10 Important Insights for Procurement Fraud Whistleblowers in 2025
If you have information about procurement fraud, providing this information to the federal government could lead to the recovery of taxpayer funds and put a stop to any ongoing fraud. It could also entitle you to a financial reward. In addition to providing strong protections to procurement fraud whistleblowers, the False Claims Act entitles whistleblowers to financial compensation when the information they provide leads to a successful enforcement action.
Whether you are interested in seeking a financial reward or you are solely focused on ensuring integrity and accountability within the federal procurement process, if you have information about procurement fraud, it will be important to make informed decisions about your next steps. While protections and financial incentives are available, whistleblowers who wish to expose procurement fraud must meet various substantive and procedural requirements, and they must come forward before someone else beats them to it.
“Federal procurement fraud is a pervasive issue, and whistleblowers play a critical role in the government’s fight against fraudulent bidding, contracting, and billing practices. For those who are thinking about serving as procurement fraud whistleblowers, understanding the federal whistleblowing process is critical for making informed decisions about their next steps.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
So, what do you need to know if you are thinking about reporting procurement fraud to the federal government? Here are 10 important insights for whistleblowers in 2025:
1. Suspecting Procurement Fraud and Being Able to Prove Procurement Fraud Are Not the Same
Filing a whistleblower complaint for procurement fraud requires more than just suspicion of wrongdoing. To qualify as a federal whistleblower—and to become eligible for the protections and financial compensation that are available—you must be able to help the federal government prove that a contractor or subcontractor has violated the law, whether through false statements, bid rigging, overbilling, or other fraudulent actions.
As a result, if you just have general concerns about procurement fraud, these concerns—on their own—will generally be insufficient to substantiate a procurement fraud whistleblower complaint. However, if you have inside information about a specific form of procurement fraud, then this is a scenario in which filing a whistleblower complaint may be warranted.
2. You Don’t Need Conclusive Proof to Serve as a Procurement Fraud Whistleblower
To be clear, however, filing a whistleblower complaint does not require conclusive proof of government procurement fraud. Instead, to file a whistleblower complaint under the False Claims Act in federal court, you must be able to make allegations that “have evidentiary support or, if specifically so identified, will likely have evidentiary support after a reasonable opportunity for further investigation.” As a result, you do not need any specific type or volume of evidence to serve as a procurement fraud whistleblower. If you have reason to believe that government contract fraud has been committed (or is in the process of being committed), this is generally all that is required.
With that said, the more evidence you have, the better—and you will want to work closely with an experienced procurement fraud whistleblower lawyer to determine whether you can meet the federal pleading requirements. If you need additional information, your lawyer can advise you regarding the information needed and how to collect it, as discussed in greater detail below.
3. You Must Be the First to Come Forward with Material Non-Public Information
Another requirement for serving as a procurement fraud whistleblower is that you must be privy to non-public information. In most cases, you also need to be the first to share this information with the federal government, though certain exceptions may apply.
With this in mind, while it is important to make an informed decision about whether to file a procurement fraud whistleblower complaint under the False Claims Act, it is also important to act promptly. A lawyer who has experience representing federal whistleblowers should understand that time is of the essence and should be able to assist you with making an informed decision as efficiently as possible.
4. While You Should Protect Any Evidence You Have, You Should Be Cautious About Collecting Additional Evidence
If you have collected or copied any evidence from your employer’s facilities or computer systems, you should protect this evidence to the best of your ability. Keep any hardcopy documents in a secure location and keep any electronic files on a secure storage device (and not in the cloud). This is important for your protection and for helping to ensure that you remain eligible to secure federal whistleblower status.
At the same time, if you are aware of additional evidence that you have not yet collected, you will need to be cautious about collecting this additional evidence. Even when you are taking steps to expose fraud, it is important to avoid violating employment policies or non-disclosure obligations–as doing so could put you at risk. While there are rules on when employers can (and can’t) enforce these types of restrictions to prevent whistleblowing, here too, you need to ensure that you are making informed decisions. An experienced procurement fraud whistleblower lawyer will be able to help.
5. If You Come Forward with Qualifying Information, the Government Will Have a Duty to Investigate Further
A key aspect of the procurement fraud whistleblower process is that the government has a duty to investigate allegations that warrant further inquiry. This is due, in part, to the nature of the qui tam procedures under the False Claims Act. The government isn’t necessarily required to pursue an enforcement action—this decision will be based on the outcome of its investigation—but it is generally required to determine if enforcement action is warranted.
With that said, not all substantiated allegations of government procurement fraud will necessarily warrant a federal investigation. If the amount at issue is small, the U.S. Department of Justice (DOJ) may be justified in deciding not to devote federal resources to a full-blown federal inquiry. A whistleblower lawyer who has significant experience in qui tam cases will be able to assess whether the DOJ is likely to determine that your allegations warrant an investigation.
6. Federal Authorities Will Expect to Be Able to Work With You During Their Procurement Fraud Investigation
If you file a procurement fraud whistleblower complaint and the government decides to open an investigation, you will be expected to work with the government during the investigative process. Whether, and to what extent, you remain involved is up to you–but it is important to understand that federal agents and prosecutors will be expecting you to assist to the extent that you can. Your lawyer can advise you here as well, and can communicate with federal authorities on your behalf if you so desire.
7. Procurement Fraud Whistleblowers Are Entitled to Protection Against Retaliation and May Be Entitled to Financial Rewards
If you qualify as a procurement fraud whistleblower under the False Claims Act, you will be entitled to protection against retaliation in your employment (if you are currently employed by the contractor or subcontractor that you are accusing of fraud). Your employer will be prohibited from taking adverse employment action against you based on your decision to blow the whistle; and, if it retaliates against you illegally, you will be entitled to clear remedies under federal law.
If the information you provide leads to a successful enforcement action, you may also be entitled to a financial reward. Subject to certain stipulations, under the False Claims Act, whistleblowers who help the government recover losses from procurement fraud are entitled to between 10% and 30% of the amount recovered.
8. Hiring an Experienced Whistleblower Lawyer is Important, and You Can Do So at No Out-of-Pocket Cost
While filing a procurement fraud whistleblower complaint is a complex process, you do not have to go through the process on your own. You can—and should—hire an experienced whistleblower lawyer to represent you at no out-of-pocket cost. An experienced lawyer will be able to advise you of your options every step of the way, answer all of your questions, and interface with the federal government on your behalf.
9. There Are Several Reasons to Consider Blowing the Whistle on Procurement Fraud
If you have information about government procurement fraud, there are several reasons to consider coming forward. While the prospect of a financial reward is appealing to many, blowing the whistle is also simply the right thing to do. Contractors that engage in procurement fraud deserve to be held accountable, and helping federal and state governments recover taxpayer funds—while also helping to mitigate the risk of future losses—is beneficial for everyone.
10. It Is Up to You to Decide Whether to Blow the Whistle on Procurement Fraud
Ultimately, however, whether you decide to serve as a procurement fraud whistleblower is up to you. While an experienced whistleblower lawyer will help you make sound decisions, your lawyer should not pressure you into coming forward. It is a big decision to make, and it is one that you need to make based on what you believe is the right thing to do under the circumstances at hand.
As we mentioned above, however, time can be of the essence in this scenario. With this in mind, if you believe that you may have inside information, you should not wait to report fraud to the government. Your first step is to schedule a free and confidential consultation with an experienced procurement fraud whistleblower lawyer—and this is a step that you should take as soon as possible.
Understanding the U.S. Embassy Paris Certification Requirement
Last week, the U.S. Embassy in Paris issued a letter and certification form to multiple French companies requiring companies that serve the U.S. Government to certify their compliance with U.S. federal anti-discrimination laws. This certification request was issued in furtherance of President Trump’s Executive Order 14173 on Ending illegal Discrimination and Restoring Merit-Based Opportunities, issued on January 21, 2025. This Order addresses programs promoting Diversity, Equity and Inclusion (DEI) and requires that government contractors’ employment, procurement and contracting practices not consider race, color, sex, sexual preference, religion or national origin in ways that violate the United States’ civil rights laws.
Certification Contents
The certification requires U.S. Government contractors to certify that they comply with all applicable U.S. federal anti-discrimination laws and do promote DEI in violation of applicable U.S. federal anti-discrimination laws.
While the letter was issued by the U.S. Embassy in Paris and is arguably limited to contractors serving that embassy, the requirement under the Executive Order extends to all contractors doing business with any U.S. Government agency.
Any company submitting the certification with knowledge that it is false will be deemed to have violated the U.S. False Claims Act, which imposes liability on individuals and companies who defraud governmental programs.
Implications for French Companies
This letter raises questions about the extraterritorial application of U.S. laws to foreign companies and their reach. In particular, while the Executive Order clearly applies to companies (irrespective of nationality) that directly supply or provide services to the U.S. Government, it is unclear whether, for example, the French parent of a U.S. subsidiary providing services to the U.S. Government would be subject to the certification.
The issue is complicated by the fact that French law in some ways conflicts with the provisions of the Executive Order – for instance, requiring that mid-sized and large companies have a minimum percentage of women sitting on their boards.
Neither the Executive Order nor the documents mention any exemptions or carve-outs for suppliers and service providers.
Conclusion
The U.S. Embassy’s certification requirement underscores the current complexities faced by international businesses in dealing with the U.S. Government. French companies should consider carefully assessing their DEI programs and overall compliance with U.S. federal laws while continuing to adhere to their own legal obligations, striking a careful balance as best they can.
Latest FCA Cybersecurity Settlement Shows Enforcement Remains a Priority Under Trump Administration
A recent United States Department of Justice (DOJ) announcement reinforces that enforcement of cybersecurity requirements under the False Claims Act (FCA) remains an ongoing risk. According to the press release, defense contractor MORSECORP Inc. (MORSE) agreed to pay US$4.6 million to resolve a FCA matter arising from a qui tam relator’s suit alleging that MORSE failed to comply with certain U.S. Department of Defense (DOD) cybersecurity requirements. This is the most recent settlement involving DOJ cybersecurity enforcement, a topic that Foley reported on previously.
The MORSE Settlement
Qui tam relator Kevin Berich, MORSE’s Head of Security, filed an FCA complaint against MORSE and its CEO in January 2023. MORSE is a software development company that had contracts and subcontracts with the U.S. Army and Air Force. Federal regulations dictate that DOD contracts like those entered into by MORSE require implementation of cybersecurity controls outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). But Mr. Berich alleged that he witnessed MORSE continually fail to implement NIST SP 800-171 controls, including by failing to use multi-factor authentication, using non-compliant email and video call-hosting services, and using employee personal devices to access MORSE systems and transmit controlled unclassified information (CUI).
Under the FCA, a qui tam complaint is filed under seal, shared with DOJ, and not shared with the defendant so that DOJ can investigate the matter. After investigating for over two years, in March 2025, DOJ announced a settlement with MORSE and Mr. Berich for US$4.6 million. According to the announcement, MORSE admitted that it:
Used a third-party vendor for email hosting without ensuring that vendor met the necessary security requirements.
Failed to implement all NIST SP 800-171 controls or maintain a system security plan for its covered information systems.
Submitted a self-assessed score of 104 to DOD for its NIST SP 800-171 implementation and continued to report that score even after an outside audit notified MORSE that it failed to implement 78 percent of the required security measures and had an actual score of -142.
Notably, the settlement does not indicate that there were any breaches or other compromises of CUI or other protected information; rather, the case appears to have been premised on the possibility that such breaches could occur as a result of MORSE’s sub-standard cybersecurity program.
The MORSE settlement demonstrates the risk of failing to prioritize cybersecurity controls, especially given that FCA qui tam suits can be filed by insiders such as the Head of Security that initiated the MORSE suit. The case also underscores DOJ’s ongoing focus on cybersecurity enforcement, which includes the 2021 Department of Justice Cyber-Fraud Initiative and appears to be continuing full-steam ahead in the current Trump administration.
Recommendations
Given those risks, defense contractors and other recipients of federal funds (including colleges and universities) should consider the following steps to enhance cybersecurity compliance and reduce FCA risk:
Catalogue and monitor compliance with all government-imposed cybersecurity standards. A first step is to ensure your organization has a comprehensive list of all cybersecurity requirements and covered systems in your organization. These requirements may come not only from prime government contracts but also subcontracts, grants, or other federal programs. This includes not only ongoing knowledge of the organization’s contracts, but also continuously monitoring and assessing the organization’s cybersecurity program to identify and patch vulnerabilities and to assess compliance with those contractual cybersecurity standards. This assessment should also consider third-party relationships, such as vendors or service providers.
Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. In many companies, the compliance program and information security functions are not well integrated. An effective compliance program will address cybersecurity concerns and encourage employees to report such concerns. When concerns are identified, it is critical to escalate and investigate them promptly. As the MORSE settlement illustrates, it is critical to respond to employees’ concerns effectively.
Where non-compliance with cybersecurity standards is identified, organizations should evaluate potential next steps. This includes whether to disclose the matter to the government and cooperate with government investigators. Organizations should work with experienced counsel in this regard. Proactively mapping out a strategy for investigating and responding to potential non-compliance can instill discipline to the process and streamline the organization’s approach.
Criminal Health Care Fraud Enforcement: Projections for 2025 and Beyond [Podcast]
Since Pam Bondi was appointed U.S. Attorney General, we’ve seen notable shifts in the U.S. Department of Justice’s (DOJ’s) criminal enforcement priorities.
How significant are some of these changes, and how might they affect your health care organization as we progress through 2025 and beyond?
On this episode, Epstein Becker Green attorneys Sarah Hall, Melissa Jampol, Thomas Jaworski, and Richard Westling discuss what to expect from criminal health care fraud enforcement under Attorney General Bondi’s leadership and how it may impact the health care industry.
Court Sides with RICO Complainant Who Received Tainted Medical Marijuana and with FDA on Regulating E-Cigarettes – SCOTUS Today
The Racketeer Influenced and Corrupt Organizations Act (RICO) allows any person “injured in his business or property by reason of” racketeering activity to bring a civil suit for damages. 18 U. S. C. §1964(c). However, the statute forbids suits based on “personal injuries.” But are economic harms resulting from personal injuries “injuries to ‘business or property?’”
Yesterday, in Medical Marijuana, Inc. v. Horn, the U.S. Supreme Court, in a 5–4 opinion written by Justice Barrett and joined by Justices Kagan, Sotomayor, Gorsuch, and Jackson, answered that question in the affirmative. Justices Thomas and Kavanaugh wrote dissenting opinions, the latter joined by the Chief Justice and Justice Alito.
Attempting to alleviate his chronic pain, Douglas Horn purchased and began taking “Dixie X,” advertised as a tetrahydrocannabinol-free (“THC-free”), non-psychoactive cannabidiol tincture produced by Medical Marijuana, Inc. However, when his employer later subjected him to a random drug test, Horn tested positive for THC. When Horn refused to participate in a substance abuse program, he was fired. Horn then brought his RICO suit.
The U.S. Court of Appeals for the Second Circuit, reversing the U.S. District Court for the Western District of New York, held that Horn had been “injured in his business” when he lost his job and rejecting the “antecedent-personal-injury bar,” which several circuits had adopted to exclude business or property losses that derive from a personal injury. Affirming the Second Circuit, the Supreme Court held that the civil RICO statute did not categorically bar that form of recovery.
Interestingly (and the subject of the dissents, particularly that of Justice Thomas, who asserted that cert. had been improvidently granted), the Court did not address issues deemed outside of the question presented, including whether Horn suffered a personal injury when he consumed THC, whether the term “business” encompasses all aspects of “employment,” and what “injured in his . . . property” means for purposes of §1964(c). Thus, the majority opinion encompasses several assumptions, the verification of which will be the subject of the Court’s ultimate remand to the Second Circuit.
The essence of the opinion is derived from the dictionary, and a debate over how its definitions should be read informs the split among the Justices. Justice Barrett’s majority opinion starts with the American Heritage Dictionary and the “ordinary meaning of ‘injure’”: to “cause harm or damage to” or to “hurt.” While the statute precludes recovery for injury to the person, its business or property requirement operates with respect to the kinds of harm for which the plaintiff can recover, not the cause of the harm for which he seeks relief. For example, a gas station owner beaten in a robbery cannot recover for his pain and suffering. But if injuries from the robbery force him to shut his doors, he can recover for the loss of his business. A plaintiff can seek damages for business or property loss, in other words, regardless of whether the loss resulted from a personal injury.
Rejecting Medical Marijuana’s (and the dissenters’) view of what “business or property” should mean under RICO, Justice Barrett, in a delightfully written paragraph, remarks that:
Medical Marijuana tries valiantly to engineer a rule that yields its preferred outcomes. (Civil RICO should permit suit against Tony Soprano, but not against an ordinary tortfeasor.) But its textual hook—the word “injured”—does not give it enough to go on. When all is said and done, Medical Marijuana is left fighting the most natural interpretation of the text—that “injured” means “harmed”—with no plausible alternative in hand. That is a battle it cannot win.
It didn’t.
With respect to the remand, Justice Barrett noted that RICO’s “direct relationship” requirement is a constraint on civil RICO claims and, given the complications in the factual underpinnings of the case, that requirement might prove to be an insurmountable barrier to Horn’s succeeding. Horn himself “concedes that he faces ‘a heavy burden on remand.'”
The second case decided yesterday shows that if the Court is indeed going to be unanimous, it will not be succinct. Justice Alito’s 46-page discourse on behalf of a unanimous Court in Food and Drug Administration v. Wages and White Lion Investments, L.L.C. proves that point. I shall argue that Justice Alito’s lengthy opinion indirectly provides much useful guidance to patients, providers, and payers with respect to likely challenges to administrative actions, especially in the health care space, in the current Trump administration.
The issue in the case concerned whether the FDA lawfully denied respondents authorization to market certain electronic nicotine-delivery system products, known as electronic cigarettes, “e-cigarettes,” or “vapes.” These products come in a variety of flavors that particularly appeal to young people, and they pose unique risks. While the FDA has always had authority to determine whether a manufacturer could market a new drug, the FDA gained particular jurisdiction to regulate tobacco products under the Family Smoking Prevention and Tobacco Control Act of 2009 (TCA). The TCA barred the FDA from banning all regulated tobacco products outright, but it blocked marketing any “new tobacco product” without FDA authorization. The TCA requires the FDA to deny such an application unless an applicant shows that its product “would be appropriate for the protection of the public health.” To determine this, the FDA must consider, among other things, “the risks and benefits to the population as a whole.”
The respondents in the case had petitioned for judicial review of the FDA’s denial orders under the Administrative Procedure Act (APA). The Fifth Circuit, sitting en banc, held that the “FDA had acted arbitrarily and capriciously by applying application standards different from those articulated in its predecisional guidance documents regarding scientific evidence, cross-flavor comparisons, and device type. The court expressed particular concern about the FDA’s failure to review marketing plans it previously deemed critical. It also rejected the FDA’s argument that any errors were harmless.”
Reversing the Fifth Circuit, the Supreme Court first declined to reach the argument that the FDA erred in evaluating the respondents’ applications under standards developed in adjudication rather than standards promulgated in notice-and-comment rulemaking. Instead, the Court concluded that the denial orders were sufficiently consistent with the FDA’s predecisional guidance—as to scientific evidence, comparative efficacy, and device type—and thus did not run afoul of the so-called “change-in-position doctrine,” which provides that “[a]gencies are free to change their existing policies as long as they provide a reasoned explanation for the change,” “display awareness that [they are] changing position,” and consider “serious reliance interests.”
This doctrine asks whether an agency changed existing policy and, if so, whether it displayed awareness of the change and offered good reasons for it. Here, the new policy that led to the rejection of the respondents’ applications was “sufficiently consistent” with the agency’s predecisional guidance regarding scientific evidence. It was also consistent with the TCA’s provision that “well-controlled investigations” or other “valid scientific evidence,” if found “sufficient,” may support a finding that a new tobacco product is “appropriate for the public health.”
However, there was still a “harmless error” issue for the Court to decide. And that related to the Fifth Circuit’s rejection of the FDA’s claim of harmless error regarding the agency’s change of position on marketing plans. The FDA did not dispute that despite assuring manufacturers that marketing plans would be “critical” to their applications, it ultimately did not consider the respondents’ marketing plans. The FDA argued that this was harmless because it had issued denials to manufacturers other than the respondents that were based upon marketing plans indistinguishable from those of the respondents. While the Fifth Circuit applied an incorrect standard of review under governing precedents, doing it correctly “presents a difficult problem, requiring reconciliation of the so-called remand rule developed in SEC v. Chenery Corp., 318 U. S. 80, 88, 93–95, with the APA’s instruction that reviewing courts must take ‘due account’ of ‘the rule of prejudicial error’ that ‘ordinarily appl[ies] in civil cases,’ Shinseki v. Sanders, 556 U. S. 396, 406 (quoting 5 U. S. C. §706).”
The Court continues, “The most natural interpretation of the APA’s language is that reviewing courts should adapt the ‘rule of prejudicial error’ applicable in ordinary civil litigation (also known as the harmless-error rule) to the administrative-law context, which, of course, includes the remand rule.” However, the Court has acknowledged that a remand may be unwarranted in certain cases when an agency’s decision “is supported by a plethora of factual findings, only one of which is unsound, because a remand would be pointless.” Given the fact that both the FDA and the Fifth Circuit might have been in error with respect to the harmless error question, and that the FDA has not asked the Court to decide the harmless error question at this point in the case, the Supreme Court vacated the Fifth Circuit’s holding and remanded the case to it so that the Circuit Court “can decide the question afresh” under the correct reading of the caselaw requirements described by the Supreme Court.”
One recognizes the importance of the FDA’s consideration of marketing a tobacco product directed at young people. But perhaps more importantly, I suggest that the Court’s decision offers grounds for useful observations about the many changes in regulatory position and various rulemaking determinations (or lack thereof) being made by various administrative agencies during the current administration. Many of these events are occurring in the food and drug and health care coverage and reimbursement spaces. The length and depth of this unanimous opinion with respect to the FDA’s responsibilities when it has changed position or otherwise might be challenged under the APA for having acted arbitrarily or capriciously suggests the intensity and precision of what federal courts will require in administrative law challenges. In this decision, the agency largely prevailed, though the facts of the case occurred during the previous administration. The court challenges in the current administration are just beginning to take shape as the regulatory environment is radically changing.
Even during the Supreme Court’s current term, at the beginning of a new presidential term, we shall see—and many of my readers will bring—regulatory challenges that will be guided by what the Court held yesterday.
Supreme Court Rules Lost Wages May Be Recoverable Under RICO For False Advertising After Drug Test Dismissal
On April 2, 2025, the Supreme Court of the United States ruled that a truck driver who lost his job after testing positive for marijuana may pursue claims for lost wages under the Racketeer Influenced and Corrupt Organizations Act (RICO) against the sellers of an allegedly fraudulently marketed pain relief product.
Quick Hits
The Supreme Court allowed a truck driver to pursue civil RICO claims for lost wages after he failed an employer drug test after ingesting an allegedly falsely marketed pain relief product.
The Court ruled that a plaintiff may pursue treble damages under RICO for lost business or property that followed a personal injury.
The decision raises questions about the scope of RICO, particularly whether lost wages and economic harms related to personal injuries can be considered recoverable.
The 5–4 ruling in Medical Marijuana, Inc. v. Horn held that a plaintiff may seek treble damages under RICO, a law initially designed to combat organized crime, for lost business or property, even if the damages resulted from an antecedent personal injury.
The ruling allowed a truck driver to pursue civil RICO claims seeking recovery for lost wages against the sellers of a pain relief product after he was discharged for failing a random drug test when he tested positive result for tetrahydrocannabinol (THC), the psychoactive component of marijuana or cannabis. He alleged the sellers falsely marketed their pain relief product as not containing THC, only the non-psychoactive chemical cannabidiol, more commonly known as CBD.
The product sellers argued that the damages resulted from a personal injury and that RICO’s “business or property” injury limitation precludes recovery for economic harms stemming from personal injuries. Specifically, RICO allows an individual to bring civil claims for damages to “business or property by reason of” racketeering and other activities prohibited by the act and recover treble damages.
“The phrase ‘injured in his business or property’ does not preclude recovery for all economic harms that result from personal injuries,” Justice Amy Coney Barrett wrote in the Court’s opinion, which was joined by four other justices. “We therefore affirm the Second Circuit’s judgment and remand the case for further proceedings consistent with this opinion.”
Notably, the Supreme Court expressly did not address whether the truck driver had suffered a personal injury when he consumed THC or whether the term “business” encompasses all aspects of “employment.” The Court also did not provide further explanation on what types of injuries to “property” are covered by RICO.
The Second Circuit had found that the truck driver was “‘injured in his business’” when he lost his job and that there is no bar to recovery under RICO if the economic harm is preceded by or a result of a personal injury.
The CBD product sellers argued that the Second Circuit’s approach would effectively destroy RICO’s “business or property” limitation and transform traditional personal injury suits into federal suits under RICO, which allows for recovery of treble damages.
However, the Supreme Court majority rejected the sellers’ arguments. In the Court’s opinion by Justice Barrett, the Court clarified the plain interpretation of the RICO text, stating that “‘injured’ means ‘harmed’ − with no plausible alternative in hand.” (Justice Ketanji Brown Jackson wrote a short concurring opinion to note that Congress has instructed that RICO be “liberally construed.”)
The Court further explained that while “civil RICO has undeniably evolved,” RICO claims are still limited in that they require a direct relationship between the injury and the alleged injurious conduct, and a “plaintiff must first establish a pattern of racketeering activity.” The Court also noted that the terms “business” and “property” in RICO still limit the types of claims that are recoverable.
“As we noted at the outset, ‘business’ may not encompass every aspect of employment, and ‘property’ may not include every penny in the plaintiff ’s pocketbook,” the Court said. “Accordingly, not every monetary harm—be it lost wages, medical expenses, or otherwise—necessarily implicates RICO.”
“If the breadth of the statute ‘leads to the undue proliferation of RICO suits, the ‘correction must lie with Congress,’” the Court added.
In a dissenting opinion joined by Chief Justice John Roberts and Justice Samuel Alito, Justice Brett Kavanaugh argued that RICO categorically excludes personal injury claims, stating that “the fundamental question here is whether business or property losses from a personal injury transform a traditional personal-injury suit into a business-injury or property-injury suit that can be brought in federal court for treble damages under RICO.”
Justice Kavanaugh further argued that the majority’s opinion “leaves substantial confusion in its wake” because it did not explain “whether lost wages and medical expenses are recoverable losses of business or property in those RICO suits.”
Justice Clarence Thomas dissented, arguing that the case was “improvidently granted” because the parties dispute whether the truck driver even “suffered a personal injury in the first place” and that there has been inadequate briefing on the meaning of the “business or property” injury requirement in RICO.
Next Steps
The Supreme Court’s ruling expands the reach of RICO’s civil component by finding that personal injury claims that have damages to “business or property” are not necessarily excluded. The CBD sellers in the case and business groups have argued that such an approach could increase federal RICO liability for businesses for product liability claims. However, the Court noted that it is up to Congress to limit the claims, if necessary.
Further, while the ruling comes in the context of an employee suing for lost wages after losing his job, the ruling leaves open questions over the extent to which lost wages or other adverse employment actions that lead to lost wages or economic losses for employees may implicate RICO. The Second Circuit had interpreted injury in “business” under RICO as encompassing “employment.” Still, the Supreme Court expressly did not decide that issue, noting the Second Circuit’s “interpretation may or may not be right.”
Whether the truck driver’s RICO suit will ultimately be successful after remand level is highly questionable. However, the concerns raised in the dissent remain—the inclusion of economic harms that stem from personal injuries as recoverable under RICO is likely to lead some crafty attorneys to attempt to further expand the applicability of the civil RICO statute.
Trump Administration Efforts to Eliminate Cartels Pose Heightened Risk for Financial Institutions
As discussed in Bracewell’s February 11 and February 26 updates, the executive branch is prioritizing the “total elimination” of cartels and transnational criminal organizations, both through edicts from the Oval Office and through agency initiatives. Each action is significant on its own, but taken together, this concerted effort increases the potential criminal and civil liability of any company — but particularly financial institutions — that conducts business in Mexico and certain parts of Central and South America. Below we break down three significant pieces of this effort and provide guidance on how companies should navigate this new risk landscape.
Designation of Cartels as FTOs and SGDTs Expands Scope of Criminal and Civil Liability
Pursuant to Executive Order 14157, the US State Department designated eight international cartels and transnational organizations[1] as Foreign Terrorist Organizations (FTOs) and Specially Designated Global Terrorists (SGDTs). The list includes six Mexican cartels, TdA (a cartel active in parts South America) and MS-13 (a cartel active in parts of Central America). These new designations increase the risk of criminal and civil liability for both US and foreign companies that may interact with these cartels knowingly or unknowingly, directly, through third-party vendors, or when paying certain “fees” and to conduct business in areas controlled by the cartels.
Criminal Liability. Providing any of the cartels now designated as FTOs with money, financial services, lodging, personnel or transportation may constitute the criminal offense of providing “material support” to a terrorist organization in violation of 18 U.S.C. § 2339B. Because the reach of 18 U.S.C. § 2339B is not confined to US entities or activities on US soil, these charges have been brought against foreign companies for transactions in foreign countries, including against Lafarge, a French building materials manufacturer for sharing revenue with FTOs (ISIS and ANF) in Syria, and Chiquita Banana for making payments to an FTO (the AUC) in Colombia. By increasing the number of FTOs, the new designations increase the risk of similar prosecutions directed at any company providing material support to these newly designated FTOs operating in Mexico and in parts of Central and South America. While some of these entities may previously have been subject to US sanctions, criminal liability creates an even greater threat.
Civil Liability. The Anti-Terrorism Act, 18 U.S.C. § 2333, allows US nationals injured by an act of terrorism to bring claims against companies that engage in or aid and abet an act of international terrorism by providing material support or knowingly providing substantial assistance to the FTO who perpetrated, planned or authorized the attack. The potential liability is considerable, because the statute allows the victims to “recover threefold the damages he or she sustains and the cost of the suit, including attorney’s fees.” In Linde v. Arab Bank, PLC,[2] for example, a jury found Arab Bank Plc liable for knowingly supporting militant attacks in Israel linked to Hamas — an FTO — based on the bank’s providing financial services to charities that plaintiffs allege were agents of Hamas set up to solicit and launder money to support the FTO’s operations. Before the verdict was overturned on appeal, the bank was facing at least $100 million in damages. Ultimately, Arab Bank Plc reached a settlement with the plaintiffs for an undisclosed amount.
Justice Department Expedites Cartel-Related Prosecutions
Historically, certain types of prosecutions required approvals by various stakeholders within the Department of Justice. To facilitate the “aggressive prosecution” of cartels and transnational criminal organizations (TCOs), Attorney General Pam Bondi has suspended certain approval requirements, to which she referred as “bureaucratic impediments,” that might slow down or impede prosecutors from bringing charges against cartels, TCOs or their affiliates for some terrorism charges,[3] violations of the International Emergency Economic Powers Act (IEEPA), racketeering, violations of the Foreign Corrupt Practices Act and money laundering and asset forfeiture. See Bondi Memorandum regarding Total Elimination of Cartels and Transnational Criminal Organizations (Bondi Memo).
Before this suspension, a prosecutor would need approval from either the Criminal Division or the National Security Division (NSD) before issuing warrants and filing the charges listed above. Now, prosecutors are able to proceed more easily, without the same level of oversight. The Bondi Memo does, however, encourage consultation with the NSD and requires that prosecutors provide 24 hours’ advance notice of the intention to seek charges or apply for warrants. Nevertheless, the requirement to provide NSD with 24 hours’ notice, as compared to the requirement to meet NSD’s approval requirements, will allow for more charges to be brought more quickly.[4]
In addition to increasing the number of charges brought against cartels and their members directly, these changes will likely lead to an increase in the number of charges brought against companies for various crimes, including providing “material support” to a terrorist organization in violation 18 U.S.C. § 2339B, as described above; facilitating payments related to the human smuggling or illegal drugs, which has been declared a national emergency under IEEPA; and laundering money used for activities of the cartels.
Financial institutions are particularly at risk of tripping these wires. Banks that may provide financial services, or money transfer businesses (MTBs) that facilitate payments to cartels, for example, could be the subject of the criminal prosecutions described above. Given that cartels are woven into the fabric of many industries in Mexico, Central and South America, banks may be providing these services unwittingly. To address this threat, banks must reevaluate their Customer Due Diligence and KYC policies and reassess their current customers.
OFAC Highlights Risk for Financial Institutions Related to Cartel Designations
Reinforcing the increased risk of liability to financial institutions described above, the Office of Foreign Asset Control (OFAC) issued an alert on March 18, 2025 (OFAC Alert), warning of exposure to sanctions and civil or criminal penalties, especially for providing material support to foreign terrorist organizations in violation of 18 U.S.C. 2339B. The OFAC Alert is specifically directed at US and foreign financial institutions, noting that “foreign financial institutions that knowingly facilitate a significant transaction or provide significant financial services for any of the designated organizations could be subject to US correspondent or payable-through account sanctions.” This could suggest that the administration is not only aware that its new approach may ensnare financial institutions, but that doing so is one of its aims, likely calculating that such a focus will decrease cartel access to finances.
There is a precedent for such prosecutions of financial institutions for failing to maintain effective anti-money laundering programs and to conduct appropriate due diligence to avoid transacting with customers located in countries subject to sanctions enforced by OFAC. These prosecutions can result in fines and penalties greater than $1 billion. Now, the OFAC Alert serves as a warning that financial institutions may be prosecuted if they provide financial services to any of the cartels now designated as FTOs.
[1] The first round of designations include: Tren de Aragua (TdA); La Mara Salvatrucha (MS-13); Cártel de Sinaloa; Cártel de Jalisco Nueva Generación (CJNG); Cártel del Noreste (CDN); La Nueva Familia Michoacana (LNFM); Cártel del Golfo (CDG); and Cártel Unidos (CU).
[2] Case No. 04-cv-2799 in the United States District Court for the Eastern District of New York.
[3] The terrorism charges for which NSD approval has been suspended include: 18 U.S.C. §§ 2332a, 2332b, 2339, 2339A, 2339B, 2339C, 2339D, 21 U.S.C. § 960A, and 50 U.S.C. § 1705. This policy does not exempt from NSD’s approval and concurrence requirements cases involving 18 U.S.C. §§ 175, 175b, 219, 793, 794, 831, 951, and 1030(a)(l).
[4] Although it is not entirely clear in the Bondi Memo, these changes appear to apply only to “investigations targeting members or associates of cartels or TCOs.” The suspension of approval requirements could be interpreted, or may be amended, to include all charges under the enumerated statutes.
Corporate Transparency Act Update: Drastic Reduction in Scope of BOI Reporting in March 21, 2025 FinCEN Guidance
On March 21, 2025, the United States Treasury announced a significant reduction in scope of the definition of “reporting company” under the Corporate Transparency Act, limiting the obligation to file beneficial ownership reports to foreign entities only and removing the obligation to file from U.S. persons and U.S. companies.
As noted in our previous online posts, following significant litigation regarding the constitutionality of the regulation, on February 19, 2025, FinCEN suspended reporting obligations under the CTA and promised further guidance on reporting obligations to be issued on or before March 21, 2025. On March 21, 2025, FinCEN issued an interim final rule:
The new rule exempts U.S. persons from having to disclose BOI under the regulations by narrowing the definition of a “reporting company”. This means that any entity created in the United States does not need to report beneficial ownership to FinCEN under the CTA, even if it has non-US persons as beneficial owners.
The rule is now narrowed to only foreign entities that are registered to do business in the United States by the filing of a document with a secretary of state or similar office. The rule reduces the scope of the CTA dramatically, as most foreign enterprises doing business in the United States will have created a legal subsidiary within the country in order to conduct business. As above, U.S. entities are exempt from reporting.
Entities in existence prior to Friday have 30 days to complete their BOI filings with FinCEN. Entities that come into existence after the issuance of the rule have 30 days following formation to complete their filing obligations.
FinCEN continues to accept comments to this interim final rule and intends on issuing a final rule later this year. The final rule may change the scope of the CTA, and litigation continues before the courts regarding the CTA. We will continue to follow the law’s progress and will provide updates as this regulation evolves.
Our prior posts on CTA developments can be found here:
Client Alert: Corporate Transparency Act Beneficial Ownership Information Reporting On Hold – Business Law
Client Alert: Supreme Court Allows Corporate Transparency Act Enforcement But FinCEN Notes Another Stay Prevents Current Implementation – Business Law
CTA Reporting Now Required, but FinCEN Waives Penalties and Indicates New Reporting Deadline Extension Likely Later This Year – Business Law
CTA Drastically Pared Back
As promised by the US Department of Treasury in early March, the Financial Crimes Enforcement Network (FinCEN) issued an interim final rule removing the requirement for US companies, their beneficial owners, and US persons to report beneficial ownership information (BOI) to FinCEN under the Corporate Transparency Act (CTA).
Now, only non-US entities that have registered to do business in the United States are subject to the CTA.
See our prior alert on Treasury’s March 2 announcement here.
Only Non-US Entities Subject to the CTA
The interim final rule, issued by FinCEN on March 21 and published on March 26, amends the BOI reporting rule to revise the definition of “reporting company” to extend only to entities formed under the law of a foreign country that have registered to do business in any US state or tribal jurisdiction by filing a document with a secretary of state or similar office. This category of entities under the original rule was termed “foreign reporting companies.” And, in a related move, the interim final rule also formally exempts domestic entities (formerly known as “domestic reporting companies”) from the CTA’s requirements.
No BOI Reporting of US Persons Is Required
Furthermore, reporting companies are not required to report the BOI of any US persons who are beneficial owners, and US persons are exempt from having to provide BOI with respect to any reporting company for which they are a beneficial owner.
Company Applicant Reporting Is Still Required
The concept of a “company applicant” has been retained for the foreign entities still subject to the CTA, but it applies only to the individual who directly files the document that first registers the reporting company with a state or tribal jurisdiction and to the individual (if different from the direct filer) who is primarily responsible for directing or controlling that filing. A company applicant may be a US person and is not exempted from being reported as a company applicant by virtue of being a US person.
New Initial Reporting Deadlines
Foreign entities that are “reporting companies” under the interim final rule and do not qualify for an exemption from reporting under the CTA are subject to new deadlines:
Reporting companies registered to do business in the United States before March 26 must file BOI reports by April 25.
Reporting companies registered to do business in the United States on or after March 26 have 30 calendar days to file an initial BOI report after receiving notice that their registration is effective (or public notice has been provided, such as through a publicly accessible registry).
Having filed an initial BOI report, a foreign entity that is a reporting company is subject to the 30-day deadline after March 26 to file an updated or corrected report as needed.
Next Steps
FinCEN is accepting comments on the interim final rule until May 27 and intends to finalize it later this year.
There are certain special cases that remain ambiguous under the interim final rule, such as that of a company that has been formed and exists simultaneously in the United States and in a foreign country. Based on the text of the interim final rule, such a company appears to not be a “reporting company,” as it presumably would fall within the new regulatory exemption for an entity that has been created by the filing of a document with a secretary of state or similar office under the law of a US state or tribal jurisdiction. But, as of now, the matter is not entirely clear.
With the changes wrought by the interim final rule, most companies are no longer subject to the CTA. For various reasons, the number of foreign entities that have registered to do business in the United States is small, and those companies may wish to consider restructuring their US activities to avoid a continued CTA obligation (although they may still need to file an initial report with FinCEN), such as by creating a US operating subsidiary.
Federal Judge Restrains Liability for Alleged False DEI Certifications
President Trump’s January 21 Executive Order targeting Diversity, Equity, and Inclusion Programs (DEI) (the “January 21 Executive Order”) and, specifically, § 3(b)(iv)) (the Certification Provision) cannot be the basis for liability — at least for one proactive litigant in the Northern District of Illinois. The holding could have broader implications for False Claims Act (FCA) defendants concerned about evolving certification requirements.
On January 20 and 21, 2025, President Trump issued two executive orders targeting Diversity, Equity, and Inclusion programs (titled, “Ending Radical and Wasteful Government DEI Programs and Preferencing” and “Ending Illegal Discrimination and Restoring Merit-Based Opportunity,” respectfully). The January 21 Executive Order included a direction to agencies (the “Certification Provision”) to require federal grant recipients to certify they do not “operate any programs promoting DEI that violate any applicable Federal anti-discrimination laws” and to “agree that its compliance in all respects with all applicable Federal anti-discrimination laws is material to the government’s payment decisions for purposes of [the FCA].” Immediately, this provision raised concerns that the Trump Administration may use the Certification Provision to bring FCA cases against grant recipients who do not comply. The threat of FCA litigation is paused for now, at least for Chicago Women in Trades (CWIT).
In February 2025, CWIT sued the Trump administration arguing, among other things, the Certification Provision violates its First Amendment Right to free speech because it “effectively regulates CWIT’s conduct outside of the contours of the federal grants.” (See Chicago Women in Trades v. Trump et al., Case No.1:25-cv-02005, N.D. Ill.)In response, the government argued the Certification Provision only implicates “illegal” DEI programs and no one has a constitutional right to violate the law. On March 27, 2025, U.S. District Court Judge Matthew Kennelly granted CWIT’s motion for a Temporary Restraining Order, preventing the Department of Labor from enforcing the Certification Provision and the Government from “initiat[ing] any False Claims Act enforcement against CWIT pursuant to the Certification Provision.”
In its Order, the court held the Certification Provision’s definition of what is an illegal DEI program is “left entirely to the imagination.” In the court’s view, the government has emphasized that conduct violating anti-discrimination laws has changed, and the government also has been “unwilling to in (in its briefs or at argument) define how it has changed.” This uncertainty put CWIT (and other grantees) in a difficult position — they must either decline to make a certification and lose federal grant money or risk making a certification that is later deemed to be false because the meaning of an illegal DEI program is unknown, subjecting “the grantee to liability under the False Claims Act.”[1]
While the Order restricts the Government specifically with respect to CWIT and the Certification Provision, lawsuits like CWIT’s will force federal courts across the country to determine what the Certification Provision means for FCA litigation going forward.
If you have questions about President Trump’s January 21 Executive Order or the False Claims Act, contact the authors or your Foley relationship lawyer.
[1] The court also said even if the government did define an illegal DEI program, the January 21 executive order still reads as an “express reference to First Amendment-protected speech and advocacy.”
ICO Fines Advanced Computer Software Group £3 Million Following Ransomware Attack
On March 27, 2025, the UK Information Commissioner’s Office (“ICO”) announced that it had issued a fine against Advanced Computer Software Group (“Advanced”) for £3.07 million (approx. $4 million) for non-compliance with security rules identified through an investigation following a ransomware attack which occurred in 2022.
The ICO’s investigation found that personal data belonging to 79,404 people was compromised, including details of how to gain entry into the homes of 890 people who were receiving care at home. According to the ICO, hackers accessed certain systems of a group subsidiary via a customer account that did not have multi-factor authentication. The ICO also noted that it was widely reported that the security incident let to the disruption of critical services. The ICO concluded that the group subsidiary had not implemented adequate technical and organization measures to keep its systems secure.
Initially, the ICO intended to issue a higher fine against Advanced. However, it took into consideration Advanced’s proactive engagement with the UK National Cyber Security Centre, the UK National Crime Agency and the UK National Health Service in the wake of the attack, along with other steps taken to mitigate the risk to those impacted. The final fine represents a voluntary settlement agreed between the ICO and Advanced.
Strengthening Government Fraud Enforcement: Administrative False Claims Act Provides Agencies Tool to Bring Fraud Claims
Enacted as part of the recent National Defense Authorization Act (NDAA), the U.S. Congress established a significant new fraud enforcement mechanism, called the Administrative False Claims Act (AFCA), which empowers federal agencies to investigate and adjudicate more fraud cases involving false claims and statements made to the government.
Quick Hits
The Administrative False Claims Act (AFCA) significantly strengthens agencies’ ability to combat fraud involving federal funds by allowing direct prosecutions.
The AFCA raises the maximum claim amount from $150,000 to $1 million, expands definitions of false claims that trigger liability beyond those involving claims for money, and establishes reimbursement guidelines for investigation costs.
The AFCA further broadens liability by including false statements not tied to a claim for payment and extends the timeframe for pursuing allegations of fraud.
On December 23, 2024, then-President Joe Biden signed the 2025 NDAA (also known as the “Servicemember Quality of Life Improvement and National Defense Authorization Act (NDAA) for Fiscal Year 2025”). Buried in the lengthy legislation is a section creating the AFCA, which revamps the underutilized Program Fraud Civil Remedies Act (PFCRA) of 1986. The AFCA expands the types of fraud cases that federal agencies can directly pursue, raising the claim ceiling to $1 million and allowing agencies to recover investigation costs.
Background
The PFCRA was enacted in 1986 to provide administrative agencies with a mechanism to pursue low-dollar-value fraud cases. However, the statute has been underutilized historically. In particular, a 2012 study conducted by the U.S. Government Accountability Office (GAO) revealed that during the fiscal years 2006 to 2010, only five civilian agencies—the U.S. Department of Housing and Urban Development (HUD), U.S. Department of Health and Human Services (HHS), the U.S. Department of Energy, the Corporation for National and Community Service (now named AmeriCorps), and the Nuclear Regulatory Commission—had utilized the PFCRA. Notably, HUD referred 96 percent of the cases, while other agencies referred only six cases over five years, according to the GAO study.
Key Amendments Under the AFCA
The AFCA introduces several significant amendments to strengthen the former PFCRA:
Increased Claim Ceiling—The maximum claim amount has been raised from $150,000 to $1 million, adjusted for inflation.
Conformance With FCA Provisions—The AFCA aligns its provisions with those found in the False Claims Act (FCA), one of the government’s primary tools for combating fraud against the federal government, ensuring consistency in fraud enforcement.
Reverse False Claims—The AFCA expands the definition of a false claim to include claims made to an “authority,” including federal agencies, executive departments, and designated federal entities, “which has the effect of concealing or improperly avoiding or decreasing an obligation to pay or transmit property, services, or money to the authority.”
Reimbursement for Investigation Costs—The AFCA also provides that agencies are reimbursed for the costs of investigations from amounts collected, including “any court or hearing costs,” making it more financially viable for agencies to pursue fraud cases.
Expanded Jurisdiction for Appeals—The AFCA specifies who can hear appeals for agencies without ALJs, broadening the scope of administrative review.
No Qui Tam Provision—However, unlike the FCA, the AFCA does not include a qui tam provision, which allows private individuals, known as “relators” or “whistleblowers,” to file lawsuits on behalf of the government and potentially receive a portion of any recovered damages.
Promulgation of Regulations—The AFCA will further require authorities to promulgate regulations and procedures to carry out the act and its amendments by June 23, 2025.
Revision of Limitations—The AFCA expands the limitation period for pursuing allegations, requiring the person alleged to be liable to be notified of the allegation within six years from the date the violation is alleged to have been committed or within three years after the material facts are discovered or “reasonably should have been known,” but not more than ten years from the date the alleged violation was committed.
Semiannual Reporting—The AFCA also amends the reporting obligations for federal government agencies, departments, and entities, requiring semiannual reports to include data on AFCA claims: the number of cases reported, actions taken—including statistical tables showing pending and resolved cases, average time to resolve cases, and final agency decisions appealed—and instances in which officials reviewing cases declined to proceed.
Next Steps
The AFCA represents a significant shift in administrative fraud enforcement as the federal government under the Trump administration focuses on reducing fraud and waste. The law strengthens and enhances the government’s ability to investigate and prosecute allegations of fraud, particularly those involving smaller dollar amounts, by providing agencies with a mechanism to prosecute allegations of fraud without having to go through the U.S. Department of Justice (DOJ) and the FCA process.
Moreover, the AFCA also expands the scope of potential liability, covering false statements even in the absence of a claim for payment. However, the AFCA lacks a qui tam provision that would incentivize whistleblowers to come forward with false claims allegations.
Moreover, the AFCA provides another antifraud tool as the Trump administration has sought to use the FCA against businesses to stop “illegal” diversity, equity, and inclusion (DEI) programs. There is potential that the AFCA could be used similarly as part of the administration’s efforts.
However, there are still questions regarding the AFCA’s authorization of administrative law judges (ALJs) and other officials to oversee cases. In its 2024 decision in Securities and Exchange Commission v. Jarkesy, the Supreme Court of the United States vacated a civil monetary penalty that was imposed in an ALJ proceeding. The Court found that this penalty violated the defendant’s right to a jury trial under the Seventh Amendment of the U.S. Constitution, raising concerns about the constitutionality of ALJ proceedings, particularly concerning monetary penalties.