

FINRA Facts and Trends: February 2025

Welcome to the latest issue of Bracewell’s FINRA Facts and Trends, a monthly newsletter devoted to condensing and digesting recent FINRA developments in the areas of enforcement, regulation and dispute resolution. We dedicate this month’s issue to FINRA’s 2025 Annual Regulatory Oversight Report. Read about the Report’s findings and observations, below.
FINRA Issues 2025 Regulatory Oversight Report
On January 28, 2025, FINRA published its 80-page 2025 Regulatory Oversight Report (the Report), offering insights and observations on key regulatory topics and emerging risks that firms should consider when evaluating their compliance programs and procedures. Broadly speaking, the Report identifies relevant rules, summarizes noteworthy findings, highlights key considerations for member firms’ compliance programs, and provides helpful and practical considerations as member firms analyze their existing procedures and controls.
The 2025 Report discusses 24 topics relevant to the securities industry. While many of these are perennially important topics, the Report also includes two new sections: third-party risk landscape and extended hours trading. Below, we provide an overview of the Report’s new priorities, together with certain continuing priorities highlighted in the Report.
A FINRA Unscripted podcast episode about the report — featuring Executive Vice President and Head of Member Supervision, Greg Ruppert, Executive Vice President and Head of Market Regulation and Transparency Services, Stephanie Dumont, and Executive Vice President and Head of Enforcement, Bill St. Louis — is available on FINRA’s website.
Newly Identified Priorities

Third-Party Risk Landscape: The most significant addition to the Report is a new top-level section on Third-Party Risk Landscape. Firms’ reliance on third parties for many of their day-to-day functions creates risks, and, as the Report indicates, this new section was prompted by “an increase in cyberattacks and outages at third-party vendors” firms use.
As the broad heading indicates, the newly added material outlines effective practices and general steps to be taken by firms, including: 

maintaining a list of all third-party vendor-provided services, systems and software components that the firm can leverage to assess the impact on the firm in the event of a cybersecurity incident or technology outage at a third-party vendor;
adopting supervisory controls and establishing contingency plans in the event of a third-party vendor failure;
affirmatively inquiring whether potential third-party vendors incorporate generative AI into their products or services, and evaluating and reviewing contracts with these third parties to ensure they comply with the firm’s regulatory obligations, e.g., adding contractual language that prohibits firm or customer information from being ingested into the vendor’s open-source generative AI tool;
assessing third-party vendors’ ability to protect sensitive firm and customer non-public information and data;
ensuring that a vendor’s access to a firm’s systems and data is revoked when the relationship ends; and
periodically reviewing the third party’s vendor tool default features and settings.
 

Extended Hours Trading: In recent years, trading in National Market System stocks and other securities has extended beyond regular trading hours. In its other new section, FINRA reminds firms that offer extended hours trading that they must comply with FINRA Rule 2265, which requires that these firms provide their customers with a risk disclosure statement. Importantly, if a firm allows its customers to participate in extended hours trading online, the firm must be sure to post a risk disclosure statement on the firm’s website “in a clear and conspicuous manner.” In addition to Rule 2265, firms participating in extended hours trading must also comply with FINRA Rule 5310 (Best Execution and Interpositioning) and Rule 3110 (Supervision).
The Report recommends the following best practices to address any perceived risks associated with extended hours trading: 

conducting best execution reviews geared toward evaluating how extended hours orders are handled, routed and executed;
reviewing customer disclosures to ensure they address the risks associated with extended hours trading;
establishing and maintaining supervisory processes designed to address the “unique characteristics or risks” of extended hours trading; and
evaluating the operational readiness and customer support needs during extended hours trading.

Continuing Priorities
In addition to the Report’s new topics, each of the Report’s sections — Financial Crimes Prevention, Firm Operations, Member Firms’ Nexus to Crypto, Communications and Sales, Market Integrity, and Financial Management — places special emphasis on certain continuing priorities that will remain key focus areas for FINRA in 2025:

Reg BI and Form CRS: Reg BI and Form CRS have been perennial areas of focus for FINRA since they first became effective in 2020. The 2025 Report details a number of new findings and observations for each of the four component obligations of Reg BI (Care, Conflict of Interest, Disclosure, and Compliance).
With respect to the Care Obligation, many of FINRA’s latest findings and observations center around firms’ obligations with respect to recommendations of complex or risky products. FINRA reminds firms making such recommendations to consider whether the investments align with the customer’s overall investment profile, and whether the investment would result in concentrations that exceed the firm’s policies or the customer’s risk tolerance, or that represent an inappropriate portion of a retail customer’s liquid net worth.
The primary addition to the Report concerning firms’ Conflict of Interest Obligation is a finding that firms may violate Reg BI by failing to identify all material conflicts of interest that may incentivize an associated person to make a particular recommendation, such as a financial incentive to recommend the opening of an account with the firm’s affiliate, or to invest in securities tied to a company in which the associated person has a personal ownership stake.
The Report also contains a new finding related to the Compliance Obligation, noting that firms must have written policies and procedures that address account recommendations (as distinct from investment recommendations), including transfers of products between brokerage and advisory accounts, rollover recommendations, and potentially fraudulent patterns of account switches by the same associated person.
While the Report contains no new findings or observations related to the Disclosure Obligation, FINRA continues to remind firms of their obligation to provide customers “full and fair” disclosures of all material facts related to the scope of their relationship and any conflicts of interest.
As it relates to Form CRS, the Report’s findings included failures to properly deliver Form CRS and to properly post Form CRS — including posting Form CRS on any websites maintained by financial professionals who offer the firm’s services through a separate “doing business as” website.
 
Cybersecurity and Cyber-Enabled Fraud: The Report’s section on Cybersecurity and Cyber-Enabled Fraud — titled Cybersecurity and Technology Management in previous years’ reports — includes several important additions in 2025.
Most prominently, the Report highlights the emerging risks associated with quantum computing, a new technology that relies on quantum mechanics to perform functions not possible for more traditional forms of technology. Noting that many financial institutions have recently begun exploring use of quantum computing in their business operations, the Report warns that these technologies could be exploited by threat actors. Among other things, quantum computing has the potential to quickly break current encryption methods utilized by firms in the financial services industry. FINRA recommends that firms considering the use of quantum computers place a particular emphasis on ensuring cybersecurity, third-party vendor management, data governance and supervision.
The Report also discusses a variety of cybersecurity threats and attacks that financial institutions must be prepared to counter. First, the Report observes an increase in the variety, frequency and sophistication of many common threats, including new account fraud, account takeovers, data breaches, imposter sites, and “quishing” (an attack that uses QR codes to redirect victims to phishing URLs). In addition to these more conventional threats, the Report also describes several emerging threats, including: Quasi-Advanced Persistent Threats (Quasi-APTs) (sophisticated cyberattacks intended to gain prolonged network or system access); Generative AI-Enabled Fraud (attacks that make use of emerging generative AI technology to enhance cyber-related crimes); and Cybercrime-as-a-Service (attacks perpetrated by criminals with technical expertise on a for-hire basis, or by selling cyber-attack tools to third parties).
Among the effective practices recommended by FINRA to combat these threats, the Report highlights two new practices: tabletop exercises, in which firms bring internal and external stakeholders together to ensure cyber threats are appropriately identified, mitigated and managed; and network segmentation to limit lateral movement, a method of subdividing a firm’s networks into various sections so that a threat actor who compromises one section cannot readily gain access to the network in its entirety.
 
Senior Investors and Trusted Contact Persons: FINRA remains keenly focused on preventing the financial exploitation of senior investors. The Report reminds members of their regulatory obligations under FINRA Rule 4512 with respect to “Trusted Contact Persons” (TCPs) and FINRA Rule 2165 (Financial Exploitation of Specified Adults).
FINRA Rule 4512(a)(1)(F) requires FINRA members to make reasonable efforts to obtain the name of and contact information for a TCP for non-institutional customer accounts. A firm may contact the TCP to address possible financial exploitation; to confirm the specifics of the customer’s current contact information, health status, or the identity of any legal guardian, executor, trustee, or holder of a power of attorney; or as otherwise permitted by Rule 2165. In particular, Rule 2165 permits firms to place temporary holds on securities transactions and account disbursements if the member reasonably believes that financial exploitation of a Specified Adult has occurred, is occurring, has been attempted, or will be attempted. “Specified Adult” means (A) a natural person age 65 and older; or (B) a natural person age 18 and older who the member reasonably believes has a mental or physical impairment that renders the individual unable to protect his or her own interests.
In the “Findings and Effective Practices” section of the Report, FINRA notes that recent examinations and investigations focus on firms not making reasonable attempts to obtain the name and contact information of a TCP; not providing written disclosures explaining when a firm may contact a TCP; not developing training policies reasonably designed to ensure compliance with the requirements of Rule 2165; and not retaining records that document the firm’s internal review underlying any decision to place a temporary hold on a transaction.
As for suggested effective practices, the Report recommends, among other things: implementing a process to track whether customer accounts have designated TCPs, establishing specialized groups to handle situations involving elder abuse or diminished capacity, and hosting conferences or participating in industry groups focused on the protection of senior customers.
 
Anti-Money Laundering (AML) and Fraud: FINRA Rule 3310 requires that each member firm develop and implement a written AML program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act and its implementing regulations.
As for recommended effective practices, the Report recommends:

conducting thorough inquiries when customers — particularly the elderly — request an unusually significant amount of funds to be disbursed to a personal bank account;
conducting formal, written AML risk assessments;
incorporating additional methods for verifying customer identities when establishing online accounts;
delegating AML duties to specific business units that are best positioned to monitor and identify suspicious activity; and
establishing an AML training program for personnel that is tailored to the individuals’ roles and responsibilities.
The Report highlights one emerging risk: FINRA has observed an increase in investment fraud committed by those who engage directly with investors. This can include persuading victims to withdraw funds from their accounts as part of a fraudulent scheme. The FBI’s Internet Crime Report notes that “investment fraud is the costliest type of crime tracked by the FBI’s Internet Crime Complaint Center.” To help mitigate this threat, FINRA recommends: monitoring for sudden changes in a customer’s behavior, including withdrawal requests that are out of character for the customer; educating firm personnel who are in contact with customers on how to recognize red flags; and developing clear response plans for when the firm identifies a customer who has been victimized.
 

Private Placements: The Report’s section on private placements does not stray far from previous years’ reports, and primarily re-emphasizes a key area of focus for FINRA’s Enforcement division over the past two years, first highlighted in Regulatory Notice 23-08. As we reported at the time, Regulatory Notice 23-08 reminded member firms of their obligation to conduct a reasonable investigation of private placement investments prior to making any recommendation — including, most particularly, conducting an investigation of the issuer, its management and its business prospects, the assets held or to be acquired by the issuer, and the issuer’s intended use of proceeds from the offering. In its discussion of findings from targeted exams, FINRA further notes that firms fail to satisfy this obligation when, among other things, they do not conduct adequate research into issuers that have a lack of operating history, or where they rely solely on the firm’s past experience with an issuer based on previous offerings. FINRA’s findings offer a reminder to firms to apply scrutiny to all offerings, whether or not the issuer is a known quantity — and to be especially vigilant when an issuer is new to the space.
The Report’s findings also provide another cautionary tale: FINRA warns that firms fail to comply with Reg BI’s care obligation when they take the position that the firm is not making recommendations, even though the firms’ representatives have made communications to customers that include a “call to action” and are individually tailored to the customer. Firms should remain aware that these types of communications are likely to be viewed as investment recommendations, and ensure that they conduct reasonable diligence before making any such communication to a customer.
The Report also discusses an emerging trend concerning firms that have made material misrepresentations and omissions related to recommendations of private placement offerings of pre-IPO securities. As examples, FINRA cites firms that have failed to disclose potential selling compensation, and that have failed to conduct reasonable due diligence to confirm that the issuer actually held or had access to the shares it purported to sell.
 
Manipulative Trading: Member firms are prohibited, pursuant to a series of FINRA Rules, from engaging in impermissible trading practices. The relevant rules include FINRA Rule 2010 (Standards of Commercial Honor and Principles of Trade); FINRA Rule 5230 (Payments Involving Publications that Influence the Market Price of a Security); and FINRA Rule 5210 (Publication of Transactions and Quotations), which FINRA has relied on in pursuing enforcement actions accusing member firms of publicizing or circulating inflated trading activity.
The Report highlights certain recent findings, including firms having inadequate WSPs, not establishing surveillance controls designed to capture manipulative trading, and not establishing and maintaining a surveillance system reasonably designed to monitor for potentially manipulative trading.
 
Communications With the Public: As in previous years, the Report details the content standards prescribed for three categories of firm written communications: correspondence, retail communications and institutional communications. 
The Report also presents findings on an emerging trend: retail communications focused on registered index-linked annuities (RILAs). FINRA’s findings concerning firms’ communications related to RILAs mirror many of the common findings in connection with other types of investments. For example, FINRA has found that firms have failed to adequately explain how RILAs function and the meaning of specialized terms that are specific to RILAs, as well as finding that firms have made inadequate disclosures of the risks, fees and charges associated with RILAs.
The Report also contains a new focus on firms’ communications made through social media and generative AI. In particular, it recommends that firms ensure that communications made with the assistance of generative AI (including chatbot communications used with investors) are appropriately supervised and retained. Similarly, the Report cautions that firms must maintain systems, including WSPs, reasonably designed to supervise communications disseminated on the firm’s behalf by influencers on social media.
The Report’s findings and observations are intended to serve as a guide for member firms to assess their current compliance, supervisory, and risk management programs and note any perceived deficiencies that could result in scrutiny by FINRA. Member firms are encouraged to focus on the findings, observations and effective practices relevant to their respective business models.

Australia’s Proposed Scams Prevention Framework

In response to growing concerns regarding the financial and emotional burden of scams on the community, the Australian government has developed the Scams Prevention Framework Bill 2024 (the Bill). Initially, the Scams Prevention Framework (SPF) will apply to banks, telecommunications providers, and digital platform service providers offering social media, paid search engine advertising or direct messaging services (Regulated Entities). Regulated Entities will be required to comply with obligations set out in the overarching principles (SPF Principles) and sector-specific codes (SPF Codes). Those failing to comply with their obligations under the SPF will be subject to harsh penalties under the new regime.
Why Does Australia Need an SPF?
Australian customers lost AU$2.7 billion in 2023 from scams. Whilst the monetary loss from scams is significant, scams also have nonfinancial impacts on their victims. Scams affect the mental and emotional wellbeing of victims—victims may suffer trauma, anxiety, shame and helplessness. Scams also undermine the trust customers may have in utilising digital services. 
Currently, scam protections are piecemeal, inconsistent or non-existent across the Australian economy. The SPF is an economy-wide initiative which aims to:

Halt the growth in scams;
Safeguard the digital economy; 
Provide consistent customer protections for customers engaging with Regulated Entities; and
Be responsive and adaptable to the scams environment. 

What is a Scam?
A scam is an attempt to cause loss or harm to an individual or entity through the use of deception. For example, a perpetrator may cause a target to transfer funds into a specified bank account by providing the target with what appears to be a parking fine. However, financial loss caused by illegal cyber activity such as hacking would not be a scam as it does not involve the essential element of deception.
SPF Principles
The Bill sets out six SPF Principles which Regulated Entities must comply with. The SPF Principles will be enforced by the Australian Competition and Consumer Commission (ACCC) as the SPF General Regulator. 
The SPF Principles are outlined in table 1 below.

SPF Principle
Description

1. Governance
Regulated Entities are required to ‘develop and implement governance policies, procedures, metrics and targets to combat scams’. In discharging their obligations under this principle, entities must develop and implement a range of policies and procedures which set out the steps taken to comply with the SPF Principles and SPF Codes. The ACCC is expected to provide guidance on how an entity can ensure compliance with their governance obligations under the SPF.

2. Prevent
Regulated Entities must take reasonable steps to prevent scams on or relating to the service they provide. Such steps should aim to prevent people from using the Regulated Entity’s service to commit a scam, as well as prevent customers from falling victim to a scam. This includes publishing accessible resources which provide customers with information on how to identify scams and minimise their risk of harm.

3. Detect
Regulated Entities must take reasonable steps to detect scams by ‘identifying SPF customers that are, or could be, impacted by a scam in a timely way’. 

4. Report
Where a Regulated Entity has reasonable grounds to suspect that a ‘communication, transaction or other activity on, or relating to their regulated service, is a scam’, it must provide the ACCC with a report of any information relevant to disrupting the scam activity. Such information is referred to as ‘actionable scam intelligence’ in the SPF.
Additionally, if requested by an SPF regulator, an entity will be required to provide a scam report. The appropriate form and content of the report is intended to be detailed in each SPF Code.

5. Disrupt
A Regulated Entity is required to take ‘reasonable steps to disrupt scam activity on or related to its service’. Any such steps must be proportionate to the actionable scam intelligence held by the entity. As an example, for banks, appropriate disruptive activities may include:

Contacting customers to warn them of popular scams;
Introducing confirmation of payee features on electronic banking services; and
Placing a hold on payments directed to an account associated with scam activity to allow the bank time to contact the customer and provide them with information about the suspected scam. 

6. Respond
Regulated Entities are required to implement accessible mechanisms which allow customers to report scams and establish accessible and transparent internal dispute resolution processes to deal with any complaints. Additionally, Regulated Entities must be a member of an external dispute resolution scheme authorised by a Treasury Minister for their sector. The purpose of such an obligation is to provide an independent dispute resolution mechanism for customers whose complaints have not been resolved through initial internal dispute resolution processes, or where the internal dispute resolution outcome is unsatisfactory.

Table 1
What are ‘Reasonable Steps’?
We expect that SPF Codes will provide further clarification regarding what will be considered ‘reasonable steps’ for the purposes of discharging an obligation under the SPF Principles. From the explanatory materials, it is evident that whether reasonable steps have been taken will depend on a range of entity-specific factors including, but not limited to:

The size of the Regulated Entity;
The services of the Regulated Entity;
The Regulated Entity’s customer base; and
The specific types of scam risk faced by the Regulated Entity and their customers.

Disclosure of Information Under the Reporting Principle
As indicated in table 1 above, the SPF reporting principle requires disclosure of information to the SPF regulator. It is clear from the explanatory materials that, to the extent this reporting obligation is inconsistent with a legal duty of confidence owed under any ‘agreement or arrangement’ entered into by the Regulated Entity, the SPF obligation will prevail. However, it is not expressly stated how this obligation will interact with statutory protections of personal information.
The Privacy Act 1988 (Cth) (Privacy Act) imposes obligations regarding the collection, use and disclosure of personal information. Paragraph 6.2(b) of Schedule 1 to the Privacy Act allows an entity to use or disclose information for a purpose other than that for which it was collected where the use or disclosure is required by an Australian law. Arguably, once the SPF is enacted, disclosure of personal information in accordance with the obligations under the reporting principle will be ‘required by an Australian law’ and therefore not in breach of the Privacy Act. 
Safe Harbour Protection for Disruptive Actions
As noted in table 1, SPF Principle 5 requires entities to take disruptive actions in response to actionable scam intelligence. This may leave Regulated Entities vulnerable to actions for breach of contractual obligations. For example, where a bank places a temporary hold on a transaction, the customer might lodge a complaint for failure to follow payment instructions. To prevent the risk of such liability from deterring entities from taking disruptive actions, the SPF provides a safe harbour protection whereby a Regulated Entity will not be liable in a civil action or proceeding where they have taken action to disrupt scams (including suspected scams) while investigating actionable scam intelligence. 
In order for the safe harbour protection to apply, the following requirements must be met:

The Regulated Entity acted in good faith and in compliance with the SPF;
The disruptive action was reasonable and proportionate to the suspected scam;
The action was taken during the period starting on the day that the information became actionable scam intelligence, and ending when the Regulated Entity identified whether or not the activity was a scam, or after 28 days, whichever was earlier; and
The action was promptly reversed if the Regulated Entity identified the activity was not a scam and it was reasonably practicable to reverse the action.

The assessment of whether disruptive actions were proportionate will be determined on a case-by-case basis. However, relevant factors may include:

The volume of information received or available;
The source of that information; and
The apparent likelihood that the activity is associated with a scam.

SPF Codes
As a ‘one-size-fits-all’ approach across the entire scams ecosystem is not appropriate, the SPF provides for the creation of sector-specific codes. These SPF Codes will set out ‘detailed obligations’ and ‘consistent minimum standards’ to address scam activity within each regulated sector. The SPF Codes are yet to be released.
It is not clear whether the SPF Codes will interact with other industry codes and, if so, how and which codes will prevail. 
It appears from the explanatory materials that the SPF Codes are intended to impose consistent standards across the regulated sectors. It is unclear whether this will be achieved in practice or whether there will be a disproportionate compliance burden placed on one regulated sector in comparison to other regulated sectors. For example, because banks are often the ultimate sender/receiver of funds, will they face the most significant compliance burden? 
SPF Regulators
The SPF is to be administered and enforced through a multiregulator framework. The ACCC, as the General Regulator, will be responsible for overseeing the SPF provisions across all regulated sectors. In addition, there will be sector-specific regulators responsible for the administration and enforcement of SPF Codes. 
Enforcement
The proposed Bill sets out the maximum penalties for contraventions of the civil penalty provisions of the SPF. 
There are two tiers of contraventions, with a tier 1 contravention attracting a higher maximum penalty in order to reflect that some breaches would ‘be the most egregious and have the most significant impact on customers’. A breach will be categorised based on the SPF Principle contravened as indicated in table 2 below.

Tier 1 Contravention: SPF Principle 2 (prevent); SPF Principle 3 (detect); SPF Principle 5 (disrupt); and SPF Principle 6 (respond).
Tier 2 Contravention: an SPF Code; SPF Principle 1 (governance); and SPF Principle 4 (report).

Table 2
In addition to the civil penalty regime, other administrative enforcement tools will be available including:

Infringement notices;
Enforceable undertakings;
Injunctions;
Actions for damages;
Public warning notices;
Remedial directions;
Adverse publicity orders; and
Other punitive and nonpunitive orders.

DOJ Narrows FCPA Enforcement Focus

Attorney General (AG) Pam Bondi has issued a directive that both: (1) effectively shifts the DOJ’s FCPA enforcement focus towards those cases related to foreign bribery involving cartels and transnational criminal organizations (TCOs); and (2) expands the DOJ’s ability to prosecute certain types of FCPA violations.
Questions around how and to what extent FCPA enforcement will be impacted under the current Trump administration have been swirling. While early into President Trump’s second term, his administration has already taken steps aimed at implementing substantive changes throughout the Executive Branch, reforming the DOJ, as well as reducing the size of the federal workforce. This has led many to anticipate the potential scaling back of FCPA enforcement efforts in the near future.
Shift in FCPA Enforcement Focus
AG Bondi has recently issued fourteen memos, addressed to all DOJ employees, detailing new policies and priorities for the DOJ across a range of enforcement activities. The FCPA was specifically named in the “Total Elimination of Cartels and Transnational Criminal Organizations” directive (the “Directive”). The Directive provides more insight as to the DOJ’s priorities around FCPA enforcement going forward.
Specifically, the Directive states that “[t]he Criminal Division’s FCPA Unit shall prioritize investigations related to foreign bribery that facilitates the criminal operations of Cartels and TCOs, and shift focus away from investigations and cases that do not involve such a connection.”
The Directive also overrides certain sections of the Justice Manual, as they relate to foreign bribery involving cartels or TCOs, that required FCPA cases to be either conducted by Fraud Section prosecutors or approved by the Criminal Division. In other words, U.S. Attorney Offices are now empowered to also pursue criminal FCPA cases involving foreign bribery and cartels or TCOs – no longer requiring approval to bring such matters – having provided 24 hours’ notice to the Criminal Division before proceeding.
FCPA Background
The FCPA is a two-pronged federal statute that contains anti-bribery provisions as well as accounting provisions; the accounting provisions address both internal controls (e.g., maintaining robust internal systems designed to prevent and identify corrupt activities) and books and records (e.g., maintaining accurate records that make it challenging to hide improper payments). The DOJ and SEC have dual enforcement authority over the FCPA, with the DOJ pursuing criminal violations of the FCPA and the SEC handling civil matters pertaining to publicly traded companies.
Since the FCPA was enacted in 1977, enforcement has focused on targeting corporate corruption where companies – including, directly or indirectly, through their third-party intermediaries (e.g., consultants, distributors, sales agents, etc.) – have improperly gained or retained unfair business advantages in exchange for providing something of value to foreign government officials. With the current shift in FCPA enforcement priorities, the DOJ is anticipated to redirect efforts away from targeting bribery in the context of legitimate corporate industries to focusing on bribery schemes in connection with organized crime and cartels.
It will be interesting to see how objectives under the Directive play out, given the logistics of the FCPA. For instance, the FCPA’s scope covers issuers (publicly traded companies with securities listed on a national securities exchange in the U.S.), domestic concerns (U.S. companies or U.S. persons), as well as any other persons that engage in acts furthering corruption while in the U.S. These limitations may exclude many individuals and entities involved in cartels or TCOs. In other words, the FCPA’s design – considering its jurisdictional reach and entity-focus – may limit its effectiveness as a tool against organized crime.
Why Compliance Still Matters
While the DOJ’s FCPA enforcement priorities may be shifting under the Trump Administration to focus on cartels and TCOs, this should not be read to mean that the DOJ will no longer pursue other forms of foreign corruption. The Directive does not suggest any plans to repeal or even weaken the FCPA; rather, the Directive refocuses the DOJ’s FCPA enforcement priorities.
For nearly two decades, the FCPA has been a cornerstone of DOJ’s corporate enforcement efforts. This continued focus has resulted in steady and substantial financial recoveries – with penalties exceeding one billion dollars in some cases – over the course of several presidential terms spanning both Democratic and Republican leadership, including President Trump’s first term. Precedent suggests that FCPA enforcement is an entrenched priority for the DOJ and SEC, transcending individual administrations and political affiliations. Further, several countries have also enacted similar anti-bribery and anti-corruption regulations. When pursuing FCPA resolutions, international cooperation between the U.S. and foreign authorities has been essential in order to navigate the complexities of FCPA cases, which usually involve international transactions, multiple actors, and diverse legal frameworks.
Regarding corporate compliance programs, the DOJ will frequently give credit when considering the appropriate resolution, monetary penalty, and subsequent compliance obligations, if the company is able to demonstrate it has a robust and well-designed compliance program, including having made improvements to the program in response to the investigated misconduct. In other words, a company may be able to secure a more favorable outcome if it maintains a strong compliance program, which may ultimately result in the DOJ determining not to prosecute.
There are other benefits for companies that invest in their compliance programs:

Risk Management: Robust compliance programs help prevent potential compliance issues before they occur. Further, early detection of potential violations allows for timely intervention, remediation, and disclosure, if necessary.
Informed Decision-Making: Companies are better positioned to make strategic business decisions with a strong compliance foundation. This includes evaluating and responding to potential enforcement-related situations.
Long-Term Business Integrity: Maintaining high compliance standards fosters a culture of ethical business practices, which can enhance a company’s reputation and promote stakeholder confidence.
Adaptability to Regulatory Changes: A well-designed and effective compliance program is more easily adaptable to shifting regulatory landscapes and emerging risks, enabling companies to more efficiently respond to new enforcement trends.

Takeaway
Regardless of the DOJ’s FCPA enforcement priorities shifting, companies will continue to meaningfully benefit from maintaining and investing in their compliance programs. Further, the Directive does not impact SEC enforcement of FCPA violations; in other words, issuers that fall under the SEC’s jurisdiction will need to continue to comply with the FCPA regardless of DOJ’s shift in FCPA enforcement focus. Moreover, the applicable statute of limitations for FCPA violations generally extends beyond the current administration. Ultimately, companies would be well advised to continue to ensure that their compliance programs are effective and well-resourced in order to mitigate risks.

Attorney General Bondi’s Day One Orders for DOJ

Shortly after her confirmation, and just after her swearing-in by Associate Justice Clarence Thomas, U.S. Attorney General Pamela Bondi issued fourteen memoranda that seek to reform the Department of Justice by rescinding prior guidance, issuing new guidance, and establishing new priorities for the nation’s chief law enforcement and prosecuting agency. We examine below the actions taken by Attorney General Bondi. 

“Elimination of Diversity, Equity, and Inclusion” (DEI): Two of the memos focus on the elimination of prior Diversity, Equity, and Inclusion (DEI) efforts at the Department and in the private sector. These directives stem from President Trump’s executive order of January 21, 2025 concerning “Ending Illegal Discrimination and Restoring Merit-Based Opportunity”. The first memo requires “[a]ll Department materials that encouraged or permitted race- or sex-based preferences as a method of compliance with federal civil rights laws” to be rescinded and replaced with new guidance. The second memo directs the DOJ’s Civil Rights Division to “investigate, eliminate, and penalize illegal DEI and DEIA preferences, mandates, policies, programs, and activities in the private sector and in educational institutions that receive federal funds.” For a full summary of the DOJ’s focus on DEI, go to the blog post by our colleagues in Labor and Employment.
Immigration. This memo directs the DOJ to withhold federal funding from, and pursue enforcement actions against, sanctuary cities. The memo cites 8 U.S.C. § 1373, which provides that state or local jurisdictions “may not prohibit, or in any way restrict, any government entity or official from sending to, or receiving from, the Immigration and Naturalization Service information regarding the citizenship or immigration status, lawful or unlawful, of any individual.” The memo warns that any sanctuary cities that violate this statute will face cuts in federal funding.
Elimination of Cartels. This memo directs DOJ personnel to focus their efforts on eliminating cartels and transnational criminal organizations (TCOs). The memo identifies various enforcement mechanisms and resources that may be used in carrying out the directive. Notably, the memo calls for the Department to shift the focus of its prosecutions under the Foreign Corrupt Practices Act (FCPA) to “the criminal operations of Cartels and TCO”. Additionally, the memo removes the requirement that the Fraud Section of the Criminal Division handle all investigations and prosecutions under the FCPA, now permitting any U.S. Attorney’s Office to initiate charges with only 24 hours of advance notice to Main Justice required. It is unclear whether, and to what degree, DOJ will continue its pending corporate investigations and prosecutions and/or initiate new ones.
Joint Task Force October 7. This memo focuses on the creation of the Joint Task Force October 7 to “seek[] justice for victims of the October 7, 2023 terrorist attack in Israel” and address ongoing antisemitic threats in the United States.
Charging, Plea Negotiations, Etc. This memo outlines general policy regarding charging, plea negotiations, and sentencing for prosecutors. It lays out the Department’s criminal enforcement priorities, including immigration enforcement; human trafficking and smuggling; transnational organized crime, cartels, and gangs; and protection of law enforcement personnel. The memo also disbands the Foreign Influence Task Force and the National Security Division’s Corporate Enforcement Unit.
“Zealous” Advocacy on Behalf of the U.S. This memo directs DOJ to “zealously defend the interest of the United States.” The memo emphasizes the responsibilities DOJ attorneys have to enforce the laws of the United States, but also highlights their responsibility to “vigorously defend[] presidential policies and actions against legal challenges on behalf of the United States.” This memo suggests discipline for DOJ attorneys who decline to sign briefs or appear in court on personal grounds or “otherwise delay or impede the Department’s mission.”
Rescission of Biden Administration Guidance. Three of the memos roll back specific directives issued by former Attorney General Merrick Garland, who served in the Biden Administration, including those that pertained to the interpretation of guidance documents, settlement payments to non-governmental third-party organizations, and the prioritization of environmental prosecutions.
Death Penalty. Two memos focus on the death penalty—one memo directs U.S. Attorney’s Offices “to assist local prosecutors in pursuing death sentences under state law against the 37 commuted inmates” whose sentences former President Joe Biden previously commuted, while the other memo revives the federal death penalty by lifting the moratorium on federal executions and provides for the re-review of pending cases potentially eligible for the death penalty.
DOJ Employees Back to the Office. This memo directs DOJ employees to return to work in-person by February 24, 2025 and reinforces President Trump’s January 20, 2025 Presidential Memorandum on the same matter. 
Weaponization Work Group. This memo targets “abuses of the criminal justice process, coercive behavior, and other forms of misconduct.” The directive addresses Trump’s January 20 Executive Order concerning “Ending the Weaponization of The Federal Government” by establishing a “Weaponization Work Group,” tasked with reviewing criminal and civil enforcement over the last 4 years, and reporting to the White House “instances where a department’s or agency’s conduct appears to have been designed to achieve political objectives or other improper aims rather than pursuing justice or legitimate governmental objectives.”

Bad News & Good News: Ransomware Up, Payments Down in 2024

American blockchain analysis firm Chainalysis reports that ransomware payments declined significantly in 2024, dropping to $813 million from $1.25 billion in 2023 – a 35% decrease. The company’s sleuthing also revealed that only 30% of victims who entered negotiations with ransomware actors ultimately paid a ransom. That’s big. And this downward payment trend occurred despite 2024 being a record year for ransomware attacks overall.
This work reveals a disconnect between attack volume and successful extortion, suggesting organizations are becoming more resilient to ransomware pressure tactics. Some of the possible factors contributing to the decrease in ransomware payments include:

Law Enforcement and International Collaboration: Increased law enforcement actions and improved international collaboration have been effective in disrupting ransomware operations. For example, the takedown of LockBit by the UK’s National Crime Agency (NCA) and the US FBI led to a 79% decrease in payments. 
Increased Gap Between Demands and Payments: The difference between ransom demands and actual payments is increasing. Incident response data shows that a majority of clients do not pay at all.
Shift in Ransomware Ecosystem: The collapse of LockBit and BlackCat led to a rise in lone actors and smaller groups that focus on small to mid-size markets with more modest ransom demands.
Illegitimate Victims on Data Leak Sites (more on this below): Some threat actors have been caught overstating or lying about victims, or reposting claims about old victims. LockBit has been known to publish as many as 68% repeat or fabricated victims on its data leak site after being ostracized by the underground community following law enforcement action.
Ransomware Actors Abstaining From Cashing Out: Ransomware operators are increasingly abstaining from cashing out their funds (such that the funds flow isn’t tracked), likely due to uncertainty and caution amid law enforcement actions targeting individuals and services facilitating ransomware laundering.
Victim Refusal to Pay: More victims are choosing not to pay ransoms due to improved cyber hygiene and overall resiliency. 

Chainalysis also gives a summary of the data leak trends in 2024:

unprecedented growth in ransomware data leak sites, with 56 new sites emerging in 2024 – more than twice the number identified in 2023
researchers note significant concerns about the accuracy of these reported leaks:

many leaks overstated their impact, claiming entire multinational organizations when only small subsidiaries were affected
over 100 organizations appeared on multiple leak sites
ransomware gang LockBit, following law enforcement disruption, artificially inflated their numbers by reposting old victims and fabricating new ones – with up to 68% of their posts being repeat or false claims

This analysis suggests that while data leak sites showed record numbers in 2024, the actual scope of successful ransomware attacks may be significantly lower than the raw numbers indicate. 

Attorney General Pam Bondi Narrows FCPA Enforcement Focus

Attorney General (AG) Pam Bondi has issued a directive that both: (1) effectively shifts the DOJ’s FCPA enforcement focus towards those cases related to foreign bribery involving cartels and transnational criminal organizations (TCOs); and (2) expands the DOJ’s ability to prosecute certain types of FCPA violations.
Questions around how and to what extent FCPA enforcement will be impacted under the current Trump administration have been swirling. While early into President Trump’s second term, his administration has already taken steps aimed at implementing substantive changes throughout the Executive Branch, reforming the DOJ, as well as reducing the size of the federal workforce. This has led many to anticipate the potential scaling back of FCPA enforcement efforts in the near future.
Shift in FCPA Enforcement Focus
AG Bondi has recently issued fourteen memos, addressed to all DOJ employees, detailing new policies and priorities for the DOJ across a range of enforcement activities. The FCPA was specifically named in the “Total Elimination of Cartels and Transnational Criminal Organizations” directive (the “Directive”). The Directive provides more insight as to the DOJ’s priorities around FCPA enforcement going forward.
Specifically, the Directive states that “[t]he Criminal Division’s FCPA Unit shall prioritize investigations related to foreign bribery that facilitates the criminal operations of Cartels and TCOs, and shift focus away from investigations and cases that do not involve such a connection.”
The Directive also overrides certain sections of the Justice Manual, as they relate to foreign bribery involving cartels or TCOs, that required FCPA cases to be either conducted by Fraud Section prosecutors or approved by the Criminal Division. In other words, U.S. Attorney’s Offices are now empowered to also pursue criminal FCPA cases involving foreign bribery and cartels or TCOs – no longer requiring approval to bring such matters – after providing 24 hours’ notice to the Criminal Division before proceeding.
FCPA Background
The FCPA is a two-pronged federal statute that contains anti-bribery provisions as well as accounting provisions; the accounting provisions address both internal controls (e.g., maintaining robust internal systems designed to prevent and identify corrupt activities) and books and records (e.g., maintaining accurate records that make it challenging to hide improper payments). The DOJ and SEC have dual enforcement authority over the FCPA, with the DOJ pursuing criminal violations of the FCPA and the SEC handling civil matters pertaining to publicly traded companies.
Since the FCPA was enacted in 1977, enforcement has focused on targeting corporate corruption where companies – including directly or indirectly through their third-party intermediaries (e.g., consultants, distributors, sales agents, etc.) – have improperly gained or retained unfair business advantages in exchange for providing something of value to foreign government officials. With the current shift in FCPA enforcement priorities, the DOJ is anticipated to redirect efforts away from targeting bribery in the context of legitimate corporate industries and toward bribery schemes connected with organized crime and cartels.
It will be interesting to see how objectives under the Directive play out, given the logistics of the FCPA. For instance, the FCPA’s scope covers issuers (publicly traded companies with securities listed on a national securities exchange in the U.S.), domestic concerns (U.S. companies or U.S. persons), as well as any other persons that engage in acts furthering corruption while in the U.S. These limitations may exclude many individuals and entities involved in cartels or TCOs. In other words, the FCPA’s design – considering its jurisdictional reach and entity-focus – may limit its effectiveness as a tool against organized crime.
Why Compliance Still Matters
While DOJ’s FCPA enforcement priorities may be shifting under the Trump Administration to focus on cartels and TCOs, this should not be read to mean that DOJ will no longer pursue other forms of foreign corruption. The Directive does not suggest any plans to repeal or even weaken the FCPA; rather, the Directive refocuses DOJ’s FCPA enforcement priorities.
For nearly two decades, the FCPA has been a cornerstone of DOJ’s corporate enforcement efforts. This continued focus has resulted in steady and substantial financial recoveries – with penalties exceeding one billion dollars in some cases – over the course of several presidential terms spanning both Democratic and Republican leadership, including President Trump’s first term. Precedent suggests that FCPA enforcement is an entrenched priority for the DOJ and SEC, transcending individual administrations and political affiliations. Further, several countries have also enacted similar anti-bribery and anti-corruption regulations. When pursuing FCPA resolutions, international cooperation between the U.S. and foreign authorities has been essential in order to navigate the complexities of FCPA cases, which usually involve international transactions, multiple actors, and diverse legal frameworks.
Regarding corporate compliance programs, the DOJ will frequently give credit when considering the appropriate resolution, monetary penalty, and subsequent compliance obligations, if the company is able to demonstrate it has a robust and well-designed compliance program, including having made improvements to the program in response to the investigated misconduct. In other words, a company may be able to secure a more favorable outcome if it maintains a strong compliance program, which may ultimately result in the DOJ determining not to prosecute.
There are other benefits for companies that invest in their compliance programs:

Risk Management: Robust compliance programs help prevent potential compliance issues before they occur. Further, early detection of potential violations allows for timely intervention, remediation, and disclosure, if necessary.
Informed Decision-Making: Companies are better positioned to make strategic business decisions with a strong compliance foundation. This includes evaluating and responding to potential enforcement-related situations.
Long-Term Business Integrity: Maintaining high compliance standards fosters a culture of ethical business practices, which can enhance a company’s reputation and promote stakeholder confidence.
Adaptability to Regulatory Changes: A well-designed and effective compliance program is more easily adaptable to shifting regulatory landscapes and emerging risks, enabling companies to more efficiently respond to new enforcement trends.

Takeaway
Regardless of the DOJ’s FCPA enforcement priorities shifting, companies will continue to meaningfully benefit from maintaining and investing in their compliance programs. Further, the Directive does not impact SEC enforcement of FCPA violations; in other words, issuers that fall under the SEC’s jurisdiction will need to continue to comply with the FCPA regardless of DOJ’s shift in FCPA enforcement focus. Moreover, the applicable statute of limitations for FCPA violations generally extends beyond the current administration. Ultimately, companies would be well advised to continue to ensure that their compliance programs are effective and well-resourced in order to mitigate risks.

Key Takeaways on New U.S. Tariffs on Canada, China and Mexico Imports

On Feb. 1, 2025, the White House published new executive orders imposing tariffs on goods imported from Canada, Mexico and China, citing the national security threats posed by illegal immigration and drugs and invoking statutory authority under the International Emergency Economic Powers Act (IEEPA).
Specifically, the executive orders impose a 10 percent tariff on imports from China and a 25 percent tariff on imports from Mexico and Canada, excluding Canadian energy imports, which will carry a 10 percent tariff. Below are initial highlights from the orders and from the Federal Register notices published shortly after the orders:

The effective date and time of the tariff actions is on or after 12:01 a.m. Eastern time on Feb. 4, 2025, except for tariffs on Mexico and Canada, which have been deferred for one month, until March 4, 2025.
The IEEPA tariffs appear to cover every imported commodity from Canada, Mexico, and China, with the exception of limited statutory exclusions on personal communications, donated articles, informational materials (e.g., certain publications, films, and artwork), and transactions ordinarily incident to travel
The executive orders are silent on whether there will be a product exclusion process, akin to the exclusions for Section 301 and Section 232 tariffs
The executive orders include a retaliation clause that should Canada/Mexico/China retaliate against the U.S. in response (i.e. tariffs on U.S. exports), then the “President may increase or expand in scope the duties imposed under this Executive Order to ensure the efficacy of this action.” 
Drawback (refund) claims and the $800 de minimis exclusion are not available under these IEEPA tariffs

In a prior post on potential tariffs, we had noted the possible use of IEEPA to impose immediate tariffs. No president has used IEEPA to impose tariffs, although President Richard Nixon used a predecessor statute to IEEPA to impose a 10 percent tariff on all imports in 1971.
What does this all mean, and what is next for importers and stakeholders affected by these tariffs? Below are a few issues and questions to keep in mind:

What exactly will be the U.S. response to the announcement of retaliatory measures? Canada announced tariffs of 25 percent on $155 billion worth of American goods. These tariffs target products such as orange juice, peanut butter, wine, spirits, beer, coffee, appliances, apparel, footwear, motorcycles, cosmetics, and pulp and paper. Mexico initially announced plans to impose retaliatory measures. But since that time, Mexico and Canada have agreed to take action at the border, resulting in a one-month deferral of the application of IEEPA duties against Mexico and Canada and suspension of any reciprocal tariffs.
IEEPA tariffs on China are 10 percent, but these are on top of existing Section 301 tariffs that are 25 percent on most goods from China. Interestingly, there will now be a smaller group of products from China that are subject to lower Section 301 duties (List 4A, 7.5 percent) or even no Section 301 duties. Thus, if the suspended Canada and Mexico tariffs ultimately go into effect, imports of those products from China may actually be subject to lower duties than imports of the same products from Canada and Mexico.
For China, the Federal Register is silent on the applicable rule of origin, although it is anticipated that “substantial transformation” will be the applicable rule. For Canada, there will actually be two applicable rules of origin for IEEPA tariffs – USMCA marking rules of origin and the “substantial transformation” legal standard. This will have particularly interesting implications for importers of goods produced in Canada from Chinese-origin materials. Indeed, an FAQ released by the White House states that IEEPA tariffs will be in addition to any other tariffs imposed under other authorities.

Tayo Osuntogun, Michelle Rosario, and Yusra Siddique contributed to this article.

It Lives: Trump Administration Defends Corporate Transparency Act; May Modify its Application

On February 5, 2025, the Trump administration added a new chapter to the saga that has been implementation of the Corporate Transparency Act (CTA), filing a notice of appeal and motion for stay against an Eastern District of Texas injunction in Smith v. United States Department of the Treasury on enforcement of the CTA’s filing deadline.
In its filing, the Treasury Department stated that it would extend the filing deadline for 30 days if the stay is granted, and would use those 30 days to determine whether lower-risk categories of entities should be excluded from the reach of the filing requirements. In light of the Supreme Court’s stay of the injunction in Texas Top Cop Shop, Inc., et al. v. Merrick Garland, et al., also from the Eastern District of Texas, it is likely that the stay will be granted.
Passed in the first Trump administration but implemented during the Biden presidency, the CTA – an anti-money laundering law designed to combat terrorist financing, seize proceeds of drug trafficking, and root out illicit assets of sanctioned parties and foreign criminals in the United States – has faced legal challenges around the country.
The constitutionality of the CTA was challenged in several cases, with most courts upholding the law, but some issuing either preliminary injunctions or determining that the law is unconstitutional. In addition to the appeals of Texas Top Cop Shop and Smith, both before the Fifth Circuit, appeals are currently pending in the Fourth, Ninth, and Eleventh Circuits.
Although enforcement of the CTA deadline is currently paused, the granting of a stay in Smith, or a ruling by one of the circuits, could reinstate the deadline at any time, triggering the start of the 30-day clock to file. Entities may file now notwithstanding the injunction if they choose to do so, and entities may wish to complete the filing so that they do not need to monitor the situation and to avoid high traffic to the filing website in the event a deadline is reimposed.
Please note that if you file or have already filed and the law is ultimately found unconstitutional or otherwise overturned or rescinded, you will not be under any continuing obligation regarding that filing.
Entities can, of course, choose not to file or not to keep filings updated. However, be aware that, in addition to the potential need to file on short notice should the preliminary injunction be limited, stayed, or overturned, financial institutions may inquire as to whether the entity has filed under the CTA and could require filing as part of the financial institution’s anti-money laundering program.

Colorado’s AI Task Force Proposes Updates to State’s AI Law

Stemming from Colorado’s Concerning Consumer Protections in Interactions with Artificial Intelligence Systems Act (the Act), which will impose obligations on developers and deployers of artificial intelligence (AI), the Colorado Artificial Intelligence Impact Task Force recently issued a report outlining potential areas where the Act can be “clarified, refined[,] and otherwise improved.”
The Task Force’s mission is to review issues related to AI and automated detection systems (ADS) affecting consumers and employees. The Task Force met on several occasions and prepared a report summarizing its findings, which recommend that the legislature:

Revise the Act’s definition of the types of decisions that qualify as “consequential decisions,” as well as the definition of “algorithmic discrimination,” “substantial factor,” and “intentional and substantial modification;”
Revamp the list of exemptions to what qualifies as a “covered decision system;”
Change the scope of the information and documentation that developers must provide to deployers;
Update the triggering events and timing for impact assessments as well as changes to the requirements for deployer risk management programs;
Possible replacement of the duty of care standard for developers and deployers (i.e., consider whether such standard should be more or less stringent);
Consider whether to minimize or expand the small business exemption (the current exemption under the Act is for businesses with less than 50 employees);
Consider whether businesses should be provided a cure period for certain types of non-compliance before Attorney General enforcement under the Act; and,
Revise the trade secret exemptions and provisions related to a consumer’s right to appeal.

As of today, the requirements for AI developers and deployers under the Act go into effect on February 1, 2026. However, the Task Force recommends reconsidering the law’s implementation timing. We will continue to track this first-of-its-kind AI law. 

The BR Privacy & Security Download: February 2025

STATE & LOCAL LAWS & REGULATIONS
New York Legislature Passes Comprehensive Health Privacy Law: The New York state legislature passed SB-929 (the “Bill”), providing for the protection of health information. The Bill broadly defines “regulated health information” as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Regulated health information includes location and payment information, as well as inferences derived from an individual’s physical or mental health. The term “individual” is not defined. Accordingly, the Bill contains no terms restricting its application to consumers acting in an individual or household context. The Bill would apply to regulated entities, which are entities that (1) are located in New York and control the processing of regulated health information, or (2) control the processing of regulated health information of New York residents or individuals physically present in New York. Among other things, the Bill would restrict regulated entities to processing regulated health information only with a valid authorization, or when strictly necessary for certain specified activities. The Bill also provides for individual rights and requires the implementation of reasonable administrative, physical, and technical safeguards to protect regulated health information. The Bill would take effect one year after being signed into law and currently awaits New York Governor Kathy Hochul’s signature.
New York Data Breach Notification Law Updated: Two bills, SO2659 and SO2376, that amended the state’s data breach notification law were signed into law by New York Governor Kathy Hochul. The bills change the timing requirement within which notice must be provided to New York residents, add data elements to the definition of “private information,” and add the New York Department of Financial Services to the list of regulators that must be notified. Previously, New York’s data breach notification statute did not have a hard deadline within which notice must be provided. The amendments now require affected individuals to be notified no later than 30 days after discovery of the breach, except for delays arising from the legitimate needs of law enforcement. Additionally, as of March 25, 2025, “private information” subject to the law’s notification requirements will include medical information and health insurance information.
California AG Issues Legal Advisory on Application of California Law to AI: California’s Attorney General has issued legal advisories to clarify that existing state laws apply to AI development and use, emphasizing that California is not an AI “wild west.” These advisories cover consumer protection, civil rights, competition, data privacy, and election misinformation. AI systems, while beneficial, present risks such as bias, discrimination, and the spread of disinformation. Therefore, entities that develop or use AI must comply with all state, federal, and local laws. The advisories highlight key laws, including the Unfair Competition Law and the California Consumer Privacy Act. The advisories also highlight new laws effective on January 1, 2025, which include disclosure requirements for businesses, restrictions on the unauthorized use of likeness, and regulations for AI use in elections and healthcare. These advisories stress the importance of transparency and compliance to prevent harm from AI.
New Jersey AG Publishes Guidance on Algorithmic Discrimination: On January 9, 2025, New Jersey’s Attorney General and Division on Civil Rights announced a new civil rights and technology initiative to address the risks of discrimination and bias-based harassment in AI and other advanced technologies. The initiative includes the publication of a Guidance Document, which addresses the applicability of New Jersey’s Law Against Discrimination (“LAD”) to automated decision-making tools and technologies. It focuses on the threats posed by automated decision-making technologies in the housing, employment, healthcare, and financial services contexts, emphasizing that the LAD applies to discrimination regardless of the technology at issue. Also included in the announcement is the launch of a new Civil Rights Innovation lab, which “will aim to leverage technology responsibly to advance [the Division’s] mission to prevent, address, and remedy discrimination.” The Lab will partner with experts and relevant industry stakeholders to identify and develop technology to enhance the Division’s enforcement, outreach, and public education work, and will develop protocols to facilitate the responsible deployment of AI and related decision-making technology. This initiative, along with the recently effective New Jersey Data Protection Act, shows a significantly increased focus from the New Jersey Attorney General on issues relating to data privacy and automated decision-making technologies.
New Jersey Publishes Comprehensive Privacy Law FAQs: The New Jersey Division of Consumer Affairs Cyber Fraud Unit (“Division”) published FAQs that provide a general summary of the New Jersey Data Privacy Law (“NJDPL”), including its scope, key definitions, consumer rights, and enforcement. The NJDPL took effect on January 15, 2025, and the FAQs state that controllers subject to the NJDPL are expected to comply by such date. However, the FAQs also emphasize that until July 1, 2026, the Division will provide notice and a 30-day cure period for potential violations. The FAQs also suggest that the Division may adopt a stricter approach to minors’ privacy. While the text of the NJDPL requires consent for processing the personal data of consumers between the ages of 13 and 16 for purposes of targeted advertising, sale, and profiling, the FAQs state that when a controller knows or willfully disregards that a consumer is between the ages of 13 and 16, consent is required to process their personal data more generally.
CPPA Extends Formal Comment Period for Automated Decision-Making Technology Regulations: The California Privacy Protection Agency (“CPPA”) extended the public comment period for its proposed regulations on cybersecurity audits, risk assessments, automated decision-making technology (“ADMT”), and insurance companies under the California Privacy Rights Act. The public comment period opened on November 22, 2024, and was set to close on January 14, 2025. However, due to the wildfires in Southern California, the public comment period was extended to February 19, 2025. The CPPA will also be holding a public hearing on that date for interested parties to present oral and written statements or arguments regarding the proposed regulations.
Oregon DOJ Publishes Toolkit for Consumer Privacy Rights: The Oregon Department of Justice announced the release of a new toolkit designed to help Oregonians protect their online information. The toolkit is designed to help families understand their rights under the Oregon Consumer Privacy Act. The Oregon DOJ reminded consumers how to submit complaints when businesses are not responsive to privacy rights requests. The Oregon DOJ also stated it has received 118 complaints since the Oregon Consumer Privacy Act took effect last July and had sent notices of violation to businesses that have been identified as non-compliant.
California, Colorado, and Connecticut AGs Remind Consumers of Opt-Out Rights: California Attorney General Rob Bonta published a press release reminding residents of their right to opt out of the sale and sharing of their personal information. The California Attorney General also cited the robust privacy protections of Colorado and Connecticut laws that provide for similar opt-out protections. The press release urged consumers to familiarize themselves with the Global Privacy Control (“GPC”), a browser setting or extension that automatically signals to businesses that they should not sell or share a consumer’s personal information, including for targeted advertising. The Attorney General also provided instructions for the use of the GPC and for exercising opt-outs by visiting the websites of individual businesses.

FEDERAL LAWS & REGULATIONS
FTC Finalizes Updates to COPPA Rule: The FTC announced the finalization of updates to the Children’s Online Privacy Protection Rule (the “Rule”). The updated Rule makes a number of changes, including requiring opt-in consent to engage in targeted advertising to children and to disclose children’s personal information to third parties. The Rule also adds biometric identifiers to the definition of personal information and prohibits operators from retaining children’s personal information for longer than necessary for the specific documented business purposes for which it was collected. Operators must maintain a written data retention policy that documents the business purpose for data retention and the retention period for data. The Commission voted 5-0 to adopt the Rule, but new FTC Chair Andrew Ferguson filed a separate statement describing “serious problems” with the rule. Ferguson specifically stated that it was unclear whether an entirely new consent would be required if an operator added a new third party with whom personal information would be shared, potentially creating a significant burden for businesses. The Rule will be effective 60 days after its publication in the Federal Register.
Trump Rescinds Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence: President Donald Trump took action to rescind former President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“AI EO”). According to a Biden administration statement released in October, many action items from the AI EO have already been completed. Recommendations, reports, and opportunities for research that were completed prior to revocation of the AI EO may continue in place unless replaced by additional federal agency action. It remains unclear whether the Trump Administration will issue its own executive orders relating to AI.
U.S. Justice Department Issues Final Rule on Transfer of Sensitive Personal Data to Foreign Adversaries: The U.S. Justice Department issued final regulations to implement a presidential Executive Order regarding access to bulk sensitive personal data of U.S. citizens by foreign adversaries. The regulations restrict transfers involving designated countries of concern – China, Cuba, Iran, North Korea, Russia, and Venezuela. At a high level, transfers are restricted if they could result in bulk sensitive personal data access by a country of concern or a “covered person,” which is an entity that is majority-owned by a country of concern, organized under the laws of a country of concern, has its principal place of business in a country of concern, or is an individual whose primary residence is in a country of concern. Data covered by the regulation includes precise geolocation data, biometric identifiers, genetic data, health data, financial data, government-issued identification numbers, and certain other identifiers, including device or hardware-based identifiers, advertising identifiers, and demographic or contact data.
First Complaint Filed Under Protecting Americans’ Data from Foreign Adversaries Act: The Electronic Privacy Information Center (“EPIC”) and the Irish Council for Civil Liberties (“ICCL”) Enforce Unit filed the first-ever complaint under the Protecting Americans’ Data from Foreign Adversaries Act (“PADFAA”). PADFAA makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, or otherwise make available specified personally identifiable sensitive data of individuals residing in the United States to North Korea, China, Russia, Iran, or an entity controlled by one of those countries. The complaint alleges that Google’s real-time bidding system data includes personally identifiable sensitive data, that Google executives were aware that data from its real-time bidding system may have been resold, and that Google’s public list of certified companies that receive real-time bidding bid request data includes multiple companies based in foreign adversary countries.
FDA Issues Draft Guidance for AI-Enabled Device Software Functions: The U.S. Food and Drug Administration (“FDA”) published its January 2025 Draft Guidance for Industry and FDA Staff regarding AI-enabled device software functionality. The Draft provides recommendations regarding the contents of marketing submissions for AI-enabled medical devices, including documentation and information that will support the FDA’s evaluation of their safety and effectiveness. The Draft Guidance is designed to reflect a “comprehensive approach” to the management of devices through their total product life cycle and includes recommendations for the design, development, and implementation of AI-enabled devices. The FDA is accepting comments on the Draft Guidance, which may be submitted online until April 7, 2025.
Industry Coalition Pushes for Unified National Data Privacy Law: A coalition of over thirty industry groups, including the U.S. Chamber of Commerce, sent a letter to Congress urging it to enact a comprehensive national data privacy law. The letter highlights the urgent need for a cohesive federal standard to replace the fragmented state laws that complicate compliance and stifle competition. The letter advocates for legislation based on principles to empower startups and small businesses by reducing costs and improving consumer access to services. The letter supports granting consumers the right to understand, correct, and delete their data, and to opt out of targeted advertising, while emphasizing transparency by requiring companies to disclose data practices and secure consent for processing sensitive information. It also focuses on the principles of limiting data collection to essential purposes and implementing robust security measures. While the principles aim to override strong state laws like that in California, the proposal notably excludes data broker regulation, a previous point of contention. The coalition cautions against legislation that could lead to frivolous litigation, advocating for balanced enforcement and collaborative compliance. By adhering to these principles, the industry groups seek to ensure legal certainty and promote responsible data use, benefiting both businesses and consumers.
Cyber Trust Mark Unveiled: The White House launched a labeling scheme for internet-of-things devices designed to inform consumers when devices meet certain government-determined cybersecurity standards. The program has been in development for several months and involves collaboration between the White House, the National Institute of Standards and Technology, and the Federal Communications Commission. UL Solutions, a global safety and testing company headquartered in Illinois, has been selected as the lead administrator of the program along with 10 other firms as deputy administrators. With the main goal of helping consumers make more cyber-secure choices when purchasing products, the White House hopes to have products with the new cyber trust mark hit shelves before the end of 2025.

U.S. LITIGATION
Texas Attorney General Sues Insurance Company for Unlawful Collection and Sharing of Driving Data: Texas Attorney General Ken Paxton filed a lawsuit against Allstate and its data analytics subsidiary, Arity. The lawsuit alleges that Arity paid app developers to incorporate its software development kit that tracked location data from over 45 million consumers in the U.S. According to the lawsuit, Arity then shared that data with Allstate and other insurers, who would use the data to justify increasing car insurance premiums. The sale of precise geolocation data of Texans violated the Texas Data Privacy and Security Act (“TDPSA”) according to the Texas Attorney General. The TDPSA requires the companies to provide notice and obtain informed consent to use the sensitive data of Texas residents, which includes precise geolocation data. The Texas Attorney General sued General Motors in August of 2024, alleging similar practices relating to the collection and sale of driver data. 
Eleventh Circuit Overturns FCC’s One-to-One Consent Rule, Upholds Broader Telemarketing Practices: In Insurance Marketing Coalition, Ltd. v. Federal Communications Commission, No. 24-10277, 2025 WL 289152 (11th Cir. Jan. 24, 2025), the Eleventh Circuit vacated the FCC’s one-to-one consent rule under the Telephone Consumer Protection Act (“TCPA”). The court found that the rule exceeded the FCC’s authority and conflicted with the statutory meaning of “prior express consent.” The court deemed the rule’s requirement of separate consent for each seller and for each topically related call unnecessary under the statute. This decision allows businesses to continue using broader consent practices, maintaining shared consent agreements. The ruling emphasizes that consent should align with common-law principles rather than be restricted to a single entity. While the FCC’s next steps remain uncertain, the decision reduces compliance burdens and may challenge other TCPA regulations.
California Judge Blocks Enforcement of Social Media Addiction Law: The California Protecting Our Kids from Social Media Addiction Act (the “Act”) has been temporarily blocked. The Act was set to take effect on January 1, 2025. The law aims to prevent social media platforms from using algorithms to provide addictive content to children. Judge Edward J. Davila initially declined to block key parts of the law but agreed to pause enforcement until February 1, 2025, to allow the Ninth Circuit to review the case. NetChoice, a tech trade group, is challenging the law on First Amendment grounds. NetChoice argues that restricting minors’ access to personalized feeds violates the First Amendment. The group has appealed to the Ninth Circuit and is seeking an injunction to prevent the law from taking effect. Judge Davila’s decision recognized the “novel, difficult, and important” constitutional issues presented by the case. The law includes provisions to restrict minors’ access to personalized feeds, limit their ability to view likes and other feedback, and restrict third-party interaction.

U.S. ENFORCEMENT
FTC Settles Enforcement Action Against General Motors for Sharing Geolocation and Driving Behavior Data Without Consent: The Federal Trade Commission (“FTC”) announced a proposed order to settle FTC allegations against General Motors that it collected, used, and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles without adequately notifying consumers and obtaining their affirmative consent. The FTC specifically alleged General Motors used a misleading enrollment process to get consumers to sign up for its OnStar connected vehicle service and Smart Driver feature without proper notice or consent during that process. The information was then sold to third parties, including consumer reporting agencies, according to the FTC. As part of the settlement, General Motors will be prohibited from disclosing driver data to consumer reporting agencies, required to allow consumers to obtain and delete their data, required to obtain consent prior to collection, and required to allow consumers to limit data collected from their vehicles.
FTC Releases Proposed Order Against GoDaddy for Alleged Data Security Failures: The Federal Trade Commission (“FTC”) announced it has reached a proposed settlement in its action against GoDaddy Inc. (“GoDaddy”) for failing to implement reasonable and appropriate security measures, which resulted in several major data breaches between 2019 and 2022. According to the FTC’s complaint, GoDaddy misled customers about its data security practices, through claims on its websites and in email and social media ads, and by representing it was in compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. However, the FTC found that GoDaddy failed to inventory and manage assets and software updates, assess risks to its shared hosting services, adequately log and monitor security-related events, and segment its shared hosting from less secure environments. The FTC’s proposed order against GoDaddy prohibits GoDaddy from misleading its customers about its security practices and requires GoDaddy to implement a comprehensive information security program. GoDaddy must also hire a third-party assessor to conduct biennial reviews of its information security program.
CPPA Reaches Settlements with Additional Data Brokers: Following its announcement of a public investigative sweep of data broker registration compliance, the CPPA has settled with additional data brokers PayDae, Inc. d/b/a Infillion (“Infillion”), The Data Group, LLC (“The Data Group”), and Key Marketing Advantage, LLC (“KMA”) for failing to register as a data broker and pay an annual fee as required by California’s Delete Act. Infillion will pay $54,200 for failing to register between February 1, 2024, and November 4, 2024. The Data Group will pay $46,600 for failing to register between February 1, 2024, and September 20, 2024. KMA will pay $55,800 for failing to register between February 1, 2024, and November 5, 2024. In addition to the fines, the companies have agreed to injunctive terms. The Delete Act imposes fines of $200 per day for failing to register by the deadline.
Mortgage Company Fined by State Financial Regulators for Cybersecurity Breach: Bayview Asset Management LLC and three affiliates (collectively, “Bayview”) agreed to pay a $20 million fine and improve their cybersecurity programs to settle allegations from 53 state financial regulators. The Conference of State Bank Supervisors (“CSBS”) alleged that the mortgage companies had deficient cybersecurity practices and did not fully cooperate with regulators after a 2021 data breach. The data breach compromised data for 5.8 million customers. The coordinated enforcement action was led by financial regulators in California, Maryland, North Carolina, and Washington State. The regulators said the companies’ information technology and cybersecurity practices did not meet federal or state requirements. The firms also delayed the supervisory process by withholding requested information and providing redacted documents in the initial stages of a post-breach exam. The companies also agreed to undergo independent assessments and provide three years of additional reporting to the state regulators.
SEC Reaches Settlement over Misleading Cybersecurity Disclosures: The SEC announced it has settled charges with Ashford Inc., an asset management firm, over misleading disclosures related to a cybersecurity incident. This enforcement action stemmed from a ransomware attack in September 2023, compromising over 12 terabytes of sensitive hotel customer data, including driver’s licenses and credit card numbers. Despite the breach, Ashford falsely reported in its November 2023 filings that no customer information was exposed. The SEC alleged negligence in Ashford’s disclosures, citing violations of the Securities Act of 1933 and the Exchange Act of 1934. Without admitting or denying the allegations, Ashford agreed to a $115,231 penalty and an injunction. This case highlights the critical importance of accurate cybersecurity disclosures and demonstrates the SEC’s commitment to ensuring transparency and accountability in corporate reporting.
FTC Finalizes Data Breach-Related Settlement with Marriott: The FTC has finalized its order against Marriott International, Inc. (“Marriott”) and its subsidiary Starwood Hotels & Resorts Worldwide LLC (“Starwood”). As previously reported, the FTC entered into a settlement with Marriott and Starwood for three data breaches the companies experienced between 2014 and 2020, which collectively impacted more than 344 million guest records. Under the finalized order, Marriott and Starwood are required to establish a comprehensive information security program, implement a policy to retain personal information only for as long as reasonably necessary, and establish a link on their website for U.S. customers to request deletion of their personal information associated with their email address or loyalty rewards account number. The order also requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points. The companies are further prohibited from misrepresenting their information collection practices and data security measures.
New York Attorney General Settles with Auto Insurance Company over Data Breach: The New York Attorney General settled with automobile insurance company, Noblr, for a data breach the company experienced in January 2021. Noblr’s online insurance quoting tool exposed full, plaintext driver’s license numbers, including on the backend of its website and in PDFs generated when a purchase was made. The data breach impacted the personal information of more than 80,000 New Yorkers. The data breach was part of an industry-wide campaign to steal personal information (e.g., driver’s license numbers and dates of birth) from online automobile insurance quoting applications to be used to file fraudulent unemployment claims during the COVID-19 pandemic. As part of its settlement, Noblr must pay the New York Attorney General $500,000 in penalties and strengthen its data security measures such as by enhancing its web application defenses and maintaining a comprehensive information security program, data inventory, access controls (e.g., authentication procedures), and logging and monitoring systems.
FTC Alleges Video Game Maker Violated COPPA and Engaged in Deceptive Marketing Practices: The Federal Trade Commission (“FTC”) has taken action against Cognosphere Pte. Ltd and its subsidiary Cognosphere LLC, also known as HoYoverse, the developer of the game Genshin Impact (“HoYoverse”). The FTC alleges that HoYoverse violated the Children’s Online Privacy Protection Act (“COPPA”) and engaged in deceptive marketing practices. Specifically, the company is accused of unfairly marketing loot boxes to children and misleading players about the odds of winning prizes and the true cost of in-game transactions. To settle these charges, HoYoverse will pay a $20 million fine and is prohibited from allowing children under 16 to make in-game purchases without parental consent. Additionally, the company must provide an option to purchase loot boxes directly with real money and disclose loot box odds and exchange rates. HoYoverse is also required to delete personal information collected from children under 13 without parental consent. The FTC’s actions aim to protect consumers, especially children and teens, from deceptive practices related to in-game purchases.
OCR Finalizes Several Settlements for HIPAA Violations: Prior to the inauguration of President Trump, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) brought enforcement actions against four entities, USR Holdings, LLC (“USR”), Elgon Information Systems (“Elgon”), Solara Medical Supplies, LLC (“Solara”), and Northeast Surgical Group, P.C. (“NESG”), for potential violations of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Security Rule due to the data breaches the entities experienced. USR reported that between August 23, 2018, and December 8, 2018, a database containing the electronic protected health information (“ePHI”) of 2,903 individuals was accessed by an unauthorized third party who was able to delete the ePHI in the database. Elgon and NESG each discovered a ransomware attack in March 2023, which affected the protected health information (“PHI”) of approximately 31,248 individuals and 15,298 individuals, respectively. Solara experienced a phishing attack that allowed an unauthorized third party to gain access to eight of Solara’s employees’ email accounts between April and June 2019, resulting in the compromise of 114,007 individuals’ ePHI. As part of their settlements, each of the entities is required to pay a fine to OCR: USR $337,750, Elgon $80,000, Solara $3,000,000, and NESG $10,000. Additionally, each of the entities is required to implement certain data security measures such as conducting a risk analysis, implementing a risk management plan, maintaining written policies and procedures to comply with HIPAA, and distributing such policies or providing training on such policies to its workforce.
Virginia Attorney General Sues TikTok for Addictive Features and Allowing Chinese Government to Access Data: Virginia Attorney General Jason Miyares announced his office had filed a lawsuit against TikTok and ByteDance Ltd, the Chinese-based parent company of TikTok. The lawsuit alleges that TikTok was intentionally designed to be addictive for adolescent users and that the company deceived parents about TikTok content, including by claiming the app is appropriate for children over the age of 12, in violation of the Virginia Consumer Protection Act.

INTERNATIONAL LAWS & REGULATIONS
UK ICO Publishes Guidance on Pay or Consent Model: On January 23, the UK’s Information Commissioner’s Office (“ICO”) published its Guidance for Organizations Implementing or Considering Implementing Consent or Pay Models. The guidance is designed to clarify how organizations can deploy ‘consent or pay’ models in a manner that gives users meaningful control over the privacy of their information while still supporting their economic viability. The guidance addresses the requirements of applicable UK laws, including PECR and the UK GDPR, and provides extensive guidance as to how appropriate fees may be calculated and how to address imbalances of power. The guidance includes a set of factors that organizations can use to assess their consent models and includes plans to further engage with online consent management platforms, which are typically used by businesses to manage the use of essential and non-essential online trackers. Businesses with operations in the UK should carefully review their current online tracker consent management tools in light of this new guidance.
EU Commission to Pay Damages for Sending IP Address to Meta: The European General Court has ordered the European Commission to pay a German citizen, Thomas Bindl, €400 in damages for unlawfully transferring his personal data to the U.S. This decision sets a new precedent regarding EU data protection litigation. The court found that the Commission breached data protection regulations by operating a website with a “sign in with Facebook” option. This resulted in Bindl’s IP address, along with other data, being transferred to Meta without ensuring adequate safeguards were in place. The transfer happened during the transition period between the EU-U.S. Privacy Shield and the EU-U.S. Data Protection Framework. The court determined that this left Bindl in a position of uncertainty about how his data was being processed. The ruling is significant because it recognizes “intrinsic harm” and may pave the way for large-scale collective redress actions.
European Data Protection Board Releases AI Bias Assessment and Data Subject Rights Tools: The European Data Protection Board (“EDPB”) released two AI tools as part of the AI: Complex Algorithms and Effective Data Protection Supervision Project. The EDPB launched the project in the context of the Support Pool of Experts program at the request of the German Federal Data Protection Authority. The Support Pool of Experts program aims to help data protection authorities increase their enforcement capacity by developing common tools and giving them access to a wide pool of experts. The new documents address best practices for bias evaluation and the effective implementation of data subject rights, specifically the rights to rectification and erasure when AI systems have been developed with personal data.
European Data Protection Board Adopts New Guidelines on Pseudonymization: The EDPB released new guidelines on pseudonymization for public consultation (the “Guidelines”). Although pseudonymized data still constitutes personal data under the GDPR, pseudonymization can reduce the risks to the data subjects by preventing the attribution of personal data to natural persons in the course of the processing of the data, and in the event of unauthorized access or use. In certain circumstances, the risk reduction resulting from pseudonymization may enable controllers to rely on legitimate interests as the legal basis for processing personal data under the GDPR, provided they meet the other requirements, or help guarantee an essentially equivalent level of protection for data they intend to export. The Guidelines provide real-world examples illustrating the use of pseudonymization in various scenarios, such as internal analysis, external analysis, and research.
CJEU Issues Ruling on Excessive Data Subject Requests: On January 9, the Court of Justice of the European Union (“CJEU”) issued its ruling in the case Österreichische Datenschutzbehörde (C‑416/23). The primary question before the Court was when a European data protection authority may deny consumer requests due to their excessive nature. Rather than specifying an arbitrary numerical threshold of requests received, the CJEU found that authorities must consider the relevant facts to determine whether the individual submitting the request has “an abusive intention.” While the number of requests submitted may be a factor in determining this intention, it is not the only factor. Additionally, the CJEU emphasized that Data Protection Authorities should strongly consider charging a “reasonable fee” for handling requests they suspect may be excessive prior to simply denying them.
Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganz, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Tianmei Ann Huang, Adam J. Landy, Amanda M. Noonan, and Karen H. Shin contributed to this article.