Treasury May Be Shifting CTA Reporting Rule Away from Domestic and Toward Foreign Reporting Companies
On March 2, 2025, the United States Department of Treasury announced that it will not enforce fines or penalties based on the existing deadlines for reporting beneficial ownership information under the CTA beneficial ownership reporting rule.[1] This follows earlier guidance issued by FinCEN.[2]
Treasury further announced that it will be engaging in proposed rule-making to limit the CTA reporting rule to foreign reporting companies, noting that even after the new rules are in effect, it will not enforce any fines or penalties on any U.S. citizens, domestic reporting companies or their beneficial owners. No other details of the proposed rule-making or its timing were announced, including whether any changes might be proposed as to the definitions of domestic[3] or foreign[4] reporting companies under the reporting rule or any exemptions.
Treasury noted that this action is “in the interest of supporting hard-working American taxpayers and small businesses and ensuring that the rule is appropriately tailored to advance the public interest.”
[1] See Treasury Department Announces Suspension of Enforcement of Corporate Transparency Act Against U.S. Citizens and Domestic Reporting Companies | U.S. Department of the Treasury.
[2] On February 18, 2025, the Financial Crimes Enforcement Network of the Department of Treasury (FinCEN) issued a notice extending beneficial ownership reporting deadlines for most reporting companies to March 21, 2025. See FinCEN Notice, FIN-2025-CTA1, FinCEN Extends Beneficial Ownership Information Reporting Deadline by 30 Days; Announces Intention to Revise Reporting Rule (February 18, 2025) and an updated FinCEN Alert (February 19, 2025) Beneficial Ownership Information Reporting | FinCEN.gov. Subsequently, on February 27, 2025, FinCEN announced that it was suspending enforcement of the CTA reporting rule, including any fines or penalties, pending its further extension of reporting deadlines in an interim reporting rule to be issued not later than December 21, 2025. See FinCEN Not Issuing Fines or Penalties in Connection with Beneficial Ownership Information Reporting Deadlines | FinCEN.gov.
[3] A “domestic reporting company” is currently defined under the CTA and the reporting rule as any entity that is formed by filing a document with a secretary of state or similar office under the laws of a State or Indian tribe (including, for example, most LPs, LLPs and statutory, business and other trusts if the laws of a state or tribal jurisdiction require such filing to create the entity), subject to exemptions from the definition included in the CTA and the reporting rule. See 31 U.S.C. § 5336(a)(11)(A)(i) and 31 CFR 1010.380(c)1(i)).
[4] A “foreign reporting company” is currently defined under the CTA and the reporting rule as any entity that is formed under the laws of a foreign country and registered to do business in the United States by the filing of a document with a secretary of state or similar office under the laws of a State or Indian tribe subject to exemptions from the definition included in the CTA and the reporting rule. See 31 U.S.C. § 5336(a)(11)(A)(ii) and 31 CFR 1010.380(c)(1)(ii).
CFTC Issues Enforcement Advisory on Benefits of Self-Reporting, Cooperation, and Remediation
On Feb. 25, 2025, the Division of Enforcement (Division) of the Commodity Futures Trading Commission (CFTC) issued an Enforcement Advisory (2025 Advisory) outlining the benefits of self-reporting, cooperation, and remediation for violations of the Commodities Exchange Act (CEA). The 2025 Advisory embodies a further refinement of the Division’s approach over the last decade in connection with evaluating an entity’s or individual’s self-reporting, cooperation, and remediation when recommending enforcement actions to the Commission. The 2025 Advisory and the accompanying statement by CFTC Acting Chairman Caroline Pham underscore that the CFTC is emphasizing efficient use of enforcement resources and pursuing a more structured framework designed to create more concrete financial incentives for self-reporting to, and cooperating with, the Division.
Background
A brief review of the Division’s prior pronouncements in this area provides background and context to the 2025 Advisory. In January 2017, the Division updated the CFTC’s cooperation guidelines (2017 Update) by encouraging entity and individual self-reporting. The 2017 Update provided that self-reporting of wrongdoing and cooperating throughout an investigation could result in speedier settlements, substantially reduced penalties and, in rare cases, no prosecution at all. However, the 2017 Update did not provide specific guidance or concrete reductions, estimated or otherwise, for self-reporting, cooperation, and remediation. In May 2020, the Division issued a memorandum (2020 Memo), which provided further guidance and clarification regarding the factors the Division would consider when recommending civil monetary penalties to the Commission for violations of the CEA or the CFTC’s rules and regulations. The factors referenced in the 2020 Memo were incorporated into the Division’s updated Enforcement Manual. Taking the same general approach as the 2017 Update, however, the 2020 Memo did not provide specific guidance or concrete reductions for self-reporting, cooperation, and remediation.
The 2025 Advisory
The 2025 Advisory attempts to incentivize self-reporting, cooperation, and remediation of potential violations, and the Division’s stated policy objective for the 2025 Advisory is to provide clarity to the benefits of self-reporting and cooperating through reduced penalties. In contrast to the 2017 Update and the 2020 Memo, the 2025 Advisory indicates that the Division will now use a matrix to calculate the applicable mitigation credit (Credit), thereby creating tangible financial incentives for firms and individuals to come forward proactively and receive reduced penalties and/or sanctions. The Division noted that the new policy is aligned with best practices for assessing appropriate penalties used by the Department of Justice and other U.S. financial and commodity regulators. For example, the Federal Energy Regulatory Commission has a long-standing Policy Statement on Penalty Guidelines (based on the U.S. Sentencing Guidelines) for enforcement actions including credit through reduction in the “culpability score” for self-reporting and cooperation that can reduce civil penalties.
Aligned with the principles of regulatory consistency, transparency, and clarity, the 2025 Advisory details both the structure and framework the Division will utilize when assessing self-reporting, cooperation, and remediation in connection with investigations and enforcement actions. Specifically, with respect to self-reporting and entitlement to Credit, the 2025 Advisory states that the Division will utilize a three-tier scale: No Self-Report, Satisfactory Self-Report, and Exemplary Self-Report. To receive “Exemplary” self-reporting credit, the self-report must be timely and voluntary, made to either the Division or one of the other CFTC divisions with oversight responsibility, provide information that assists the Division in conserving resources in its investigation, and include all material information known at the time of the self-report.
With respect to its evaluation of cooperation and remediation, the 2025 Advisory states that the Division will assess cooperation using a four-tiered scale: No Cooperation, Satisfactory Cooperation, Excellent Cooperation, and Exemplary Cooperation. The Division will assess remediation as a part of its evaluation of cooperation and will consider further whether the entity or individual engaged in efforts to prevent future violations.
The Division’s assessment of the level of cooperation will also consider whether the entity or individual fully complied with subpoenas, voluntarily provided documents and information, made presentations to the Division, and, where applicable, made witnesses available for interviews or testimony. “Exemplary Cooperation” may include all of the foregoing, as well as evidence of significant remediation. The Division also included in the 2025 Advisory examples of behavior considered uncooperative, including untimely subpoena compliance, failure to preserve material information, bad faith attempts to improperly shape testimony, as well as harm to clients, counterparties, or customers.
Finally, the Advisory provides the Credit matrix (Matrix) detailing hypothetical/presumptive Credits. For example, the Matrix indicates that an entity or individual may be eligible to receive a Credit up to 55% for Exemplary Self-Reporting and Exemplary Cooperation, 40% for Exemplary Self-Reporting and Excellent Cooperation, 30% for Exemplary Self-Reporting and Satisfactory Cooperation, and 20% for Exemplary Self-Reporting and No Cooperation. The 2025 Advisory also notes that the Division’s assessment of cooperation is discretionary and will require a case-by-case analysis of the specific facts and circumstances of each matter.
Conclusion
The 2025 Advisory states that it is the “Division’s sole policy on self-reporting, cooperation, and remediation,” superseding all previous advisories and the Division’s Enforcement Manual, and is thus a critical read for any practitioner before the CFTC. Entities and individuals subject to CFTC jurisdiction should carefully consider the various tiers with counsel when contemplating a self-report, and practitioners should consult the 2025 Advisory in order to position clients to receive credit under the newly announced Matrix.
No Funny Business: The Supreme Court Should Get Sirois
As you might have guessed from the title of this post, we are returning to cover new developments in the United States v. Sirois case. A few months ago, the First Circuit released an opinion that we discussed in an earlier post. As we predicted, the Rohrabacher-Farr issues have reappeared, with the Defendants in Sirois now petitioning the United States Supreme Court to grant them certiorari and review the case.
Rohrabacher-Farr Refresher
Just as a reminder, the Rohrabacher-Farr Amendment is an appropriations rider that was first passed in 2014. It bars the DOJ from using government funds to investigate and prosecute state-compliant medical marijuana operations. However, it does not on its face protect individuals who participate in adult-use marijuana operations, even if those operations are legal at the state level. Nor does it suspend the federal Controlled Substances Act. Remember, marijuana cultivation, sales, and use are still illegal under federal law, even in states with medical marijuana programs.
In practice, Rohrabacher-Farr allows state-compliant medical marijuana businesses to operate with much less fear that they will be prosecuted by the federal government.
Risky Business – United States v. Sirois
Before we head down to D.C., let’s take the third boxcar, midnight train up to our destination: Bangor, Maine. The Sirois Defendants were charged with a number of crimes, including violating the Controlled Substances Act while running their marijuana cultivation and sorting business based in Farmington, Maine. They were accused of, among other things, operating the business as a “collective” in violation of Maine law and facilitating illegal interstate sales of marijuana. Although the DEA initially claimed an even broader multi-drug conspiracy, it seems that the DOJ quickly gave up on proving that most of these people really still deal cocaine.
The trial court dismissed the Defendants’ attempt to enjoin their prosecution based on the Rohrabacher-Farr Amendment. The First Circuit upheld that decision, reasoning that the Defendants failed to show “substantial compliance” with state law and that they were not immune from prosecution due to their “blatantly illegitimate activity.”
Now, the Sirois Defendants have filed a petition for writ of certiorari to the U.S. Supreme Court. The petition seeks to resolve a split between Ninth and Eleventh Circuit precedent and get the Supreme Court to shift the burden of proof — requiring the DOJ to prove that a criminal defendant is noncompliant, rather than forcing the defendant to prove it was in either substantial or strict compliance with state law. The petition previews the Sirois Defendants’ arguments. It reasons that not only were the Defendants in compliance with state law, but that the current state of the law is uncertain, overburdens defendants, and allows the DOJ to overstep and disregard Congressional limits on its power.
We cannot know whether or how the Supreme Court will decide this case. However, given the Circuit split and the current tenor of discussions around executive overreach, this case is ripe for Court review.
Paranoia, Paranoia
Don’t worry, this is not cause for massive alarm. I know most medical marijuana operators out there don’t need to hear this, but we will say it anyway. Everyone is not, in fact, coming to get you. As we said in our last post on this case, we do not believe that Sirois signals mass-scale federal prosecution of state-legal medical marijuana businesses. It is also important to remember, too, that rescheduling may not actually affect the current state of affairs for state-legal operators (although it may make compliance more onerous, with added FDA, DEA, and state pharmaceutical oversight and licensing requirements).
If the Supreme Court grants certiorari, this case will almost certainly clarify the questions that the Sirois Defendants raise. First, state-licensed and authorized medical marijuana operators and patients will better know when the DOJ can criminally investigate and prosecute them for cultivating, distributing, possessing, or using medical marijuana. Second, those same parties will know whether they have the burden to prove they acted in compliance with state law. And third, they will know what they must show to prove that they were actually sufficiently compliant.
If you are still unconvinced, if nothing seems to satisfy you, and you feel like you’ll lose your mind trying to make sure you are following the law, give us a call. Your friends at Bradley are happy to advise you on any regulatory or compliance issues that your cannabis business faces.
Treasury Department Announces Suspension of Enforcement of Corporate Transparency Act Against U.S. Citizens and Domestic Reporting Companies
The Treasury Department announced plans to significantly narrow beneficial ownership information (BOI) reporting obligations under the Corporate Transparency Act (CTA).
In a press release issued on March 2, 2025, the Treasury Department stated the following:
The Treasury Department is announcing today that, with respect to the Corporate Transparency Act, not only will it not enforce any penalties or fines associated with the beneficial ownership information reporting rule under the existing regulatory deadlines, but it will further not enforce any penalties or fines against U.S. citizens or domestic reporting companies or their beneficial owners after the forthcoming rule changes take effect either. The Treasury Department will further be issuing a proposed rulemaking that will narrow the scope of the rule to foreign reporting companies only. Treasury takes this step in the interest of supporting hard-working American taxpayers and small businesses and ensuring that the rule is appropriately tailored to advance the public interest.
The Department’s announcement would appear to end the CTA regulatory regime for all entities other than foreign companies that have registered to do business in the U.S.
Client Alert: The Uncertainty Continues – Another Major Update to The Corporate Transparency Act
As reported in our Client Alert dated Feb. 20, 2025, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued guidance on Feb. 19, 2025, stating that the requirement to file beneficial ownership interest reports (“BOIR”) under the Corporate Transparency Act (“CTA”) is once again in effect. This guidance impacted deadlines to file BOIRs as follows:
Entities in existence as of Dec. 31, 2023, had until March 21, 2025, to file their BOIRs.
Entities that were created or registered between Jan. 1, 2024, and Dec. 31, 2024, originally had 90 days from the date of creation or registration to file their BOIRs. They had until March 21, 2025, to file BOIRs.
Reporting companies that were previously given a reporting deadline later than the March 21, 2025, deadline had to file their initial BOIR by that later deadline. For example, if an entity’s reporting deadline was in April 2025 because it qualified for certain disaster relief extensions, it was to follow the April deadline, not the March deadline.
Entities that were created or registered on or after Jan. 1, 2025, had until the later of March 21, 2025, or 30 days after their creation or formation, to file their BOIRs.
The past tense is intentionally used with respect to the deadlines specified above because on Feb. 27, 2025, FinCEN announced that it will not issue any fines or penalties or take any other enforcement actions against any companies based on failure to file or update BOIRs by the current deadlines. No fines or penalties will be issued, and no enforcement actions will be taken, until a forthcoming interim final rule becomes effective and the new relevant due dates in the interim final rule have passed. FinCEN stated that no later than March 21, 2025, FinCEN intends to issue an interim final rule extending BOIR deadlines. Recognizing the need to provide new guidance and clarity as quickly as possible, the rule must ensure that beneficial ownership interest information that is highly useful to important national security, intelligence, and law enforcement activities is reported.
Then, on March 2, 2025, the U.S. Treasury Department issued the following announcement:
“The Treasury Department is announcing today that, with respect to the Corporate Transparency Act, not only will it not enforce any penalties or fines associated with the beneficial ownership information reporting rule under the existing regulatory deadlines, but it will further not enforce any penalties or fines against U.S. citizens or domestic reporting companies or their beneficial owners after the forthcoming rule changes take effect either. The Treasury Department will further be issuing a proposed rulemaking that will narrow the scope of the rule to foreign reporting companies only. Treasury takes this step in the interest of supporting hard-working American taxpayers and small businesses and ensuring that the rule is appropriately tailored to advance the public interest.”
During the past several months, with respect to filing BOIRs, entities were vacillating between taking take a “wait and see approach” and incurring the risk of having to make a filing quickly. Other entities were more proactive and made a voluntary filing. Now, with FinCEN’s March 2, 2025 announcement, and presuming that the Treasury Department does not change course again, domestic entities will not need to file BOIRs; only foreign entities will need to file BOIRs in accordance with a rule to be promulgated at some point by the Treasury Department.
Important Update – Treasury Will Not Enforce CTA Against U.S. Citizens, Domestic Reporting Companies and Their Beneficial Owners – New Rules To Follow (March 3, 2025 Edition)
The U.S. Department of the Treasury announced on Sunday March 2, 2025 that it will “not enforce any penalties or fines against U.S. citizens or domestic reporting companies or their beneficial owners [ …]” This press release from Treasury followed the February 27, 2025 release wherein FinCEN committed to (i) extending the existing March 21, 2025 filing deadline, (ii) re-writing the reporting rules (and opening the process to public comment) and (iii) not enforcing the CTA based on violations of the extended deadlines.
Thus, once the new reporting rules have been issued, and absent further change, U.S. citizens or domestic reporting companies or their beneficial owners are not expected to have reporting obligations. Non-U.S. entities that have filed in a U.S. jurisdiction to do business are expected to have a CTA filing obligation; however, for now, the scope of such an obligation has not been set, and the applicable deadline has not been determined.
As suggested by Treasury and FinCEN, subject to the additional commitments, the obligations (and applicable timelines) are as follows:
U.S. Citizens, Domestic Reporting Companies and Their Beneficial Owners: No enforcement of the CTA will be effected.
Foreign Reporting Companies (and other stakeholders not included above):
Now (as of February 27, 2025): FinCEN will not issue fines or penalties for failures to file, correct or update beneficial ownership information (BOI) reports by current deadlines and therefore filing, while mandatory (and subject to changing obligations with respect to the forthcoming new reporting rule), is at your discretion as to timing for the moment.
By March 21, 2025: FinCEN expressed its intent to issue an interim final rule extending certain, as yet undisclosed, BOI reporting deadlines.
Later in 2025: FinCEN expressed its plans to solicit public comments on potential revisions to BOI reporting requirements and issue a notice of proposed rulemaking.
There will be additional developments in this space, so it is necessary to pay careful attention to CTA updates as they develop.
Navigating the Risks of Cartel Terrorist Designation for Companies Operating in Mexico and Latin America
Introduction
The U.S. Department of State recently designated Tren de Aragua (“TdA”), Mara Salvatrucha (“MS-13”), Cártel de Sinaloa, Cártel de Jalisco Nueva Generación (“CJNG”), Cártel del Noreste (“CDN”), La Nueva Familia Michoacana (“LNFM”), Cártel de Golfo (“CDG”), and Cárteles Unidos (“CU”) as Foreign Terrorist Organizations (“FTOs”) and Specially Designated Global Terrorists (“SDGTs”). These designations have introduced significant legal and compliance challenges for companies operating in Mexico and Latin America. This move, aimed at curbing the influence of powerful cartels, has far-reaching implications for businesses that must now navigate a complex landscape of anti-terrorism regulations. This alert explores the risks associated with the cartel terrorist designation and provides strategic recommendations for companies to mitigate these risks.
Background on Cartel Terrorist Designation
On his first day in office, President Trump issued an Executive Order (“EO”) pursuant to the International Emergency Economic Powers Act creating, “a process by which certain international cartels (the Cartels) and other organizations will be designated as [FTOs], consistent with section 219 of the INA (8 U.S.C. 1189), or [SDGTs], consistent with IEEPA (50 U.S.C. 1702) and EO 13224 of September 23, 2001 (Blocking Property and Prohibiting Transactions With Persons Who Commit, Threaten to Commit, or Support Terrorism), as amended.” These instructions to designate cartels as terrorist organizations is part of a broader strategy to combat the influence of these criminal groups, which are involved in drug trafficking, human smuggling, and other illicit activities. The EO aims to disrupt the financial networks of these cartels and enhance the enforcement capabilities of U.S. law enforcement agencies.
The EO is also meant to work in conjunction with the “Day One Memo” issued by the U.S. Department of Justice (“DOJ”) calling for the Total Elimination of Cartels and Transnational Criminal Organizations. The Memo realigns DOJ priorities and resources to aggressively target cartels and removes bureaucratic impediments to doing so.
Legal Risks
The designation of cartels as FTOs significantly increases the legal and compliance risks for companies operating in affected regions. Under U.S. law, providing material support to a designated terrorist organization is a serious offense that can result in severe penalties, including significant fines and imprisonment.
Companies operating in areas controlled by these cartels, or doing business with them, face increased risks of U.S. sanctions violations, potential criminal investigations, and civil liability and asset forfeiture. Simply paying fees to a designated organization for protection, to operate in an area they control, or selling them goods or services can constitute material support subject to criminal penalties. For example, paying a designated cartel fees to transport goods through, or be allowed to operate in, a certain territory or providing financial services to, or conducting financial transactions for, a cartel-owned business exposes a company or financial institution, and its employees, to criminal enforcement risk, including but not limited to criminal investigation by U.S. law enforcement, civil lawsuits, sanctions designation and enforcement, and asset forfeiture.
The reach of the Anti-Terrorism Act (“ATA”), 18 U.S.C. § 2339B(d) is explicitly extraterritorial, meaning these restrictions are intended to regulate the actions of non-U.S. entities. While Specially Designated Nationals (“SDNs”) restrictions have allowed the United States to sanction extra-territorial actors in limited circumstances, they primarily target U.S. entities and transactions involving U.S. entities or U.S. dollars (“USD”). The ATA has no such limitation and is unbounded by U.S. nexus. In short, a non-U.S. company doing business with an FTO in Latin America can be prosecuted through the extraterritorial reach of the ATA without having a presence in the United States.
Economic Sanctions Risks
Each of the eight organizations listed above has been added to the Office of Foreign Assets Control’s Specially Designated Nationals List (“SDN List”). This means that any property or interests in property of those organizations that is in the United States or in the possession or control of U.S. persons, including U.S. financial institutions, is blocked.
U.S. persons, and non-U.S. persons subject to U.S. sanctions jurisdiction, risk violating U.S. sanctions regulations and facing civil and criminal liability if they engage in virtually any activity, directly or indirectly, involving these organizations. In the case of non-U.S. persons, the United States may bring enforcement actions where transactions (i) are directly or indirectly prohibited as to U.S. persons (e.g., involve SDNs or other blocked persons such as these organizations or their property and interests in property), and (ii) have a direct or indirect U.S. nexus (e.g., the use of USD).
Whether or not there is a U.S. nexus, the U.S. government may impose blocking sanctions (i.e., secondary sanctions) on non-U.S. persons determined to have provided “material support” to any of these organizations. The U.S. government may also impose correspondent account/payable through account (“CAPTA”) restrictions on non-U.S. financial institutions determined to have knowingly conducted or facilitated a significant transaction on behalf of an SDGT.
Criminal Liability for Providing “Material Support” to an FTO
Importantly, in addition to the sanctions risked involved with dealing with the designated entities described above, U.S. persons, and non-U.S. persons subject to U.S. jurisdiction as set out in the ATA, that knowingly provide “material support” to FTOs may face criminal liability. The definition of “material support” broadly encompasses “any property, tangible or intangible, or service.” The term excludes, medicine and religious materials but includes currency, monetary instruments, financial securities, financial services, lodging, training (i.e., instruction or teaching designed to impart a specific skill), and expert advice or assistance (i.e., advice or assistance derived from scientific, technical, or other specialized knowledge), among others.
The ATA also provides another robust mechanism for the U.S. government to combat terrorism: the use of asset forfeiture, which allows for the seizure of assets belonging to individuals or entities that provide material support to FTOs. This includes funds, property, and other tangible or intangible assets.
Case Study
Background
A European multinational company faced serious allegations of complicity in human rights violations and financing terrorism in a Middle Eastern country. Between 2012 and 2014, the company’s subsidiary continued operations at its facility despite the escalating conflict in the region.
Allegations and Charges
The company was criminally charged by the United States Attorney’s Office for conspiring to provide material support and resources to two designated FTOs. The specific conduct involved:
Payments to Terrorist Groups: The company allegedly paid these groups to ensure safe passage for employees and goods. This included direct payments to terrorist organizations to secure the safety of their operations.
Purchasing Raw Materials: The company allegedly bought raw materials from suppliers who were controlled by or affiliated with terrorist groups. This enabled the subsidiary to continue its production activities.
Revenue Generation: By maintaining operations and securing raw materials through these means, the subsidiary was able to generate millions in revenue during the period in question.
Legal Proceedings
In October 2022, the company, in a first-of-its-kind agreement, pleaded guilty to a one-count criminal information charge of conspiring to provide material support to FTOs. The U.S. District Court sentenced the company to probation and imposed financial penalties, including criminal fines and forfeiture, totaling hundreds of millions of dollars.
Impact and Implications
This case underscores the intersection of corporate crime and national security. It highlights the severe consequences for companies that operate in specific regions, especially in high-risk environments. The case serves as an example of the importance of investing in robust compliance programs, paying vigilant attention to national security compliance risks, and conducting thorough due diligence.
Civil Liability Under the Anti-Terrorism Act
Financial institutions and other companies that interact with FTOs may also face civil lawsuits under the ATA. The Act provides a private right of action for U.S. citizens injured by an act of international terrorism to claim treble damages, costs, and attorney’s fees. Liability extends to those who materially supported, aided and abetted, or conspired with the FTO to commit the act of terrorism creating an extremely inclusive regime of liability.
Numerous plaintiffs have filed lawsuits in the United States against various entities, including banks, telecom providers, social media companies, and state-owned enterprises, accused of aiding and abetting or supporting FTOs. The Supreme Court clarified that aiding and abetting liability requires a defendant to have knowingly provided substantial assistance to another person in committing the act of international terrorism.
In multiple lawsuits in the Southern District of New York and around the country, plaintiffs who were victims or representatives of victims of various terrorist attacks by FTOs brought claims under the ATA. The plaintiffs have alleged multiple theories, including that financial institutions provided financial services to these designated FTOs, which substantially contributed to the attacks. In recent cases, Courts have denied motions to dismiss in similar cases finding that plaintiff’s had adequately alleged that financial institutions were generally aware that they were playing a role in the FTOs overall terrorist activities, and that the defendants provided knowing and substantial assistance with respect to terrorist attacks.
Companies must ensure that their operations do not inadvertently support these organizations, either directly or indirectly.
Impact on Companies Operating in Mexico and Latin America
The designation of cartels as FTOs poses several challenges for companies operating in Mexico and Latin America:
Increased Due Diligence Requirements: Companies must conduct thorough due diligence to ensure that their business partners, suppliers, and customers are not affiliated with designated cartels. This includes implementing robust screening processes and regularly updating risk assessments.
Heightened Regulatory Scrutiny: U.S. regulatory agencies are likely to increase their scrutiny of companies operating in regions affected by the cartel designations. This may result in more frequent audits, investigations, and enforcement actions.
Operational Disruptions: Companies may face operational disruptions if they are forced to sever ties with business partners or suppliers linked to designated cartels. This can impact supply chains, production schedules, and overall business continuity.
Reputational Damage: Being associated with designated terrorist organizations can cause significant reputational damage. Companies must proactively manage their public image and communicate their commitment to compliance and ethical business practices.
Strategic Recommendations for Companies
To mitigate the risks associated with the cartel terrorist designation, companies should consider the following strategic recommendations:
Enhance Compliance Programs: Companies should strengthen their compliance programs to address the specific risks associated with the cartel designations, including anti-money laundering and counter-terrorism financing and sanctions controls. This includes updating policies and procedures, providing training to employees, and implementing robust monitoring and reporting mechanisms.
Conduct Comprehensive Risk Assessments: Regular risk assessments are essential to identify and mitigate potential exposure to designated cartels. Companies should assess their entire value chain, including suppliers, customers, and third-party intermediaries.
Strengthen KYC and Third-Party Due Diligence: Implementing strict know-your-customer (“KYC”) and third-party screening, background checks, and management procedures is critical to identify and remediate active risks. The identification of third-party risk is essential to identify and avoid the most likely source of liability to the company.
Engage with Legal and Compliance Professionals: Given the complexity of the legal and regulatory landscape, companies should seek guidance from legal and compliance professionals with experience in anti-terrorism regulations. This can help ensure that their compliance programs are effective and up-to-date.
Develop Contingency Plans: Companies should develop contingency plans to address potential operational disruptions resulting from the cartel designations. This includes identifying alternative suppliers, diversifying supply chains, and establishing crisis management and dawn raid protocols.
Foster a Culture of Compliance: Building a strong culture of compliance is critical to ensuring that employees understand the importance of adhering to anti-terrorism regulations. Companies should promote ethical behavior and encourage employees to report any suspicious activities.
Conclusion
The designation of drug cartels as FTOs by the U.S. government has introduced significant challenges for companies operating in Mexico and Latin America. By understanding the risks and implementing robust compliance measures, companies can navigate this complex landscape and mitigate potential legal, operational, and reputational risks. Proactive engagement with legal and compliance professionals, comprehensive risk assessments, and a strong culture of compliance are essential components of an effective strategy to address the challenges posed by the cartel terrorist designation.
The CTA: Now You See It … Now You Don’t
As the flurry of Corporate Transparency Act (CTA) developments continues, on March 2, the US Department of the Treasury (Treasury) announced the suspension of CTA enforcement against US citizens and domestic reporting companies, following on the heels of last week’s announcement by the Financial Crimes Enforcement Network (FinCEN) that it is not issuing fines or penalties in connection with beneficial ownership information (BOI) reporting for the time being. Going forward, as indicated by Treasury, the CTA will apply only to foreign reporting companies.
FinCEN’s February 27 Announcement
Barely more than a week after announcing a new March 21 reporting date for most reporting companies that have not yet filed all required reports under the CTA (see our prior alert for more information about this), FinCEN announced that it will not issue any fines or penalties, or take any other enforcement actions against any companies based on any failure to file or update their BOI reports. FinCEN’s nonenforcement of penalties will continue until a forthcoming interim final rule becomes effective and new reporting deadlines set forth in that rule have passed.
FinCEN expects to issue this interim final rule no later than March 21, 2025. Additionally, FinCEN intends to solicit public comments on revisions to existing BOI reporting requirements, which it will consider as part of a notice of proposed rulemaking that the agency anticipates issuing later this year to minimize the burden of CTA compliance on small businesses while maintaining the usefulness of BOI to key enforcement functions.
Treasury’s March 2 Announcement
Wasting no time, on March 2, Treasury released a statement announcing that, not only would it not enforce penalties or fines associated with BOI reporting under the existing regulatory deadlines, but it also would not enforce any penalties or fines against US citizens or domestic reporting companies or their beneficial owners after forthcoming rule changes take effect. Treasury’s announcement noted that it will issue a proposed rule that will narrow the scope of CTA reporting obligations to foreign reporting companies only, a step that, according to Treasury, would support American taxpayers and small businesses while ensuring that the rule is appropriately tailored to advance the public interest.
Listen to this article
Preserving and Maximizing Defense Coverage Through Final Adjudication
Last week, the Ninth Circuit affirmed fraud convictions for Theranos’ former CEO, Elizabeth Holmes, and former COO, Ramesh Balwani, upholding an order finding both defendants personally liable for $452 million in restitution to various Theranos investors. While it remains to be seen whether the embattled executives will pursue further appeals to the US Supreme Court, the years of litigation and appeals following Theranos’s untimely demise in 2018 highlight the importance of directors and officers having robust “final adjudication” language in conduct exclusions found in all D&O liability policies.
Modern D&O policies contain exclusions for fraudulent or criminal acts. But those exclusions usually cannot apply until a “final adjudication” establishes that the alleged fraudulent or criminal conduct actually occurred. The result is that individuals defending against alleged fraud get the benefit of a defense funded by the D&O policy unless and until the fraud is finally proven. And even where fraud is finally adjudicated, the onus is placed on the insurer to try to recover those costs from the policyholder, which is easier said than done when an entity is insolvent or a beleaguered individual endured years of litigation and appeals. In both cases, the insured may be unable to repay thousands if not millions of dollars in advanced legal fees and expenses if dragged into a new lawsuit by the D&O insurer.
The importance of securing timely and robust defense coverage cannot be overstated. In the case of Theranos, some investors have alleged that the company maintained at least $30 million in D&O coverage. Yet Elizabeth Holmes’ defense alone reportedly cost in excess of $30 million.
When reviewing your D&O policy with an eye towards maximizing executive protection and defense coverage, consider these key issues:
What is a “final adjudication”? Negotiate triggers in conduct exclusions to be as narrow as possible. If the policy requires a final adjudication, how is that defined? Some policies specify complete exhaustion of all appeals, while others may trigger at earlier stages. Does the exclusion contemplate adjudications in the underlying action only or in other actions, like those initiated by the insurer to determine coverage under the policy? Are defense expenses expressly carved out from the exclusion? Slight variations can materially impact whether coverage is preserved.
What are the insurer’s advancement obligations? A narrow conduct exclusion is only effective if the policyholder can receive the benefits of full and efficient reimbursement of ongoing defense costs in litigation prior to any final adjudication. At a minimum, the policy should make clear that the insurer has a duty to advance defense costs until it is determined that the previously advanced defense costs are not insured.
But how quickly must those payments be made? And what happens if there is a dispute where the insurer is claiming that uncovered parties, claims, or matters allow for limited defense reimbursement under the policy’s “allocation” provision? Following the flow of money from the insurer to the individual (and perhaps back again in a repayment situation) will ensure there are no reimbursement snafus in the midst of contentious litigation that distracts from the underlying defense.
How to ensure protection for “innocent” insureds? If one bad actor commits fraud and loses coverage, it should not impact coverage for other individual defendants. Pay close attention to “severability” provisions. Does the policy provide full or limited severability? When, if at all, can wrongful acts committed by one insured by imputed to other insureds who were not involved in the wrongdoing? How does the policy treat other misrepresentations, like those in applications?
How to protect executives when the company cannot? Under most D&O policies, the company has access to the same set of limits that otherwise would be available to protect individual insureds. If the company can indemnify and advance legal fees for its executives, those shared limits are usually not problematic. But when the company is insolvent and in bankruptcy, as was the case with Theranos, the D&O policy is the only source of protection preventing executives from personal exposure.
The solution is purchasing dedicated “Side A” coverage that sets aside separate limits that are available exclusively for the benefit of directors and officers when the company is unable or unwilling to provide indemnification. Some D&O policy forms provide built-in dedicated Side A-only limits, but many times they are purchased through standalone policies. Structuring a D&O program with adequate Side A coverage can ensure executives have an insurance backstop to defend, settle, and pay claims when they need it most.
For corporate executives, these small but important aspects of defense coverage under D&O policies can be the difference between executives being fully protected in protracted litigation and being left uninsured and subject to personal exposure.
The More Things Change… DOJ’s Latest Cyber Settlement Shows Continued False Claims Act Risk
Although the change in administrations has heralded shifting enforcement priorities at the U.S. Department of Justice (DOJ), cybersecurity enforcement under the False Claims Act (FCA) appears to be alive and well. That is the takeaway from the recent DOJ announcement that Health Net Federal Services and its parent, Centene Corporation, have agreed to pay over US$11 million to resolve a FCA matter alleging cybersecurity violations.
The Health Net Settlement
According to DOJ, Health Net entered into a contract with the Department of Defense to administer the Defense Health Agency’s TRICARE health benefits program. Health Net allegedly failed to meet certain cybersecurity controls as part of its government contract and falsely certified compliance with those requirements in annual reports to the government. The government alleged that the company failed to timely scan for known vulnerabilities and to remedy security flaws on its networks and systems. In addition, according to the government, Health Net allegedly ignored reports from third-party security auditors and its own audit department regarding cybersecurity risks on the company’s networks and systems. Those risks related to, among other things, asset management, firewalls, patch management, and password policies. The government alleged that, as a result of these purported failures, the company’s claims for reimbursement under the contract were false, even if there was not any exfiltration or compromise of data or protected health information.
This latest settlement builds on prior DOJ actions against government contractors for alleged cybersecurity failures. Foley has reported on those prior actions here and here, including DOJ’s FCA suit against Georgia Tech, which remains pending.
The Health Net settlement demonstrates that the Trump Administration’s DOJ remains focused on cybersecurity enforcement, particularly pursuant to the FCA. This is not surprising, given the administration’s pronouncements about stamping out alleged fraud, waste, and abuse. Further, this was a theme echoed by several DOJ speakers at a national qui tam conference in Washington, D.C. in February 2025.
Also, where a federal contract involves the military, as was the case with the Health Net settlement, this administration is likely to be especially committed in its investigative and prosecution efforts. Indeed, it is notable that the Health Net settlement does not appear to have arisen from a qui tam suit, which would mean the government initiated the investigation on its own. Finally, the fact remains that cybersecurity has always been a bipartisan issue.
Recommendations
In light of the Health Net settlement and the new administration’s interest in cybersecurity enforcement, companies and other recipients of federal funds (including colleges and universities) should consider the following steps to enhance cybersecurity compliance and reduce FCA risk:
Catalogue and monitor compliance with all government-imposed cybersecurity standards. This includes not only ongoing knowledge of the organization’s contracts, but also continuously monitoring and assessing the organization’s cybersecurity program to identify and patch vulnerabilities and to assess compliance with those contractual cybersecurity standards.
Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. In many companies, the compliance program and information security functions are not well integrated. An effective compliance program will address cybersecurity concerns and encourage employees to report such concerns. When concerns are identified, it is critical to escalate and investigate them promptly. Because the FCA’s qui tam provisions allow employees and others to file suit on behalf of the United States, it is critical to respond to employees’ concerns effectively.
Where non-compliance with cybersecurity standards is identified, organizations should evaluate potential next steps. This includes whether to disclose the matter to the government and cooperate with government investigators. Organizations should work with experienced counsel in this regard. Proactively mapping out a strategy for investigating and responding to potential non-compliance can instill discipline to the process and streamline the organization’s approach.
Out With a Bang: Treasury Restricts Corporate Transparency Act to Foreign Reporting Companies
On March 2, 2025, the Treasury Department announced suspension of the March 21, 2025 deadline for filing under the Corporate Transparency Act (CTA) for any domestic companies or U.S. citizens.
Treasury said that it is preparing a proposed rulemaking to narrow the scope of the rule to foreign reporting companies only. “Foreign reporting companies,” under the present formulation, are entities (including corporations and limited liability companies) formed under the law of a foreign country that have registered to do business in the U.S. by filing a document with a secretary of state or any similar office.
While the rule may be subject to legal challenge, as the narrowing proposed by the Treasury Department is inconsistent with the text of the CTA itself, it is not clear who, if anyone, would challenge the new proposed rules. Congress is also contemplating changes to the law.
The determination from Treasury follows the February 17, 2025 decision out of the Eastern District of Texas in Smith v. United States Department of the Treasury, which lifted the last remaining nationwide preliminary injunction on enforcement of the filing deadline, following the Supreme Court’s stay of the injunction in Texas Top Cop Shop, Inc., et al. v. Merrick Garland, et al., earlier this year.
Passed in the first Trump Administration but implemented during the Biden presidency, the CTA — an anti-money laundering law designed to combat terrorist financing, seize proceeds of drug trafficking, and root out illicit assets of sanctioned parties and foreign criminals in the U.S. — faced legal challenges around the country, many of which are still pending before appellate courts.
Treasury has not announced what will happen to the information provided by entities that have already filed under the CTA. However, domestic companies and U.S. citizens are no longer under any obligation to keep that information up to date given the suspension of enforcement.
CTA Is Pausing Fines, Penalties and Enforcement Actions Regarding Filing of Beneficial Ownership Information Reports
Below is a statement from the Financial Crimes Enforcement Network (FinCEN) released February 27, 2025 stating it will not take any enforcement action against a Reporting Company that fails to file or update a beneficial ownership information report per the Corporate Transparency Act, pending the release of a new “interim final rule.” FinCEN intends to issue this interim final rule (which will extend the reporting deadline) prior to the current reporting deadline of March 21, 2025. We will continue to monitor for updates. For now, however, failure to file will not result in fines, penalties or any other enforcement actions.
FinCEN Not Issuing Fines or Penalties in Connection with Beneficial Ownership Information Reporting Deadlines
Immediate release: February 27, 2025
WASHINGTON –– Today, FinCEN announced that it will not issue any fines or penalties or take any other enforcement actions against any companies based on any failure to file or update beneficial ownership information (BOI) reports pursuant to the Corporate Transparency Act by the current deadlines. No fines or penalties will be issued, and no enforcement actions will be taken, until a forthcoming interim final rule becomes effective and the new relevant due dates in the interim final rule have passed. This announcement continues Treasury’s commitment to reducing regulatory burden on businesses, as well as prioritizing under the Corporate Transparency Act reporting of BOI for those entities that pose the most significant law enforcement and national security risks.
No later than March 21, 2025, FinCEN intends to issue an interim final rule that extends BOI reporting deadlines, recognizing the need to provide new guidance and clarity as quickly as possible, while ensuring that BOI that is highly useful to important national security, intelligence, and law enforcement activities is reported.
FinCEN also intends to solicit public comment on potential revisions to existing BOI reporting requirements. FinCEN will consider those comments as part of a notice of proposed rulemaking anticipated to be issued later this year to minimize burden on small businesses while ensuring that BOI is highly useful to important national security, intelligence, and law enforcement activities, as well to determine what, if any, modifications to the deadlines referenced here should be considered.
Alexander Lovrine and Walter Weinberg contributed to this article.