Federal Court Finds False Claims Act Penalty Unconstitutionally Excessive

On February 26, 2025, the U.S. District Court for the Northern District of Texas issued a significant False Claims Act (FCA) ruling in United States of America ex rel. Cheryl Taylor v. Healthcare Associates of Texas, LLC, finding that the application of the FCA’s mandatory per-claim penalty violated the Eighth Amendment. The Court upheld the jury verdict finding the defendants liable under the FCA, but substantially reduced the $448 million in penalties imposed, citing the Eighth Amendment’s Excessive Fines Clause.
The relator-whistleblower alleged that the defendants employed fraudulent Medicare billing practices in violation of Medicare billing rules. After a two-week trial, the jury found that Healthcare Associates of Texas (HCAT) submitted 21,844 false or fraudulent claims and collected $2,753,641.86 in overpayments.
In assessing potential damages under the FCA, the overpayment amount—roughly $2.75 million in this case—is merely the starting point. The statute allows private whistleblowers or the Government to seek up to three times that amount and to impose penalties between $13,946 and $27,894 for every single false claim. As a practical matter, the Department of Justice often settles FCA cases by applying a multiplier between 1.25 and 2 times the amount of actual damages, while seeking per-claim penalties is far less common.
Relator sought treble damages as well as the maximum statutory penalties. Although the amount of the overpayment was less than $2.75 million, the jury imposed per-claim penalties and awarded Relator $448,817,000—more than 100 times the amount the Government actually reimbursed Defendants for the allegedly fraudulent claims.
HCAT argued that such an award would violate the Excessive Fines Clause, which prohibits “grossly disproportional” fines relative to the offense. The Court agreed, noting that the ratio of statutory to actual damages was over 100 to 1 and that the conduct at issue was based on rules violations as opposed to more egregious conduct like billing for fictitious services. Thus, based on constitutional concerns under the Excessive Fines Clause, the Court reduced the statutory damages to three times the actual damages, setting total liability at $16,521,851.16.
While the FCA mandates per-claim penalties, which often result in extraordinary damage calculations, courts increasingly ask whether they are constitutional and may reduce excessive fines when they result in disproportionate liability. Given these concerns, those facing disproportionally large FCA penalties may consider raising Eighth Amendment arguments early in the litigation, particularly when statutory fines vastly exceed actual damages.
This ruling highlights critical considerations for health care providers and their legal counsel navigating FCA enforcement actions. 

Navigating New Compliance Challenges for Financial Institutions and Payment Processors: The U.S. Treasury’s Enhanced Terrorist Finance Tracking Program

In a significant move to combat illicit financial activities focused on cartels, the U.S. government has intensified its scrutiny of cross-border payments, particularly those linked to Mexico. This development follows the designation of several Mexican cartels as Foreign Terrorist Organizations (“FTOs”) and Specially Designated Global Terrorists (“SDGTs”). These actions, coupled with the expanded use of the U.S. Treasury’s Terrorist Finance Tracking Program (“TFTP”), signal a new era of regulatory oversight for financial institutions and payment processors.
Key Developments

Cartel Designations and Legal Implications: On February 20, 2025, the U.S. Department of State designated eight cartels, including six based in Mexico, as FTOs and SDGTs. These designations expand criminal liability for knowingly providing material support to these organizations and authorize the U.S. Treasury to block financial transactions involving designated entities and their affiliates.
Southwest Border Geographic Targeting Order (“GTO”): The Financial Crimes Enforcement Network (“FinCEN”) has issued a Southwest Border GTO, requiring money services businesses (“MSBs”) in 30 ZIP codes across California and Texas to report cash transactions exceeding $200 but not more than $10,000 within 15 days effective from April 14 through September 9, 2025. This measure increases recordkeeping or reporting requirements and aims to enhance monitoring of financial flows near the United States-Mexico border. FinCEN also encourages the filing of SARs to report transactions conducted to evade the $200 threshold despite the SAR regulation dollar threshold (i.e., transactions that involve or aggregate to at least $2,000).
Enhanced Role of TFTP: The TFTP will play a pivotal role in monitoring and enforcing these new sanctions. By leveraging financial intelligence tools, U.S. regulators aim to identify potential sanctions violations, even in routine business transactions.
Penalties for Failing to Report: If a business or its representatives willfully violate a GTO as of March 14, 2025, they may face: (1) Civil Penalties: The higher of $71,545 or the transaction amount, up to $286,184, with separate penalties for each violation; or (2) Criminal Penalties: Fines up to $250,000 and/or up to five years of imprisonment.

FinCEN released FAQs on the GTO on April 16, 2025.
Implications for Financial Services and Payment Processors

Increased Recordkeeping or Reporting Requirements: Financial institutions are now required to block funds in which a designated cartel or its agents have an interest. This will test already existing compliance frameworks, including enhanced due diligence and transaction monitoring systems. The Southwest Border GTO further intensifies these requirements by mandating Currency Transaction Reports for cash transactions exceeding $200 in designated regions. Institutions also face strict liability for sanctions breaches under the SDGT designations.
Regulatory Risks: Companies engaged in cross-border transactions, particularly with Mexico, may face greater regulatory scrutiny. This includes industries or entities directly or indirectly linked to designated organizations. The TFTP enables regulators to flag routine transactions for additional review, increasing the risk of enforcement actions.
Technology: Payment processors and MSBs must adapt to new reporting requirements and should consider implementing advanced analytics to detect potential sanctions violations. This includes leveraging financial intelligence tools to identify suspicious patterns and mitigate risks.
Data Privacy and Security: The TFTP’s reliance on financial transaction data raises questions about data privacy and security. Institutions should balance compliance with privacy regulations while ensuring the integrity of their systems. 

To navigate the evolving regulatory landscape shaped by the U.S. Treasury’s Terrorist Finance Tracking Program (TFTP) and related measures, financial services and payment processing companies should take proactive steps to monitor and react to these changes. 

Court Affirms $1.6B Judgment in Baha Mar Investor Dispute

A New York appeals court has affirmed a $1.6 billion award for the developer of a Bahamas mega project against various subsidiaries of China State Construction Engineering Corporation, the world’s largest construction company by revenue (see BML Properties, Ltd. v. China Construction America, Inc. et al., No. 6567550/17, 2025 WL 1033736 (N.Y. App. Div. Apr. 8, 2025)). The dispute involves construction of the Baha Mar beach resort complex in Nassau. After a series of delays that prevented the resort from opening as planned in March 2015, the developer BML Properties, Ltd., filed for bankruptcy and sued various state-owned entities, including the minority investor, prime contractor, construction manager, and others for breach of contract, fraud, and alter ego theories. After an 11-day bench trial, the lower court pierced the defendants’ corporate veils and awarded the developer $845 million for the loss of its entire investment plus prejudgment interest of $830 million. 
The appellate court affirmed. As to veil piercing, the court held that the prime contractor entity exercised complete domination over the other defendants in order to breach the investor agreement, defraud the plaintiff, and cause the collapse of the project. The court also found that the minority investor entity failed to act in the best interests of the project. This included stripping manpower and resources from the project, diverting funds from the project that were meant for subcontractors, and causing or authorizing delays. These breaches of the investor agreement prevented the resort from opening and resulted in the loss of the developer’s entire investment. The appellate court also affirmed the lower court’s fraud finding based on internal communications showing that the construction manager entity knew that a March 2015 opening date – as represented to the developer – was impossible. The appellate court held that these misrepresentations regarding the defendants’ ability to perform were sufficient to support a finding of fraud.
The 2,200 room Baha Mar beach resort did eventually open in 2017 at a total estimated cost of $4 billion.

FHFA Has Fraud on Its Mind

In recent days, Federal Housing Finance Agency (FHFA) Director Bill Pulte has made it clear that he believes fraud is a rampant problem at FHFA. In a stream of related activities, Pulte has called on the public to report fraud via email and a new Hotline, terminated over 100 FHFA employees for alleged fraud, and taken aim at a political rival for alleged mortgage fraud.
Fraud Hotline Encourages Reporting of Fraud Concerns
On April 15, 2025, Pulte posted an invitation on X for any person to “Please submit any alleged criminal mortgage tips or mortgage fraud tips to [email protected].” This message coincides with FHFA’s new Hotline for Reporting Alleged Fraud, Waste, Abuse, or Mismanagement at Hotline | FHFA-OIG. The hotline website encourages federal employees and the public to “report information about those, whether inside or outside of the federal government, who waste, steal, or abuse government funds in connection with the Agency, Fannie Mae and Freddie Mac (the Enterprises), any of the Federal Home Loan Banks (FHLBanks), or the FHLBanks’ Office of Finance, or about mismanagement within FHFA.” The Hotline website is now seeking information on any of the following:

Possible waste, fraud, abuse, mismanagement, or other misconduct involving FHFA employees, programs, operations, contracts or subcontracts;
Possible violations of Federal laws, regulations, rules, or policies pertaining to FHFA or to any of the regulated entities; or
Possible unethical activities involving employees of FHFA or of the regulated entities.

This effort marks a significant step in Pulte’s broader campaign to foster transparency, accountability, and a culture of integrity across the federal housing finance system.
FHFA Cleans House
Following an internal investigation launched under Pulte’s anti-fraud campaign, Fannie Mae recently terminated over 100 employees for unethical behavior, including involvement in fraud. This internal investigation reflects Pulte’s zero-tolerance stance on fraud and commitment to restoring integrity at government-sponsored enterprises like Fannie Mae and Freddie Mac.
In a release by the Federal Housing Finance Agency on April 8, 2025, Pulte stressed that “there is no room for fraud, mortgage fraud, or any other deceitful act that can jeopardize the safety and soundness of the housing industry.” Further, Fannie Mae CEO Priscilla Almodovar thanked Pulte for “empowering of Fannie Mae to root out unethical conduct,” emphasizing that “we hold our employees to the highest standards, and we will continue to do so.”
Although the agencies have not released further details about the terminations, Pulte reaffirmed his commitment to combating misconduct in a post on his personal X account, stating, “We are turning around Fannie Mae and Freddie Mac, slowly but surely.”
Referral of New York Attorney General Letitia James for Mortgage Fraud
As a part of Pulte’s crackdown on alleged mortgage fraud, he has referred New York Attorney General Letitia James for federal prosecution for her alleged mortgage fraud. Pulte alleges James “has, in multiple instances, falsified bank documents and property records to acquire government-backed assistance and loans and more favorable loan terms.” Director Pulte alleges that most recently, James committed fraud by claiming a Virginia home would be her primary residence in 2023, while James is the sitting Attorney General of New York. James’s office has maintained that the Virginia residence is the primary residence of her niece, with whom she purchased the property.
Pulte further alleges fraud connected to a home purchase in Brooklyn in 2001, where James used a loan that was only available to purchase four-unit properties to purchase an alleged five-unit property. However, popular real estate sites such as StreetEasy, Trulia, and Redfin have categorized the property as a four-unit building. 
Lastly, Pulte has alleged fraud in connection with a 1983 home purchase by James’s father, where the mortgage states James is her father’s wife instead of his daughter. It is unclear whether or not this was a clerical error in drafting the Mortgage or whether it was an intentional act by James and her father. While the criminal referral references the 2001 and 1983 purchases, any alleged fraud in connection with these purchases appears to be well beyond the statute of limitations.
James has initially responded that the allegations are “baseless.” She has said the “allegations are nothing more than a revenge tour” related to her civil fraud case against President Trump, which resulted in a $454 judgment from a New York Court in 2024, which he is currently appealing.
Expect Fraud Related Repurchases
Pulte’s interest in fraud is also likely to trigger new repurchase demands to the industry. One of the critical representations and warranties that lenders make when selling loans to the GSEs is that the loan meets all the requirements of the Lender Contract, including that it has not been obtained via misrepresentation or fraud. “Because the selling warranties are not limited to matters within a seller/servicer’s knowledge… the action or inaction (including misrepresentation or fraud) of the borrower, or a third party, as well as the action or inaction (including misrepresentation or fraud) of the seller/servicer will constitute the seller/servicer’s breach of a selling warranty.” Fannie Mae Guide A1-1-02, Representation and Warranty Requirements (08/16/2017), see also Freddie Mac Guide 1301.8 – Warranties and representations by the Seller (8/2/2023).
The GSEs have always maintained the ability to demand repurchase of any mortgage loans that do not meet the many qualifications of their Seller Guidelines. See Freddie Mac Guide 3602.2 – Repurchases (8/17/2016) and Fannie Mae Guide A1-3-02, Fannie Mae-Initiated Repurchases, Indemnifications, Make Whole Payment Requests and Deferred Payment Obligations (10/11/2023). During the Biden Administration, the industry experienced a sharp uptick in repurchase demands from the GSEs. As a November 2023 white paper from the Urban Institute noted, the “GSEs have become more aggressive, forcing more repurchases earlier in the life of the loan than was the case in earlier vintages. In the first few years of the mortgages’ life, there have been more repurchases for the 2018–22 origination years than there were in the 2005–08 origination years.” GSE Repurchase Activity and its Chilling Effect on the Market. Overall, the GSEs have been proactive about their repurchase rights both in recent years and prior to the Trump Administration.
With that background in mind, Pulte’s April 16, 2025, post on X that “FHFA, Fannie Mae, and Freddie Mac will be evaluating ways to ‘recall loans’ that have been obtained fraudulently” is not groundbreaking news, but it does emphasize the recent focus on fraud. Pulte’s use of “recall” instead of “repurchase” may relate to his homebuilding background, but the intent is the same. Apparently, neither Pulte nor the FHFA has responded to the National Mortgage News’ request for clarification on the post. However, some believe the X post may directly relate to the FHFA referral to the U.S. Attorney General regarding Attorney General James.
This renewed emphasis on enforcing repurchase rights—particularly in cases involving fraud—signals that lenders should prepare for heightened scrutiny and further increase in repurchase demands as the FHFA doubles down on accountability under Pulte’s leadership.
Going Forward
Taken together, these actions paint a clear picture: under Bill Pulte’s leadership, the FHFA is aggressively pivoting toward a hardline stance on fraud, ethics, and accountability. From employee terminations and public tip lines to high-profile referrals and the reinforcement of repurchase remedies, Pulte is sending a strong message that misconduct at any level—whether inside the agency, among its regulated entities, or even among political figures—will be met with swift and serious consequences. As the housing finance system braces for increased oversight, stakeholders should expect this aggressive posture to define the agency’s direction for the foreseeable future.

In Welcome News for Tax Whistleblowers, IRS Whistleblower Office Releases Operating Plan

Today, the Internal Revenue Service (IRS) Whistleblower Office released its first-ever multi-year operating plan, “outlining guiding principles, strategic priorities, recent achievements and current initiatives to advance the IRS Whistleblower Program.”
“This is welcome news for IRS whistleblowers whose cases languish for years, sometimes up to a decade or more, before the whistleblower can be paid an award,” says David Colapinto.
“This is an important step forward,” adds Stephen M. Kohn. “This is a critical program that has been held back by antiquated regulations. It’s time to modernize the program and effectively prosecute tax evaders.”
The plan lays out six strategic priorities:

Enhance the claim submission process to promote greater efficiency.
Use high-value whistleblower information effectively.
Award whistleblowers fairly and as soon as possible.
Keep whistleblowers informed of the status of their claims and the basis for IRS decisions on claims.
Safeguard whistleblower and taxpayer information.
Ensure that our workforce is supported with effective tools, technology, training and other resources.

“Of particular interest to the whistleblower community is the IRS’ emphasis on increasing efficiencies to speed up the process and issuing whistleblower awards faster and as soon as possible,” Colapinto adds.
“While paying whistleblower awards can incentivize other whistleblowers to report major tax fraud by wealthy tax cheats, the failure to pay whistleblower awards timely by taking over a decade to make payments, can act as a disincentive to blowing the whistle,” Colapinto adds. “This is an important step towards making the IRS whistleblower program more effective. To date, the IRS reports that it has collected more than $7.4 billion in taxes attributable to whistleblowers reporting tax fraud and underpayments. The IRS Whistleblower Program has potential to collect even more if it improves its program to encourage more whistleblowers to come forward.”
Modernized in 2006, the IRS Whistleblower Program offers monetary awards to whistleblowers who voluntarily provide original information about tax noncompliance. While the program has resulted in the collection of billions of dollars, in recent years payouts to whistleblowers have dipped while the processing time for award payments has risen to over 11 years on average.
Since taking over as the Director of the IRS Whistleblower Office in 2022, John Hinman has overseen a number of administrative reforms aimed at making the program more efficient and effective, including increasing staffing at the office and disaggregating whistleblower claims to speed up award payouts.
While the newly released operating plan promises to make needed changes to the IRS Whistleblower Program, Congressional reforms are also needed. In January, Senators Ron Wyden (D-OR) and Mike Crapo (R-ID) unveiled a discussion draft of a bipartisan IRS reform bill which contains reforms to the IRS Whistleblower Program previously found in the IRS Whistleblower Improvement Act of 2023.
Geoff Schweller also contributed to this article.

A New Chapter in FCPA Enforcement: State Attorneys General Take Action to Enforce Violations

In a significant shift, California’s Attorney General announced his intention to enforce violations of the FCPA by businesses operating in California under the state’s Unfair Competition Law (UCL).

A cornerstone of U.S. anti-bribery and anti-corruption policy, the Foreign Corrupt Practices Act (FCPA) has for decades fallen exclusively to the U.S. Department of Justice (DOJ) to enforce, providing a relatively stable and predictable enforcement environment for corporations and individuals engaged in international business. However, this predictability was upended this past February.

In response to a February 10 executive order temporarily suspending federal enforcement of the FCPA — which prompted the DOJ to review active FCPA matters, postpone trial dates, and, in at least one case, voluntarily dismiss charges — California has moved swiftly to assert its own enforcement authority. On April 2, California Attorney General Rob Bonta issued a legal advisory signaling his office’s intent to enforce FCPA violations under California’s Unfair Competition Law (“UCL”) — the federal government’s temporary pause notwithstanding.
Specifically, the advisory explains that the FCPA continues to impose binding obligations on California businesses and that violations of the statute may give rise to liability under the UCL, which prohibits “unlawful, unfair, and fraudulent business acts and practices.” Cal. Bus. & Prof. Code § 17200 et seq. The UCL’s broad reach allows the Attorney General to “borrow” violations of other laws, including federal statutes like the FCPA, and pursue them as independently actionable violations under state law. The advisory underscores the range of remedies available to the California Attorney General in such cases, including civil penalties, restitution, injunctive relief, and disgorgement of ill-gotten gains.
State-Level FCPA Enforcement: California at the Forefront
While California is currently leading the way, the question remains whether other states will adopt a similar approach. Several factors suggest this could be the beginning of a broader trend:
1. State attorneys general have increasingly positioned themselves as active enforcers in the face of shifting federal priorities.
This is particularly true when those shifts touch on matters of consumer protection, public integrity, and corporate accountability.
2. Many states possess statutes analogous to California’s UCL.
Commonly referred to as Unfair and Deceptive Acts and Practices (UDAP) laws, these provide state-level enforcement mechanisms against a broad range of unlawful or deceptive business practices. Some UDAP laws, such as New York’s General Business Law § 349, require a showing of consumer harm, while others (such as California’s UCL) allow enforcement actions without the need to demonstrate direct consumer injury. Enforcement authorities in states with laws similar to California’s UCL are well-positioned to leverage them against conduct traditionally addressed under the FCPA.
Whether other state attorneys general will follow California’s lead remains to be seen, but the shifting enforcement landscape demands careful attention, as scrutiny from state-level enforcement may soon fill the gaps left by the DOJ’s recalibrated approach.
3. Unlike the FCPA, private litigants have an independent, private right of action under California’s UCL that empowers them to bring civil actions — suggesting the potential viability of leveraging FCPA violations as the predicate misconduct for UCL claims.
Indeed, Attorney General Bonta’s Advisory and accompanying press release may serve as such a signal to the UCL plaintiffs’ bar. This prospect may be particularly attractive in the current enforcement climate, where some federal FCPA actions are temporarily paused or dropped altogether.
Under the UCL, private plaintiffs who can demonstrate that they have “suffered injury in fact and lost money or property as a result of unfair competition” may pursue claims for relief if they can meet the necessary standing requirements, including demonstrating that an economic injury was causally linked to the alleged misconduct. But in certain circumstances, companies with international operations may face significant financial exposure associated with alleged FCPA/UCL violations.
Against this backdrop, the most immediate and obvious targets for California state enforcement are likely to be companies with operations in California that were previously charged in federal FCPA cases but are now seeing their matters dismissed following DOJ’s ongoing review. In addition, any “whistleblower” allegations of foreign bribery may now grab the attention of state enforcement authorities.
Fragmented Authority and the Future of FCPA Enforcement
While California’s legal advisory signals a new direction for FCPA enforcement at the state level, the practical realities of international anti-corruption investigations raise significant questions about the scope and effectiveness of such efforts.
Unlike the DOJ, state attorneys general lack dedicated federal investigative resources such as the FBI and typically do not maintain established channels of communication and cooperation with foreign law enforcement agencies. These structural limitations could pose serious challenges for state-led enforcement of complex, cross-border bribery schemes.
At the same time, the federal enforcement landscape is also shifting. Under recently revised DOJ policy, each of the 94 U.S. Attorneys’ Offices throughout the country now has greater authority to initiate and prosecute FCPA-related matters without the need for oversight or direct involvement from DOJ’s Fraud Section, provided the conduct can be framed as “foreign bribery that facilitates the criminal operations of Cartels and Transnational Criminal Organizations (TCOs).”
Takeaways
This development marks a significant shift in the FCPA enforcement landscape, particularly in light of the current administration’s recent pronouncements and policies limiting federal enforcement of the statute. In this evolving environment, companies would be well-advised to reassess their anti-corruption compliance programs to ensure they account not only for federal enforcement risks, but also for the growing likelihood of state-level investigations, enforcement actions, and private causes of action.

Former Executive Secures $34.5 Million Settlement in Whistleblower Retaliation Case

On March 20, 2025, in Zornoza v. Terraform Global Inc. et al, No. 818-cv-02523 (D. Md. Apr. 4, 2025), a former executive of two SunEdison subsidiaries secured a $34.5 million settlement over his SOX whistleblower retaliation claims.
Background
Carlos Domenech Zornoza (the “Executive”), the former President and CEO of two SunEdison subsidiaries, filed a whistleblower retaliation complaint with the U.S. Department of Labor in May 2016. He alleged under Section 806 of SOX that he had been terminated for raising, among other things, concerns about SunEdison’s allegedly false reporting of its projected cash holdings to company officers, directors, and the investing public, as well as potential self-dealing transactions between SunEdison and its subsidiaries. In August 2018, the Executive asserted his claims against the two subsidiaries and SunEdison, as well as several individual officers and directors of the companies, in the U.S. District Court for the District of Maryland. He sought damages exceeding $35 million, including for back pay, interest, benefits, and lost stock grants.
In January 2025, after a two-week bench trial and rounds of motion practice, the court found for the Executive on the issue of liability, and set the damages phase of the trial for a later date.
Settlement
Immediately prior to the commencement of the damages phase, the Executive’s counsel announced that the Executive had agreed to a whopping $34.5 million settlement, the largest documented settlement for a whistleblower retaliation claim under the statute.
Takeaway
The record-breaking settlement in this case, as well as the protracted length of the litigation, underscores the cost and potential damages implicated by alleged SOX violations. The settlement may also further embolden plaintiffs with purported SOX whistleblower claims to assert them in court, and inflate the value of such claims in the future.

Seventh Circuit Reverses Conviction in Landmark Anti-Kickback Case

In a pivotal decision on April 14, 2025, the Seventh Circuit Court of Appeals overturned the conviction of Mark Sorensen, owner of SyMed Inc. (SyMed), finding insufficient evidence to support a violation of the federal Anti-Kickback Statute (AKS).[1] The Court’s ruling delineates the boundaries between lawful marketing practices and illegal kickbacks in the health care industry. It also underscores that compensation arrangements with non-physicians are not categorically prohibited under the AKS so long as they do not compromise the independent judgment of health care providers.
Mark Sorensen, owner and operator of a Chicago-based DME distributor, SyMed, was convicted of conspiracy and multiple counts of offering and paying kickbacks related to marketing orthopedic braces to Medicare beneficiaries and sentenced to 42 months in prison and a nearly $2 million forfeiture judgment. The government alleged that Mr. Sorensen paid illegal kickbacks to two marketing firms based on the number of leads generated, to a DME manufacturer based on the percentage of funds SyMed collected from Medicare and to a billing company with the funds SyMed retained. The business model included marketing firms publishing advertisements for orthopedic braces, and interested patients would respond via electronic forms providing their names, addresses and doctors’ contact information. That information was then sent to a call center where a sales agent would fax a prefilled but unsigned prescription form to the patient’s physician. When a physician signed the prescription, SyMed directed the manufacturer to ship the product and the billing agency billed Medicare for SyMed.
The Seventh Circuit unanimously reversed Sorensen’s criminal AKS conviction, concluding Sorensen’s payments did not violate the AKS because there was insufficient evidence that any of the payees leveraged any influence or power over health care decisions or authorized any medical care. Focusing on the fact that 80% of the prescriptions were never signed and instead returned by physicians, the Court concluded that while “physicians and non-physicians alike may exert formal or informal influence on patients’ choice of health care providers,” that was not the case in this instance, as the physicians clearly retained independent decision-making authority over patient care. While the Court characterized Sorensen’s marketing tactics as “aggressive advertising efforts,” such efforts were not equivalent to unlawful referrals of patients.
The ruling highlights that the AKS is intended to primarily target payments to individuals who can influence patient decisions, such as physicians, underscoring the necessity for prosecutors to demonstrate actual influence over health care decisions when alleging AKS violations.
Key Takeaways:

Under the Court’s ruling: (1) a mere recommendation for health care services is not necessarily an illegal referral, and (2) percentage-based compensation structures or per lead compensation are not per se unlawful.
While this is a very significant decision and opens the door for nuanced arguments under the AKS, other Circuits have not adopted this narrow approach.
As such, health care providers should seek counsel on how they structure compensation arrangements, including those involving marketing and sales, in order to ensure compliance with the AKS and meet safe harbor protections where applicable.

[1] United States v. Sorensen, No. 24-1557, 2025 WL 1099080 (7th Cir. Apr. 14, 2025).

Combatting Scams in Australia, Singapore, China and Hong Kong

Key Points:

Singapore’s Shared Responsibility Framework
Comparing scams regulation in Australia, Singapore and the UK
China’s Anti-Telecom and Online Fraud Law
Hong Kong’s Anti-Scam Consumer Protection Charter and Suspicious Account Alert Regime

The increased reliance on digital communication and online banking has created greater potential for digitally-enabled scams. If not appropriately addressed, scam losses may undermine confidence in digital systems, resulting in costs and inefficiencies across industries. In response to increasingly sophisticated scam activities, countries around the world have sought to develop and implement regulatory interventions to mitigate growing financial losses from digital fraud. So far in our scam series, we have explored the regulatory responses in Australia and the UK. In this publication, we take a look at the regulatory environments in Singapore, China and Hong Kong, and consider how they might inform Australia’s industry-specific codes.
SINGAPORE
Shared Responsibility Framework
In December 2024, Singapore’s Shared Responsibility Framework (SRF) came into force. The SRF, which is overseen by the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA), seeks to preserve confidence in digital payments and banking systems by strengthening accountability of the banking and telecommunications sectors while emphasising individuals’ responsibility for vigilance against scams. 
Types of Scams Covered
Unlike reforms in the UK and Australia, the SRF explicitly excludes scams involving authorised payments by the victim to the scammer. Rather, the SRF seeks to address phishing scams with a digital nexus. To fall within the scope of the SRF, the transaction must satisfy the following elements:

The scam must be perpetrated through the impersonation of a legitimate business or government entity;
The scammer (or impersonator) must use a digital messaging platform to obtain the account user’s credentials;
The account user must enter their credentials on a fabricated digital platform; and
The fraudulently obtained credentials must be used to perform transactions that the account user did not authorise.

Duties of Financial Institutions
The SRF imposes a range of obligations on financial institutions (FIs) in order to minimise customers’ exposure to scam losses in the event their account information is compromised. These obligations are detailed in table 1 below.

Table 1

Obligation: 12-hour cooling off period
Description: Where an activity is deemed “high-risk”, FIs must impose a 12-hour cooling off period upon activation of a digital security token. During this period, no high-risk activities can be performed. An activity is deemed to be “high-risk” if it might enable a scammer to quickly transfer a large sum of money to a third party without triggering a customer alert. Examples include:

Addition of new payee to the customer’s account;
Increasing transaction limits;
Disabling transaction notification alerts; and
Changing contact information.

Obligation: Notifications for activation of digital security tokens
Description: FIs must provide real-time notifications when a digital security token is activated or a high-risk activity occurs. When paired with the cooling off period, this obligation increases the likelihood that unauthorised account access is brought to the attention of the customer before funds can be stolen.

Obligation: Outgoing transaction alerts
Description: FIs must provide real-time alerts when outgoing transactions are made.

Obligation: 24/7 reporting channels with self-service kill switch
Description: FIs must have in place 24/7 reporting channels which allow for the prompt reporting of unauthorised account access or use. This capability must include a self-service kill-switch enabling customers to block further mobile or online access to their account, thereby preventing further unauthorised transactions.

Duties of Telecommunications Providers
In addition to the obligations imposed on FIs, the SRF creates three duties for telecommunications service providers (TSPs). These duties are set out in table 2 below.

Table 2

Obligation: Connect only with authorised alphanumeric senders
Description: In order to safeguard customers against scams, any organisation wishing to send short message service (SMS) messages using an alphanumeric sender ID (ASID) must be registered and licensed. TSPs must block the sending of SMS messages using ASIDs if the sending organisation is not appropriately registered and licensed.

Obligation: Block any message sent using an unauthorised ASID
Description: Where the ASID is not registered, the TSP must prevent the message from reaching the intended recipient by blocking the sender.

Obligation: Implement anti-scam filters
Description: TSPs must implement anti-scam filters which scan each SMS for malicious elements. Where a malicious link is detected, the system must block the SMS to prevent it from reaching the intended recipient.

Responsibility Waterfall
Similar to the UK’s Reimbursement Rules explored in our second article, the SRF provides for the sharing of liability for scam losses. However, unlike the UK model, the SRF will only require an entity to reimburse the victim where there has been a breach of the SRF. The following flowchart outlines how the victim’s loss will be assigned.

HOW DOES THE SRF COMPARE TO THE MODELS IN AUSTRALIA AND THE UK?
Scam Coverage
The types of scams covered by Singapore’s SRF differ significantly from those covered by the Australian and UK models. In Australia and the UK, scams regulation targets situations in which customers have been deceived into authorising the transfer of money out of their account. In contrast, Singapore’s SRF expressly excludes any scam involving the authorised transfer of money. The SRF instead targets phishing scams where the perpetrator obtains personal details in order to gain unauthorised access to the victim’s funds.
Entities Captured
Australia’s Scams Prevention Framework (SPF) covers the widest range of sectors, imposing obligations on entities operating within the banking and telecommunications sectors as well as any digital platform service providers which offer social media, paid search engine advertising or direct messaging services. The explanatory materials note an intention to extend the application of the SPF to new sectors as the scams environment continues to evolve. 
In contrast, the UK’s Reimbursement Rules only apply to payment service providers using the faster payments system with the added requirement that the victim or perpetrator’s account be held in the UK. Any account provided by a credit union, municipal bank or national savings bank will be outside the scope of the Reimbursement Rules.  
Falling in between these two models is Singapore’s SRF, which applies to FIs and TSPs.
Liability for Losses
Once again, the extent to which financial institutions are held liable for failing to protect customers against scam losses in Singapore lies somewhere between the Australian and UK approaches. Similar to Singapore’s responsibility waterfall, a financial institution in Australia will be held accountable only if the institution has breached its obligations under the SPF. However, unlike the requirement to reimburse victims for losses in Singapore, Australia’s financial institutions will be held accountable through the imposition of administrative penalties. In contrast, the UK’s Reimbursement Rules provide for automatic financial liability for 100% of the customer’s scam losses, up to the maximum reimbursable amount, to be divided equally where two financial institutions are involved. 
CHINA 
Anti-Telecom and Online Fraud Law of the People’s Republic of China
China’s law on countering Telecommunications Network Fraud (TNF) requires TSPs, Banking FIs and internet service providers (ISPs) to establish internal mechanisms to prevent and control fraud risks. Entities failing to comply with their legal obligations may be fined the equivalent of up to approximately AU$1.05 million. In serious cases, business licences or operational permits may be suspended until an entity can demonstrate it has taken corrective action to ensure future compliance.
Scope
China’s anti-scam regulation defines TNF as the use of telecommunication network technology to take public or private property by fraud through remote and contactless methods. Accordingly, it extends to instances in which funds are transferred without the owner’s authorisation. To fall within the scope of China’s law, the fraud must be carried out in mainland China or externally by a citizen of mainland China, or target individuals in mainland China. 
Obligations of Banking FIs
Banking FIs are required to implement risk management measures to prevent accounts being used for TNF. Appropriate policies and procedures may include:

Conducting due diligence on all new clients;
Identifying all beneficial owners of funds;
Requiring frequent verification of identity for high-risk accounts;
Delaying payment clearance for abnormal or suspicious transactions; and
Limiting or suspending operation of flagged accounts.

The People’s Bank of China and the State Council body are responsible for the oversight and management of Banking FIs. The anti-scams law provides for the creation of inter-institutional mechanisms for the sharing of risk information. All Banking FIs are required to provide information on new account openings as well as any indicators of risk identified when conducting initial client due diligence.
Obligations of TSPs and ISPs
TSPs and ISPs are similarly required to implement internal policies and procedures for risk prevention and control in order to prevent TNF. This includes an obligation to implement a true identity registration system for all telephone/internet users. Where a subscriber identity module (SIM) card or internet protocol (IP) address has been linked to fraud, TSPs/ISPs must take action to verify the identity of the owner of the SIM/IP address.
HONG KONG
Hong Kong lacks legislation which specifically deals with scams. However, a range of non-legal strategies have been adopted by the Hong Kong Monetary Authority (HKMA) in order to address the increasing threat of digital fraud.
Anti-Scam Consumer Protection Charter
The Anti-Scam Consumer Protection Charter (Charter) was developed in collaboration with the Hong Kong Association of Banks. The Charter aims to guard customers against digital fraud such as credit card scams by committing to take protective actions. All 23 of Hong Kong’s card issuing banks are participating institutions.
Under the Charter, participating institutions agree to:

Refrain from sending electronic messages containing embedded hyperlinks. This allows customers to easily identify that any such message is a scam.
Raise public awareness of common digital fraud.
Provide customers with appropriate channels to allow them to make enquiries for the purpose of verifying the authenticity of communications and training frontline staff to provide such support.

More recently, the Anti-Scam Consumer Protection Charter 2.0 was created to extend the commitments to businesses operating in a wider range of industries including:

Retail banking;
Insurance (including insurance broking);
Trustees approved under the Mandatory Provident Fund Scheme; and
Corporations licensed under the Securities and Futures Ordinance.

Suspicious Account Alerts
In cooperation with Hong Kong’s Police Force and the Association of Banks, the HKMA rolled out suspicious account alerts. Under this mechanism, customers have access to Scameter, which is a downloadable scam and pitfall search engine. After downloading the Scameter application to their device, customers will receive real-time alerts of the fraud risk of:

Bank accounts prior to making an electronic funds transfer;
Phone numbers based on incoming calls; and
Websites upon launch of the site by the customer.

In addition to receiving real-time alerts, users can also manually search accounts, numbers or websites in order to determine the associated fraud risk. 
Scameter is similar to Australia’s Scamwatch, which provides educational resources to assist individuals in protecting themselves against scams. Users can access information about different types of scams and how to avoid falling victim to these. Scamwatch also issues alerts about known scams and provides a platform for users to report scams they have come across.
KEY TAKEAWAYS
Domestic responses to the threat of scams appear to differ significantly. Legal approaches explored so far in this series target financial and telecommunications sectors, seeking to influence entities in these industries to adopt proactive measures to prevent, detect and respond to scams. While the UK aims to achieve this by placing the financial burden of scam losses on banks, China and Australia adopt a different approach by imposing penalties on entities failing to comply with their legal obligations. Singapore has opted for a blended approach whereby entities which have failed to comply with the legal obligations under the SRF will be required to reimburse customers who have fallen victim to a scam. However, where the entities involved have met their legal duties, the customer will continue to bear the loss.
The authors would like to thank graduate Tamsyn Sharpe for her contribution to this legal insight.

Fourth Circuit Rejects the Use of Short-Seller Report as a Basis for Satisfying Loss Causation Element in Securities Fraud Action

The United States Court of Appeals for the Fourth Circuit recently joined a growing consensus among federal appellate courts: short-seller reports, without more, rarely suffice to plead loss causation under the federal securities laws. In Defeo v. IonQ, Inc., 2025 U.S. App. LEXIS 8216, ___ F.4th ___ (4th Cir. Apr. 8, 2025), the Court held that a report by activist short-seller Scorpion Capital — which coincided with a significant stock price drop — did not constitute a corrective disclosure revealing previously concealed fraud to the market. The opinion aligns the Fourth Circuit with decisions from the Ninth Circuit, which have similarly found that loss causation cannot rest on short-seller publications that are speculative, anonymously sourced and heavily disclaimed.
IonQ is a publicly traded company operating in the quantum computing space. In Defeo, shareholder plaintiffs filed a complaint for violation of Sections 10(b), 14(a) and 20(a) of the Securities Exchange Act of 1934 accusing IonQ and certain insiders of the Company of making misstatements concerning the prospects for IonQ’s technology and the Company’s financial performance. Plaintiffs’ loss causation theory was premised on a May 3, 2022 report by a pseudonymous short-seller, which allegedly revealed the purported misrepresentations and caused the Company’s share price to fall from $7.86 to $4.34.
Defendants moved to dismiss the complaint arguing, among other things, that plaintiffs failed to adequately plead loss causation because plaintiffs’ loss causation allegations relied almost entirely on a short-seller report that was speculative, anonymous, and heavily disclaimed. The district court granted defendants’ motion to dismiss with prejudice, concluding that the report did not plausibly reveal new facts to the market sufficient to satisfy the standards necessary for pleading loss causation. After unsuccessfully seeking reconsideration and leave to amend, plaintiffs appealed the district court’s dismissal of their complaint.
On appeal, the Fourth Circuit affirmed the district court’s order dismissing plaintiffs’ complaint. In short, the short-seller report did not plausibly disclose new facts to the market because the report’s authors held a short position in IonQ stock, expressly disclaimed the accuracy of their information, admitted to paraphrasing anonymous sources and conceded they could not verify the truth of their claims. The Court reiterated that a shareholder plaintiff seeking to plead loss causation must allege that new facts — not mere allegations — entered the market and caused the decline in stock price.
The Fourth Circuit found the Ninth Circuit’s decisions in In re BofI Holding, Inc. Securities Litigation, 977 F.3d 781 (9th Cir. 2020), and In re Nektar Therapeutics Securities Litigation, 34 F.4th 828 (9th Cir. 2022), persuasive. In BofI, the Ninth Circuit held that blog posts authored by anonymous short-sellers who expressly disclaimed the accuracy of their content could not plausibly be understood by the market as revealing the truth of a company’s alleged misstatements. In Nektar, the Ninth Circuit extended the reasoning in BofI and held that a short-seller report relying on anonymous sources and speculative inference and without presenting new, independently verifiable facts failed to qualify as a corrective disclosure sufficient to satisfy the standard for pleading loss causation. The Fourth Circuit concluded that Scorpion Capital’s report on IonQ shared the same deficiencies highlighted by the Ninth Circuit in BofI and Nektar. 
The Fourth Circuit also held that IonQ’s own response to the Scorpion report — a press release issued the next day — did not salvage plaintiffs’ theory of loss causation. IonQ expressly denied the report’s accuracy, warned investors not to rely on the report and underscored the short-seller’s financial motivation for tarnishing the Company. The Court rejected plaintiffs’ contention that IonQ had a duty to specifically refute each allegation in the short-seller report. The Court further held that the handful of media articles cited by plaintiffs discussing the short-seller report did not affect the conclusion that plaintiffs failed to adequately plead loss causation. The articles merely noted the stock drop and the existence of the report, without confirming or endorsing the short-sellers’ claims.
Defeo confirms that courts will look past market reaction and instead focus on whether a disclosure plausibly revealed verifiable, new information to the market when evaluating whether a securities fraud action adequately pleads loss causation. The Fourth Circuit’s opinion does not impose a categorical bar on the use of short-seller reports to establish loss causation, but it makes clear that plaintiffs relying upon such reports must ensure that those reports meet a high standard of reliability. That standard is not met where the report disclaims its own accuracy, relies upon anonymous sources and offers only general accusations without offering independently verifiable facts. Allegations, even if market-moving, do not become revelations simply by appearing in a headline. For loss causation to be adequately pled, the law still requires facts, not just fallout.

Whistleblower Alleges Disturbing Data Breach Risks at the NLRB Involving Musk-Linked “DOGE” Team

A recent report from National Public Radio (NPR) has detailed alarming allegations of data mishandling and security breaches at the National Labor Relations Board (NLRB). The whistleblower, Daniel Berulis, an information technology (IT) employee with the NLRB, alleges a series of alarming actions taken by Elon Musk’s “Department of Government Efficiency” (DOGE) team. Mr. Berulis’s complaint describes multiple instances of unauthorized system access, suspicious data exportation, and attempts to conceal DOGE’s activities within the NLRB systems. The allegations raise serious concerns about the security of sensitive labor data and the potential for conflicts of interest involving Mr. Musk.
Details of the Whistleblower Allegations
According to the whistleblower, the DOGE team arrived at the agency in March 2025 demanding and receiving “tenant owner level” access to the NLRB’s internal computer systems, granting them virtually unrestricted permission to view, copy, and alter data.
Mr. Berulis reports that this data includes “information about ongoing contested labor cases, lists of union activists, internal case notes, personal information from Social Security numbers to home addresses, proprietary corporate data and more information that never gets published openly.”
Because DOGE received this high-level access without the common security constraints that monitor network activity, Mr. Berulis had limited ability to track any potential breaches in real time. However, Mr. Berulis was later able to put together “puzzle pieces” to track a significant increase of data leaving the NLRB’s network, potentially including sensitive information about union organizing efforts, ongoing legal cases, and confidential corporate secrets. Even when external parties are granted access to such data, it almost never leaves the NLRB system. Additionally, the IT team detected suspicious login attempts from a Russian IP address using one of the newly created DOGE accounts “within minutes” of DOGE accessing the NLRB’s systems, raising further concerns about a potential breach.
Upon reporting his concerns to Congress, the U.S. Office of Special Counsel, which investigates complaints by federal government whistleblowers, and internally to the NLRB, Mr. Berulis experienced suspected acts of retaliation, including someone “physically taping a threatening note” to his door that included sensitive personal information and a photo of him walking his dog.
A Chilling Effect for Workers… and Employers
The possibility that NLRB records may have been copied and exported from the agency may create a severe chilling effect for employees everywhere who turn to the agency for protection.
One expert commented to NPR that these breaches were so severe that if this were “a publicly traded company, I would have to report this [breach] to the Securities and Exchange Commission. The timeline of events demonstrates a lack of respect for the institution and for the sensitivity of the data that was exfiltrated. There is no reason to increase the security risk profile by disabling security controls and exposing them, less guarded, to the internet. They didn’t exercise the more prudent standard practice of copying the data to encrypted and local media for escort.”
The NPR report notes that in addition to creating risks for individuals trying to organize, leaked data may also reveal internal business planning for companies who are facing unfair labor practice complaints, or even trade secrets.
Potential Conflicts of Interest
The report raised concerns of potential conflicts of interest between Musk and the NLRB, including an ongoing lawsuit between Musk’s company, SpaceX, and the agency in which SpaceX challenges the constitutionality of the NLRB’s structure.
Several lawsuits have been filed over DOGE’s activities at other agencies related to its management of Americans’ data, including Social Security information, IRS records, and other agency records.
Help is available for whistleblowers
The Whistleblower Protection Act (WPA) protects federal government employees from certain adverse employment actions that occur because they disclosed information relating to unlawful activities or “gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety.”

The More You Know Can Hurt You: Court Rules Financial Institutions Need ‘Actual Knowledge’ of Mismatches for ACH Scam Liability

On March 26, the US Court of Appeals for the Fourth Circuit issued a decision that has important ramifications for banks and credit unions that process millions of Automated Clearing House (ACH) and Electronic Funds Transfer (EFT) transactions daily, some of which are fraudulent or “phishing scams.” In Studco Buildings Systems US, LLC v. 1st Advantage Federal Credit Union, No. 23-1148, 2025 WL 907858 (4th Cir. amended Apr. 2, 2025), the Fourth Circuit held that financial institutions typically have no duty to investigate name and account number mismatches — commonly referred to as “misdescription of beneficiary.” Instead, they can rely strictly on the account number identified before disbursing the funds received. The financial institution will only face potential liability for the fraudulent transfer if it has “actual knowledge” that the name and the account number do not match the account into which funds are to be deposited.
A Phishing Scam Results in Misdirected Electronic Transfers
A metal fabricator (Studco) was the victim of a phishing scam in which hackers penetrated its email systems. Once inside, the scammers impersonated Studco’s metal supplier (Olympic Steel, Inc.) and sent an email with new ACH/EFT payment instructions purporting to be those of Olympic Steel. The instructions designated Olympic’s “new account” at 1st Advantage Credit Union for all future invoice payments. The new account number, however, had no association with Olympic and was controlled by scammers in Africa.
Studco failed to recognize certain red flags in the payment instructions and sent four payments totaling over $550,000. Studco sued 1st Advantage for reimbursement, alleging the credit union negligently “fail[ed] to discover that the scammers had misdescribed the account into which the ACH funds were to be deposited.” Studco claimed that 1st Advantage was liable under Virginia’s version of UCC § 4A-207 because it completed the transfer of funds to “an account for which the name did not match the account number.” Following a bench trial, the district court entered judgment in Studco’s favor for $558,868.71, plus attorneys’ fees and costs. It found that 1st Advantage “failed to act ‘in a commercially reasonable manner or exercise ordinary care.’”
UCC § 4A-207 and Financial Institution Duties and Liability
1st Advantage appealed, and the Fourth Circuit reversed. The Court began by noting that Studco itself failed to spot warning signs in the imposter’s emails: the domain did not match Olympic’s email domain; the new account was at a credit union in Virginia, not Ohio (where Olympic was based); and there were multiple grammatical and “non-sensical” errors contained in the imposter’s instructions.
The Court then turned to 1st Advantage and whether it had a duty to act on any mismatch between the name on the payment instructions (Olympic) and the account number (a credit union customer with no obvious association to Olympic). It first noted the absence of actual knowledge by the credit union. 1st Advantage used a system known as DataSafe that monitored ACH transfers. The Court observed that the “DataSafe system generated hundreds to thousands of warnings related to mismatched names on a daily basis, but the system did not notify anyone when a warning was generated, nor did 1st Advantage review the reports as a matter of course.” The Court further noted that the DataSafe system generated a “warning of the mismatch: ‘Tape name does not contain file last name TAYLOR,’” which was the name of the credit union’s account holder, not Olympic.
The Court then assessed Virginia’s version of § 4A-207(b)(1), Va. Code Ann. § 8.4A-207(b)(1), which says in relevant part: “‘If a payment order received by the beneficiary’s bank identifies the beneficiary both by name and by an identifying or bank account number and the name and number identify different persons’ and if ‘the beneficiary’s bank does not know that the name and number refer to different persons,’ the beneficiary’s bank ‘may rely on the number as the proper identification of the beneficiary of the order.’” The Court further noted that the provision states that “[t]he beneficiary’s bank need not determine whether the name and number refer to the same person.” Based upon this, the Court concluded that it “protects the beneficiary’s bank from any liability when it deposits funds into the account for which a number was provided in the payment order, even if the name does not match, so long as it ‘does not know that the name and number refer to different persons.’” [Emphasis added.] Studco argued that constructive knowledge was sufficient or could be imputed to 1st Advantage. The Court disagreed, concluding that “knowledge means actual knowledge, not imputed knowledge or constructive knowledge” and that a “beneficiary’s bank has ‘no duty to determine whether there is a conflict’ between the account number and the name of the beneficiary, and the bank ‘may rely on the number as the proper identification of the beneficiary.’”
In the concurring opinion, however, one judge disagreed that there was no evidence of actual knowledge because 1st Advantage may have received actual knowledge of the misdescription when an investigation of a Federal Office of Foreign Asset Control (OFAC) alert led to a review of the transfers at issue. Because the first two (of four) overseas transfers from the infiltrated 1st Advantage account triggered an OFAC alert, 1st Advantage opened an ongoing investigation into the wires, including a review of the member’s account history. Thus, the concurrence noted that a “factfinder could infer that [the officer’s] investigation led to a [credit union] employee obtaining actual knowledge of a misdescription between account name and number prior to Studco’s two November deposits.”
Lessons Learned Post-Studco
In the age of ubiquitous cyber and other sophisticated scams running throughout the US financial system, the financial services industry surely welcomes this Fourth Circuit decision. The trial court in Studco ruled that 1st Advantage was liable for scam-related ACH transfers in excess of a half-million dollars because 1st Advantage’s core system had triggered a warning regarding the name and account discrepancy, which 1st Advantage did not review or investigate. The fact that 1st Advantage did not undertake to review warnings from its core system appears to have saved 1st Advantage as the Court concluded that “actual knowledge” of the discrepancy was a prerequisite to liability. There was no proof of actual knowledge in this case.
On April 9, 2025, Studco petitioned the Fourth Circuit for rehearing, and alternatively, rehearing en banc with the full court. Studco argues that the panel erred in holding that there was no actual knowledge, pointing out that “1st Advantage opened the scammer’s account and reviewed the account at least 33 times over an approximate 40-day period – each time related to the scammers conducting a suspicious transaction.” Studco argues that a full en banc hearing should be permitted because the application of “UCC Article 4A-207 presents a question of exceptional importance.”
In the end, Studco stands as a warning to banks and credit unions alike that the more they know about the name mismatch issue for any particular transaction, the more liability they may take on. Banks and credit unions should consult their bank counsel to discuss their ACH and EFT review processes and ensure that their processes do not tip into “actual knowledge” and potential liability for transfers rooted in fraud.