Trump Pauses FCPA Enforcement and Resets Priorities

On February 10, 2025, President Donald Trump issued an executive order titled, “Pausing Foreign Corrupt Practices Act Enforcement to Further American Economic and National Security” (“FCPA EO”) that directs the Department of Justice (“DOJ”) to pause enforcement of the Foreign Corrupt Practices Act (15 U.S.C. 78dd-1 et seq.) (“FCPA”) for 180 days until new Attorney General (“AG”) Pam Bondi issues new FCPA guidelines and policies on enforcement. The FCPA EO seeks to eliminate “excessive barriers to American commerce abroad,” states that current FCPA enforcement has been “stretched beyond proper bounds and abused in a manner that harms the interests of the United States,” and states that “overexpansive and unpredictable FCPA enforcement against American citizens and businesses . . . actively harms American economic competitiveness and, therefore, national security.” 
For the uninitiated, the FCPA is a criminal statute enacted in 1977, which the DOJ and U.S. Securities & Exchange Commission (“SEC”) have employed to impose over $31 billion in penalties over the last 48 years, as well as secure scores of criminal convictions. During the Biden Administration alone, the DOJ and SEC imposed total penalties over $4 billion under the FCPA, so the fact that President Trump just stopped the DOJ from enforcing the FCPA with a stroke of a pen was a change in the enforcement landscape to say the least.
Trump’s FCPA EO follows a wave of fourteen memoranda issued by AG Bondi last week, aimed at overhauling the DOJ’s enforcement priorities. As part of her first day directives, AG Bondi issued a memorandum titled, “Total Elimination of Cartels and Transnational Criminal Organizations,” (“Total Elimination Memo”) which outlines the DOJ’s “fundamental change in mindset and approach” with the goal of the “total elimination” of Cartels and Transnational Criminal Organizations (“TCOs”).[1] The Total Elimination Memo immediately ends the kleptocracy task forces and shifts the DOJ’s enforcement priority to Cartels and TCOs, including redirecting the DOJ’s FCPA Unit and Money Laundering and Asset Recovery Section (“MLARS”) to prioritize cases involving Cartels and TCOs. 
Key Takeaways from the FCPA EO and Total Elimination Memo

The FCPA still remains a valid statute, even though the DOJ is pausing criminal enforcement of it for at least 180 days.
The FCPA’s statute of limitations is 5 years, and the EO does not provide violators any legal defense.
It is unclear if the SEC will follow the DOJ’s lead or continue to enforce the civil provisions of the FCPA against US issuers.
Private lawsuits with an FCPA nexus (typically shareholder suits) are not impacted.
The overall risk of FCPA criminal enforcement under the new Trump Administration just decreased significantly. The many pundits who opined that FCPA enforcement would continue unabated in 2025 were wrong.
After AG Bondi issues the new FCPA guidelines, companies should review and revise their compliance programs to comport with the new DOJ guidance.
Given Trump’s stated view that the FCPA “actively harms American economic competitiveness,” the door may be open for a “Trump discount” on penalties, and companies should seriously consider whether to attempt to resolve any potential FCPA liabilities during the current administration once the new guidelines are issued.

Detailed summaries of the FCPA EO and Total Elimination Memo are below.
FCPA EO
The FCPA EO specifically orders the following:

(a) For a period of 180 days following the date of this order, the Attorney General shall review guidelines and policies governing investigations and enforcement actions under the FCPA. During the review period, the Attorney General shall:
(i) cease initiation of any new FCPA investigations or enforcement actions, unless the Attorney General determines that an individual exception should be made;
(ii) review in detail all existing FCPA investigations or enforcement actions and take appropriate action with respect to such matters to restore proper bounds on FCPA enforcement and preserve Presidential foreign policy prerogatives; and
(iii) issue updated guidelines or policies, as appropriate, to adequately promote the President’s Article II authority to conduct foreign affairs and prioritize American interests, American economic competitiveness with respect to other nations, and the efficient use of Federal law enforcement resources.

Further, the FCPA EO provides that the AG may extend the review period for an additional 180 days and that any FCPA investigations and enforcement actions initiated or continued after the revised guidelines or policies are issued under subsection (a) must be governed by such guidelines or policies and specifically authorized by the AG. The FCPA EO mandates that after the revised guidelines or policies are issued, the AG must determine “whether additional actions, including remedial measures with respect to inappropriate past FCPA investigations and enforcement actions, are warranted and shall take any such appropriate actions or, if Presidential action is required, recommend such actions to the President.”
Total Elimination Memo
AG Bondi mandates that for a period of 90 days—to be renewed or made permanent thereafter—the FCPA Unit must prioritize investigations related to foreign bribery that facilitates criminal operations of Cartels and TCOs (e.g., bribery of foreign officials to facilitate trafficking of narcotics and firearms) and “shift focus away from investigations and cases that do not involve such a connection.” The memorandum also suspends the FCPA Unit’s exclusive requirement to authorize, prosecute, and try these bribery FCPA cases and opens the door for U.S. Attorney’s Offices (“USAOs”) nationwide to bring such cases. USAOs need only to provide the FCPA Unit with a “24-hours’ advance notice of the intention to seek charges” and provide any existing memoranda to the FCPA Unit in advance of seeking charges.
Similarly, under the same 90-day constraint, AG Bondi directed MLARS to prioritize investigations, prosecutions, and asset forfeiture actions that target Cartels and TCOs. The memorandum also disbands the Department’s Task Force KleptoCapture, the Department’s Kleptocracy Team, and the Kleptocracy Asset Recovery Initiative within MLARS and redirects their resources towards the total elimination of Cartels and TCOs. Recently, the Task Force KleptoCapture and Kleptocracy Asset Recovery Initiative targeted Russian oligarchs’ assets and enforced sanctions following Russia’s invasion of Ukraine.
The memorandum also:

Elevates two joint task forces, Joint Task Force Vulcan and Joint Task Force Alpha, to the Office of the AG to focus efforts on enforcing against Cartels and TCOs, such as Tren de Aragua and La Mara Salvatrucha;
Proposes legislative reforms to control the manufacture and distribution of fentanyl and counterfeit pills; and
Suspends approval or authorization requirements for capital-eligible offenses, terrorism and International Emergency Economic Powers Act charges, and racketeering charges related to Cartels and TCOs for a period of 90 days, potentially to be renewed or made permanent thereafter.

[1] The memorandum incorporates elements of President Donald Trump’s January 20, 2025, Executive Order, “Designating Cartels and Other Organizations as Foreign Terrorist Organizations and Specially Designated Global Terrorists,” which designates certain Cartels as Foreign Terrorist Organizations or Specially Designated Global Terrorists, finding that Cartels “constitute a national-security threat beyond that posed by traditional organized crime.” See generally The White House, Executive Order: Designating Cartels And Other Organizations As Foreign Terrorist Organizations And Specially Designated Global Terrorists (Jan. 20, 2025), https://www.whitehouse.gov/presidential-actions/2025/01/designating-cartels-and-other-organizations-as-foreign-terrorist-organizations-and-specially-designated-global-terrorists/.

President Trump Orders FCPA Freeze; DOJ Announces Major Policy Realignment De-Emphasizing Corporate Investigations and Enforcement

The much-heralded end to prosecutions brought pursuant to the Foreign Corrupt Practices Act (FCPA)[1] never materialized during the first Donald Trump administration, but the second Trump administration has the potential to bring major change to the US Department of Justice’s (DOJ) approach to FCPA enforcement.
On 10 February 2025, President Trump issued an executive order[2] freezing the initiation of all new FCPA investigations and enforcement actions for 180 days. The executive order also instructs newly confirmed Attorney General (AG) Pam Bondi to promulgate guidelines on FCPA enforcement and conduct a comprehensive review of existing and historical FCPA investigations and resolutions.
President Trump’s directive comes on the heels of more than a dozen policy memoranda[3] issued by AG Bondi on 5 February 2025, that will fundamentally realign DOJ’s operations and enforcement priorities during the second Trump administration. Two key DOJ directives—the memorandum on “Total Elimination of Cartels and Transnational Criminal Organizations” (TCO Memo) and DOJ’s new “General Policy Regarding Charging, Plea Negotiations, and Sentencing” (General Policy Memo)—when taken in concert with the new executive order, have the potential to bring about a seismic shift in DOJ’s approach to corporate investigations and enforcement.
What will the new FCPA guidelines look like? How will DOJ implement the FCPA guidelines and its other recent policy announcements? How will DOJ integrate them into forthcoming changes to the DOJ’s Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy? The answers to these questions will largely define the corporate enforcement landscape for the second Trump administration and beyond. 
Freezing FCPA Enforcement 
The 10 February 2025, executive order, entitled “Pausing Foreign Corrupt Practices Act Enforcement to Further American Economic and National Security,” rests on two fundamental claims: (1) “Current FCPA enforcement impedes the United States’ foreign policy objectives and therefore implicates the President’s Article II authority over foreign affairs;” and (2) “[O]verexpansive and unpredictable FCPA enforcement against American citizens and businesses…actively harms American economic competitiveness and, therefore, national security.” According to the fact sheet accompanying the executive order, aggressive FCPA enforcement has imposed “a growing cost on our Nation’s economy” and harmed the ability of US companies to obtain “[s]trategic advantages in critical minerals, deep-water ports, and other key infrastructure or assets around the world [that] are critical to American national security.” Given the weighty constitutional, economic, and national security implications at stake, the executive order directs DOJ to:

Immediately cease initiation of any new FCPA investigations or enforcement actions for the next 180 days, unless the Attorney General determines that an individual exception should be made;
Review in detail all existing FCPA investigations or enforcement actions and take appropriate action with respect to such matters to restore proper bounds on FCPA enforcement and preserve presidential foreign policy prerogatives; and 
Within 180 days, adopt a “Policy of Enforcement Discretion” by issuing updated guidelines or policies, as appropriate, to adequately promote the president’s Article II authority to conduct foreign affairs and prioritize American interests, American economic competitiveness with respect to other nations, and the efficient use of federal law enforcement resources.

The executive order then prescribes that FCPA investigations and enforcement actions initiated or continued after issuance of the revised guidelines or policies “must be specifically authorized by the Attorney General.” The Attorney General also must comprehensively review DOJ’s FCPA enforcement actions from a historical perspective in order to “determine whether additional actions, including remedial measures with respect to inappropriate past FCPA investigations and enforcement actions, are warranted and shall take any such appropriate actions or, if Presidential action is required, recommend such actions to the President.”
Shifting Enforcement Priorities From Corporates to Cartels
A few days before issuance of the executive order on the FCPA, DOJ issued the TCO Memo and General Policy Memo, which aim to implement President Trump’s goal of attacking the operation of cartels and transnational criminal organizations (TCOs) in the United States and abroad by shifting DOJ’s priorities away from corporate enforcement to four new areas of focus: (1) illegal immigration; (2) transnational organized crime, cartels, and gangs; (3) human trafficking and smuggling; and (4) protecting law enforcement personnel.
Narrowing and Shifting FCPA Enforcement 
The TCO Memo also orders a major redirection of resources and focus at DOJ’s FCPA Unit, perhaps the preeminent weapon in DOJ’s corporate enforcement arsenal. 
The TCO Memo directs FCPA Unit prosecutors to “prioritize investigations related to foreign bribery that facilitates the criminal operations of Cartels and TCOs, and shift focus away from investigations and cases that do not involve such a connection.” For example, the TCO Memo describes hypothetical cases in which bribery of foreign officials occurs to facilitate human smuggling or narcotrafficking. Historically, such cases represent a tiny minority of DOJ’s overall anti-corruption enforcement activity. In instances where the underlying investigations and prosecutions are related to cartels and TCOs, the TCO Memo suspends the requirement that FCPA investigations and prosecutions, as well as those under the newly enacted Foreign Extortion Prevention Act (FEPA),[4] be led by Fraud Section prosecutors.
Deprioritizing Antikleptocracy
The operational and policy shifts at another key DOJ corporate enforcement component, the Criminal Division’s Money Laundering and Asset Recovery Section, are even more drastic. The TCO Memo shutters various high-profile antikleptocracy initiatives, including the Kleptocracy Asset Recovery Initiative[5] and Task Force KleptoCapture,[6] DOJ’s marquee unit tasked with enforcing sanctions on Russian oligarchs in response to the 2022 Ukraine invasion. Federal prosecutors assigned to those initiatives are instructed to return to their prior posts, and resources formerly devoted to those initiatives will be redirected to the “total elimination of Cartels and TCOs.”
Expanding Corporate Enforcement Authority for US Attorney’s Offices Nationwide
The TCO Memo also authorizes US attorney’s offices nationwide to independently initiate FCPA/FEPA investigations and prosecutions in matters related to cartels and TCOs as part of an effort to remove “bureaucratic impediments” to implementation of DOJ’s new policy objectives. Other bureaucratic impediments removed by AG Bondi include the elimination of the preindictment review requirement for capital-eligible offenses for cases where the defendants are alleged to be members or associates of cartels or TCOs.[7] Similarly, approval requirements from DOJ’s National Security Division (NSD) for terrorism and International Emergency Economic Powers Act (IEEPA) charges,[8] search warrants, and material witness warrants are also suspended when the matter involves members or associates of any cartel or TCO designated as a foreign terrorist organization. Approval requirements for the filing of racketeering charges[9] are likewise suspended for matters involving cartels and TCOs.
Analysis
The executive order and the Bondi policy memoranda are high-level directives that prescribe an unmistakable shift in DOJ’s programmatic focus away from anti-corruption and antikleptocracy enforcement—at least for now. If taken at face value, the actions mandated by the executive order are comprehensive: DOJ must not only promulgate new enforcement guidelines but must also systematically review all historical FCPA resolutions and determine whether any “remedial measures with respect to inappropriate past FCPA investigations and enforcement actions” are warranted.
How Will the Forthcoming DOJ Guidelines Define the “Proper Bounds” on FCPA Enforcement?
The executive order is predicated on the dual imperatives to “preserve Presidential foreign policy prerogatives” and return US companies to a globally competitive footing. Accordingly, the forthcoming guidelines will undoubtedly contain a requirement to consider and analyze the potential foreign policy implications of a proposed FCPA enforcement action—a constitutional “deconfliction” provision of sorts. Where the Bondi DOJ views a prior FCPA action brought forth by the prior administration’s DOJ to have significant geopolitical sensitivities, don’t be surprised if these matters are restructured or even dismissed under this executive order. The guidelines can also be expected to incorporate DOJ’s new enforcement priorities related to elimination of TCOs and cartels. Federal prosecutors will also likely be directed to consider any potentially adverse consequences to US national security like access to critical rare-earth minerals, deep-water ports, and the other key strategic and infrastructural considerations similar to those enumerated in the fact sheet.
The “Pipeline Effect”
Federal corporate investigations typically take many years from initiation to resolution, a timeline that can be significantly dilated by DOJ’s use of mutual legal assistance requests to its international partner agencies. Per the executive order, the dozens of FCPA investigations currently in the “pipeline” will be re-evaluated and are all potentially subject to discontinuation and declination. It is unclear what proportion of ongoing FCPA investigations and enforcement actions will be deemed incompatible with the forthcoming guidelines and discontinued after expiration of the 180-day freeze. 
Whither the SEC? 
Conspicuously absent from the executive order is any directive to the US Securities and Exchange Commission (SEC) related to its civil enforcement jurisdiction over the FCPA for issuers.[10] The fact sheet accompanying the executive order mentions the SEC only once when citing statistics for investigations and enforcement actions initiated in 2024. As of this writing, it is unclear whether the SEC will receive an analogous directive to fundamentally re-evaluate its application of the statute and remediate any “inappropriate” FCPA resolutions from years past.
Who Will Exercise Enforcement Authority?
The executive order specifies that the Attorney General must authorize all FCPA investigations that are initiated or continued following promulgation of the new guidelines. This directive is seemingly at odds with the TCO Memo’s grant of authority to each of DOJ’s 94 US attorney’s offices to independently investigate and charge FCPA/FEPA cases related to TCOs and cartels. It is worth noting that similar requirements have been relaxed for preclearance of IEEPA and Racketeer Influenced and Corrupt Organizations Act (RICO) cases, too, a move that could expand the kinds of charges DOJ brings in corporate enforcement investigations with a cartel or TCO nexus. Time will tell how tight the nexus between the alleged foreign bribery and the cartel or TCO must be, but it is possible that unleashing hundreds of additional federal prosecutors on the FCPA and FEPA statutes will lead to a more robust—albeit significantly modified—enforcement landscape. Ironically, the TCO Memo’s loosening of approval requirements in FCPA and FEPA cases may have the effect of increasing the volume of FCPA enforcement across DOJ’s many subdivisions in this administration’s new priority areas of focus.
Global Enforcement Activity Remains Strong
DOJ routinely works its cross-border investigations with international partner agencies, some of whom have already signaled[11] that they will continue their aggressive enforcement posture irrespective of DOJ’s policy realignment. Over the years, the United States has worked closely with partner nations and international organizations, like the Organization for Economic Co-operation and Development, to persuade countries around the world to enact and enforce domestic bribery laws. And even if US enforcers take their foot off the anti-corruption gas pedal, global enforcement of similar anti-corruption laws from authorities like the UK Serious Fraud Office, India’s Central Bureau of Investigation, Brazil’s Federal Prosecution Office, Singapore’s Corrupt Practices Investigation Bureau, and others will continue.
Key Takeaways
Prudent companies should not take the recent executive order and DOJ memoranda as an invitation to relax antibribery and other forms of corporate compliance. Despite the ostensible shift at DOJ, regulators and enforcement agencies across the federal government will continue work in related areas, like economic sanctions and export controls that present complex regulatory and enforcement risks. And even in the FCPA space, certain core prosecutions will likely continue following the review mandated by the executive order, especially in cases where significant violative conduct is directed from the United States. 
Additionally, the statute of limitations for a violation of the FCPA is five years, which can be extended by up to three years in instances where DOJ is pursuing evidence from a foreign authority by way of a mutual legal assistance treaty request. In other words, a bribe paid today could ultimately be prosecuted under future administrations well after President Trump has left office. Moreover, the scope and nature of DOJ’s policy shift remains to be seen, and the nexus to cartels and TCOs that DOJ will regard as sufficient to warrant bringing FCPA, FEPA, and RICO charges against companies may be quite attenuated. Accordingly, companies doing business in jurisdictions with a higher presence of cartels and other forms of transnational organized crime should consider stepping up their compliance and due diligence efforts, especially with respect to third-party engagements to ensure no direct or indirect links to problematic entities. 
More broadly, effective compliance programs can be an especially powerful prophylactic tool, even given the coming shift in DOJ’s priorities and resource allocation. In enforcement areas that are being deprioritized by DOJ, companies may now enjoy unprecedentedly favorable odds of avoiding prosecutions if they can demonstrate that allegedly problematic conduct was an isolated incident that the company promptly investigated and effectively remediated. As always, robust and proactive compliance policies that are regularly tested and improved can pay huge dividends over the long haul. 

Footnotes

[1] Renae Merle, Trump called global anti-bribery law ‘horrible.’ His administration is pursuing fewer new investigations, WASHINGTON POST (Jan. 31, 2020), https://www.washingtonpost.com/business/2020/01/31/trump-fcpa/.
[2] Pausing Foreign Corrupt Practices Act Enforcement to Further American Economic and National Security, THE WHITE HOUSE (Feb. 10, 2025), https://www.whitehouse.gov/presidential-actions/2025/02/pausing-foreign-corrupt-practices-act-enforcement-to-further-american-economic-and-national-security/. The accompanying fact sheet issued by the White House in conjunction with the executive order, Fact Sheet: President Donald J. Trump Restores American Competitiveness and Security in FCPA Enforcement, THE WHITE HOUSE (Feb. 10, 2025), https://www.whitehouse.gov/fact-sheets/2025/02/fact-sheet-president-donald-j-trump-restores-american-competitiveness-and-security-in-fcpa-enforcement/.
[3] AG Bondi’s memoranda involve a wide range of topics, including: reviving the federal death penalty and supporting state prosecutions of death row inmates commuted by former President Biden; establishing an October 7th task force; establishing a “Weaponization Working Group” to review DOJ investigations into, and prosecutions of, President Trump and January 6th; implementing requirements for all DOJ personnel to “zealously” defend, advance, and protect the interests of the United States; returning all DOJ employees to in-person work; prohibiting DOJ from issuing “improper” guidance documents instead of conducting rulemaking; ending “illegal DEI and DEIA discrimination and preferences” and “internal discriminatory practices”; reinstating prohibitions on third-party settlements; rescinding DOJ’s environmental justice memorandum; and ending federal support for sanctuary jurisdictions. The complete list of the memoranda is available at https://www.justice.gov/ag/select-publications.
[4] For more on FEPA, see our prior alert, “Criminalizing the ‘Quo’: The New Foreign Extortion Prevention Act Targets the Demand Side of Bribery” (K&L Gates HUB).
[5] The Kleptocracy Asset Recovery Initiative prioritized recovering assets misappropriated by corrupt foreign officials, particularly through bribery and embezzlement schemes. One of its most prominent enforcement actions includes the recovery of over US$1.5 billion in misappropriated funds tied to the Malaysian sovereign wealth fund 1Malaysia Development Berhad, including a recent additional recovery of US$20 million.
[6] Task Force KleptoCapture, established in March 2022, was created to enforce sanctions, export restrictions, and economic countermeasures by prosecuting violators and seizing assets. Since its launch, the task force has pursued numerous high-profile cases, leading to asset seizures, criminal charges, and forfeiture proceedings against individuals and entities attempting to circumvent US sanctions and launder illicit proceeds.
[7] U.S. Dep’t of Just., Just. Manual § 9-10.060 (2023).
[8] The policy exempts NSD approval and concurrence requirements for cases involving 18 U.S.C. §§ 2332a, 2332b, 2339A, 2339B, 2339C, 2339D, 21 U.S.C. § 960A, and 50 U.S.C. § 1705.
[9] 18 U.S.C. §§ 1961–1968.
[10] CRIMINAL DIV., U.S. DEP’T OF JUSTICE & ENF’T DIV., U.S. SEC. & EXCH. COMM’N, FCPA: A RESOURCE GUIDE TO THE U.S. FOREIGN CORRUPT PRACTICES ACT 20 (2d ed. 2020), https://www.justice.gov/criminal-fraud/file/1292051/download.
[11] Mohamad Al As and Austin Camoens, MACC: 1MDB asset recovery to continue despite shake-up at US DoJ, NEW STRAITS TIMES (Feb. 9, 2025), https://www.nst.com.my/news/nation/2025/02/1172739/macc-1mdb-asset-recovery-continue-despite-shake-us-doj.

Lessons From 2024 Bank Secrecy Act: Anti-Money Laundering Enforcement Actions

In 2024, FinCEN and the federal bank regulators announced more than three dozen enforcement actions against banks and individuals arising from alleged Bank Secrecy Act (BSA), anti-money laundering (AML), and countering the financing of terrorism (CFT) compliance failures. One of these enforcement actions resulted in record-breaking civil and criminal monetary penalties. 
In this article, we summarize certain key compliance failures and issues indicated by these enforcement actions against banks. Rather than focusing on any specific institutions, we focus on broader industry issues. The aim of this article is to provide guidance to BSA officers and the boards of directors and senior management of banks as they consider ways in which their institution’s BSA/AML compliance program might need improvement.[1]
The Five Pillars 
BSA/AML enforcement actions typically cite failures with respect to one or more of the five “pillars” of an effective BSA/AML program: (1) a system of internal controls to assure ongoing compliance; (2) independent testing for compliance; (3) designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance; (4) training for appropriate personnel; and (5) appropriate risk-based procedures for conducting ongoing customer due diligence (CDD), including, but not limited to, (a) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (b) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintaining and updating customer information, including customer beneficial owner information. A significant portion of the 2024 enforcement actions cited deficiencies in all of the first four of these pillars, and in many other cases, the bank was required to adopt an improved CDD program.
These are the pillars of an effective BSA/AML compliance program because a failure in any of them is likely to cause a failure in an institution’s overall BSA/AML compliance obligations. The whole foundation can collapse when any pillar is weak. Perhaps most important is the failure to file suspicious activity reports (SARs) when required, which in the end is the primary reason for many of the BSA’s regulatory requirements. 
The following discussion of compliance issues does not track the five pillars in the same order as listed in the applicable regulation, because we believe that results in a more logical flow. For example, a discussion of suspicious activity monitoring systems logically follows after discussing institutional risk assessments and customer due diligence because the activity monitoring systems should take these other requirements into account. 
Internal Controls 
When an examiner cites an institution for weak internal controls, that generally reflects a determination that the institution has weak policies, procedures, or processes to mitigate and manage money laundering and terrorist financing risks. This can mean anything from a poor reporting structure, unclear assignments of compliance responsibilities, poor risk assessments, failures to update policies and processes in response to regulatory changes or changes in the institution’s risk profile, weak suspicious activity monitoring systems, or weak risk rating of customers, among other issues. A bank’s system of internal controls, including the level and type, should be commensurate with the bank’s size, complexity, and organizational structure. When an institution is experiencing BSA/AML compliance weaknesses, that often reflects weak internal controls. In the summaries below, we note which of the deficiencies reflect an internal control weakness.
Board and Management Oversight 
The Examination Manual states that the board of directors of each bank is responsible for approving the institution’s BSA/AML compliance program and overseeing the structure and management of the institution’s BSA/AML compliance function. The boards of about half of the banks subject to enforcement actions in 2024 were directed to enhance their oversight of their bank’s BSA/AML compliance program. The board also is responsible for setting an appropriate “culture of compliance” with respect to BSA/AML matters, and when an institution is subject to a particularly serious enforcement action, the directors and senior managers may be fined individually. 
Oversight by the board requires that the board receive regular reports from compliance staff on the institution’s BSA/AML program, which reports are part of the institution’s internal controls. This would include, among other things, reports from the BSA officer as to SAR filings, reports on any negative findings in compliance audits, reports on remediation steps to address negative audit results, reports on any changes to the institution’s risk assessments, and reports on any deficiencies in the resources that are allocated to the compliance function.
BSA Officer Deficiencies 
The BSA officer is central to the effective function of a BSA/AML compliance program. A few of the enforcement actions in 2024 noted that the bank had designated an ineffective BSA officer or one with no prior banking or BSA officer experience. 
Other enforcement actions raised these concerns:

BSA/AML staffing that is not proportionate to the bank’s size, risk profile, and ongoing compliance concerns.
BSA officer without appropriate authority or independence. For example, one institution was criticized for having a BSA officer who did not have unilateral authority to file SARs, such as where a senior manager or a committee consisting of business managers made the ultimate decisions. This authority and independence are important to a sound compliance system, in part to avoid any conflicts of interest. 
AML monitoring and compliance staff reporting through business line management rather than directly to the BSA officer, thereby weakening the BSA officer’s authority and independence.

It also is important that all AML compliance staff, even if not designated as an “AML officer,” have appropriate experience in BSA and AML matters.
Training 
Banks must provide BSA/AML training to appropriate personnel, including all persons whose duties require knowledge or involve some aspect of BSA/AML compliance. This training should be tailored to the specific functions and positions of each individual within the institution. For example, the board of directors and certain staff may receive more general training than that provided to compliance staff and those individuals processing transactions or new accounts. Training generally should address higher-risk customers and activities, depending on the role of the individual to receive such training. In addition, targeted training may be necessary for specific money laundering, CFT, and other illicit financial activity risks for certain business lines or operational units. 
Many of the banks entering into consent orders in 2024 were required to develop and implement a new training program. Banks were cited in 2024 for failure to tailor training for frontline retail branch personnel, to train staff on the “AML typologies and risks” associated with the bank’s products and services, and to train on the specialized red flags for specific business lines or higher-risk activities. At least one bank was criticized for inadequate training on the completion and filing of currency transaction reports (CTRs), resulting in the filing of incomplete or inaccurate CTRs. A robust training program for all aspects of BSA/AML compliance is clearly required for every bank. 
Inadequate Compliance Resources 
A common finding when an institution is subject to an enforcement action is that the institution did not dedicate sufficient financial and personnel resources to BSA/AML compliance. Multiple institutions were cited in 2024 for this failure, and in at least one case for the failure to invest in improvements to address compliance gaps when those investments were deemed to be too costly. At least one institution was accused of maintaining a compensation system that appeared to provide a disincentive for the BSA officer to incur costs to ensure compliance.
AML staffing also should be proportionate to the bank’s size, risk profile, and any ongoing compliance concerns. When these factors change, an increase in staffing and other resources is often called for. 
Inadequate staffing and resources can result in failures in numerous areas of BSA/AML compliance. These failures can include having significant backlogs in addressing suspicious activity alerts, an inability to adequately investigate alerts, and backlogs of customers whose relationship with the bank should be severed.
Initial and Ongoing Risk Assessments 
Banks’ BSA/AML compliance programs should be risk-based. A well-developed BSA/AML risk assessment assists the bank in identifying its money laundering, CFT, and other illicit financial activity risks and then developing and maintaining appropriate internal controls to address the identified risks. A risk assessment generally involves the identification of specific risk categories (e.g., products, services, customers, and geographic locations) unique to the bank and the bank’s analysis of such risks.
A bank should update its risk assessment from time to time, particularly when there are changes in the bank’s products, services, customers, or geographic locations, when the bank expands through mergers or acquisitions, and in response to regulatory changes, alerts, or negative compliance findings. 
Many of the recent enforcement actions directed the bank to develop, implement, and adhere to a revised and ongoing BSA risk assessment methodology. Those risk assessments were to address the risks outlined above and include an analysis of the volumes and types of transactions and services by geographic location and the numbers of customers that typically pose higher or elevated BSA risk for the institution. 
All risk assessments then should be used by the institution to develop and implement appropriate risk-mitigating strategies and internal controls. The results of each risk assessment should be reported to the board and appropriate senior management, and they then should require progress reports from the BSA officer with respect to any steps needed to reduce risks to appropriate levels. 
Customer Due Diligence, Risk Assessments, and Monitoring
The Examination Manual notes that “[t]he cornerstone of a strong BSA/AML compliance program is the adoption and implementation of risk-based CDD policies, procedures, and processes for all customers….” Conducting ongoing CDD is the fifth pillar of an effective BSA/AML compliance program. Its objective is to enable a bank to understand the nature and purpose of customer relationships, including understanding the types of transactions in which a customer is likely to engage. These processes assist the institution in determining when transactions are suspicious and when a SAR might need to be filed. 
CDD should enable the bank to assign risk ratings to each customer, and those risk ratings then should be taken into account when establishing customer transaction monitoring systems, with higher risk customers being subject to more stringent transaction monitoring. Customer risk ratings also should be taken into account in the institution’s overall BSA/AML compliance risk assessments. 
If a bank determines through ongoing CDD and transaction monitoring that its information on a particular customer has materially changed, that customer information and risk rating should be updated accordingly. In the event a bank discovers that it failed to identify a customer as being a higher risk customer, the bank should revise its risk rating of the customer and consider conducting a transaction review to determine if suspicious activities were not identified. 
A large majority of the banks subject to enforcement actions in 2024 were required to develop and implement a new CDD program. The actions often stated that the CDD program must ensure appropriate collection and analysis of customer information when opening new accounts, when renewing or modifying existing accounts, and when the bank obtains “event-driven information” indicating that it should obtain updated information to better understand the nature and purpose of its customer relationships and generate and maintain an accurate customer risk profile. 
Suspicious Activity Monitoring Systems and Processes 
Having an effective suspicious activity monitoring and reporting system is a critical internal control and essential to ensuring that a bank has an adequate and effective BSA/AML compliance program. Without such a system, an institution is more likely to miss suspicious activities and fail to file appropriate SARs. 
Per the Examination Manual, the sophistication of a monitoring system should be dictated by the bank’s risk profile, with particular emphasis on the composition of higher-risk products, services, customers, entities, and geographies. It likely would be inappropriate, however, to use a monitoring system that wholly disregards domestic and supposedly lower-risk transactions, and at least one institution was criticized for that in 2024. 
The five key components to an effective monitoring and reporting system are:

Identification or alert of unusual activity, which may include employee identification, law enforcement inquiries, other referrals, and transaction and surveillance monitoring system output.
Managing alerts.
SAR decision making.
SAR completion and filing.
Monitoring and SAR filing on continuing suspicious activity.

A transaction monitoring system may have manual elements. These systems may target specific types of transactions, such as large cash transactions or transactions from foreign geographies, with a manual review of reports generated by the bank’s systems. The type and frequency of reviews and resulting reports used should be commensurate with the bank’s BSA/AML risk profile and appropriately cover its higher-risk products, services, customers, entities, geographic locations, and methods of delivering its products and services. 
Automated monitoring systems also are appropriate for most or all banks. These systems, sometimes called “surveillance monitoring systems,” include rule-based systems that apply transaction parameters, scenarios, and filters. In all cases, however, those parameters, scenarios, and filters should be tailored to the bank’s risks, and they should be tested periodically to ensure that they are effective. 
We therefore have seen enforcement actions criticizing banks for relying on “off-the-shelf” scenarios provided by their vendors without consideration as to whether those scenarios needed to be tailored to the bank’s business. Some enforcement actions also criticized banks for failure to conduct appropriate testing and gap assessments of their transaction monitoring systems.
Finally, we should note that at least one institution was criticized for appearing to have designed at least portions of its monitoring system to focus more on operational burdens and risks than on BSA/AML compliance. 
Failures to File SARs; Potential Consequences
Not surprisingly, those institutions that were cited for having weak CDD or transaction monitoring programs also were often cited for failures to identify suspicious transactions and file SARs as warranted. At least 16 banks were ordered in 2024 to conduct reviews of prior transactions to determine if any SAR filing might have been missed, sometimes referred to as a “look back” review. 
When a look back is required, the institution generally must hire an independent consultant to conduct a review and provide a written report on the bank’s suspicious activity monitoring, investigation, decisioning and reporting, identifying any instances in which the bank failed to file a SAR. The regulator then uses this information to decide what fines it will impose and whether to increase any prior fines. If the results of the look back are very negative, the regulator might also order an expanded look back, going further back in time. 
Independent Testing 
Banks are required to conduct independent testing or audits (the Examination Manual uses these terms interchangeably) of the bank’s BSA/AML compliance program. The testing can be conducted by the bank’s internal audit department or by qualified third parties, but the auditor never should be involved in business operations or BSA-related functions due to the potential for conflicts of interest or lack of independence. The results of all independent testing should be reported directly to the board of directors or a designated committee thereof that is composed primarily or completely of outside directors. 
The Examination Manual directs examiners to obtain and review the independent testing reports, including any scope and workpapers. If the examiner finds that the testing was adequate given the bank’s risk profile, that can comfort the examiner and might lead to a softer-touch examination. If the examiner concludes that the testing was deficient, the bank can expect a rigorous examination. 
Several of the banks subject to enforcement actions in 2024 were found by the examiner to have deficient independent testing. In one instance, the examiner concluded that the testing was insufficient in scope given the institution’s risk profile and that it only determined whether controls existed and not if they were in fact being used. In certain other instances when the enforcement action did not specifically criticize prior testing, the bank still was required to perform new independent testing and provide the results to the examiner. 
Many other banks were directed to establish a new independent audit program that would address and determine, among other things, the bank’s money laundering, terrorist financing, and other illicit financial activity risks; whether the bank’s policies, procedures, and processes for BSA/AML compliance were appropriate for the bank’s risk profile; whether the bank actually adhered to such policies, procedures, and processes; and whether management took appropriate and timely action to address any deficiencies. 
Next Steps 
In light of these enforcement actions, there are a number of steps that a bank might want to consider and questions that it might want to ask of itself. 
Risk Assessments
Is the assessment of your institution’s money laundering, CFT, and sanctions risks appropriately tailored to your products, services, customers, geographic locations, and your methods of delivering your products and services? Have any of these factors changed since your last risk assessment such that a new risk assessment is advisable? Some institutions might decide that it is appropriate to engage a third party to conduct a new risk assessment, both to obtain an independent view of your risk assessment and so as not to over-burden internal resources who need to focus on day-to-day compliance matters.
Customer Due Diligence
Is your customer due diligence thorough and ongoing? Are customers appropriately risk rated, and is that risk rating adjusted when new information about the customer is obtained? Are customer information and risk ratings incorporated into your transaction monitoring systems? If you rely on a fintech partner or other third party for customer due diligence, you might want to confirm that they are obtaining and updating customer information as needed to ensure BSA/AML compliance. 
Transaction Monitoring
Are your transaction monitoring thresholds, filters, and scenarios appropriately tailored to your products, services, customers, geographic locations, and your methods of delivering your products and services? If you are relying on third-party monitoring systems, have you reviewed their thresholds, filters, and scenarios and confirmed that they are appropriate for your institution? Have these thresholds, filters, and scenarios been tested recently? 
Independent Testing
Unless your institution recently performed or had performed thorough independent testing, you might want to consider new testing. As with your risk assessments, it might be best to engage a third party to conduct this testing, both to obtain an independent opinion of your organization and so as not to overburden your internal resources who need to focus on day-to-day compliance matters.
Resources
Has your BSA officer or any independent testing provider suggested that additional resources are needed, and have these suggestions been heeded? 
Voluntary SAR Look Back
If the results of independent testing or testing of your transaction monitoring system suggest that the institution might have failed to identify suspicious transactions or file SARs, you might want to consider voluntarily conducting a SAR look back. In this way, you might be able to reduce the negative impacts of your next BSA/AML compliance program. 
BSA/AML compliance is not inexpensive, but enforcement actions can cost far more. In addition to needing to spend time and money to address the issues raised in the action, and potentially paying fines, banks with serious BSA/AML compliance deficiencies may be blocked for a period of time from offering new products or services, opening new branches, or engaging in acquisitions. A bank that is subject to a consent order or a formal written agreement with its regulator also generally is not an “eligible bank” for purposes of corporate applications, meaning that expedited treatment of those applications is unavailable. For all of these reasons, we recommend that banks take heed of the lessons that can be gleaned from 2024’s round of enforcement actions so as to avoid being a target in 2025 or beyond. 
Footnotes

1 This article focuses only on the compliance issues that were raised by the 2024 enforcement actions. We are not attempting to provide a complete guide to BSA/AML compliance, but only to highlight areas in which an examiner concluded an institution was deficient. In order to provide regulatory background, we sometimes draw from the Bank Secrecy Act/Anti-Money Laundering Examination Manual of the Federal Financial Institutions Examination Council, often without attribution but sometimes by referring to the “Examination Manual.”

Corporate Transparency Act Compliance Still on Hold, For Now

On January 23, the U.S. Supreme Court lifted a nationwide preliminary injunction on the enforcement of the Corporate Transparency Act (the CTA), a law requiring millions of business entities to report information about their individual beneficial owners (including the individual persons who control them) to the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury. The preliminary injunction was originally issued by the U.S. District Court for the Eastern District of Texas in the case of Texas Top Cop Shop, Inc. v. Bondi—formerly, Texas Top Cop Shop v. Garland.
Despite the Supreme Court’s decision in Texas Top Cop Shop, the CTA reporting obligations are still on hold due to a separate nationwide injunction that remains in place. The second nationwide injunction was issued by a different judge of the U.S. District Court for the Eastern District of Texas in the case of Smith v. U.S. Department of the Treasury. The federal government has filed an appeal to the U.S. Court of Appeals for the Fifth Circuit seeking to lift the Smith injunction. This appeal represents the first action taken by the federal government in a CTA court proceeding since January 20, 2025, when the new administration took office.
If the injunction in the Smith case is lifted, the reporting obligations under the CTA would resume and all non-exempt reporting companies would be required to file beneficial ownership information reports (“BOIRs”) within a deadline to be determined by FinCEN. Notably, the government’s request for a stay in the Smith case pending appeal stated that FinCEN intends to extend the CTA compliance deadline for 30 days if the stay is granted. The government also implied that FinCEN is considering changes to the CTA’s reporting requirements to alleviate the burden on low-risk entities while prioritizing enforcement to address the most significant risks to U.S. national security. 
Background
See below to view a timeline of notable developments.
What Might Happen Next
The future of the CTA remains in limbo. For now, FinCEN has acknowledged that a nationwide preliminary injunction in the Smith case remains in place, meaning that reporting companies are not currently required to file BOIRs with FinCEN, and further, that reporting companies are not currently subject to liability if they fail to do so. FinCEN has stated that reporting companies may continue to voluntarily submit BOIRs.[1]
Neither the Supreme Court nor any lower court has made a determination on the merits of the constitutionality of the CTA; the rulings to date have only concerned whether the CTA may be enforced while litigation over the validity of the CTA continues. 
As stated above, CTA reporting obligations will likely resume if the Smith injunction is lifted (presumably, within 30 days of such decision), and also could resume in the future depending on the final outcomes in the Smith and Texas Top Cop Shop cases. While new developments may arise in the ongoing litigation over the CTA, Congress could also settle the debate by repealing the CTA.
Given the uncertain landscape, reporting companies who have yet to file their initial BOIRs should consider whether to continue reviewing their reporting obligations under the CTA, as such reporting companies may be required to file BOIRs within 30 days if the government’s request for a stay in the Smith case is granted. Likewise, reporting companies that have already filed should consider whether any changes have occurred to information previously reported, and should be ready to file updated or corrected reports relating to such changes or developments that occur during the pendency of the preliminary injunction. Reporting companies may also choose to voluntarily file initial or updated reports at any time despite the preliminary injunction.

Timeline
Below is a timeline of notable developments since the original nationwide preliminary injunction was issued.

December 3, 2024 – U.S. District Court for the Eastern District of Texas issued a nationwide preliminary injunction against enforcement of the CTA in the Texas Top Cop Shop case.
December 5, 2024 – The government appealed the ruling in the Texas Top Cop Shop case to the U.S. Court of Appeals for the Fifth Circuit.
December 6, 2024 – FinCEN issued a statement that it will not enforce the reporting requirements while the injunction is in place and that filing BOIRs during such period is voluntary.
December 13, 2024 – The government filed a motion with the Fifth Circuit seeking an emergency stay of the injunction in the Texas Top Cop Shop case.
December 23, 2024 – A motions panel of the Fifth Circuit granted the government’s emergency motion, issuing a stay of the injunction in the Texas Top Cop Shop case pending the Fifth Circuit’s review of the merits of the appeal. Shortly thereafter, FinCEN reinstated the CTA reporting obligations and extended the reporting deadline from January 1 to January 13, 2025.
December 26, 2024 – A separate panel of judges on the Fifth Circuit vacated the stay and reinstated the injunction originating in the Texas Top Cop Shop case, effectively suspending enforcement of the reporting requirements under the CTA. In doing so, the merits panel reasoned that the constitutional status quo needs to be preserved while it considers the parties’ substantive arguments. The Fifth Circuit issued an expedited briefing and oral argument schedule under which briefing is to be completed by February 28, 2025, and oral arguments are to occur on March 25, 2025.
December 27, 2024 – FinCEN issued a new statement that it will not enforce the reporting requirements while the reinstated Texas Top Cop Shop injunction is in place and that filing BOIRs during such period is voluntary. 
December 31, 2024 – The government filed an emergency application with the Supreme Court for a stay of the injunction originating in the Texas Top Cop Shop case.
January 7, 2025 – U.S. District Court for the Eastern District of Texas issued a separate nationwide preliminary injunction against enforcement of the CTA in the Smith case.
January 15, 2025 – U.S. Senator Tommy Tuberville and Congressman Warren Davidson re-introduced the Repealing Big Brother Overreach Act in Congress seeking to overturn the CTA.
January 23, 2025 – Supreme Court lifted the nationwide injunction originating in the Texas Top Cop Shop case; the Supreme Court’s order did not address the separate nationwide injunction originating in the Smith case.
January 24, 2025 – FinCEN issued a statement that, despite the Supreme Court’s order, reporting companies are still not required to file BOIRs due to the Smith injunction.
February 5, 2025 – The government filed an appeal seeking a stay of the injunction originating in the Smith case. 

1 Further updates from FinCEN can be found at https://fincen.gov/boi. 
Scott D. DeWald, Andrew F. Dixon, Laura A. Lo Bianco, Mark Patton, Mark D. Patton, Matthew C. Sweger, Amanda L. Thatcher, and Karen L. Witt

FINRA Facts and Trends: February 2025

Welcome to the latest issue of Bracewell’s FINRA Facts and Trends, a monthly newsletter devoted to condensing and digesting recent FINRA developments in the areas of enforcement, regulation and dispute resolution. We dedicate this month’s issue to FINRA’s 2025 Annual Regulatory Oversight Report. Read about the Report’s findings and observations, below.
FINRA Issues 2025 Regulatory Oversight Report
On January 28, 2025, FINRA published its 80-page 2025 Regulatory Oversight Report (the Report), offering insights and observations on key regulatory topics and emerging risks that firms should consider when evaluating their compliance programs and procedures. Broadly speaking, the Report identifies relevant rules, summarizes noteworthy findings, highlights key considerations for member firms’ compliance programs, and provides helpful and practical considerations as member firms analyze their existing procedures and controls.
The 2025 Report discusses 24 topics relevant to the securities industry. While many of these are perennially important topics, the Report also includes two new sections: third-party risk landscape and extended hours trading. Below, we provide an overview of the Report’s new priorities, together with certain continuing priorities highlighted in the Report.
A FINRA Unscripted podcast episode about the report — featuring Executive Vice President and Head of Member Supervision, Greg Ruppert, Executive Vice President and Head of Market Regulation and Transparency Services, Stephanie Dumont, and Executive Vice President and Head of Enforcement, Bill St. Louis — is available on FINRA’s website.
Newly Identified Priorities

Third-Party Risk Landscape: The most significant addition to the Report is a new top-level section on Third-Party Risk Landscape. Firms’ reliance on third parties for many of their day-to-day functions creates risks, and, as the Report indicates, this new section was prompted by “an increase in cyberattacks and outages at third-party vendors” firms use.
As the broad heading indicates, the newly added material outlines effective practices and general steps to be taken by firms, including: 

maintaining a list of all third-party vendor-provided services, systems and software components that the firm can leverage to assess the impact on the firm in the event of a cybersecurity incident or technology outage at a third-party vendor;
adopting supervisory controls and establishing contingency plans in the event of a third-party vendor failure;
affirmatively inquiring if potential third-party vendors incorporate generative AI into their products or services, and evaluating and reviewing contracts with these third parties to ensure they comply with the firms’ regulatory obligations, i.e., adding contractual language that prohibits firm or customer information from being ingested into the vendor’s open-source generative AI tool;
assessing third-party vendors’ ability to protect sensitive firm and customer non-public information and data;
ensuring that a vendor’s access to a firm’s systems and data is revoked when the relationship ends; and
periodically reviewing the default features and settings of third-party vendor tools.
 

Extended Hours Trading: In recent years, trading in National Market System stocks and other securities has extended beyond regular trading hours. In its other new section, FINRA reminds firms that offer extended hours trading that they must comply with FINRA Rule 2265, which requires that these firms provide their customers with a risk disclosure statement. Importantly, if a firm allows its customers to participate in extended hours trading online, the firm must be sure to post a risk disclosure statement on the firm’s website “in a clear and conspicuous manner.” In addition to Rule 2265, firms participating in extended hours trading must also comply with FINRA Rule 5310 (Best Execution and Interpositioning) and Rule 3110 (Supervision).
The Report recommends the following best practices to address any perceived risks associated with extended hours trading: 

conducting best execution reviews geared toward evaluating how extended hours orders are handled, routed and executed;
reviewing customer disclosures to ensure they address the risks associated with extended hours trading;
establishing and maintaining supervisory processes designed to address the “unique characteristics or risks” of extended hours trading; and
evaluating the operational readiness and customer support needs during extended hours trading.

Continuing Priorities
In addition to the Report’s new topics, each of the Report’s sections — Financial Crimes Prevention, Firm Operations, Member Firms’ Nexus to Crypto, Communications and Sales, Market Integrity, and Financial Management — places special emphasis on certain continuing priorities that will remain key focus areas for FINRA in 2025:

Reg BI and Form CRS: Reg BI and Form CRS have been perennial areas of focus for FINRA since they first became effective in 2020. The 2025 Report details a number of new findings and observations for each of the four component obligations of Reg BI (Care, Conflict of Interest, Disclosure, and Compliance).
With respect to the Care Obligation, many of FINRA’s latest findings and observations center around firms’ obligations with respect to recommendations of complex or risky products. FINRA reminds firms making such recommendations to consider whether the investments align with the customer’s overall investment profile, and whether the investment would result in concentrations that exceed the firm’s policies or the customer’s risk tolerance, or that represent an inappropriate portion of a retail customer’s liquid net worth.
The primary addition to the Report concerning firms’ Conflict of Interest Obligation is a finding that firms may violate Reg BI by failing to identify all material conflicts of interest that may incentivize an associated person to make a particular recommendation, such as a financial incentive to recommend the opening of an account with the firm’s affiliate, or to invest in securities tied to a company in which the associated person has a personal ownership stake.
The Report also contains a new finding related to the Compliance Obligation, noting that firms must have written policies and procedures that address account recommendations (as distinct from investment recommendations), including transfers of products between brokerage and advisory accounts, rollover recommendations, and potentially fraudulent patterns of account switches by the same associated person. 
While the Report contains no new findings or observations related to the Disclosure Obligation, FINRA continues to remind firms of their obligation to provide customers “full and fair” disclosures of all material facts related to the scope of their relationship and any conflicts of interest.
As it relates to Form CRS, the Report’s findings included failures to properly deliver Form CRS and to properly post Form CRS — including posting Form CRS on any websites maintained by financial professionals who offer the firm’s services through a separate “doing business as” website.
 
Cybersecurity and Cyber-Enabled Fraud: The Report’s section on Cybersecurity and Cyber-Enabled Fraud — titled Cybersecurity and Technology Management in previous years’ reports — includes several important additions in 2025.
Most prominently, the Report highlights the emerging risks associated with quantum computing, a new technology that relies on quantum mechanics to perform functions not possible for more traditional forms of technology. Noting that many financial institutions have recently begun exploring use of quantum computing in their business operations, the Report warns that these technologies could be exploited by threat actors. Among other things, quantum computing has the potential to quickly break current encryption methods utilized by firms in the financial services industry. FINRA recommends that firms considering the use of quantum computers place a particular emphasis on ensuring cybersecurity, third-party vendor management, data governance and supervision.
The Report also discusses a variety of cybersecurity threats and attacks that financial institutions must be prepared to counter. First, the Report observes an increase in the variety, frequency and sophistication of many common threats, including new account fraud, account takeovers, data breaches, imposter sites, and “quishing” (an attack that uses QR codes to redirect victims to phishing URLs). In addition to these more conventional threats, the Report also describes several emerging threats, including: Quasi-Advanced Persistent Threats (Quasi-APTs) (sophisticated cyberattacks intended to gain prolonged network or system access); Generative AI-Enabled Fraud (attacks that make use of emerging generative AI technology to enhance cyber-related crimes); and Cybercrime-as-a-Service (attacks perpetrated by criminals with technical expertise on a for-hire basis, or by selling cyber-attack tools to third parties).
Among the effective practices recommended by FINRA to combat these threats, the Report highlights two new practices: tabletop exercises, in which firms bring internal and external stakeholders together to ensure cyber threats are appropriately identified, mitigated and managed; and limiting lateral movement by subdividing a firm’s networks into various sections to make it more difficult for threat actors to gain access to a network in its entirety.
 
Senior Investors and Trusted Contact Persons: FINRA remains keenly focused on preventing the financial exploitation of senior investors. The Report reminds members of their regulatory obligations under FINRA Rule 4512 with respect to “Trusted Contact Persons” (TCPs) and FINRA Rule 2165 (Financial Exploitation of Specified Adults).
FINRA Rule 4512(a)(1)(F) requires FINRA members to make reasonable efforts to obtain the name of and contact information for a TCP for non-institutional customer accounts to address possible financial exploitation, to confirm the specifics of the customer’s current contact information, health status, or the identity of any legal guardian, executor, trustee, or holder of a power of attorney; or take other steps permitted by Rule 2165. In particular, Rule 2165 permits firms to place temporary holds on securities transactions and account disbursements if the member reasonably believes that financial exploitation of a Specified Adult has occurred, is occurring, has been attempted, or will be attempted. “Specified Adult” means (A) a natural person age 65 and older; or (B) a natural person age 18 and older who the member reasonably believes has a mental or physical impairment that renders the individual unable to protect his or her own interests.
In the “Findings and Effective Practices” section of the Report, FINRA notes that recent examinations and investigations focus on firms not making reasonable attempts to obtain the name and contact information of a TCP; not providing written disclosures explaining when a firm may contact a TCP; not developing training policies reasonably designed to ensure compliance with the requirement of Rule 2165; and not retaining records that document the firm’s internal review underlying any decision to place a temporary hold on a transaction.
As for suggested effective practices, the Report recommends, among other things: implementing a process to track whether customer accounts have designated TCPs, establishing specialized groups to handle situations involving elder abuse or diminished capacity, and hosting conferences or participating in industry groups focused on the protection of senior customers.
 
Anti-Money Laundering (AML) and Fraud: FINRA Rule 3310 requires that each member firm develop and implement a written AML program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act and its implementing regulations.
As for recommended effective practices, the Report recommends:

conducting thorough inquiries when customers — particularly the elderly — request an unusually significant amount of funds to be disbursed to a personal bank account;
conducting formal, written AML risk assessments;
incorporating additional methods for verifying customer identities when establishing online accounts;
delegating AML duties to specific business units that are best positioned to monitor and identify suspicious activity; and
establishing an AML training program for personnel that is tailored to the individuals’ roles and responsibilities.
The Report highlights one emerging risk: FINRA has observed an increase in investment fraud committed by those that engage directly with investors. This can include persuading victims to withdraw funds from their accounts as part of a fraudulent scheme. The FBI’s Internet Crime Report notes that “investment fraud is the costliest type of crime tracked by the FBI’s Internet Crime Complaint Center.” To help mitigate this threat, FINRA recommends: monitoring for sudden changes in a customer’s behavior, including withdrawal requests that are out of character for the customer; educating firm personnel that are in contact with customers on how to recognize red flags; and developing clear response plans for when the firm identifies a customer that has been victimized.
 

Private Placements: The Report’s section on private placements does not stray far from previous years’ reports, and primarily re-emphasizes a key area of focus for FINRA’s Enforcement division over the past two years, first highlighted in Regulatory Notice 23-08. As we reported at the time, Regulatory Notice 23-08 reminded member firms of their obligation to conduct a reasonable investigation of private placement investments prior to making any recommendation — including, most particularly, conducting an investigation of the issuer, its management and its business prospects, the assets held or to be acquired by the issuer, and the issuer’s intended use of proceeds from the offering. In its discussion of findings from targeted exams, FINRA further notes that firms fail to satisfy this obligation when, among other things, they do not conduct adequate research into issuers that have a lack of operating history, or where they rely solely on the firm’s past experience with an issuer based on previous offerings. FINRA’s findings offer a reminder to firms to apply scrutiny to all offerings, whether or not the issuer is a known quantity — and to be especially vigilant when an issuer is new to the space.
The Report’s findings also provide another cautionary tale: FINRA warns that firms fail to comply with Reg BI’s care obligation when they take the position that the firm is not making recommendations, even though the firms’ representatives have made communications to customers that include a “call to action” and are individually tailored to the customer. Firms should remain aware that these types of communications are likely to be viewed as investment recommendations, and ensure that they conduct reasonable diligence before making any such communication to a customer.
The Report also discusses an emerging trend concerning firms that have made material misrepresentations and omissions related to recommendations of private placement offerings of pre-IPO securities. As examples, FINRA cites firms that have failed to disclose potential selling compensation, and that have failed to conduct reasonable due diligence to confirm that the issuer actually held or had access to the shares it purported to sell.
 
Manipulative Trading: Member firms are prohibited, pursuant to a series of FINRA Rules, from engaging in impermissible trading practices. The relevant rules include FINRA Rule 2010 (Standards of Commercial Honor and Principles of Trade); FINRA Rule 5230 (Payments Involving Publications that Influence the Market Price of a Security); and FINRA Rule 5210 (Publication of Transactions and Quotations), which FINRA has relied on in pursuing enforcement actions accusing member firms of publicizing or circulating inflated trading activity.
The Report highlights certain recent findings, including firms having inadequate WSPs, not establishing surveillance controls designed to capture manipulative trading, and not establishing and maintaining a surveillance system reasonably designed to monitor for potentially manipulative trading.
 
Communications With the Public: As in previous years, the Report details the content standards prescribed for three categories of firm written communications: correspondence, retail communications and institutional communications. 
The Report also presents findings on an emerging trend: retail communications focused on registered index-linked annuities (RILAs). FINRA’s findings concerning firms’ communications related to RILAs mirror many of the common findings in connection with other types of investments. For example, FINRA has found that firms have failed to adequately explain how RILAs function and the meaning of specialized terms that are specific to RILAs, as well as finding that firms have made inadequate disclosures of the risks, fees and charges associated with RILAs.
The Report also contains a new focus on firms’ communications made through social media and generative AI. In particular, it recommends that firms ensure that communications made with the assistance of generative AI (including chatbot communications used with investors) are appropriately supervised and retained. Similarly, the Report cautions that firms must maintain systems, including WSPs, reasonably designed to supervise communications disseminated on the firm’s behalf by influencers on social media.
The Report’s findings and observations are intended to serve as a guide for member firms to assess their current compliance, supervisory, and risk management programs and note any perceived deficiencies that could result in scrutiny by FINRA. Member firms are encouraged to focus on the findings, observations and effective practices relevant to their respective business models.

Australia’s Proposed Scams Prevention Framework

In response to growing concerns regarding the financial and emotional burden of scams on the community, the Australian government has developed the Scams Prevention Framework Bill 2024 (the Bill). Initially, the Scams Prevention Framework (SPF) will apply to banks, telecommunications providers, and digital platform service providers offering social media, paid search engine advertising or direct messaging services (Regulated Entities). Regulated Entities will be required to comply with obligations set out in the overarching principles (SPF Principles) and sector-specific codes (SPF Codes). Those failing to comply with their obligations under the SPF will be subject to harsh penalties under the new regime.
Why Does Australia Need a SPF?
Australian customers lost AU$2.7 billion in 2023 from scams. Whilst the monetary loss from scams is significant, scams also have nonfinancial impacts on their victims. Scams affect the mental and emotional wellbeing of victims—victims may suffer trauma, anxiety, shame and helplessness. Scams also undermine the trust customers may have in utilising digital services. 
Currently, scam protections are piecemeal, inconsistent or non-existent across the Australian economy. The SPF is an economy-wide initiative which aims to:

Halt the growth in scams;
Safeguard the digital economy; 
Provide consistent customer protections for customers engaging with Regulated Entities; and
Be responsive and adaptable to the scams environment. 

What is a Scam?
A scam is an attempt to cause loss or harm to an individual or entity through the use of deception. For example, a perpetrator may cause a target to transfer funds into a specified bank account by providing the target with what appears to be a parking fine. However, financial loss caused by illegal cyber activity such as hacking would not be a scam as it does not involve the essential element of deception.
SPF Principles
The Bill sets out six SPF Principles which Regulated Entities must comply with. The SPF Principles will be enforced by the Australian Competition and Consumer Commission (ACCC) as the SPF General Regulator. 
The SPF Principles are outlined in table 1 below.

SPF Principle
Description

1. Governance
Regulated Entities are required to ‘develop and implement governance policies, procedures, metrics and targets to combat scams’. In discharging their obligations under this principle, entities must develop and implement a range of policies and procedures which set out the steps taken to comply with the SPF Principles and SPF Codes. The ACCC is expected to provide guidance on how an entity can ensure compliance with their governance obligations under the SPF.

2. Prevent
Regulated Entities must take reasonable steps to prevent scams on or relating to the service they provide. Such steps should aim to prevent people from using the Regulated Entity’s service to commit a scam, as well as prevent customers from falling victim to a scam. This includes publishing accessible resources which provide customers with information on how to identify scams and minimise their risk of harm.

3. Detect
Regulated Entities must take reasonable steps to detect scams by ‘identifying SPF customers that are, or could be, impacted by a scam in a timely way’. 

4. Report

Where a Regulated Entity has reasonable grounds to suspect that a ‘communication, transaction or other activity on, or relating to their regulated service, is a scam’, it must provide the ACCC with a report of any information relevant to disrupting the scam activity. Such information is referred to as ‘actionable scam intelligence’ in the SPF.
Additionally, if requested by an SPF regulator, an entity will be required to provide a scam report. The appropriate form and content of the report is intended to be detailed in each SPF Code.

5. Disrupt

A Regulated Entity is required to take ‘reasonable steps to disrupt scam activity on or related to its service’. Any such steps must be proportionate to the actionable scam intelligence held by the entity. As an example, for banks, appropriate disruptive activities may include:

Contacting customers to warn them of popular scams;
Introducing confirmation of payee features on electronic banking services; and
Placing a hold on payments directed to an account associated with scam activity to allow the bank time to contact the customer and provide them with information about the suspected scam. 

6. Respond
Regulated Entities are required to implement accessible mechanisms which allow customers to report scams and establish accessible and transparent internal dispute resolution processes to deal with any complaints. Additionally, Regulated Entities must be a member of an external dispute resolution scheme authorised by a Treasury Minister for their sector. The purpose of such an obligation is to provide an independent dispute resolution mechanism for customers whose complaints have not been resolved through initial internal dispute resolution processes, or where the internal dispute resolution outcome is unsatisfactory.

Table 1
What are ‘Reasonable Steps’?
We expect that SPF Codes will provide further clarification regarding what will be considered ‘reasonable steps’ for the purposes of discharging an obligation under the SPF Principles. From the explanatory materials, it is evident that whether reasonable steps have been taken will depend on a range of entity-specific factors including, but not limited to:

The size of the Regulated Entity;
The services of the Regulated Entity;
The Regulated Entity’s customer base; and
The specific types of scam risk faced by the Regulated Entity and their customers.

Disclosure of Information Under the Reporting Principle
As indicated in table 1 above, the SPF reporting principle requires disclosure of information to the SPF regulator. It is clear from the explanatory materials that, to the extent this reporting obligation is inconsistent with a legal duty of confidence owed under any ‘agreement or arrangement’ entered into by the Regulated Entity, the SPF obligation will prevail. However, it is not expressly stated how this obligation will interact with statutory protections of personal information.
The Privacy Act 1988 (Cth) (Privacy Act) imposes obligations regarding the collection, use and disclosure of personal information. Paragraph 6.2(b) of Schedule 1 to the Privacy Act allows an entity to use or disclose information for a purpose other than which it was collected where the use or disclosure is required by an Australian law. Arguably, once the SPF is enacted, disclosure of personal information in accordance with the obligations under the reporting principle will be ‘required by an Australian law’ and therefore not in breach of the Privacy Act. 
Safe Harbour Protection for Disruptive Actions
As noted in table 1, SPF Principle 5 requires entities to take disruptive actions in response to actionable scam intelligence. This may leave Regulated Entities vulnerable to actions for breach of contractual obligations. For example, where a bank places a temporary hold on a transaction, the customer might lodge a complaint for failure to follow payment instructions. To prevent the risk of such liability from deterring entities from taking disruptive actions, the SPF provides a safe harbour protection whereby a Regulated Entity will not be liable in a civil action or proceeding where they have taken action to disrupt scams (including suspected scams) while investigating actionable scam intelligence. 
In order for the safe harbour protection to apply, the following requirements must be met:

The Regulated Entity acted in good faith and in compliance with the SPF;
The disruptive action was reasonable and proportionate to the suspected scam;
The action was taken during the period starting on the day that the information became actionable scam intelligence, and ending when the Regulated Entity identified whether or not the activity was a scam, or after 28 days, whichever was earlier; and
The action was promptly reversed if the Regulated Entity identified the activity was not a scam and it was reasonably practicable to reverse the action.

The assessment of whether disruptive actions were proportionate will be determined on a case-by-case basis. However, relevant factors may include:

The volume of information received or available;
The source of that information; and
The apparent likelihood that the activity is associated with a scam.

SPF Codes
As a ‘one-size-fits-all’ approach across the entire scams ecosystem is not appropriate, the SPF provides for the creation of sector-specific codes. These SPF Codes will set out ‘detailed obligations’ and ‘consistent minimum standards’ to address scam activity within each regulated sector. The SPF Codes are yet to be released.
It is not clear whether the SPF Codes will interact with other industry codes and, if so, how and which codes will prevail. 
It appears from the explanatory materials that the SPF Codes are intended to impose consistent standards across the regulated sectors. It is unclear whether this will be achieved in practice or whether there will be a disproportionate compliance burden placed on one regulated sector in comparison to other regulated sectors. For example, because banks are often the ultimate sender/receiver of funds, will they face the most significant compliance burden? 
SPF Regulators
The SPF is to be administered and enforced through a multiregulator framework. The ACCC, as the General Regulator, will be responsible for overseeing the SPF provisions across all regulated sectors. In addition, there will be sector-specific regulators responsible for the administration and enforcement of SPF Codes. 
Enforcement
The proposed Bill sets out the maximum penalties for contraventions of the civil penalty provisions of the SPF. 
There are two tiers of contraventions, with a tier 1 contravention attracting a higher maximum penalty in order to reflect that some breaches would ‘be the most egregious and have the most significant impact on customers’. A breach will be categorised based on the SPF Principle contravened as indicated in table 2 below.

Tier 1 Contravention
SPF principle 2: prevent
SPF principle 4: detect
SPF principle 5: disrupt
SPF principle 6: respond

Tier 2 Contravention
An SPF Code
SPF principle 1: governance
SPF principle 3: report

Table 2
In addition to the civil penalty regime, other administrative enforcement tools will be available including:

Infringement notices;
Enforceable undertakings;
Injunctions;
Actions for damages;
Public warning notices;
Remedial directions;
Adverse publicity orders; and
Other punitive and nonpunitive orders.

DOJ Narrows FCPA Enforcement Focus

Attorney General (AG) Pam Bondi has issued a directive that both: (1) effectively shifts the DOJ’s FCPA enforcement focus towards those cases related to foreign bribery involving cartels and transnational criminal organizations (TCOs); and (2) expands the DOJ’s ability to prosecute certain types of FCPA violations.
Questions around how and to what extent FCPA enforcement will be impacted under the current Trump administration have been swirling. While early into President Trump’s second term, his administration has already taken steps aimed at implementing substantive changes throughout the Executive Branch, reforming the DOJ, as well as reducing the size of the federal workforce. This has led many to anticipate the potential scaling back of FCPA enforcement efforts in the near future.
Shift in FCPA Enforcement Focus
AG Bondi has recently issued fourteen memos, addressed to all DOJ employees, detailing new policies and priorities for the DOJ across a range of enforcement activities. The FCPA was specifically named in the “Total Elimination of Cartels and Transnational Criminal Organizations” directive (the “Directive”). The Directive provides more insight as to the DOJ’s priorities around FCPA enforcement going forward.
Specifically, the Directive states that “[t]he Criminal Division’s FCPA Unit shall prioritize investigations related to foreign bribery that facilitates the criminal operations of Cartels and TCOs, and shift focus away from investigations and cases that do not involve such a connection.”
The Directive also overrides certain sections of the Justice Manual, as it relates to foreign bribery involving cartels or TCOs, that required FCPA cases to be either conducted by Fraud Section prosecutors or approved by the Criminal Division. In other words, U.S. Attorney’s Offices are now also empowered to pursue criminal FCPA cases involving foreign bribery and cartels or TCOs without approval to bring such matters, provided they give the Criminal Division 24 hours’ notice before proceeding.
FCPA Background
The FCPA is a two-pronged federal statute that contains anti-bribery provisions as well as accounting provisions; the accounting provisions address both internal controls (e.g., maintaining robust internal systems designed to prevent and identify corrupt activities) and books and records (e.g., maintaining accurate records that make it challenging to hide improper payments). The DOJ and SEC have dual enforcement authority over the FCPA, with the DOJ pursuing criminal violations of the FCPA and the SEC handling civil matters pertaining to publicly traded companies.
Since the FCPA was enacted in 1977, enforcement has focused on targeting corporate corruption where companies – including through, indirectly or directly, their third-party intermediaries (e.g., consultants, distributors, sales agents, etc.) – have improperly gained or retained unfair business advantages in exchange for providing something of value to foreign government officials. With the current shift in FCPA enforcement priorities, the DOJ is anticipated to redirect efforts away from targeting bribery in the context of legitimate corporate industries to focusing on bribery schemes in connection with organized crime and cartels.
It will be interesting to see how objectives under the Directive play out, given the logistics of the FCPA. For instance, the FCPA’s scope covers issuers (publicly traded companies with securities listed on a national securities exchange in the U.S.), domestic concerns (U.S. companies or U.S. persons), as well as any other persons that engage in acts furthering corruption while in the U.S. These limitations may exclude many individuals and entities involved in cartels or TCOs. In other words, the FCPA’s design – considering its jurisdictional reach and entity-focus – may limit its effectiveness as a tool against organized crime.
Why Compliance Still Matters
While DOJ’s FCPA enforcement priorities may be shifting under the Trump Administration to focus on cartels and TCOs, this should not be read to mean that DOJ will no longer pursue other forms of foreign corruption. The Directive does not suggest any plans to repeal or even weaken the FCPA; rather, the Directive refocuses DOJ’s FCPA enforcement priorities.
For nearly two decades, the FCPA has been a cornerstone of DOJ’s corporate enforcement efforts. This continued focus has resulted in steady and substantial financial recoveries – with penalties exceeding one billion dollars in some cases – over the course of several presidential terms spanning both Democratic and Republican leadership, including President Trump’s first term. Precedent suggests that FCPA enforcement is an entrenched priority for the DOJ and SEC, transcending individual administrations and political affiliations. Further, several countries have also enacted similar anti-bribery and anti-corruption regulations. When pursuing FCPA resolutions, international cooperation between the U.S. and foreign authorities has been essential in order to navigate the complexities of FCPA cases, which usually involve international transactions, multiple actors, and diverse legal frameworks.
Regarding corporate compliance programs, the DOJ will frequently give credit when considering the appropriate resolution, monetary penalty, and subsequent compliance obligations, if the company is able to demonstrate it has a robust and well-designed compliance program, including having made improvements to the program in response to the investigated misconduct. In other words, a company may be able to secure a more favorable outcome if it maintains a strong compliance program, which may ultimately result in the DOJ determining not to prosecute.
There are other benefits for companies that invest in their compliance programs:

Risk Management: Robust compliance programs help prevent potential compliance issues before they occur. Further, early detection of potential violations allows for timely intervention, remediation, and disclosure, if necessary.
Informed Decision-Making: Companies are better positioned to make strategic business decisions with a strong compliance foundation. This includes evaluating and responding to potential enforcement-related situations.
Long-Term Business Integrity: Maintaining high compliance standards fosters a culture of ethical business practices, which can enhance a company’s reputation and promote stakeholder confidence.
Adaptability to Regulatory Changes: A well-designed and effective compliance program is more easily adaptable to shifting regulatory landscapes and emerging risks, enabling companies to more efficiently respond to new enforcement trends.

Takeaway
Regardless of the DOJ’s FCPA enforcement priorities shifting, companies will continue to meaningfully benefit from maintaining and investing in their compliance programs. Further, the Directive does not impact SEC enforcement of FCPA violations; in other words, issuers that fall under the SEC’s jurisdiction will need to continue to comply with the FCPA regardless of DOJ’s shift in FCPA enforcement focus. Moreover, the applicable statute of limitations for FCPA violations generally extends beyond the current administration. Ultimately, companies would be well advised to continue to ensure that their compliance programs are effective and well-resourced in order to mitigate risks.

Attorney General Bondi’s Day One Orders for DOJ

Shortly after her confirmation, and just after her swearing-in by Associate Justice Clarence Thomas, U.S. Attorney General Pamela Bondi issued fourteen memoranda that seek to reform the Department of Justice by rescinding prior guidance, issuing new guidance, and establishing new priorities for the nation’s chief law enforcement and prosecuting agency. We examine below the actions taken by Attorney General Bondi. 

“Elimination of Diversity, Equity, and Inclusion” (DEI): Two of the memos focus on the elimination of prior Diversity, Equity, and Inclusion (DEI) efforts at the Department and in the private sector. These directives stem from President Trump’s executive order on January 21, 2025 concerning “Ending Illegal Discrimination and Restoring Merit-Based Opportunity”. The first memo requires “[a]ll Department materials that encouraged or permitted race- or sex-based preferences as a method of compliance with federal civil rights laws” to be rescinded and replaced with new guidance. The second memo directs the DOJ’s Civil Rights Division to “investigate, eliminate, and penalize illegal DEI and DEIA preferences, mandates, policies, programs, and activities in the private sector and in educational institutions that receive federal funds.” For a full summary of the DOJ’s focus on DEI, go to the blog post by our colleagues in Labor and Employment.
Immigration. This memo directs the DOJ to withhold federal funding from, and pursue enforcement actions against, sanctuary cities. The memo cites 8 U.S.C. § 1373, which provides that state or local jurisdictions “may not prohibit, or in any way restrict, any government entity or official from sending to, or receiving from, the Immigration and Naturalization Service information regarding the citizenship or immigration status, lawful or unlawful, of any individual.” The memo warns that any sanctuary cities that violate this statute will receive a cut in federal funding.
Elimination of Cartels. This memo directs DOJ personnel to focus their efforts on eliminating cartels and transnational criminal organizations (TCOs). The memo identifies various enforcement mechanisms and resources that may be used in carrying out the directive. Notably, the memo calls for the Department to shift the focus of its prosecutions under the Foreign Corrupt Practices Act (FCPA) to “the criminal operations of Cartels and TCOs”. Additionally, the memo removes the requirement that the Fraud Section of the Criminal Division handle all investigations and prosecutions under the FCPA, now permitting any U.S. Attorney’s Office to initiate charges with only 24 hours of advance notice to Main Justice required. It is unclear whether, and to what degree, DOJ will continue its pending corporate investigations and prosecutions and/or initiate new ones.
Joint Task Force October 7. This memo focuses on the creation of the Joint Task Force October 7 to “seek[] justice for victims of the October 7, 2023 terrorist attack in Israel” and address ongoing antisemitic threats in the United States.
Charging, Plea Negotiations, Etc. This memo outlines general policy regarding charging, plea negotiations, and sentencing for prosecutors. It lays out the Department’s criminal enforcement priorities, including immigration enforcement; human trafficking and smuggling; transnational organized crime, cartels, and gangs; and protection of law enforcement personnel. The memo also disbands the Foreign Influence Task Force and the National Security Division’s Corporate Enforcement Unit.
“Zealous” Advocacy on Behalf of the U.S. This memo directs DOJ to “zealously defend the interest of the United States.” The memo emphasizes the responsibilities DOJ attorneys have to enforce the laws of the United States, but also highlights their responsibility to “vigorously defend[] presidential policies and actions against legal challenges on behalf of the United States.” This memo suggests discipline for DOJ attorneys that decline to sign briefs or appear in court on personal grounds or “otherwise delay or impede the Department’s mission.”
Recession of Biden Administration Guidance. Three of the memos roll back specific directives made by former Attorney General Merrick Garland who served in the Biden Administration, including those that pertained to the interpretation of guidance documents, third-party settlements to non-governmental, third-party organizations, and the prioritization of environmental prosecutions.
Death Penalty. Two memos focus on the death penalty—one memo directs U.S. Attorney’s Offices “to assist local prosecutors in pursuing death sentences under state law against the 37 commuted inmates” who’s sentence former President Joe Biden previously commuted, while the other memo revives the federal death penalty by lifting the moratorium on federal executions and provides for the re-review of pending cases potentially eligible for death.
DOJ Employees Back to the Office. This memo directs DOJ employees to return to work in-person by February 24, 2025 and reinforces President Trump’s January 20, 2025 Presidential Memorandum on the same matter. 
Weaponization Work Group. This memo targets “abuses of the criminal justice process, coercive behavior, and other forms of misconduct.” The directive addresses Trump’s January 20 Executive Order concerning “Ending the Weaponization of The Federal Government” by establishing a “Weaponization Work Group,” tasked with reviewing criminal and civil enforcement over the last 4 years, and reporting to the White House “instances where a department’s or agency’s conduct appears to have been designed to achieve political objectives or other improper aims rather than pursuing justice or legitimate governmental objectives.”

Bad News & Good News: Ransomware Up, Payments Down in 2024

American blockchain analysis firm Chainalysis reports that ransomware payments declined significantly in 2024, dropping to $813 million from $1.25 billion in 2023 – a 35% decrease. The company’s sleuthing also revealed that only 30% of victims who entered negotiations with ransomware actors ultimately paid a ransom. That’s big. And this downward payment trend occurred despite 2024 being a record year for ransomware attacks overall.
This work reveals a disconnect between attack volume and successful extortion, suggesting organizations are becoming more resilient to ransomware pressure tactics. Some of the possible factors contributing to the decrease in ransomware payments include:

Law Enforcement and International Collaboration: Increased law enforcement actions and improved international collaboration have been effective in disrupting ransomware operations. For example, the takedown of LockBit by the UK’s National Crime Agency (NCA) and the US FBI led to a 79% decrease in payments. 
Increased Gap Between Demands and Payments: The difference between ransom demands and actual payments is increasing. Incident response data shows that a majority of clients do not pay at all.
Shift in Ransomware Ecosystem: The collapse of LockBit and BlackCat led to a rise in lone actors and smaller groups that focus on small to mid-size markets with more modest ransom demands.
Illegitimate Victims on Data Leak Sites (more on this below): Some threat actors have been caught overstating or lying about victims, or reposting claims about old victims. As many as 68% of the victims LockBit published on its data leak site were repeat or fabricated after the group was ostracized by the underground community following law enforcement action.
Ransomware Actors Abstaining From Cashing Out: Ransomware operators are increasingly abstaining from cashing out their funds (such that the funds flow isn’t tracked), likely due to uncertainty and caution amid law enforcement actions targeting individuals and services facilitating ransomware laundering.
Victim Refusal to Pay: More victims are choosing not to pay ransoms due to improved cyber hygiene and overall resiliency. 

Chainalysis also gives a summary of the data leak trends in 2024:

unprecedented growth in ransomware data leak sites, with 56 new sites emerging in 2024 – more than twice the number identified in 2023
researchers note significant concerns about the accuracy of these reported leaks:

many leaks overstated their impact, claiming entire multinational organizations when only small subsidiaries were affected
over 100 organizations appeared on multiple leak sites
ransomware gang LockBit, following law enforcement disruption, artificially inflated their numbers by reposting old victims and fabricating new ones – with up to 68% of their posts being repeat or false claims

This analysis suggests that while data leak sites showed record numbers in 2024, the actual scope of successful ransomware attacks may be significantly lower than the raw numbers indicate. 

Attorney General Pam Bondi Narrows FCPA Enforcement Focus

Attorney General (AG) Pam Bondi has issued a directive that both: (1) effectively shifts the DOJ’s FCPA enforcement focus towards those cases related to foreign bribery involving cartels and transnational criminal organizations (TCOs); and (2) expands the DOJ’s ability to prosecute certain types of FCPA violations.
Questions have been swirling around how and to what extent FCPA enforcement will be impacted under the current Trump administration. Although it is early in President Trump’s second term, his administration has already taken steps aimed at implementing substantive changes throughout the Executive Branch, reforming the DOJ, and reducing the size of the federal workforce. This has led many to anticipate the potential scaling back of FCPA enforcement efforts in the near future.
Shift in FCPA Enforcement Focus
AG Bondi has recently issued fourteen memos, addressed to all DOJ employees, detailing new policies and priorities for the DOJ across a range of enforcement activities. The FCPA was specifically named in the “Total Elimination of Cartels and Transnational Criminal Organizations” directive (the “Directive”). The Directive provides more insight as to the DOJ’s priorities around FCPA enforcement going forward.
Specifically, the Directive states that “[t]he Criminal Division’s FCPA Unit shall prioritize investigations related to foreign bribery that facilitates the criminal operations of Cartels and TCOs, and shift focus away from investigations and cases that do not involve such a connection.”
The Directive also overrides certain sections of the Justice Manual, as they relate to foreign bribery involving cartels or TCOs, that required FCPA cases to be either conducted by Fraud Section prosecutors or approved by the Criminal Division. In other words, U.S. Attorney’s Offices are now also empowered to pursue criminal FCPA cases involving foreign bribery and cartels or TCOs without approval to bring such matters, provided they give the Criminal Division 24 hours’ notice before proceeding.
FCPA Background
The FCPA is a two-pronged federal statute that contains anti-bribery provisions as well as accounting provisions; the accounting provisions address both internal controls (e.g., maintaining robust internal systems designed to prevent and identify corrupt activities) and books and records (e.g., maintaining accurate records that make it challenging to hide improper payments). The DOJ and SEC have dual enforcement authority over the FCPA, with the DOJ pursuing criminal violations of the FCPA and the SEC handling civil matters pertaining to publicly traded companies.
Since the FCPA was enacted in 1977, enforcement has focused on targeting corporate corruption where companies – including through, indirectly or directly, their third-party intermediaries (e.g., consultants, distributors, sales agents, etc.) – have improperly gained or retained unfair business advantages in exchange for providing something of value to foreign government officials. With the current shift in FCPA enforcement priorities, the DOJ is anticipated to redirect efforts away from targeting bribery in the context of legitimate corporate industries to focusing on bribery schemes in connection with organized crime and cartels.
It will be interesting to see how objectives under the Directive play out, given the logistics of the FCPA. For instance, the FCPA’s scope covers issuers (publicly traded companies with securities listed on a national securities exchange in the U.S.), domestic concerns (U.S. companies or U.S. persons), as well as any other persons that engage in acts furthering corruption while in the U.S. These limitations may exclude many individuals and entities involved in cartels or TCOs. In other words, the FCPA’s design – considering its jurisdictional reach and entity-focus – may limit its effectiveness as a tool against organized crime.
Why Compliance Still Matters
While DOJ’s FCPA enforcement priorities may be shifting under the Trump Administration to focus on cartels and TCOs, this should not be read to mean that DOJ will no longer pursue other forms of foreign corruption. The Directive does not suggest any plans to repeal or even weaken the FCPA; rather, the Directive refocuses DOJ’s FCPA enforcement priorities.
For nearly two decades, the FCPA has been a cornerstone of DOJ’s corporate enforcement efforts. This continued focus has resulted in steady and substantial financial recoveries – with penalties exceeding one billion dollars in some cases – over the course of several presidential terms spanning both Democratic and Republican leadership, including President Trump’s first term. Precedent suggests that FCPA enforcement is an entrenched priority for the DOJ and SEC, transcending individual administrations and political affiliations. Further, several countries have also enacted similar anti-bribery and anti-corruption regulations. When pursuing FCPA resolutions, international cooperation between the U.S. and foreign authorities has been essential in order to navigate the complexities of FCPA cases, which usually involve international transactions, multiple actors, and diverse legal frameworks.
Regarding corporate compliance programs, the DOJ will frequently give credit when considering the appropriate resolution, monetary penalty, and subsequent compliance obligations, if the company is able to demonstrate it has a robust and well-designed compliance program, including having made improvements to the program in response to the investigated misconduct. In other words, a company may be able to secure a more favorable outcome if it maintains a strong compliance program, which may ultimately result in the DOJ determining not to prosecute.
There are other benefits for companies that invest in their compliance programs:

Risk Management: Robust compliance programs help prevent potential compliance issues before they occur. Further, early detection of potential violations allows for timely intervention, remediation, and disclosure, if necessary.
Informed Decision-Making: Companies are better positioned to make strategic business decisions with a strong compliance foundation. This includes evaluating and responding to potential enforcement-related situations.
Long-Term Business Integrity: Maintaining high compliance standards fosters a culture of ethical business practices, which can enhance a company’s reputation and promote stakeholder confidence.
Adaptability to Regulatory Changes: A well-designed and effective compliance program is more easily adaptable to shifting regulatory landscapes and emerging risks, enabling companies to more efficiently respond to new enforcement trends.

Takeaway
Regardless of the DOJ’s FCPA enforcement priorities shifting, companies will continue to meaningfully benefit from maintaining and investing in their compliance programs. Further, the Directive does not impact SEC enforcement of FCPA violations; in other words, issuers that fall under the SEC’s jurisdiction will need to continue to comply with the FCPA regardless of DOJ’s shift in FCPA enforcement focus. Moreover, the applicable statute of limitations for FCPA violations generally extends beyond the current administration. Ultimately, companies would be well advised to continue to ensure that their compliance programs are effective and well-resourced in order to mitigate risks.

Key Takeaways on New U.S. Tariffs on Canada, China and Mexico Imports

On Feb. 1, 2025, the White House published new executive orders imposing tariffs on goods imported from Canada, Mexico and China, citing national security threats of illegal immigration and drugs and statutory authority under the International Emergency Economic Powers Act (IEEPA).
Specifically, the executive orders impose a 10 percent tariff on imports from China and a 25 percent tariff on imports from Mexico and Canada, excluding Canadian energy imports, which will carry a 10 percent tariff. Below are initial highlights from the orders and from the Federal Register notices published shortly after the orders:

The effective date and time of the tariff actions is on or after 12:01 a.m. Eastern time on Feb. 4, 2025, except for tariffs on Mexico and Canada, which have been deferred for one month, until March 4, 2025.
The IEEPA tariffs appear to cover every imported commodity from Canada, Mexico, and China, with the exception of limited statutory exclusions on personal communications, donated articles, informational materials (e.g., certain publications, films, and artwork), and transactions ordinarily incident to travel.
The executive orders are silent on whether there will be a product exclusion process, akin to the exclusions for Section 301 and Section 232 tariffs.
The executive orders include a retaliation clause providing that, should Canada, Mexico, or China retaliate against the U.S. in response (i.e., tariffs on U.S. exports), the “President may increase or expand in scope the duties imposed under this Executive Order to ensure the efficacy of this action.”
Drawback (refund) claims and the $800 de minimis exclusion are not available under these IEEPA tariffs.

In a prior post on potential tariffs, we had noted the possible use of IEEPA to impose immediate tariffs. No president has used IEEPA to impose tariffs, although President Richard Nixon used a predecessor statute to IEEPA to impose a 10 percent tariff on all imports in 1971.
What does this all mean, and what is next for importers and stakeholders affected by these tariffs? Below are a few issues and questions to keep in mind:

What exactly will be the U.S. response to the announcement of retaliatory measures? Canada announced tariffs of 25 percent on $155 billion worth of American goods. These tariffs target products such as orange juice, peanut butter, wine, spirits, beer, coffee, appliances, apparel, footwear, motorcycles, cosmetics, and pulp and paper. Mexico initially announced plans to impose retaliatory measures. But since that time, Mexico and Canada have agreed to take action at the border, resulting in a one-month deferral of the application of IEEPA duties against Mexico and Canada and suspension of any reciprocal tariffs.
IEEPA tariffs on China are 10 percent, but these are on top of existing Section 301 tariffs that are 25 percent on most goods from China. Interestingly, there will now be a smaller group of products from China that are subject to lower Section 301 duties (List 4A, 7.5 percent) or even no Section 301 duties. Thus, if the suspended Canada and Mexico tariffs ultimately go into effect, imports of those products from China may actually be subject to lower duties than imports of the same products from Canada and Mexico.
For China, the Federal Register is silent on the applicable rule of origin, although it is anticipated that “substantial transformation” will be the applicable rule. For Canada, there will actually be two applicable rules of origin for IEEPA tariffs – USMCA marking rules of origin and the “substantial transformation” legal standard. This will have particularly interesting implications for importers of goods produced in Canada from Chinese-origin materials. Indeed, an FAQ released by the White House states that IEEPA tariffs will be in addition to any other tariffs imposed under other authorities.

Tayo Osuntogun, Michelle Rosario, and Yusra Siddique contributed to this article

It Lives: Trump Administration Defends Corporate Transparency Act; May Modify its Application

On February 5, 2025, the Trump administration added a new chapter to the saga that has been the implementation of the Corporate Transparency Act (CTA), filing a notice of appeal and motion for stay against an Eastern District of Texas injunction in Smith v. United States Department of the Treasury on enforcement of the CTA’s filing deadline.
In its filing, the Treasury Department stated that it would extend the filing deadline for 30 days if the stay is granted, and would use those 30 days to determine if lower-risk categories of entities should be excluded from the reach of the filing requirements. In light of the Supreme Court’s stay of the injunction in Texas Top Cop Shop, Inc., et al. v. Merrick Garland, et al., also from the Eastern District of Texas, it is likely that the stay will be granted.
Passed in the first Trump administration but implemented during the Biden presidency, the CTA – an anti-money laundering law designed to combat terrorist financing, seize proceeds of drug trafficking, and root out illicit assets of sanctioned parties and foreign criminals in the United States – has faced legal challenges around the country.
The constitutionality of the CTA was challenged in several cases, with most courts upholding the law, but some issuing either preliminary injunctions or determining that the law is unconstitutional. In addition to the appeals of Texas Top Cop Shop and Smith, both before the Fifth Circuit, appeals are currently pending in the Fourth, Ninth, and Eleventh Circuits.
Although enforcement of the CTA deadline is currently paused, the granting of a stay in Smith, or a ruling by one of the circuits, could reinstate the deadline at any time, triggering the start of the 30-day clock to file. Entities may file now notwithstanding the injunction if they choose to do so, and entities may wish to complete the filing so that they do not need to monitor the situation and to avoid high traffic to the filing website in the event a deadline is reimposed.
Please note that if you file or have already filed and the law is ultimately found unconstitutional or otherwise overturned or rescinded, you will not be under any continuing obligation regarding that filing.
Entities can, of course, choose not to file or to keep filings updated. However, be aware that in addition to the potential need to file on short notice should the preliminary injunction be limited, stayed, or overturned, financial institutions may inquire as to whether the entity has filed a CTA and could require filing as part of the financial institution’s anti-money laundering program.