Privacy Tip #468 – KnowBe4 Detects Phishing Campaign Targeting Microsoft 365 Users
In a recent blog post, KnowBe4 reported that it has “uncovered an emerging advanced phishing campaign targeting Microsoft 365 users globally to steal their credentials. The attackers are wielding a powerful new tool that’s completely changing the game for cybercriminals—turning what used to be complex, technical phishing setups into simple one-click launches that can bypass certain technical controls.”
The tool is called “Quantum Route Redirect.” KnowBe4 has observed attacks using Quantum Route Redirect since August 2025, and a new phishing kit is for sale that “comes with a pre-configured set up and phishing domains that significantly simplifies a once technically complex campaign flow, further ‘democratizing’ phishing for less skilled cybercriminals.”
The threat actors start the campaign with a phishing email using:
Docusign and other service agreement impersonation;
Payroll impersonation;
Payment notification emails;
“Missed voicemail messages”; and
QR code phishing (quishing)
Once the victim clicks the malicious link, Quantum Route Redirect directs them to credential-harvesting pages hosted by the threat actors, and any credentials captured are then used to attack the victim’s company. As of the date of the blog post, KnowBe4 had identified approximately 1,000 domains hosting the tool.
One important observation is that an upgrade to the kit is coming “that will include QR code generation capabilities to enable Quantum Route Redirect users to significantly scale quishing attacks linked to the campaign.” We have been warning readers about malicious QR code attacks for several years, and threat actors continue to use them effectively. KnowBe4’s prediction that threat actors will be able to “significantly scale” quishing attacks with the Quantum Route Redirect tool emphasizes the continued need to educate users on the risk of QR codes and the technology behind them: a QR code is simply an encoded link whose destination the user cannot see before scanning, so users should never scan a QR code presented in an email.
The KnowBe4 blog post outlines the details of how threat actors are effectively using Quantum Route Redirect, which is helpful in developing user education materials. It is a good reminder to all of us to continue to be vigilant about suspicious requests contained in emails.
The Rising Threats of Multi-Modal and Agentic AI in Cyber Attacks
The digital transformation has led to significant advancements in authentication and identity verification technologies and other cyber defenses.
From biometrics to multi-factor authentication (MFA) to AI-enhanced detection and response tools, these systems are the first line of critical defense against unauthorized access in critical sectors such as finance, healthcare, manufacturing and government. However, with the rapid development of multi-modal AI and agentic AI, a new challenge has emerged, one that may compromise the very systems designed to protect us. Multi-modal AI integrates multiple forms of data (e.g., voice, video, text), and agentic AI makes automated decisions with little or no human intervention; with both, malicious actors are increasingly capable of bypassing authentication, identity verification and other defenses, posing a new level of cybersecurity threat. The rapid deployment of AI integrated into a wide variety of commercial products, platforms and workflows has dramatically expanded the potential attack surface.
Indeed, on November 13, 2025, Anthropic reported how its AI-powered Claude Code tool was leveraged for a fully automated, sophisticated attack targeting large technology companies, financial institutions, manufacturing and government agencies: “We believe this is the first documented case of a large-scale cyberattack executed without substantial human intervention.” Similarly, researchers recently reported the discovery of a strain of ransomware that used large language models to autonomously carry out ransomware attacks by generating malicious code in real time. We have previously highlighted in our blogs the escalating threats to employees from deepfake technologies and AI-augmented phishing attacks.
What is Multi-Modal AI?
Multi-modal AI refers to systems that can process and combine information from diverse sources to understand and respond to inputs in ways that are more holistic and human-like. For example, rather than relying on just one modality, such as voice recognition or facial recognition, multi-modal systems can integrate text, video, and other sensory data for improved accuracy and flexibility. While these advancements offer immense potential in fields like healthcare and customer service, they also raise serious concerns when leveraged maliciously.
As more organizations implement biometric authentication, such as facial recognition and voice biometrics, multi-modal AI offers attackers a new arsenal for bypassing these security measures. By synthesizing data from multiple sources—such as voice recordings, photos, and even social media interactions—an attacker can create a comprehensive digital identity profile that closely mirrors the real thing. This new breed of attack can go beyond traditional hacking methods, using AI to trick systems that once seemed impenetrable.
What is Agentic AI?
Agentic AI generally refers to artificial intelligence systems that are capable of operating and developing autonomously and independently with little or no human oversight. Agentic AI may be integrated into systems through Application Programming Interfaces (APIs). Gartner reports that “[b]y 2028, 33% of enterprise software applications will include agentic AI, up from less than 1% in 2024, enabling 15% of day-to-day work decisions to be made autonomously.”
The AI-Powered Deepfake Threat
One immediate concern is the rise of AI-driven deepfakes. Deepfakes—hyper-realistic media created through AI that can mimic someone’s appearance, voice, and behavior—have already made waves in the world of media and politics. However, these technologies are increasingly being adapted for malicious purposes, particularly in the realm of identity fraud.
An attacker could use multi-modal AI to create a convincing deepfake that mimics not just one, but several facets of an individual’s identity. For instance, by combining a victim’s facial data and voice samples with text-based information (like emails or social media posts), an AI could generate an extremely accurate imitation of the individual. This synthetic identity could then be used to bypass security systems, such as voice-activated banking systems, facial recognition used for mobile authentication, or even online verification processes employed by financial institutions.
As noted by the Center for Cybersecurity Policy and Law, deepfakes and other AI-powered impersonation techniques are particularly dangerous in financial services. Systems that rely on voice recognition or facial biometrics are becoming increasingly vulnerable to attacks that manipulate the very data they rely on for authentication. As acknowledged by the U.S. Treasury, AI has the capability to mimic biometrics (such as photos/video of a customer or the customer’s voice). As discussed further below, this capability is a growing concern, especially in the context of digital identities in the financial sector, where the consequences of breaches could be severe.
Erosion of Trust in Biometric Authentication
Biometric authentication, once hailed as a more secure alternative to traditional passwords, is being challenged by the rapid advancements in AI. Unlike passwords, which can be changed if compromised, biometric traits—such as fingerprints or facial features—are permanent and unique. Once an individual’s biometric data is compromised, it cannot be reset or changed.
As AI technologies become more adept at replicating biometric traits, attackers are finding it easier to spoof security systems that were once considered highly reliable. The sophistication of multi-modal AI means that attackers no longer need access to a single biometric data point; they can instead leverage a combination of video, audio, and textual information to create a full profile of a target. This makes traditional authentication methods increasingly vulnerable, especially in high-risk sectors like banking and government services, where security is paramount.
Implications for Financial Services
In financial services, the stakes are particularly high. As digital identities become more integrated into online banking, digital wallets, and payment systems, the attack surface for malicious actors expands significantly. Multi-modal AI allows cybercriminals to craft more convincing and nuanced impersonations of customers or employees, potentially leading to financial fraud, data breaches, or even systemic risks. This poses a grave challenge for financial institutions, which must find ways to bolster the security of their identity verification systems while also maintaining a seamless user experience.
Accordingly, use of multi-modal AI in financial services could lead to a significant erosion of trust in digital identity systems. If individuals and organizations can no longer trust that their biometric data is safe, they may hesitate to adopt or fully integrate these technologies, potentially disrupting the growth of digital economies.
The Risks of Agentic AI
The Anthropic report highlights the significant escalation in AI attacks: “This campaign demonstrated unprecedented integration and autonomy of AI throughout the attack lifecycle, with the threat actor manipulating Claude Code to support reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations largely autonomously. The human operator tasked instances of Claude Code to operate in groups as autonomous penetration testing orchestrators and agents, with the threat actor able to leverage AI to execute 80-90% of tactical operations independently at physically impossible request rates.” The risks to the wider business community are clear, as highlighted by the attack recently featured on the front page of the Wall Street Journal.
Mitigating the Risk of Multi-Modal AI and Agentic AI
Cybersecurity compliance (including under HIPAA, the Gramm-Leach-Bliley Act, the FTC Safeguards Rule, and state laws such as the NY SHIELD Act, the NYSDFS Cybersecurity Regulation, and the Illinois Personal Information Protection Act) requires organizations to consider the risks from emerging cybersecurity threats and to implement reasonable, risk-based safeguards. As the above discussion indicates, these threats are not hypothetical, and as the threat landscape evolves, the need for more robust authentication and defensive systems becomes increasingly urgent. Organizations must look beyond traditional authentication methods and adopt multi-layered strategies to defend against AI-powered attacks. Some key strategies to mitigate the risks posed by multi-modal AI and agentic AI include:
AI Governance: Maintain an AI system governance, compliance and internal audit program that conducts risk assessments and considers the cyber threats associated with the use of AI, including the threats to LLM and agentic AI applications catalogued by the Open Worldwide Application Security Project (OWASP) and the guidance of the National Institute of Standards and Technology (NIST).
Multi-Factor Authentication: Combining several forms of authentication—such as biometrics, passwords, and device-based security—can provide a much stronger defense against AI-driven attacks. Adding multiple layers of protection significantly complicates the process for attackers trying to spoof a user’s identity.
Behavioral Biometrics: Moving beyond static biometrics, such as fingerprints or facial recognition, behavioral biometrics monitors user behavior patterns, such as how they type or interact with a device. These dynamic identifiers are much harder to replicate, making them a useful complement to traditional biometric systems.
Continuous Authentication: Instead of relying on a one-time authentication process, continuous authentication tracks user behavior in real time. By monitoring factors like typing speed, mouse movements, or even voice inflections during a session, systems can detect anomalies that indicate fraud.
AI Detection Tools: As deepfakes become more sophisticated, financial institutions and other organizations can invest in AI systems designed to detect synthetic media. These tools can identify inconsistencies or abnormalities in audio, video, and text data that are often present in AI-generated content.
User Education and Awareness: Organizations must educate their users on the potential risks of multi-modal AI, especially as it relates to identity theft and fraud. Awareness programs can help users recognize phishing attempts and other forms of social engineering that exploit AI-driven impersonations.
Secure APIs: Inventory every API through which AI agents and other systems are integrated, and protect each one with authentication, least-privilege authorization, rate limiting and logging, so that an agent operating autonomously cannot reach more than its task requires.
Conclusion
The rapid development of multi-modal AI and agentic AI represents both an opportunity and a threat in the world of cybersecurity. While these technologies offer exciting advancements in fields like customer service, healthcare, manufacturing and finance, they also present a new class of risks—particularly in the realm of authentication and identity verification, ransomware and data theft. As cybercriminals become more adept at leveraging AI to bypass security systems, it is crucial that organizations and individuals adopt a multi-faceted approach to digital identity security. With the right safeguards in place, the promise of AI can be harnessed while mitigating its associated risks.
2025 Update to the U.S. Sentencing Guidelines- A Streamlined Two-Step Process
On November 1, 2025, the most recent amendments to the U.S. Sentencing Guidelines Manual went into effect. Among other changes, the amendments streamline the sentencing process from three steps to two by eliminating the requirement that sentencing courts consider departures, which have now been removed from the operative text of the guidelines. As amended, the guidelines manual provides a two-step process whereby the sentencing court must (1) calculate the applicable advisory guidelines range, and (2) determine an appropriate sentence upon consideration of all the factors set forth by Congress in Title 18, U.S. Code, Section 3553(a).
In enacting this change, the U.S. Sentencing Commission acknowledged and conformed the guidelines to reality; variances account for the vast majority of non-guidelines range sentences. While the Sentencing Commission anticipates that this amended two-step process will be outcome neutral, it should simplify sentencing for all parties.
Background
In response to concerns over inconsistency in federal sentencing practices, the Commission was established by the Sentencing Reform Act of 1984. Among several responsibilities, the Commission was charged with developing sentencing guidelines for offenders convicted of federal crimes. The Commission first promulgated the guidelines in 1987 to promote fairness, transparency, and consistency in federal sentencing proceedings. These mandatory guidelines required federal judges to impose sentences within a prescribed range, with limited discretion to account for aggravating or mitigating factors not addressed by the guidelines.
This framework was upended by the U.S. Supreme Court’s 2005 decision in U.S. v. Booker, which held that the guidelines were advisory, not mandatory. Judges were thus directed to consult the guidelines, but also to impose sentences that consider the factors set forth in Section 3553(a), including the nature and circumstances of the offense and the history and characteristics of the defendant, to ensure that a sentence is “sufficient, but not greater than necessary.”
In the two decades following Booker, the distinction between departures, which are based on specific provisions in the guidelines, and variances, which are authorized by Section 3553(a), was often blurry. Increasingly, courts shifted toward applying variances rather than departures, relying on the discretion afforded by Section 3553(a) to tailor sentences to the unique facts of each case. The Supreme Court’s 2008 decision in Irizarry v. United States, which held that variances, unlike departures, did not trigger the notice requirement under Federal Rule of Criminal Procedure 32(h), further motivated the shift. As an example, for fiscal year 2024, sentencing data collected and analyzed by the Commission demonstrated that courts applied variances in 32% of sentencing proceedings. By comparison, courts applied departures (including government-sponsored departures) in only 4% of sentencing proceedings.
The 2025 Amendments
Prior to the 2025 amendments to the guidelines, sentencing courts followed a three-step process:
Calculate the applicable advisory guidelines range;
Consider the departure provisions scattered throughout the guidelines; and
Consider the Section 3553(a) factors to decide whether a variance should apply.
As mentioned above, sentencing data showed that sentencing courts increasingly eschewed departures, applying Section 3553(a) variances instead. The 2025 amendments to the guidelines recognize this trend by collapsing the second and third steps into a single step. Under this simplified two-step process, courts calculate the guidelines range as the “starting point and initial benchmark,” and then consider the Section 3553(a) factors in determining whether a variance from the guidelines is warranted.
The remainder of the guidelines conform to this simplified two-step process; the words “departure” and “depart” have been removed from the operative text, as have policy statements relating to specific personal characteristics. Several former downward departure provisions remain in a different form: (1) Section 5K1.1 (substantial assistance to authorities) no longer states that courts “may depart from the guidelines” where a defendant provides substantial assistance, but rather that “a sentence below the otherwise applicable guideline range may be appropriate,” and (2) Section 5K3.1 (early-disposition programs) is now Section 3F1.1 and provides that a court “may decrease” a defendant’s offense level pursuant to an early disposition program.
The deleted departure provisions are preserved in Appendix B of the guidelines, recognizing that the rationales underlying the deleted departure provisions remain informative when evaluating variances. The amended guidelines manual’s introductory commentary makes clear that judges who would have relied upon facts previously identified as a basis for a departure continue to have the authority to rely upon such facts, or any other relevant factors, to impose a sentence outside of the applicable guidelines range as a variance under 18 U.S.C. § 3553(a).
Practical Effect
This new two-step approach is designed to make the sentencing process more streamlined and transparent. Judges and parties no longer need to spend time analyzing whether a particular circumstance qualifies as a departure or a variance. Rather, the entire assessment is conducted at once pursuant to Section 3553(a). The Commission envisions that the removal of departures will be “outcome neutral” and sentencing proceedings more straightforward.
Akira Ransomware Continues to Hit Hard
A November 13, 2025, Cybersecurity Advisory warned that new activity by the Akira ransomware variant “presents an imminent threat to critical infrastructure.” The Advisory was jointly issued by four U.S. agencies, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency, the Department of Defense Cyber Crime Center, and the Department of Health and Human Services, and five international agencies: Europol’s European Cybercrime Centre; France’s Office Anti-Cybercriminalité (French Cybercrime Central Office); Germany’s Generalstaatsanwaltschaft Karlsruhe – Cybercrime-Zentrum Baden-Württemberg and Landeskriminalamt Baden-Württemberg; and the Netherlands’ National Cyber Security Centre.
Akira has been attacking organizations since March 2023, and the most recent Advisory updates an initial alert published in April 2024 warning organizations about Akira, including providing information about observed tactics, techniques, and procedures (TTPs) that organizations can be aware of to protect themselves against an attack.
Since its inception in approximately March 2023, it is reported that Akira has “pocketed $244 million as of late September.” The FBI calls Akira one of the top five ransomware variants currently attacking companies.
According to the Advisory, Akira is primarily targeting “small- and medium-sized businesses, but have also impacted larger organizations across various sectors, with a notable preference for organizations in the manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture sectors.”
The Joint Advisory recommends that organizations:
Prioritize remediating known exploited vulnerabilities;
Enable and enforce phishing-resistant multifactor authentication (MFA); and
Maintain regular backups of critical data, ensure backups are stored offline, and regularly test the restoration process.
The Advisory provides useful information worthy of your consideration about measures to take to harden defenses against an attack.
Spain’s Wavering Commitment to Anti-Corruption Enforcement
The Organisation for Economic Co-Operation and Development (OECD) recently released a Phase Four Follow-Up report assessing Spain’s implementation of the 70 recommendations outlined in the OECD’s original report published in 2022.
In each of their reports, the OECD scrutinizes a country’s adherence to anti-bribery conventions, homing in on the detection, enforcement, and liability of corruption.
Out of the 70 recommendations the OECD put forth, Spain has fully integrated 15, partially implemented 21, and completely failed to address 34 (4).
Training and Investigation: Slipping Through the Gaps
A key area urgently needing improvement in Spain’s last report concerned deficient training. While Spain mentioned the implementation of training courses specifying “economic crime and corruption,” its response failed to address whether the courses focus specifically on “foreign bribery cases” (10). It is also unclear to whom, if anyone, the course has been administered (10). Similarly, the training for law enforcement authorities covers the confiscation of assets involved in financial crimes. However, it crucially omits situating the conversation within the scope of foreign bribery (11). Spain’s omission of foreign bribery has become a notable trend in its training initiatives.
Coupled with inadequately trained “public officials” and “investigating judges,” Spain’s passive investigative procedures evoke skepticism over the nation’s ability to effectively respond to foreign bribery (5; 7). To begin with, the OECD questions whether the Special Public Prosecutor’s Office against Corruption and Organised Crime (ACPO) has “sufficient resources to investigate foreign bribery allegations,” to which Spain responds that it does (6). Spain even boasts of the “79 new prosecutor positions in the local prosecution offices” (6). However, as the OECD points out, local prosecutors “are not directly responsible for foreign bribery cases” (6). Instead, the OECD recommends that Spain bolster investigative staff and resources “dedicated to foreign bribery” (6). Spain’s response to the OECD’s concerns thus fails to adequately address the issue at stake.
Moreover, the OECD discovered that an overwhelming share of “prosecutorial investigations of foreign bribery” relied on mutual legal assistance (MLA) and, in doing so, “made limited use of other investigative means” (8). In fact, 42 of the 46 cases opened since 2012 have depended exclusively on MLA. This trend has only continued: of the 19 ongoing foreign bribery cases, only two have “employed a broad range of investigative techniques” (8). Because of Spain’s reliance “on the investigation by authorities of foreign countries,” many investigations were terminated simply because MLA proved unavailable (16).
While the procedures of ongoing investigations lack thoroughness and care, the OECD extends such characterization to the very opening of cases. Notably, the OECD asked Spain to “ensure that the threshold for opening a judicial investigation allows for the effective investigation and prosecution of foreign bribery allegations,” however, Spain concedes that “no particular established threshold exists” (9; 42). Spain reveals that “any [sufficient] piece of information that provides notice of a crime” can result in the opening of an investigation; the definition of “sufficient” is missing (42). While appearing lenient, Spain’s ambiguity regarding crucial cases, such as those involving foreign bribery, is troubling as it raises the question of whether effective investigations can ever ensue.
In addition to permitting its own foreign bribery cases to slip through the gaps, Spain contributes nothing to the prevention of corruption in neighboring territories. Alarmingly, the Spanish Agency for Development Cooperation (AECID) does not “consider” a country’s “risk of corruption” before awarding it official development assistance (15). By failing to perform their “due diligence” and vet a country’s corruption, Spain irresponsibly enables corrupt practices (15). Their enabling role raises questions about whether Spain even has a desire to combat foreign bribery.
Map of countries that Spain has allegedly bribed
In fact, almost all successful anti-corruption prosecutions arising from Spain have been brought to justice by the United States under its Foreign Corrupt Practices Act (FCPA); in one major case alone, a Spanish company was fined over $85 million by the U.S.
The Faulty System of Conformidad
A means of resolution that Spain commonly resorts to for foreign bribery prosecutions is the use of conformidads. As defined in the 2022 report, this type of guilty plea allows judges to dictate a defendant’s sentence before the production of evidence during trial (57). In other words, conformidads are a form of plea bargaining. This method can only be employed in cases where the offense does not exceed a six-year sentence and must be agreed upon by the prosecution and the defense counsel (57; 46).
The OECD, in its 2022 report, requested more transparency on the use of conformidads (58). In the follow-up report, the OECD specifically asked that “all the elements related to the acceptance of the facts and penalties in the accusation” for conformidad cases be disclosed (10). However, Spain “has not taken any steps” to fulfill this request (10). Instead, Spain responded by merely referencing the legality of the conformidad procedure, appealing to the Criminal Procedure Code (46).
Additionally, the OECD stressed that cases resolved through conformidads must ensure that sanctions remain “effective, proportionate and dissuasive” (10). Spain fails to verify the effectiveness of sanctions, merely listing two instances in which defendants paid “the full amount of the fines” (50). In turn, the OECD widens its scope by assessing whether any case involving “sentence suspension,” “conversion,” or “sentence mitigating factors” imposes effective, proportionate, and dissuasive sanctions (10). Again, Spain fails to address the concern, concluding that “there is no risk of arbitrariness” that would prevent the imposition of sanctions (50).
Upon the OECD’s recommendation that Spain “actively seek confiscation in corruption cases,” confiscation “was not imposed” in cases resulting in “a conformidad” (11). Spain’s conformidad system ultimately lies in opposition to the effective prosecution of foreign bribery. After being faced with its shortcomings, Spain’s adamancy on its continued use speaks to its unwillingness to enforce effective anti-corruption practices.
A Small Step Toward Whistleblower Protection
On a promising note, Spain recently enacted what the OECD terms “a long-awaited law” protecting whistleblowers (4). The law, mirroring the EU Directive, “seeks to provide adequate protection against reprisals that may be suffered” by those who report “infringements of Union Law” and “of the legal system” (20).
While a step in the right direction, the EU Directive, and thus Spain’s newly imposed law, falls short of the OECD’s Anti-Bribery Recommendation XXII for whistleblowers. In another OECD audit, Denmark asserted that its whistleblower protections comply with the EU Directive; however, the OECD states that these protections are “not in line with” the OECD’s Anti-Bribery Recommendation XXII (7). The same shortcoming, inevitably, applies to Spain.
Languid Progress
While implementing new legislation, Spain’s nominal prosecutions reflect the nation’s slow progress. Since the OECD’s last report, Spain has “successfully concluded two additional foreign bribery cases” (16). Even after taking the two cases into consideration, though, Spain “only has convictions in three foreign bribery cases to date” (16). Moreover, Spain prosecuted its first case as late as 2023 (16).
Understandably, the OECD expresses surprise at the figure “given Spain’s economy and the international reach of its companies” (16). Elucidating the murky statistic, the OECD disclosed that Spain has declined to investigate seven allegations (16). In doing so, Spain argues the seven cases possess “no grounds and no evidence to initiate an investigation” (16). Thus, the problem of Spain’s unestablished threshold again comes to light.
At the root of Spain’s anti-corruption practices is a languid approach, as the 13 ongoing cases have each awaited years for resolution, some even nearing nine years (16).
U.S. whistleblower attorney Stephen M. Kohn, who specializes in transnational corruption cases, echoed the OECD’s concern:
“Spain’s failure to police foreign bribery is radically deficient and undermines the rule of law and democracies of all countries with which Spain is engaged. The fact that their development agency turns a blind eye to corruption is a license to steal.”
When Spain addresses the OECD’s concerns with the gravity they deserve, it may finally be seen as a participant in the global fight against corruption.
FINRA Case Involving Gifts and Entertainment
On October 21, the Financial Industry Regulatory Authority (FINRA) filed a settled enforcement action involving allegedly improper gifts and entertainment in connection with sales of mutual fund shares. The $10 million fine was particularly noteworthy. According to the FINRA press release announcing this action:
“First Trust provided gifts, meals and entertainment to representatives of retail broker-dealers (client firms) that sold First Trust investment company securities, which significantly exceeded FINRA limits for non-cash compensation. In certain instances, First Trust preconditioned the non-cash compensation on client firm representatives achieving sales targets with respect to First Trust products (e.g., exchange-traded funds and unit investment trusts). In addition, First Trust wholesalers, who are generally responsible for marketing and selling financial products to client firms, falsified internal expense records, and First Trust sent client firms reports containing inaccurate information about the value, nature and frequency of non-cash compensation that First Trust provided to client firm representatives.”
The Case for Regular Legal Maintenance: A Litigation Readiness Mindset for Modern Health Care Organizations
Health care organizations operate under constant scrutiny from government regulators and the threat of potential whistleblowers.
Even in a time of government downsizing, the Trump administration has consistently publicized its intent to pursue vigorous prosecutions under the False Claims Act. And, according to U.S. Department of Justice annual fraud statistics, of the 455 new health care-related fraud matters in FY2024, 370 (or more than 81 percent) were filed by whistleblowers. On top of that, data security risks are becoming, potentially, an even greater threat. Put mildly, litigation exposure is a daily reality for health care organizations. Yet, one of the most common challenges organizations face during a legal crisis is not the merits of the inquiry but operational readiness.
When a subpoena arrives or an investigation begins, the very first hurdle is rarely legal strategy. Instead, it is organizational: Who internally has access to the information needed to respond with authority? Where is information stored? What is our retention policy? How long will it take to assemble defensible records? These should be simple questions. Too often, they are not. While health care organizations routinely invest in compliance programs, workforce safety, and quality systems, legal infrastructure—the ability to respond confidently to litigation, government inquiries, or high-stakes events—often receives far less attention.
Legal Maintenance: A Business Imperative, Not a Luxury
Savvy health care organizations must invest in regular legal maintenance—a structured, recurring review of internal systems, policies, data governance, and response protocols designed to ensure operational readiness. Like commercial pilots conducting a thorough pre-flight inspection, in-house legal, compliance, and/or operational departments should routinely review policies and protocols before they are ever tested, especially as employee handbooks age, policies fall behind evolving regulations, technology outpaces data retention practices, and internal knowledge is lost through natural turnover. Proactive review not only promotes preparedness, but it also helps organizations identify and remediate issues long before they become costly problems.
For that reason, dusty policy binders alone are insufficient. At a minimum, every organization should maintain an annual roster of internal stakeholders along with the “short list” of outside legal counsel and experts who are responsible for specific areas that include:
Litigation and/or government inquiry response and legal holds
IT and electronic data preservation, document retention, and forensic data extraction
Organizational structure and internal reporting systems
HR and employment relations, including employee issues and disputes
Compensation evaluation
Financial data and accounting reports
Security incident and data breach response
Legal/regulatory compliance
Public relations crisis management
Crisis Response Begins Long Before the Crisis
A critical period in responding to any subpoena, investigation, preservation request or demand letter is often the first few hours. The right early actions can achieve the following:
Calm markets, directors, and employees;
Set the tone and shape of the opposing party’s or the government’s perception of the organization (and, where applicable, the government’s view of cooperation);
Influence litigation posture; and
Preserve critical evidence.
Opposing counsel and judges also recognize that a prompt and accurate response is a telltale sign of a prepared organization and a solid defense. Organizations that struggle to identify the right points of contact or authorization channels during the immediate response lose valuable time and credibility.
In contrast, experienced legal teams know exactly who to collaborate with and how to securely preserve and acquire digital evidence, such that the response is a natural reflex. This proficiency enables the legal team to focus on crafting arguments, preparing witnesses, and advancing litigation. Routine legal maintenance builds operational muscle memory—ensuring readiness when it matters most.
Is Your Organization Ready?
In today’s complex and fast-paced landscape, preparedness is key. The following questions are designed to assess your company’s readiness to respond. Can your leadership team answer them immediately?
Who oversees legal holds at your company, and where is the template located?
Who handles electronic data preservation and document and data retention at your company?
How fast can you collect emails, instant messages, or text messages for litigation? Will it require vendor engagement?
Who are the key contacts for major data maintained by the organization, such as sales data, claims data, purchasing data, etc.?
Which outside counsel, vendors, and public relations experts are pre-cleared for emergency engagement?
When was your last litigation response exercise, and did you debrief what went right and what could be improved?
If your team hesitates while answering any of these questions, then your organization may be at risk—not of wrongdoing, but of being unprepared.
Next Steps
Virtually all institutions that operate in the health care industry would benefit from a legal maintenance assessment or the development of a Litigation Response Program to ensure coordinated, efficient action during a crisis. Well-run organizations recognize that waiting for a crisis to expose weaknesses can be costly and damaging. Instead, these organizations proactively identify risks, strengthen their legal infrastructure, and prepare their teams in advance of any emergency.
A Legal Inspection Checklist offers a practical, diagnostic framework to evaluate whether a company’s legal infrastructure is crisis-ready—or in need of urgent review and improvement. The checklist can help pinpoint gaps in data management, policy updates, stakeholder readiness and communication channels before a crisis occurs. If you identify areas where your organization may be lacking, or simply want to ensure your current processes are optimal, consider engaging in a formal legal maintenance review. If you have questions about legal maintenance assessments, or need assistance developing a comprehensive Litigation Response Program, please reach out to the authors of this blog post, who can assist in evaluating your current state, identifying vulnerabilities, and building a resilient framework that keeps your organization prepared for whatever challenges may arise.
State Regulators Announce Enforcement Priorities
On October 16, the North American Securities Administrators Association (NASAA) published the enforcement priorities for state securities regulators. Key highlights of the 2025 NASAA Enforcement Report are the following:
State enforcement continues to set records for the number of cases filed and penalties imposed.
“Rapid advancements in the capability and accessibility of artificial intelligence tools, along with increasing reliance on social media, have coincided with the continued proliferation of impersonation and pig butchering scams. The international and anonymous nature of many of these schemes frequently makes them difficult to prosecute. State and provincial regulators have responded by using technology and other methods to disrupt and promote awareness of fraudulent schemes.”
State enforcement remains focused on fraud involving cryptocurrencies.
Fraud targeting the elderly remains a top enforcement priority.
How to Choose a Healthcare Whistleblower Attorney
Healthcare fraud whistleblowers play an important role in exposing providers and other entities in the healthcare sector that improperly bill the government under Medicare, Medicaid, and other programs. Estimates put the cost of healthcare fraud at more than $100 billion per year, and the federal government relies on whistleblowers to report healthcare billing fraud so that it can take legal action when warranted.
In healthcare fraud cases, it is important for whistleblowers to have experienced legal representation. While hiring an experienced whistleblower attorney is not legally required, if you are thinking about coming forward, there are several important reasons to talk to an experienced attorney before doing so.
“The federal government relies on healthcare providers to accurately bill for services and items provided to Medicare and Medicaid patients. Unfortunately, far too often, this reliance is misplaced. As a result, the federal government also relies on whistleblowers within the healthcare industry to expose violations of the law.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
In many cases, serving as a healthcare fraud whistleblower involves filing a qui tam lawsuit under the False Claims Act. The False Claims Act prohibits fraudulent billings under Medicare, Medicaid, and other programs, and filing a qui tam lawsuit can help the government recover fraudulent billings from unscrupulous healthcare providers and other entities in court. But, there are other options as well. With this in mind, one of the first—and most important—reasons to contact a healthcare whistleblower law firm is to ensure that you make an informed decision about how to come forward.
10 Key Considerations for Choosing a Healthcare Whistleblower Lawyer
Here are 10 key considerations for choosing a whistleblower lawyer if you are thinking about reporting fraudulent billings to the federal government:
1. Is the Lawyer Familiar with the Laws Governing Medicare Fraud and Other Forms of Healthcare Billing Fraud?
While Medicare fraud and other forms of healthcare billing fraud are clear violations of federal law, the laws governing federal reimbursement of patients’ medical expenses are extremely complex. As a result, it is important to choose a lawyer who is intimately familiar with all applicable laws and regulations. A lawyer who has a clear understanding of when billing fraud allegations are warranted will be able to help you make an informed decision about whether to pursue a False Claims Act case or provide a protected whistleblower disclosure through other means.
2. Is the Lawyer Familiar with the Procedures for Filing Whistleblower Complaints Under the False Claims Act?
As mentioned above, reporting healthcare fraud to the federal government often involves filing a complaint under the False Claims Act. These qui tam complaints are subject to strict substantive and procedural requirements. If it makes sense for you to file a qui tam complaint under the False Claims Act, any prospective attorney you contact should have extensive experience handling False Claims Act litigation.
Not only will a lawyer who has successfully represented clients in False Claims Act litigation be able to help you file your complaint correctly, but he or she will be able to effectively represent you throughout the process as well. In False Claims Act cases, the U.S. Department of Justice (DOJ) investigates whistleblowers’ allegations before deciding whether to intervene. An experienced lawyer will be able to communicate with the DOJ on your behalf during this process—and will be able to work with the DOJ to secure your whistleblower reward should you become entitled to one.
3. Is the Lawyer Familiar with the Procedures for Filing Complaints Under Other Federal Whistleblower Laws?
While reporting healthcare fraud to the federal government often involves filing a complaint under the False Claims Act, there are other options as well. A lawyer who has experience representing whistleblowers in healthcare fraud cases will be able to help you make an informed decision about how best to proceed (if you decide to come forward). For example, in some cases, rather than filing a qui tam complaint in federal court, it will make sense for healthcare fraud whistleblowers to file a complaint with the U.S. Department of Health and Human Services’ Office of Inspector General (HHS OIG) or another government agency.
4. Does the Lawyer Have Extensive Experience and a Proven Track Record of Helping Healthcare Personnel Blow the Whistle?
Beyond familiarity with the relevant whistleblowing procedures, it is also important to choose a lawyer who has extensive experience helping healthcare personnel blow the whistle on billing fraud. Hiring a lawyer who has a proven track record of helping whistleblowers report billings for medically unnecessary services, billings for services provided to ineligible patients, and other forms of financial fraud can make all the difference in your case. With this in mind, during your free, confidential consultation, you should feel free to ask about the lawyer’s experience representing whistleblower clients in the past.
5. Is the Lawyer Affiliated with a Law Firm that Handles Federal Healthcare Whistleblower Cases Nationwide?
Due to the complexity of federal healthcare fraud whistleblower cases, only a small percentage of law firms help courageous clients come forward with information about fraud under government healthcare programs. With this in mind, it is important to choose a lawyer who is affiliated with a law firm that handles federal healthcare whistleblower cases nationwide. In these types of cases, it is much more important to choose a lawyer based on experience than to choose a particular lawyer simply because his or her offices are located near your home or office.
6. Will You Have Access to the Law Firm’s Entire Legal Team During Your Healthcare Whistleblower Case?
Because federal healthcare whistleblower fraud cases are so complex, it is important to choose not just a lawyer, but an experienced legal team. While you should have one lawyer who is your primary point of contact, you should have access to the law firm’s other counsel on an as-needed basis as well. This will help ensure that your case proceeds as efficiently as possible and that you have the best chance of helping the federal government achieve justice.
7. Will the Lawyer Help You Make an Informed Decision About Reporting Fraud Without Pressuring You to Come Forward?
When it comes to how to choose a healthcare whistleblower attorney, another key factor is whether you will feel pressured to come forward. If you are thinking about blowing the whistle, you have a big decision to make, and it is important that you have the opportunity to make this decision on your own terms. An experienced and reputable healthcare whistleblower attorney will not pressure you to hire him or her to blow the whistle on your behalf, but instead will focus on making sure you have all of the information you need to make an informed and confident decision.
8. Does the Lawyer (or Do Any of the Firm’s Other Lawyers) Have Prior Experience at the U.S. Department of Justice (DOJ)?
Since reporting healthcare fraud involves working with government attorneys and government agents, it can be helpful to have a lawyer on your side who has prior experience at the DOJ. A lawyer who has worked at the DOJ will be familiar with the department’s procedures for evaluating and investigating healthcare fraud complaints from whistleblowers. These can be valuable insights when deciding whether to come forward and when working with the DOJ (or other federal authorities) if you decide to file.
9. Can You Schedule a Free and Confidential Consultation Promptly?
Timing can be important in federal whistleblower cases, so it is important that you are able to schedule a free and confidential consultation promptly. As a prospective whistleblower, you should not have to pay any attorney fees out-of-pocket. Whistleblower lawyers generally represent employees and other individuals on a contingency-fee basis, which means that their legal fees (if any) are calculated as a percentage of any financial rewards they help their clients recover. In some cases, whistleblower lawyers can seek to recover their fees separately from their clients’ financial rewards as well.
10. Do You Feel Confident in the Lawyer’s Ability to Handle Your Federal Healthcare Whistleblower Case Effectively?
Finally, when choosing a lawyer to represent you, it is critical that you feel confident in the lawyer’s ability to handle your whistleblower case effectively. If you speak with a lawyer and you are not confident in his or her abilities, you should not hesitate to schedule another free consultation with a different whistleblower lawyer. You have the right to make an informed decision about your legal representation; and, again, under no circumstances should you feel pressured to hire a lawyer to file a whistleblower complaint on your behalf.
In the end, the lawyer you choose should be able to help you work with the government to seek accountability for fraud, secure the legal protections afforded to federal whistleblowers, and collect your whistleblower reward if you become eligible to receive one. Your choice of legal representation matters for lots of reasons, and it will be well worth putting in the effort to ensure that you feel confident in your decision.
OIG Greenlights Sponsored Diagnostic Testing in Advisory Opinion 25-07
On July 2, 2025, the Department of Health and Human Services Office of Inspector General (OIG) published Advisory Opinion 25-07, which concluded that a pharmaceutical manufacturer’s proposed arrangement to sponsor a free, FDA-approved companion diagnostic test for eligible patients would not implicate the Federal Anti-Kickback Statute (AKS) or the Beneficiary Inducements civil monetary penalties (CMP).
Background
The requestor (a pharmaceutical manufacturer) produces an FDA-approved enzyme inhibitor. Treatment with the inhibitor is only appropriate with specific genetic deficiencies. A clinical laboratory developed an FDA-approved companion diagnostic test which is required to determine patient eligibility for the inhibitor. The two wished to work together.
The Arrangement
Under the parties’ proposed arrangement, the requestor pays the lab a fixed fee for each test performed on an eligible patient and prohibits the lab from billing any patients or payors other than the requestor for the testing. The test is offered to patients who: (i) have a prior negative result for a related genetic mutation; (ii) have previously collected tumor samples available for testing; and (iii) have not previously received the test; in addition, (iv) the test must be used in accordance with FDA labeling. According to the requestor, this arrangement is designed to better identify patients whose deficiency has gone undetected and to determine whether use of the inhibitor would be appropriate.
The requestor certified that the lab is contractually prohibited from: (i) referencing any of the lab’s other products on their “provider facing webpage;” (ii) promoting any of the lab’s or requestor’s other products in any “lab developed communications” to ordering providers or patients; and (iii) communicating with patients regarding the Arrangement unless required by law.
Additionally, the requestor certified that it would only receive “limited aggregated de-identified data” relating to the test through monthly reports. According to the requestor, the reports would include: (i) the number of tests performed under the arrangement; (ii) the cumulative results of all tests performed under the arrangement; and (iii) digital awareness results, including the source and number of visits to the parties’ dedicated website and the clicks on the QR code in pamphlets left behind at the provider’s office. The requestor further certified that this data will only be used to: (i) better understand the number of patients with the condition that was missed by standard testing; (ii) verify the amount invoiced to the requestor; and (iii) ensure that the parties’ arrangement is “being conducted in accordance with the terms of the agreement between the lab and the requestor.”
OIG Analysis
Anti-Kickback Statute
The OIG acknowledged that the arrangement could implicate the AKS by offering remuneration (i.e., the free test) that may induce referrals for federally reimbursable items or services and the safe harbor would not apply in this situation. However, OIG concluded that it would not impose sanctions for several reasons:
The arrangement presents little risk of overutilization or skewing clinical decision making. The test determines whether the inhibitor would be an appropriate method of treatment for patients and would only be appropriate for patients presenting with the deficiency. The test may also show the drug is not indicated in approximately half the cases.
Providers do not receive any remuneration from the requestor for prescribing the drug. Additionally, the requestor’s field personnel are prohibited from discussing the drug in relation to the arrangement.
The requestor will only receive de-identified data which it certifies will not be used for sales or marketing purposes including sales targeting or incentives.
The agreement prohibits the lab from promoting the arrangement to patients and providers and the requestor certified that it will not provide information about the arrangement to patients or providers directly.
There are various safeguards in place to prevent this being used as a marketing or sales tool to steer providers to order any items or services from requestor or the lab, including the drug.
Beneficiary Inducements CMP
OIG also concluded that the parties’ arrangement does not violate the Beneficiary Inducements CMP. Although providing a free test constitutes remuneration, OIG found that the arrangement meets the statutory exception for promoting access to care with a low risk of harm. Specifically, the arrangement:
May improve a beneficiary’s ability “to obtain items and services payable by Medicare or Medicaid” in instances when the inhibitor is covered by those programs.
Is unlikely to interfere with clinical decision making because the test only confirms whether the inhibitor can be prescribed for a particular patient which a provider may already be considering.
Does not raise quality of care or patient safety concerns because it is used to determine whether the inhibitor would be an effective treatment for a specific patient.
Is unlikely to increase costs to federal health care programs because the inhibitor may be a life-extending treatment that is already under consideration by the provider. Additionally, the test will determine the appropriateness of prescribing the inhibitor and nearly 50% of patients will be ineligible for the inhibitor after testing. Finally, the arrangement does not incentivize providers to prescribe the inhibitor in any way.
As is standard, OIG cautioned that its advisory opinion is limited to the proposed arrangement only and does not cover any other arrangements. OIG further cautioned that the opinion does not address liability under the False Claims Act and, finally, that the opinion is binding only on the Department of Health and Human Services and not on any other government agency.
Takeaways
The advisory opinion provides valuable insight into how OIG evaluates pharmaceutical manufacturer-sponsored diagnostic testing programs under the AKS and CMP. By imposing certain structural safeguards, including clear eligibility criteria, de-identified data sharing, and marketing restrictions, manufacturers may be able to establish programs that increase access to care without implicating the AKS or CMP. The advisory opinion may provide a potential model for other labs and pharmaceutical manufacturers to enter into agreements where the manufacturer would sponsor companion laboratory tests. We will continue to monitor for additional guidance that OIG may issue on this and related topics.
Paul Palma contributed to this article.
As the (Customs and Trade) World Turns: November 2025
Welcome to the November 2025 issue of “As the (Customs and Trade) World Turns,” our monthly newsletter where we compile essential updates from the customs and trade world over the past month. We bring you the most recent and significant insights in an accessible format, concluding with our main takeaways — aka “And the Fox Says…” — on what you need to know.
This edition provides essential insights for sectors including international trade, national security, aluminum, steel, and copper industries, fashion and retail, automotive, life sciences, electronics, artificial intelligence, transportation, electric mobility, e-commerce, shipping and logistics, and compliance, as well as for in-house counsel, importers, and compliance professionals.
In this November 2025 edition, we cover:
DOJ intensifies FCA enforcement against transshipment-related tariff evasion and implements AI tool to increase detection across CBP.
The United States and China agree to de-escalatory measures impacting IEEPA tariffs, export controls, Section 301 exclusions, and shipbuilding measures.
Developments of trade frameworks with various Southeast Asian and Latin American countries.
New Section 232 tariffs on medium and heavy-duty trucks.
Canada provides relief for certain US-origin steel and aluminum imports by extending the United States Surtax Remission Order.
BIS suspends for one year the implementation of export control restrictions under the “Affiliates Rule.”
US Supreme Court hears oral arguments on IEEPA trafficking and reciprocal tariffs.
State Department eases export controls on Cambodia.
1. FCA Heat on Transshipment: DOJ Ramps Enforcement as CBP Deploys AI, Elevating Tariff Evasion Risk for Importers
Recent reporting indicates a sustained ramp-up by the US Department of Justice (DOJ) in claims and enforcement under the False Claims Act (FCA) to pursue alleged tariff evasion tied to transshipment schemes. The FCA permits qui tam actions, meaning anyone, including private citizens, with knowledge of a potential violation can file suit on the government’s behalf. Additionally, under the FCA, the DOJ can recover penalties and triple the value of the government’s losses from the fraudulent transaction(s). This trend reflects a broader shift towards treating import-related statements as fraud, not just compliance errors, especially where transshipment may be involved.
In parallel, the US Customs and Border Protection (CBP) has awarded an exclusive and lucrative contract to Exiger AI to deploy artificial intelligence (AI)-driven transshipment detection across CBP. The platform is designed to score shipments in real time based on risk, map multi-tier supply chains, and validate origin, classification, and value. While the software will be utilized by CBP, its data and analytics capabilities will likely bolster interagency scrutiny of possible tariff evasion and, in turn, support FCA-based theories of liability when importers’ statements to the government are alleged to be false or misleading.
Importantly, FCA exposure is in addition to CBP’s own penalty regime. Companies with potential compliance issues now face overlapping risk, including administrative penalties, liquidated damages, and seizures from CBP, and parallel FCA investigations and civil fraud remedies from the DOJ.
And the Fox Says… Importers should increase focus on diligence and compliance efforts, especially where supply chains touch higher-risk transshipment hubs such as Vietnam or Thailand. Additionally, like CBP, importers should consider leveraging advanced screening and supply chain mapping solutions to further support origin determinations, monitor supplier routings, and document compliance measures.
2. China Tariffs: What Changed, What’s Paused, and What’s Next
The United States and China agreed to a number of trade adjustments that ease tensions while negotiations continue. Below, we summarize these actions.
IEEPA Fentanyl and Reciprocal Tariffs: Effective November 10, the International Emergency Economic Powers Act (IEEPA) fentanyl tariffs for imports from China and Hong Kong were lowered from 20% to 10%. At the same time, the IEEPA reciprocal duties for Chinese-origin goods (including products from Hong Kong and Macau) will remain at 10% until November 10, 2026, following a one-year extension of the suspension of the heightened reciprocal rate.
Section 301 Shipbuilding Actions Suspended: The United States proposed a one-year suspension of the ship-related fees adopted in the Section 301 action against China’s dominance of the maritime, logistics, and shipbuilding sectors, effective November 10.
Section 301 Exclusion Extended: While there is no formal publication in the Federal Register yet, the United States agreed to extend certain Section 301 exclusions that were set to expire on November 29, until November 10, 2026. It is still unclear at this time whether all current Section 301 exclusions will be extended through November 2026.
Relief for Export Controls: The US Department of Commerce’s Bureau of Industry and Security (BIS) published a final rule, “One Year Suspension of Expansion of End-User Controls for Affiliates of Certain Listed Entities.” Effective November 10, the final rule suspends the implementation of the interim final rule “Expansion of End-User Controls to Cover Affiliates of Certain Listed Entities” (the BIS Affiliates Rule). We discussed the suspension of the BIS Affiliates Rule in further detail in our alert.
Chinese Commitments: China will suspend rare‑earth export controls announced October 9 and issue general licenses for rare earths and other minerals for US end users; halt shipments of fentanyl‑related chemicals to North America and tighten controls globally; suspend certain retaliatory tariffs and non‑tariff actions against companies on the end user and unreliable entity lists, including those tied to Section 301 shipbuilding actions; resume purchases of various US exports; extend its tariff‑exclusion process for US imports through December 31, 2026; and terminate antitrust, anti‑monopoly, and anti‑dumping investigations targeting US semiconductor supply chain companies.
And the Fox Says… The Administration’s tariff and trade policy for China remains dynamic and subject to rapid reversal. Importers should assume continued fluidity in tariff rates, exclusions, and enforcement priorities, and build contingency plans that account for periodic resets in policy and implementation.
3. Southeast Asian Trade Deals and Frameworks Offer Insights Into US Trade Priorities
The United States announced headline trade deals and frameworks of deals with four Southeast Asian partners on October 26, including trade deals with Malaysia and Cambodia, and frameworks of deals with Thailand and Vietnam. On November 13, the White House announced additional frameworks of agreements with Argentina, Guatemala, El Salvador, and Ecuador. We expect that additional frameworks and agreements will be announced in the coming months. Please look for further updates on the November 13 frameworks in our December newsletter.
Reciprocal Tariff Rate
The agreements and frameworks of agreements provide for the following reciprocal rates, which maintain the rates that were previously announced in August 2025.
Country | New US Reciprocal Rate on Partner-Origin Goods | Effective Date | Previous Reciprocal Rate
Malaysia | 19% with limited exemptions | 60 days after exchange of notifications certifying completion of procedures under the agreement | 19%
Cambodia | 19% with limited exemptions | Upon exchange of notifications for entry into force | 19%
Thailand | 19% (framework; to be finalized) | Upon conclusion and entry into force of final agreement | 19%
Vietnam | 20% (framework; to be finalized) | Upon conclusion and entry into force of final agreement | 20%
Origin and Transshipment
Both the Malaysia and Cambodia agreements contemplate alternative rules of origin to ensure that the benefits of the agreements would not accrue to third countries. These alternative rules of origin have not been published and could be agreed upon at a later date. The rules of origin may provide an increased duty rate for products that do not meet certain thresholds, and we have heard rumors of regional value content requirements or maximum foreign content ceilings.
Export Controls
The agreements also require the trade partners to develop export controls. Malaysia will align with US unilateral controls, restrict dealings with BIS/Office of Foreign Assets Control (OFAC)-listed parties, and also explore investment security review. Cambodia will cooperate with multilateral and US controls on a case-by-case basis, restrict transactions with BIS/OFAC-listed parties, and increase transparency into third-country investment activity.
Forced Labor
The current US agreements with Malaysia and Cambodia also require those countries to adopt and implement prohibitions on forced labor, similar to the requirements that were in the United States-Mexico-Canada Agreement (USMCA).
And the Fox Says… Importers should assess the tariff implications of recent reciprocal tariff agreements and frameworks with ASEAN countries and prepare for heightened scrutiny and compliance obligations related to sourcing, transshipment, export controls, and labor risk. Fashion and retail companies that shifted supply chains away from China to other Southeast Asian countries may be particularly impacted.
4. A Heavy Lift: Section 232 Tariffs Arrive for Trucks and Parts
Effective November 1, new Section 232 tariffs are rolling out on trucks and their parts. Under Presidential Proclamation 10984, imports of medium- and heavy-duty vehicles (MHDVs) and MHDV parts (MHDVPs) are now subject to an additional 25% duty, while buses and similar vehicles under Harmonized Tariff Schedule 8702 face a 10% duty.
As with the auto tariffs announced earlier this year, the Administration cited national security concerns tied to supply chain dependence on foreign truck and bus parts. Imports of subject vehicles and parts from all countries are covered, with no special rates (yet) for any countries with which the United States has struck a trade deal, such as the United Kingdom, Japan, or the European Union.
Several key flexibilities stand out.
USMCA Relief: Following the framework of the Section 232 auto tariff, for MHDVs that qualify under the USMCA, the 25% tariff will only apply to their non-US content, while USMCA-qualifying MHDVPs will have a full tariff exemption until Commerce comes up with a process to apply the tariff to their non-US content.
Offset Program: Through 2030, original equipment manufacturers (OEMs) assembling trucks in the United States can earn credits — equal to 3.75% of the value of US-assembled trucks — to offset the impact of MHDVP tariffs. The offset can only be used by an importer of record authorized by the OEM. Changes were also made to the Section 232 auto tariff version of this program to harmonize both programs.
Self-Certification: Imports may be classified by importers as “auto” or “MHDV” components and are therefore subject to Section 232 auto or truck tariffs, making such parts eligible for the offset program or potentially avoiding other applicable tariffs, such as the Section 232 steel or aluminum tariffs.
Potential Steel and Aluminum Tariff Relief: The proclamation established a new program which may lower Section 232 tariffs on steel or aluminum produced in Canada or Mexico and supplied to auto or MHDV manufacturers in the United States.
And the Fox Says… Presidential Proclamation 10984 did more than simply set a new tariff on trucks and their parts. It introduced a whole host of new complexities and potential new tariff relief measures into the already multifaceted tariff landscape that impacts automobiles and their parts and the steel and aluminum industry, among other country and commodity issues. Many of these programs will require more implementing guidance from Commerce and CBP to be fully operational, so importers of MHDVs and their parts should continue to monitor developments closely. For other impacted products, there are actionable benefits to consider.
5. Canadian Government Extends Surtax Relief
The Canadian government has extended, for an additional two months, the relief available under the United States Surtax Remission Order (2025) to mitigate the impact of the 25% surtax on certain US-origin steel and aluminum imports imposed since March 13.
Key Change
The eligibility period for remission and refunds now expires on December 16. Administrative guidance can be found in Customs Notice 25-19.
Eligibility Criteria
For use in Canadian manufacturing, processing, agricultural production (added October 15), and food and beverage packaging.
Goods imported on behalf of certain public sector entities: public health, safety, or national security.
In limited circumstances and upon approval, relief may be obtained for goods in short supply within Canada.
Compliance Considerations
There is no administrative appeal. Canada Border Services Agency (CBSA) decisions are final. Judicial review in the Federal Court of Canada may be initiated within 30 days where serious errors are alleged.
Accuracy and completeness of documentation are critical. Applications and supporting materials must be submitted through CBSA’s Assessment and Revenue Management electronic portal.
Action Steps for Importers
Confirm eligibility based on end-user and end-use requirements set out in the order.
Track deadlines. December 16 for remission, and within two years of importation for refunds. This is critical given the absence of appeal rights, and any judicial review challenge has to be based on documentation provided to the CBSA.
And the Fox Says… Seek relief against the 25% surtax by ensuring that accurate and complete documentation is provided to the CBSA at the time of importation or when seeking refunds. Full compliance at the outset with the legal requirements is essential, as a rejection will not be appealable. Judicial review, while available, will be limited to serious errors on the part of the CBSA in the face of a complete record consisting of cogent evidence to support the claim for remission or refund.
6. BIS Affiliates Rule: Partially Suspended, But Not Settled
On September 29, BIS issued an “Affiliates Rule” extending export control restrictions applicable to Entity List parties, Military End Users (MEUs), and certain Specially Designated Nationals (SDNs) to all non‑US entities owned 50% or more, directly or indirectly, by such parties, worldwide. We discussed the rule at length here and here.
Just one month later, on October 30, the US Secretary of the Treasury announced that the rule would be suspended for one year, which was also reflected in a fact sheet published by the White House on November 1. BIS did not officially acknowledge the suspension until November 10 when it published a final rule suspending the implementation of the Affiliates Rule through November 9, 2026, absent further extension.
What Is Suspended … and What Is Not
While the final rule suspending the Affiliates Rule states that the rule “imposes a one-year suspension of the Affiliates Rule,” the text of the rule creates some uncertainty in that it states that “amendatory instructions 3, 6, 9, 12, 14, 16, 18, 20, 22, 24, 27, and 29 are effective November 10, 2026 … . All other amendatory instructions become effective November 10, 2025.”
This creates a puzzle. The Affiliates Rule as published contained only 17 amendatory instructions. On review, instruction 12, covering Entity List amendments, and instruction 14, setting 50% ownership guidelines, are suspended, which tracks the policy rationale. But instruction 8, concerning the SDN List amendment, and instruction 13, concerning the MEU List amendment, are apparently not suspended. Likewise, instruction 2, which adds Red Flag 29, and instruction 4, which changes the Foreign Direct Product Rule, are not listed as suspended.
As a result, serious questions remain about the implementation of the BIS Affiliates Rule and its subsequent suspension.
Practical Takeaways
Near‑term priorities include assessing sunk costs and seeking contractual mitigation; maintaining operations where tools are deployed and using the pause to refine procedures, controls, and documentation; briefly deferring new purchases while vendors integrate affiliate screening and harden features; and monitoring for editorial corrections to reconcile the numbering mismatch.
And the Fox Says… The suspension is temporary and could be rescinded. Use this window to map risk, tighten contracting and timelines, and operationalize controls to be ready if — and when — the Affiliates Rule returns.
7. SCOTUS Shows Skepticism and Flags a Potential Refund “Mess” on the IEEPA Tariffs
On November 5, the US Supreme Court held oral arguments in Learning Resources Inc. v. Trump and V.O.S. Selections, Inc. v. Trump on the legality of tariffs imposed earlier this year under the IEEPA to address declared national emergencies for persistent trade deficits and fentanyl trafficking.
The Court probed several legal frameworks, including close textual readings of “regulate,” separation of powers concerns, statutory and legislative history, reviewability of the emergency declarations, and the implications of relief. The justices largely avoided questioning the emergency findings themselves, focusing instead on whether the IEEPA authorized tariff imposition. Several justices discussed that none of the actions listed in the IEEPA refer to revenue generation, except perhaps the word “license,” calling into question the ability to impose these tariffs through the IEEPA. Other justices noted a potential contradiction in conferring on the president’s powers such as quotas or bans but not tariffs, a lesser action.
Justice Amy Coney Barrett suggested that reimbursement, should the challengers prevail, seems “like it could be a mess.” The government stipulated that the plaintiff parties would get refunded, but the Court’s decision would also implicate billions in tariff revenue for thousands of importers. Respondents’ counsel acknowledged the difficulty in processing refunds but noted several options, like (1) class action suits, (2) existing administrative procedures, (3) stay pending congressional action, or (4) limited prospective relief.
And the Fox Says… Although several justices appeared skeptical of the IEEPA tariffs, no one legal theory carried the day. Justice Barrett’s willingness to engage with the practical implications of invalidating the tariffs underscores the potential challenges for importers seeking a refund, even if the Court issues a favorable decision. It is also possible that the decision will be limited in scope, or that relief will be granted only to the plaintiffs, but we remain cautiously optimistic. In the interim, we are counseling our clients to take proactive steps to preserve rights to refunds in the event the IEEPA tariffs are overturned. We will provide additional guidance when the Supreme Court issues its final decision, which may be in the first quarter of 2026.
8. State Department Lifts Arms Embargo on Cambodia
In a final rule issued on November 7, the US Department of State announced that it would amend the International Traffic in Arms Regulations (ITAR) to remove Cambodia from the list of proscribed countries at Section 126.1. The rule, which cites Cambodia’s “diligent pursuit of peace and security,” follows the October 26 agreement between the United States and Cambodia on reciprocal trade which provided that the United States would “work with Cambodia to streamline and enhance defense trade.”
This change means that applications to export or temporarily import defense articles and services to or from Cambodia will be considered on a case-by-case basis going forward. Previously, these requests were subject to a policy of denial unless they were related to conventional weapons destruction or clearing mines. The new rule also means that a number of ITAR license exemptions are now available for Cambodia.
Corresponding changes to the Export Administration Regulations (EAR) have not yet been made but presumably would include the removal of Cambodia from Country Group D:5, which is tied to Section 126.1’s proscribed countries list. Certain export licensing requirements related to semiconductors and advanced computing, as well as requirements for 600-series and 9×515 items, will be loosened as a result. Importantly, this loosening will not occur until the EAR is amended, and even then, Cambodia’s removal from Country Group D:5 would not affect the applicability of the EAR’s restrictions on MEUs and military-intelligence end use or users in Cambodia.
And the Fox Says… These changes may offer some increased opportunities for favorable disposition of ITAR licenses for Cambodia, as such applications will no longer be subject to a policy of denial. Other controls remain in place (at least for the time being), so exporters exploring new opportunities in Cambodia should make sure all their ducks are in a row before proceeding.
Additional Authors: James Kim*, Mario A. Torrico, Lucas A. Rock, Maya S. Cohen, Christian L. Bush, Derek Ha, Andrew McArthur, Yusra H. Siddique, Joy Marie Virga, and Riyaz Dattu*
Clean Slate: San Antonio Lab Executives Exonerated in Health Care Fraud Case
Earlier this year, a Florida jury fully acquitted two owners of an independent clinical laboratory located in San Antonio, Texas, accused of conspiring to commit health care fraud and wire fraud. Defendants Diego Sanchez Chocron and Gregory “Milo” Caskey were charged alongside their laboratory co-owner Enrique Perez-Paris and two patient recruiters to whom they were accused of paying kickbacks. The Department of Justice alleged that Sanchez Chocron, Caskey, and Perez-Paris conspired to falsely bill Medicare and the Health Resources and Services Administration (HRSA) COVID-19 Uninsured Program $44 million for COVID-19 and genetic testing during the COVID-19 pandemic. Prosecutors alleged that the laboratory owner defendants paid kickbacks, that the tests were medically unnecessary, and that the defendants billed for tests not approved by the US Food and Drug Administration (FDA) for emergency-use authorization. Perez-Paris (and the two alleged kickback recipients) pleaded guilty to conspiracy to commit health care fraud in the weeks leading up to the trial, and he testified against his former partners.
Perez-Paris pleaded guilty in February 2025 to one count of the superseding indictment that he “knowingly and willfully combined, conspired, confederated, and agreed with others, in violation of Title 18, United States Code, Section 1349, to commit health care fraud….including Medicare and the COVID-19 Claims Reimbursement to Health Care Providers and Facilities for Testing, Treatment and Vaccine Administration for the Uninsured Program (“HRSA COVID-19 Uninsured Program”).”
Unlike Perez-Paris, Sanchez Chocron and Caskey proceeded to trial. While their acquittals may be relatively rare, particularly in light of their alleged co-conspirator’s guilty plea and testimony, the jury’s verdict was foreshadowed by a pair of rulings from the bench.
First, Judge Rodolfo A. Ruiz II granted in part the two defendants’ motion to strike certain portions of the superseding indictment, agreeing with the defendants that HRSA did not incorporate Medicare coverage rules requiring provider authorization for a COVID-19 test, and holding that “the Government may not argue that a failure to procure authorization from a healthcare provider for a COVID-19 test automatically constitutes a violation of the HRSA Terms and Conditions.” Judge Ruiz further held that “failure to procure authorization from a healthcare provider for a COVID-19 test under the HRSA Terms and Conditions does not automatically establish a violation of the criminal statutes set forth in the Superseding Indictment.” Judge Ruiz was careful to note that the government could use the fact that tests were not ordered by a healthcare provider as evidence of defendants’ knowledge and intent, as well as in connection with the materiality of defendants’ alleged representations to the HRSA uninsured program.
Second, Judge Ruiz also granted the defendants’ motion for acquittal on charges that they conspired to pay kickbacks and commit money laundering.
The jury appears to have agreed with defense counsel, who argued that the evidence presented established their clients’ good-faith beliefs that their actions were legal and that the tests were not medically unnecessary, as demonstrated by the defendants’ consulting with counsel and other experts.
The full acquittal of Sanchez Chocron and Caskey underscores the importance of the intent elements of the Anti-Kickback Statute and other fraud statutes. Despite the government’s reliance on co-defendant testimony and allegations of widespread misconduct, the jury found the evidence insufficient to convict. Key rulings by Judge Rodolfo A. Ruiz II—particularly those limiting the government’s interpretation of HRSA requirements and dismissing kickback and money laundering charges—significantly shaped the trial’s trajectory. Ultimately, the verdict affirms that, even in high-stakes federal prosecutions, defendants who act in good faith and seek appropriate legal guidance can prevail when they have the facts and the law on their side.