Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident
In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government agencies and private sector) that rely on third-party cloud service providers (“CSPs”).
The Incident
In a December 30, 2024 letter, Treasury Officials notified lawmakers of a “major incident” in which Chinese state-sponsored hackers stole Treasury documents. The letter explained that on December 8, 2024, the Treasury Department was notified by BeyondTrust, a CSP responsible for providing remote technical support to Treasury Departmental Offices (“DO”), that a threat actor had gained unauthorized access to a key used by BeyondTrust to secure its cloud service. With the stolen key, the threat actor was able to bypass security protocols to remotely access specific Treasury DO workstations, potentially exposing unclassified documents maintained by the users of those systems.
Interestingly, BeyondTrust holds a security authorization under the Federal Risk and Authorization Management Program (“FedRAMP”). FedRAMP is a government program designed to ensure that CSPs meet rigorous security requirements for the handling of federal data and includes similarly rigorous continuous monitoring and reporting requirements. BeyondTrust’s authorization indicates that it met these requirements.
However, this breach illustrates a critical point: meeting government security requirements does not guarantee immunity from security incidents. Cybersecurity threats are constantly evolving, and no system—no matter how secure it may seem at a particular moment—can be completely free from risk. Organizations must remain continuously vigilant and proactive, even those that have been cleared through rigorous government-imposed security standards like FedRAMP.
Key Takeaways for Organizations Relying on Third-Party CSPs
Government Security Standards Are Not a Guarantee Against Breaches: While government security certifications such as FedRAMP provide an important benchmark for evaluating third-party vendors, they should not be seen as a one-and-done solution. Security threats are dynamic and evolve rapidly, meaning that entities must remain vigilant and continuously evaluate and update their security protocols. This particular incident serves as an important reminder that security is a continual process, not a final checkbox.
Thorough Vetting of Third-Party Providers Is Essential: The Treasury Department incident is also a reminder of the importance of thorough, ongoing vetting of third-party CSPs. Simply confirming a CSP’s compliance with FedRAMP (or other security standards) should not be the end of the due diligence process. Entities must assess whether their third-party providers have robust security measures in place, including continuous monitoring, rapid incident response protocols, and regular updates to their security infrastructure. This is especially important when the service provider holds access to critical systems or sensitive data.
Collaboration and Transparency Are Critical in the Event of a Breach: BeyondTrust’s prompt notification to the Treasury Department highlights the importance of transparency and communication between service providers and their clients when an incident occurs. Quick and clear communication can help mitigate the damage from a breach and allow organizations to respond more effectively. It also underscores the importance of ensuring that third-party vendors have comprehensive and well-practiced incident response protocols in place.
Conclusion
The recent breach of the Treasury Department’s technical support systems, facilitated by a compromised security key from BeyondTrust, serves as an important reminder of the ever-present risks in the cybersecurity supply chain. While third-party CSPs, such as BeyondTrust, may meet rigorous government standards, meeting those standards reduces, but does not eliminate, risk.
Organizations must recognize that cybersecurity is not static, and the reliance on third-party providers necessitates thorough, ongoing risk assessments and proactive security measures. As cyber threats continue to evolve, so too must the strategies used to safeguard sensitive systems and data. Vetting CSPs should be a continuous process, and security should always be viewed as a shared responsibility between organizations and their third-party vendors.
Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern
On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions, and outlines trusted data flows for companies with overseas operations involving countries of concern, including IT infrastructure. The general effect of the rule is to close “front door” access to bulk sensitive personal data on U.S. persons and certain U.S.-government-related data. Until now—or rather, April 8, 2025, when the majority of the rule becomes effective—nefarious actors could procure sensitive data through legitimate business transactions.
We discussed the development of the new regulation in previous blogs (here and here), and the contours of the final rule are largely unchanged from the proposed rule. In this blog, we focus on some key clarifications and updates in the final rule. Then, we turn to what this final rule means for companies with operations in countries of concern and the questions every company with overseas IT infrastructure should be asking to know if these regulations might apply to them.
1. Updates in the Final Rule
There were no big surprises with the final rule, and it remains largely unchanged from the proposed rule. For the uninitiated, the rule prohibits or restricts a subset of covered transactions by U.S. persons involving covered data with covered persons.[1] The definitions of what is covered remain the same—even the bulk thresholds are the same as the proposed rule. However, below we highlight some of the key developments hidden among the minor clarifications and conforming edits.
1.1. Effective Date and Delayed Compliance Date. The rule sets an effective date of April 8, 2025 for every component of the rule except for specified compliance obligations. Those obligations, which include the due diligence and audit requirements from Subpart J and the reporting and recordkeeping requirements of Subpart K, do not require implementation until October 6, 2025. Those delayed compliance obligations do not encompass the security requirements for restricted transactions; thus, the cybersecurity requirements established by CISA should be in place before engaging in any restricted transaction after April 8, 2025.
1.2. Expanded Government-Related Location Data List. The final rule substantially expands the Government-Related Location Data List from the 8 locations in the proposed rule to 736 locations in the final rule. These additional locations consist of commonly known Department of Defense sites and installations, such as bases, camps, posts, stations, yards, centers, or homeport facilities for any ship, ranges, and training areas in the United States and its territories. In its discussion of this list, DOJ acknowledges that it plans to provide this list in a format that would be easy for developers to access and implement (e.g., .csv, .json).
1.3. New definition of human ‘omic data. The final rule creates a new sub-definition of “human genomic data” for “human ‘omic data,” which includes human epigenomic data, human proteomic data, and human transcriptomic data. Those three data categories have a bulk threshold of data on more than 1,000 U.S. persons.[2] These new definitions will have an impact on clinical and predictive research, particularly those implementing AI within their research.
2. Effects of the Regulation
As Assistant Attorney General Matthew Olsen said last year, this regulation is built like sanctions and export controls and is expected to have “real teeth.” Any U.S. company with operations in the identified countries of concern, particularly with overseas IT infrastructure, will need to have a conversation about whether this regulation will affect their business. Companies need to know and understand the following:
What data the company has or collects that might constitute sensitive personal data and/or Government-related data as defined in the regulations;
What business relationships and transactions allow access to the data;
Who internally has access to the data; and
What security measures are in place to protect that data.
For companies impacted by this regulation, those companies will also need to understand how this regulation operates differently from other DOJ regulations and data privacy regulations. Here, DOJ has availed itself of IEEPA penalties, and this regulation operates more like sanctions and export controls. This means the regulation is very compliance-focused as opposed to using case-by-case approaches like CFIUS or Team Telecom. While corporate compliance is a key component of DOJ strategy, as we have seen with the Civil Cyber Fraud Initiative, DOJ is not shying away from enforcement. Further, the FIRS has developed the skillset and prosecutorial experience for reviewing corporate compliance programs. All to say, companies should take the April 8 and October 6, 2025 deadlines seriously.
Finally, companies should understand how this regulation operates differently from other data-related regulations. Chiefly, this is not a privacy regulation; it is a national security regulation. For that reason, the focus is not on the collection of data, but rather on the subsequent sale and/or accessibility of that data. Also, the scope of what is covered data is more limited than what companies may come to expect with state privacy laws. Rather than capture all personally identifiable information (PII), this regulation is concerned with sensitive information. That is to say, information that could be exploitable. However, because the data captured by the regulation is a national security concern, there is no consent exemption, meaning companies cannot have customers opt-out of the regulation’s protection.
While the programmatic compliance requirements (i.e., due diligence, auditing, reporting and recordkeeping) are not required until Q4 of this year, the effective date, and beginning of potential enforcement, is right around the corner on April 8. Additionally, companies will still need to implement the CISA security requirements by April 8 if they intend to continue with restricted transactions. Still, companies should not delay in beginning to build out and implement their compliance programs.
FOOTNOTES
[1] For more details, see our Data, Deal, and Diplomacy, Part II blog.
[2] Human genomic data’s bulk threshold remains the same at more than 100 U.S. persons.
Part one and part two of this series.
FCPA Year in Review 2024

The Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) obtained over $1.28 billion in total fines and penalties related to Foreign Corrupt Practices Act (FCPA) violations in 2024, making it one of the top 10 highest grossing years with regard to enforcement penalties in the FCPA’s nearly 50-year history. Foreign governments and other branches of the U.S. government recovered an additional $400 million in global settlement amounts related to those FCPA enforcement actions. The U.S. government also announced charges against 19 individuals for FCPA and FCPA-related conduct.
Beyond the enforcement cases, the DOJ issued both new guidance and updates to existing guidance regarding its approach to corporate crime and its expectations surrounding corporate compliance efforts. The DOJ’s recent updates to its Evaluation of Corporate Compliance Program guidance focus on (1) the risks associated with emerging technology, such as AI; (2) the resource allocation and amount of access to data by the company’s compliance functions; (3) incentivizing whistleblowers; (4) the importance of post-acquisition compliance integration; and (5) ensuring companies incorporate lessons learned from misconduct. Furthermore, the DOJ launched a new pilot program for whistleblowers to report corporate misconduct and announced incentives for individuals who voluntarily self-disclose criminal conduct.
The following is a snapshot of 2024 FCPA enforcement:
Massachusetts Enhances Regulatory Oversight of Health Care Transactions on For-Profit and Private Equity Investments
Massachusetts has expanded regulatory oversight of health care transactions by imposing False Claims Act liability on health care owners and investors for changes including failure to disclose violations. On January 8, 2025, Governor Maura Healey signed into law H.5159, An Act enhancing the market review process (the Act). Among other matters, the Act aims to strengthen oversight of private equity investors and related entities in the health care industry, including the expansion of the investigatory and enforcement powers of the Massachusetts Attorney General as they relate to health care activities. The Act also intends to fill perceived gaps in regulatory oversight, which many view as contributors to the Steward Health Care bankruptcy and related hospital closures across Massachusetts, by directly addressing regulation of for-profit health care entities and private equity ownership.
The following Act provisions expand the authority of the Massachusetts Health Policy Commission (HPC), Center for Health Information and Analysis (CHIA), and Attorney General’s Office (AGO) to oversee private equity investors and related entities, including through expansions of HPC’s existing oversight authority and extension of the Commonwealth’s state False Claims Statute (MA FCA) to owners and investors of violators. The Act also contains myriad changes impacting the health care industry. It strengthens regulatory oversight over private equity, pharmacy benefit managers, real estate investment trusts (REITs), management service organizations (MSOs), and other industry participants.
Expansions of HPC and AGO authority under the Act:
Establish new definitions for entities involved in, or related to, private equity operations [1]:
“Health care real estate investment trust,” a real estate investment trust, as defined by 26 U.S.C § 856, whose assets consist of real property held in connection with the use or operations of a provider or provider organization.
“Private equity company,” any company that collects capital investments from individuals or entities and purchases, as a parent company or through another entity that the company completely or partially owns or controls, a direct or indirect ownership share of a provider, provider organization or management services organization; provided, however, that “private equity company” shall not include venture capital firms exclusively funding startups or other early-stage businesses.
“Significant equity investor,” (i) any private equity company with a financial interest in a provider, provider organization, or management services organization; or (ii) an investor, group of investors, or other entity with a direct or indirect possession of equity in the capital, stock, or profits totaling more than ten percent of a provider, provider organization, or management services organization; provided, however, that “significant equity investor” shall not include venture capital firms exclusively funding startups or other early-stage businesses.
“Management services organization,” a corporation that provides management or administrative services to a provider or provider organization for compensation.
Revise the composition, necessary expertise, and responsibility for appointments to the HPC Board [2]. While the Board will continue to consist of 11 members, the Commissioner of Insurance is now a required member, as are appointed individuals with expertise in representing hospitals and hospital systems and in health care innovation, including pharmaceuticals, biotechnology, or medical devices. However, the HPC will no longer require membership of the Secretary for Administration and Finance, a Primary Care Physician, and an individual with expertise as a health insurance purchaser representing management. Finally, the auditor is no longer responsible for appointments to the HPC Board; all members, other than the Secretary of Health and Human Services and Commissioner of Insurance, will now be appointed solely by the Governor or Attorney General. These changes may reflect a shift in priorities for regulatory oversight of hospital administration, health care innovation, and health care insurance.
Expand the HPC Notice of Material Change process [3]. As previously required, every provider or provider organization must provide notice of a “material change” not less than 60 days before the date of the proposed change.
The previous statutory Notice of Material Change reporting requirements only covered:
mergers or acquisitions of hospitals or hospital systems;
a corporate merger, acquisition or affiliation of a provider or provider organization and a carrier;
an acquisition of insolvent provider organizations; and
mergers or acquisitions of provider organizations which will result in a provider organization having a near-majority of market share in a given service or region [4].
The Act expands the above-referenced statute mandating the reporting of “material change” requiring notice to the applicable government agencies to also include the following as examples:
significant expansions in a provider or provider organization’s capacity;
transactions involving a significant equity investor which result in a change of ownership or control of a provider or provider organization;
significant acquisitions, sales, or transfers of assets including, but not limited to, real estate sale lease-back arrangements; and
conversion of a provider or provider organization from a non-profit entity to a for-profit entity.
The Act also changes the current material change reporting threshold for mergers or acquisitions of a provider organization: the standard is now whether the provider organization will have a “dominant market share in a given service or region,” rather than a “near-majority” of market share.
Adoption of implementing regulations. While the Act does not include financial thresholds for reporting, the Act does direct the HPC to adopt regulations for administering the section, conduct cost and market impact reviews, and allow filing thresholds to be adopted in the regulations, subject to annual adjustments based on inflation [5].
Expands the HPC Cost and Market Impact Review process as follows:
HPC may now require significant equity investors, as well as other parties involved, in a given transaction to submit documents and information in connection with a Notice of Material Change or Cost and Market Impact Review [6].
HPC may require submitting certain information regarding the significant equity investor’s capital structure, general financial condition, ownership and management structure, and audited financial statements.
HPC may require submitting certain post-transaction data and information for up to five years following the material change date. Such data collection significantly expands HPC’s authority and responsibilities, including the ability to assess post-transaction impacts.
Expands the factors HPC may consider as part of the Cost and Market Impact Review by also reviewing [7]:
the size and market share of any corporate affiliates or significant equity investors of the provider or provider organization;
the inventory of health care resources maintained by the DPH; and
any related data or reports from the Office of Health Resource Planning.
Expands the scope of the HPC’s examination of costs, prices, and cost trends, as follows [8]:
The HPC cost trends hearings will include an examination of any relevant impacts of significant equity investors, health care REITs, and MSOs on costs, prices, and cost trends. Stakeholders from these organizations associated with a provider organization will now be required to testify at the HPC’s annual cost trends hearing concerning: “health outcomes, prices charged to insurers and patients, staffing levels, clinical workflow, financial stability and ownership structure of an associated provider or provider organization, dividends paid out to investors, compensation including, but not limited to, base salaries, incentives, bonuses, stock options, deferred compensations, benefits and contingent payments to officers, managers and directors of provider organizations in the commonwealth acquired, owned or managed, in whole or in part, by said significant equity investors, health care real estate investment trusts or management services organizations.”
The HPC will utilize new data collected as part of the Registered Provider Organization process. The Act revised this process to require submissions from significant equity investors, health care real estate investment trusts, and management services organizations regarding ownership, governance, and organizational information.
Given the broad, sweeping nature of the changes, additional regulations and guidance should be expected.
[1] To be codified at MGL 6D, s. 1.
[2] To be codified at MGL 6D, s. 2.
[3] To be codified at MGL 6D, § 13.
[4] CITE TO EXISTING NMC FORM
[5] To be codified at MGL 6D, s. 13.
[6] To be codified at MGL 6D, s. 13.
[7] To be codified at MGL 6D, s. 13.
[8] To be codified at MGL 6D, ss. 8 and 11.
Pricing Considerations in the Aftermath of the California Wildfires
The devastating January 2025 wildfires in southern California prompted Governor Newsom to declare a state of emergency on January 7, 2025 for Los Angeles and Ventura counties. This triggered California laws around price gouging and pricing restrictions in the wake of the emergency. While other, overlapping states of emergency will impact how price restrictions are ultimately calculated and considered – including local emergencies, and a statewide emergency relating to the ongoing bird flu outbreak – the unprecedented scale of the wildfires will undoubtedly lead to increased scrutiny of pricing practices during the immediate aftermath, recovery and rebuilding.
The California Penal Code prohibits selling, or offering for sale, covered products at a price more than 10% greater than the price offered for that good in the 30 days prior to the declaration of an emergency. While application and enforcement of the pricing restrictions can be complex, the key considerations to keep in mind are these.
When did price restrictions go into effect? January 7, 2025. The price restrictions immediately go into effect when the President of the United States, the Governor of California, or a city/county executive officer declares a state of emergency.
When do they expire? This will be a moving target in some places. The price limitations typically stay in effect for 30 days after the emergency declaration date, subject to extensions. For repair or reconstruction services or any services used in emergency cleanup, these typically stay in effect for an initial period of 180 days. Specifically for Los Angeles County, Governor Newsom has already extended certain categories of pricing restrictions by executive order to remain in effect until January 7, 2026.
What is the price increase ceiling? 10% more than the price offered in the 30 days prior to the emergency declaration.
What if a seller starts selling a covered item only after a state of emergency is declared? That seller is prohibited from marking up the price of that item more than 50% of its costs.
Does this only apply to California-based businesses? No. The statute applies to all sellers, including manufacturers, wholesalers, individuals, distributors, and retailers, and to all kinds of sales.
What goods are covered? The statute covers a wide range of products such as: rental housing, building materials, gasoline, goods or services used for emergency cleanup, consumer food items, and medical supplies.
What are the potential consequences? Violations are criminally punishable by up to one year in jail and a fine up to $10,000 or civil penalties up to $2,500 per violation, injunctive relief, or mandatory restitution.
Where do they apply? Even when triggered by an emergency that is specific to a particular geographic area, the California Department of Justice interprets the statute to provide that the pricing restrictions are not restricted to the city or county where the emergency is declared, and that the statute is intended to prevent price gouging elsewhere in the state where there is increased consumer demand as a result of the emergency.
While the horizon for enforcement is long – the California statute provides a 4-year statute of limitations for bringing price gouging complaints – we have already seen the state eyeing enforcement opportunities. On January 22, 2025, the California Department of Justice (CDOJ) filed charges against a real estate agent. A couple who had lost their home in the wildfires applied to rent a property and were allegedly told the price would be raised 38% more than the prior advertised rate. The CDOJ has also announced that it has sent upwards of five hundred “warning letters” to hotels and landlords.
Considering the scope of pricing restrictions in place, and expected enforcement, businesses may want to consider additional diligence and documentation supporting compliance with pricing restrictions triggered by the California wildfires.
CTA Update: Enforcement Remains Suspended Despite U.S. Supreme Court Granting Stay of Preliminary Injunction
Go-To Guide:
On Jan. 23, 2025, the U.S. Supreme Court granted the U.S. government’s request for a stay of the nationwide preliminary injunction of the CTA issued in Texas Top Cop Shop, Inc. v. McHenry.
The Supreme Court was not asked to address an injunction issued by another federal judge, which ordered preliminary relief to prevent CTA enforcement on Jan. 7, 2025 (Smith v. U.S. Department of the Treasury).
FinCEN confirmed that reporting companies under the CTA rulemaking are not currently required to file BOI reports and are not subject to liability if they fail to do so while the Smith order remains in force.
Given the rapidly changing landscape, reporting companies under the CTA rulemaking should continue to monitor CTA developments so they can be prepared to file Beneficial Ownership Information (BOI) reports if the injunction is once again stayed, lifted, or otherwise made ineffective (e.g., via FinCEN reversing its position).
On Jan. 23, 2025, the U.S. Supreme Court granted the U.S. government’s request for a stay (SCOTUS Order) of the nationwide preliminary injunction of the Corporate Transparency Act (CTA) issued by the U.S. District Court for the Eastern District of Texas in Texas Top Cop Shop, Inc. v. McHenry.1 According to the brief order, the stay remains in effect pending disposition of the appeal before the Fifth Circuit and subsequent disposition of a petition for a writ of certiorari, if any.
Oral arguments for the expedited Fifth Circuit appeal are scheduled for March 25, 2025.
Background
The status of the CTA has shifted multiple times since Dec. 3, 2024, when a Texas district court in Texas Top Cop Shop, Inc. v. McHenry (formerly Texas Top Cop Shop, Inc. v. Garland), preliminarily enjoined the CTA and its BOI reporting rule (Reporting Rule) on a nationwide basis, approximately four weeks ahead of a key Jan. 1, 2025, deadline. As we previously reported, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) appealed that ruling, and on Dec. 23, 2024, a motions panel of the U.S. Court of Appeals for the Fifth Circuit stayed the injunction, allowing the CTA to go back into effect. Three days following the stay, on Dec. 26, 2024, a different Fifth Circuit panel issued an order to vacate the motions panel’s stay, effectively reinstating the nationwide preliminary injunction against the CTA and the Reporting Rule. On Dec. 31, 2024, the U.S. government filed an emergency application with the Supreme Court to stay the preliminary injunction once again.
On Jan. 7, 2025, another federal judge of the U.S. District Court for the Eastern District of Texas ordered preliminary relief barring CTA enforcement in Smith v. U.S. Department of the Treasury.2 To date, the government has not appealed the ruling in Smith.
The SCOTUS Order
In response to the SCOTUS Order, FinCEN updated its website on Jan. 24, 2024, noting:
As a separate nationwide order issued by a different federal judge in Texas (Smith v. U.S. Department of the Treasury) still remains in place, reporting companies are not currently required to file beneficial ownership information with FinCEN despite the Supreme Court’s action in Texas Top Cop Shop [emphasis added]. Reporting companies also are not subject to liability if they fail to file this information while the Smith order remains in force. However, reporting companies may continue to voluntarily submit beneficial ownership information reports.
Takeaways
No filings under the CTA are currently required by law, including the initial BOI reports that reporting companies formed or registered prior to 2024 would otherwise have been required to file by Jan. 13, 2025, pursuant to an extension that FinCEN granted on Dec. 27, 2024.
While enforcement of the CTA remains suspended, reporting companies and affected individuals should continue to monitor CTA developments and consider what steps they may need to take to be prepared to file their BOI reports in short order if the injunction is once again stayed, lifted, or otherwise made ineffective.
1 McHenry v. Texas Top Cop Shop, Inc., No. 24A653, 2025 WL 272062 (U.S. Jan. 23, 2025).
2 See Smith v. United States Dep’t of the Treasury, No. 6:24-CV-336-JDK, 2025 WL 41924 (E.D. Tex. Jan. 7, 2025)
DOJ Announces Largest Employee Retention Credit Fraud Indictment
Overview
On January 22, 2025, the US Department of Justice (DOJ) announced the indictment of seven individuals in the largest Employee Retention Credit (ERC) fraud scheme to date. According to the indictment, the defendants filed more than 8,000 refund claims for ERCs and Sick and Family Leave Credits (SFLCs), totaling more than $600 million.
In Depth
The ERC and SFLC programs were designed to help businesses retain employees on the payroll during the COVID-19 pandemic. Prosecutors allege that the defendants exploited these programs by submitting fraudulent claims on behalf of ineligible businesses, inflating employee numbers, and misrepresenting wages. DOJ asserted that the defendants concealed their involvement by not identifying themselves as preparers on the returns, by using virtual private networks, and through other means.
ERC fraud has been a top priority of DOJ and the Internal Revenue Service (IRS), and this indictment can be added to a growing list of ERC-related enforcement actions. As of October 2024, the IRS Criminal Investigation division initiated 504 criminal investigations involving more than $5.5 billion in ERC claims. There have been more than 45 cases resulting in federal charges, with 27 resulting in convictions. A specialized unit within DOJ, called the “Fraud Strike Force,” has also been initiating investigations into potential ERC fraud, stating that such enforcement will “occupy a substantial portion of DOJ attention for years to come.”
On the civil enforcement front, the IRS has strengthened its efforts to examine and disallow improper ERC claims. The IRS announced in mid-2024 that it had issued approximately 28,000 disallowance notices on claims aggregating $5 billion. According to the IRS, these claims “showed a high risk of being incorrect.” The IRS described these disallowances as the “first significant wave,” and with at least 1 million claims still outstanding, practitioners expect more disallowances. The IRS has also announced that it will be sending 30,000 “clawback” letters seeking to reclaim ERC funds that have already been paid.
We have seen an aggressive examination campaign from the IRS targeting ERC claims. These exams, numbering into the thousands, have often involved more typical questions of taxpayer eligibility (e.g., number of employees and wages amount) but have also inquired about whether there has been “double dipping” with respect to other COVID-19-era stimuli, such as the Paycheck Protection Program. The IRS is also focused on governmental orders and the effects these orders had on taxpayers’ business operations.
Besides taxpayers, accountants and other tax professionals have also been a target of IRS enforcement activity. The IRS Office of Promoter Investigations “has received hundreds of referrals from internal and external sources” concerning individuals and businesses that it deems as potentially having facilitated fraudulent ERC claims. The IRS has the authority to impose civil penalties on alleged promoters under Internal Revenue Code Section 6700. DOJ may pursue criminal cases against individuals and entities it believes are promoting false ERC claims. This enforcement activity may even target individuals or principals of a firm after it has long ceased operations.
Practice Point: DOJ’s announcement makes clear that ERC fraud remains an enforcement priority for 2025. Taxpayers and tax professionals should prepare now to defend their ERC claims, including by compiling and maintaining substantiation to support each claim, and should be ready to take immediate steps if they receive an IRS audit notice or a request for documentation or information, or are otherwise contacted by the government.
How Risky Are DEI Programs Under Trump 2.0?
President Trump’s January 21, 2025, executive order titled “Ending Discrimination and Restoring Merit-Based Opportunity” (“Executive Order”) directs the termination of federal government practices and policies that protect and promote diversity and inclusion; the Executive Order also addresses diversity and inclusion initiatives in the private sector. Less than a week later, an internal memo from the White House budget office “temporarily paused” grants and loans by the federal government while the government assesses whether the distributions are consistent with certain executive orders and other Trump administration objectives.
The Executive Order specifically targets diversity, equity, and inclusion (DEI) and diversity, equity, inclusion, and accessibility (DEIA) programs, describing them as “dangerous, demeaning, and immoral,” which “violate the text and spirit of our longstanding Federal civil-rights laws” and “undermine our national unity, as they deny, discredit, and undermine the traditional American values of hard work, excellence, and individual achievement in favor of an unlawful, corrosive, and pernicious identity-based spoils system.” The Executive Order uses broad, sweeping language and does not describe the types of DEI or DEIA initiatives that violate existing federal civil rights laws, leaving uncertainty as to which programs the administration will target but leaving no uncertainty about the chilling effect the Executive Order will have.
The Executive Order Targets Large Companies
The Executive Order requires the attorney general to submit a report within 120 days (May 21, 2025) that includes a proposed strategic enforcement plan identifying, among other things, (i) key sectors of concern within each agency’s jurisdiction, (ii) the most egregious and discriminatory DEI practitioners in each sector of concern, and (iii) a plan of specific steps or measures to deter DEI programs or principles (whether specifically denominated “DEI” or otherwise) that constitute illegal discrimination or preferences. Moreover, the Executive Order directs, “As a part of this plan, each agency shall identify up to nine potential civil compliance investigations of publicly traded corporations, large non-profit corporations or associations, foundations with assets of 500 million dollars or more, State and local bar and medical associations, and institutions of higher education with endowments over 1 billion dollars.” As such, large or otherwise prominent organizations should be particularly on guard.
The Executive Order has immediately impacted the broader enforcement context. For example, on January 23, 2025, Texas Attorney General Ken Paxton and nine other state attorneys general warned several major financial institutions that DEI and environmental, social, and governance (ESG) commitments could lead to enforcement actions if they are found to violate state or federal laws. Following the release of the attorney general report described above, we may see an uptick in warnings made by other state attorneys general and/or similar warnings issued to organizations in sectors of concern identified in the forthcoming attorney general’s report.
To be sure, existing federal antidiscrimination law controls. That means while the Trump administration may view certain DEI programs as unlawful, it does not mean judges will. Read on for specific takeaways for entities with DEI programs.
The Executive Order Targets Recipients of Government Funding
Recipients of federal government funding already should be familiar with the False Claims Act (FCA), 31 U.S.C. §§ 3729 – 3733, which provides that any person who knowingly submits, or causes to submit, false claims to the federal government is liable for three times the government’s damages, plus penalties.
The Executive Order uses the FCA to target DEI initiatives of government funding recipients. First, federal contractors and subcontractors are prohibited from considering race, color, sex, sexual orientation, religion, or national origin in their employment, procurement, and contracting practices. Second, every contract or grant award issued by a federal agency — which will include government contractors as well as health care entities that participate in federal health care programs, and research institutions that receive federal grant money — must include the following provisions:
“A term requiring the contractual counterparty or grant recipient to agree that its compliance in all respects with all applicable Federal anti-discrimination laws is material to the government’s payment decisions for purposes of [the FCA];” and
“A term requiring such counterparty or recipient to certify that it does not operate any programs promoting DEI that violate any applicable Federal anti-discrimination laws.”
With these provisions, the Department of Justice or private qui tam relators could pursue an FCA case utilizing a false certification theory, meaning a party could be held liable under the FCA for submitting false or fraudulent claims to the government if the party falsely certifies that it has complied with federal requirements when, in fact, they have not. For a claim to be fraudulent under this theory, the false certification must be material to the government’s decision to pay the claim.
The Executive Order essentially requires parties who wish to do business with the government to agree that a violation of a federal antidiscrimination law — e.g., maintaining a DEI program that violates federal antidiscrimination laws — is material to the government’s decision to pay under the FCA. However, it is unclear that “agreeing” a requirement is material makes it so. For “materiality,” compliance with the provision actually must be material to the government’s decision to pay the claim or its decision to award the contract. In 2016, the Supreme Court held that “designating” a “legal requirement an express condition of payment” is not sufficient to establish materiality under the FCA. Universal Health Services, Inc. v. United States ex rel. Escobar, 579 U.S. 176, 192 (2016). However, the Trump administration will likely argue that its recent halting of federal funding, as the government takes stock of whether the spending complies with its executive orders and policies, is evidence that the antidiscrimination requirement is material to the government’s decision to pay. Crucially, however, the halt of federal funding does not apply to Medicare, nor does it direct that payment be terminated to a contractor for the reason of their DEI program. It does direct the termination of payment as related to DEI actions, initiatives, or programs.
As so often occurs in the FCA arena and elsewhere, many practices targeted by the Department of Justice or relators ultimately will be defensible. In the DEI context, absent a settlement, a court would have to determine the DEI program in question violates current federal antidiscrimination law, and the Department of Justice or relator would have to prove each element of an FCA violation, including materiality and scienter (that the defendant knew or recklessly disregarded or deliberately ignored in its certification that its representation of compliance with federal antidiscrimination laws was false).
As such, it is yet to be seen what kind of teeth the Executive Order will ultimately have. The administration could be counting on a chilling effect, with the potential costs of investigations, enforcement action, and litigation outweighing companies’ willingness to go to battle for their DEI programs in court.
Takeaways for Companies with DEI Programs
We expect more details from the administration, such as regulatory and sub-regulatory actions, in the days and months to come. In the meantime, we recommend companies take action now to mitigate potential risk, even if their programs are ultimately defensible. For example, we recommend the following immediately:
Companies — federal contractors and private sector alike — should consult DEI and labor and employment experts to assess whether their DEI policies and practices may be construed to be out of compliance with existing federal antidiscrimination laws under a Trump-era lens, and what changes (if any) in their policies and practices are necessary to ensure compliance or mitigate risk.
Companies should be cognizant of new developments as they arise under the Trump administration. To assist in this endeavor,
Companies should reach out to legal counsel to discuss how the Executive Order, and likely future orders, may impact their businesses and what specific steps should be taken now to best protect them from any future liability and enforcement actions.
How to Report Crypto Fraud and Qualify for a CFTC Whistleblower Award
CFTC Whistleblower Program Rewards Whistleblowers for Providing Original Information About Crypto Fraud
Crypto fraud schemes have caused investors to lose more than one billion dollars and have undermined public confidence in the digital asset and cryptocurrency ecosystem. Indeed, the implosion of FTX led to a crypto winter in which the value of digital assets plummeted and several crypto lending firms went bankrupt. Whistleblowers can help the CFTC identify and combat crypto fraud schemes by promptly providing specific and credible information.
Crypto fraud whistleblowers are eligible to receive between 10% and 30% of the monetary sanctions collected in successful enforcement actions. The CFTC has issued more than $390 million in awards to whistleblowers. The largest CFTC whistleblower awards to date are $200 million, $45 million, $30 million, and $10 million. Whistleblower disclosures have enabled the CFTC to bring successful enforcement actions against wrongdoers with orders for more than $3.2 billion in monetary relief.
Whistleblowers who voluntarily provide the CFTC with original information about violations of the Commodity Exchange Act (CEA) that leads the CFTC to bring a successful enforcement action resulting in the imposition of monetary sanctions exceeding $1 million can qualify for a CFTC whistleblower award based on monetary sanctions collected by the CFTC and on related actions brought by other governmental entities.
Crypto Fraud Schemes that the CFTC Combats
Wash trading of digital currencies or swaps or futures contracts. For example, CLS Global recently pleaded guilty to a fraudulent “wash trading” scheme whereby it attempted to manipulate the crypto market by inflating the value of various cryptocurrencies through wash trading – repeatedly buying and selling tokens to make them appear more valuable to investors. In particular, CLS Global used an algorithm that executed self-trades from multiple wallets to appear as organic buying and selling.
Pump and dump schemes, such as the CFTC’s action against Adam Todd and four companies he controlled for attempting to manipulate Digitex’s native utility token, DGTX, by allegedly pumping the token’s price through the use of a computerized bot he designed to be “always buying more than it was selling” on third-party exchanges and by filling large over-the-counter orders to purchase DGTX on third-party exchanges.
Pig butchering or relationship confidence schemes in which fraudsters build online relationships with unsuspecting individuals before convincing them to trade crypto assets or foreign currency on fake trading platforms. According to the FBI’s 2023 Cryptocurrency Report, losses from cryptocurrency-related investment fraud schemes reported to the FBI Internet Crime Complaint Center totaled $3.96 billion in 2023.
Crypto Ponzi schemes, such as Ikkurty Capital, LLC soliciting more than $40 million from investors by promising to invest the funds in a crypto hedge fund or a carbon offset bond and instead using the funds to pay off previous investors in another crypto hedge fund and investing a small portion in volatile digital tokens. The final order of judgment in that matter imposed over $209 million in monetary sanctions.
Violating rules that protect customers’ funds and require custodians to segregate and separately account for customer funds. For example, FTX and Alameda Research were required to pay $8.7 billion in restitution and $4 billion in disgorgement for commingling customer funds, using customer funds to extend a line of credit to an affiliate, investing customer funds in non-permitted investments through an affiliate, and appropriating customer funds for luxury real estate purchases, political contributions, and high-risk, illiquid digital asset industry investments.
Operating an illegal commodity pool. For example, the CFTC obtained an order against Mirror Trading International Proprietary Limited (MTI) requiring it to pay $1.7 billion in restitution and a $1.7 billion civil penalty for failure to comply with commodity pool operator regulations. MTI solicited Bitcoin from investors for participation in an unregistered commodity pool that purportedly traded off-exchange, retail forex through a proprietary “bot” or software program, but in fact MTI misappropriated the Bitcoin that it accepted from the pool participants.
CFTC Whistleblower Reward Program
Under the CFTC Whistleblower Reward Program, the CFTC will issue rewards to whistleblowers who provide original information that leads to CFTC enforcement actions with total civil penalties in excess of $1 million (see how the CFTC calculates monetary sanctions). A whistleblower may receive an award of between 10% and 30% of the total monetary sanctions collected. Monetary sanctions include restitution, disgorgement, and civil monetary penalties.
Reporting original information about cryptocurrency fraud “leads to” a successful enforcement action if either:
The original information caused the staff to open an investigation, reopen an investigation, or inquire into different conduct as part of a current investigation, and the Commission brought a successful action based in whole or in part on conduct that was the subject of the original information; or
The conduct was already under examination or investigation, and the original information significantly contributed to the success of the action.
In determining a reward percentage, the CFTC considers the particular facts and circumstances of each case. For example, positive factors may include the significance of the information, the level of assistance provided by the whistleblower and the whistleblower’s attorney, and the law enforcement interests at stake.
Awards are paid from the CFTC Customer Protection Fund, which is financed through monetary sanctions collected by the CFTC in any covered judicial or administrative action that are not otherwise distributed, or ordered to be distributed, to victims of the violation of the CEA underlying such action.
Crypto Fraud Whistleblowers Can Report Anonymously to the CFTC
If represented by counsel, a crypto fraud whistleblower may submit a tip anonymously to the CFTC. In certain circumstances, a whistleblower may remain anonymous, even to the CFTC, until an award determination. However, even at the time of a reward, a whistleblower’s identity is not made available to the public.
The confidentiality protections of the CEA require the CFTC not to disclose information that “could reasonably be expected to reveal the identity of the whistleblower.” According to a recent report of the CFTC Whistleblower Office, the Office takes steps to protect whistleblower confidentiality. For example, in a recent fiscal year the Office considered 267 requests to produce documents from the investigation and litigation files of the Enforcement Division and found 16 requests to implicate whistleblower-identifying information. The Office worked with the Enforcement Division to remove whistleblower-identifying information or otherwise take steps to preserve whistleblower confidentiality.
SEC Charges Navy Capital in AML Failures: Say What You Do and Do What You Say
The US Securities and Exchange Commission (SEC) released a press release on January 15 announcing that it had charged Navy Capital Green Management, LLC, an investment adviser, with violations of the Investment Advisers Act of 1940 related to its Anti-Money Laundering (AML) policies and procedures.
Navy Capital agreed to a settlement offer in which it neither admitted nor denied the SEC’s findings and agreed to pay a $150,000 civil penalty, to cease and desist from committing any further violations, and to be censured. The charges against Navy Capital emphasize the SEC’s priority in ensuring that registered investment advisers (RIAs) say what they do and do what they say.
Read the SEC’s press release here.
Currently, RIAs do not have any affirmative duties under AML rules and regulations. RIAs may implement AML policies and procedures voluntarily. If an RIA does implement AML policies, then it must ensure that it follows through with its own policies and procedures.
AML-Related Charges Against Navy Capital
The SEC charged Navy Capital with making misrepresentations related to Navy Capital’s AML policies and procedures in various investor and prospective investor materials, and with failing to ensure that its written investor materials accurately represented its AML policies and procedures. More generally, Navy Capital represented to its investors and prospective investors that it would follow certain procedures to mitigate AML risks.
The SEC’s findings were based on the relevant period of October 2018 through January 2022 when Navy Capital was registered with the SEC. Throughout this period, Navy Capital represented to its investors and prospective investors that it voluntarily maintained robust AML policies and procedures in accordance with the USA Patriot Act, even though it was not required to do so. Navy Capital published these representations in its offering memoranda, subscription booklets and agreements, due diligence questionnaires, and internal compliance manual, which was provided to prospective investors upon request.
In several of the written investor materials, Navy Capital claimed that investment into the funds would not be complete until investors satisfied all of Navy Capital’s AML requirements. However, in several separate instances described in the SEC’s order, Navy Capital approved investments — against its own policies and procedures — without (1) obtaining documents identifying an investor’s beneficial ownership, (2) investigating reported police suspicions that a foreign entity investor’s money was possibly connected to money laundering schemes, (3) resolving contradictory beneficial ownership documents, and (4) sufficiently confirming the source of funds. Also, in violation of its own policies, Navy Capital accepted funds from bank accounts not held in the name of the subscribing investor and from investors that disclosed they had zero assets.
Applicable SEC Rules
The SEC ultimately found that Navy Capital violated Section 206(4) of the Advisers Act and Rules 206(4)-7 and 206(4)-8. By way of background, Rule 206(4)-7 requires an investment adviser to adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act. Rule 206(4)-8 makes it unlawful for any investment adviser of a pooled investment vehicle to “[m]ake any untrue statement of a material fact or to omit to state a material fact necessary to make the statements made, in the light of the circumstances under which they were made, not misleading, to any investor or prospective investor in the pooled investment vehicle; or [o]therwise engage in any act, practice, or course of business that is fraudulent, deceptive, or manipulative with respect to any investor or prospective investor in the pooled investment vehicle.”
The SEC held that Navy Capital misled investors about the level of risk they were taking by investing in Navy Capital’s funds.
New RIA AML Responsibilities
In August 2024, the Financial Crimes Enforcement Network (FinCEN) issued a rule that broadens the definition of “financial institution” as used in the Bank Secrecy Act to include RIAs and exempt reporting advisers (ERAs) (some exceptions apply). FinCEN’s new rule goes into effect on January 1, 2026, and will require all RIAs and ERAs under this rule to either implement an AML program, or if they already have one, to ensure their AML policies and procedures comply with the rule.
Briefly, the rule will require RIAs and ERAs to implement a risk-based and reasonably designed AML program, file certain reports with FinCEN, keep certain records, and fulfill certain other obligations applicable to financial institutions subject to the Bank Secrecy Act and FinCEN’s implementing regulations.
For more information on FinCEN’s new rule, see our recent client alert.
Key Takeaways
RIAs should note the distinction between SEC and FinCEN requirements. The SEC does not require RIAs to implement an AML policy. For SEC compliance, RIAs should ensure that they are abiding by their policies and procedures, particularly those that stand to impact funds raised from investors. However, for RIAs to comply with FinCEN rules, they will need to implement an AML policy according to the new rule by the effective date.
Additionally, although the new Administration has promised to repeal several SEC rules, the Trump Administration’s focus remains on repealing SEC rules related to environmental, social, and governance and crypto. At this time, it looks unlikely that any rules related to proper disclosure will be affected. FinCEN’s rule is also likely to be enforced. ArentFox Schiff attorneys are closely monitoring any developments that could impact the effectiveness of FinCEN’s new rule or could impact SEC compliance.
CMS Publishes Final Rule, Effective January 1, 2025, Addressing the Requirements for Reporting and Returning Overpayments
The standard for an “identified overpayment” under Medicare Parts A–D now aligns with section 1128J(d)(4)(A) of the Social Security Act, which incorporates by reference the federal False Claims Act’s (the “FCA”) “knowledge” standard. The previous “reasonable diligence” standard, which, as it related to Part C, had been struck down by a federal court, no longer applies. Under the new standard, a provider, supplier, or Medicare Advantage Organization (“MAO”) has knowledge of an overpayment when it has been identified.
Additionally, the deadline for reporting and returning identified overpayments has also been finalized. An overpayment must be reported and returned by the later of:
The date which is 60 days after the date on which the overpayment was identified, or
The date any corresponding cost report is due, if applicable.
Any identified overpayment retained after the deadline to report and return may create FCA liability.
The foregoing was finalized, as proposed in 2022, pursuant to the Calendar Year 2025 Physician Fee Schedule (the “2025 PFS”). With respect to the timeframe to report and return overpayments, the 2025 PFS suspends a person’s 60-day obligation to report and return overpayments for up to 180 days if the person, after having identified an overpayment, conducts a timely, good-faith investigation to determine whether related overpayments exist. While the 2025 PFS did not expressly define the term “good-faith investigation”, persons “can rely upon [its] plain meaning.” See 2025 PFS at 98338.
Takeaways
This legal change creates new risks for providers who fail to investigate credible information about a potential overpayment. However, this should come as no surprise, as it aligns with what the U.S. Department of Justice may already pursue against a person under the FCA—a reverse false claim. As noted in the commentary of the 2025 PFS, the FCA, from which the “knowledge” qualifier originates, contains an existing body of case law and examples to guide stakeholders and their counsel in determining whether a person has the requisite knowledge to have identified an overpayment based on the facts and circumstances presented. See 2025 PFS at 98335–8.
Additionally, once a person has identified an overpayment, the 60-day obligation to report and return such overpayment begins to run. And, that deadline exists regardless of whether the overpayment has been quantified. But, because quantification takes time, the 60-day deadline may be suspended if the person needs to dive deeper into its investigation to determine if related overpayments exist. The timeline to do so, however, is only 180 days. Thus, providers should make every effort to act with “all deliberate speed”, which, in turn, may require providers with fewer resources and expertise to expend a disproportionately high amount of effort. These rules apply across all of Medicare and, thus, are applicable to all providers, suppliers, and MAOs.
Corporate Transparency Act Reporting Remains Voluntary
This Corporate Advisory provides a brief update on recent litigation regarding the Corporate Transparency Act (CTA) and its reporting requirements. It is not intended to, and does not, provide legal, compliance or other advice to any individual or entity. For a general summary of the CTA, please refer to our prior CTA Corporate Advisories from November 8, 2023, and September 17, 2024. Please reach out to your Katten attorney for assistance regarding the application of the CTA to your specific situation.
As of January 24, 2025, the Corporate Transparency Act’s (CTA) reporting requirements remain voluntary. On January 23, 2025, the Supreme Court of the United States (SCOTUS) issued an order that granted the US government’s motion to stay the nationwide injunction issued by the US District Court of the Eastern District of Texas in the case of Texas Top Cop Shop, Inc. v. McHenry (formerly Texas Top Cop Shop, Inc. v. Garland). This headline appeared to have the effect of reinstating the CTA’s reporting requirements and deadlines. However, such SCOTUS order does not appear to impact a separate stay issued against the enforcement of the CTA’s reporting rules issued by the US District Court of the Eastern District of Texas in Smith v U.S. Department of the Treasury. The US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has interpreted the SCOTUS ruling similarly. Specifically, FinCEN noted: “On January 23, 2025, the Supreme Court granted the government’s motion to stay a nationwide injunction issued by a federal judge in Texas (Texas Top Cop Shop, Inc. v. McHenry—formerly, Texas Top Cop Shop v. Garland). As a separate nationwide order issued by a different federal judge in Texas (Smith v. U.S. Department of the Treasury) still remains in place, reporting companies are not currently required to file beneficial ownership information with FinCEN despite the Supreme Court’s action in Texas Top Cop Shop.” Accordingly, the CTA’s reporting requirements remain on hold, and reporting companies are not currently required to file Beneficial Ownership Information Reports with FinCEN, and FinCEN has stated that reporting companies are not subject to liability if they fail to file Beneficial Ownership Information Reports with FinCEN while the Smith order remains in force.
Note that this SCOTUS order relates solely to the nationwide injunction and was not a ruling on the constitutionality of the CTA.
The Supreme Court order is available here.
The FinCEN alert is available here.
Our updated CTA Corporate Advisory providing background on the Texas Top Cop Shop case is available here.