Maryland Enacts Law Exempting Passive Trusts from Mortgage and Installment Loan Licensing Requirements

In January 2025, the Maryland Office of Financial Regulation (the “OFR”) issued a guidance stating that assignees of residential mortgage loans, including certain passive trusts, were required to hold a Maryland mortgage lender license and, in certain circumstances, an installment loan license (previously discussed here). In response to this, the Maryland House and Senate passed separate but identical bills known as the Maryland Secondary Market Stability Act of 2025 (the “Act”). The Act was signed into law by Maryland Governor Wes Moore on April 22, and became effective immediately. 
The Act addressed the OFR guidance on licensing for secondary market assignees by enacting an exemption from both the Maryland Mortgage Lender Law and the Maryland Installment Loan Law for “passive trusts.” The Act defines a “passive trust” as a trust that acquires or is assigned a mortgage loan but does not (i) make mortgage loans, (ii) act as a mortgage broker or a mortgage servicer, or (iii) engage in the servicing of mortgage loans. The original bills introduced in response to the OFR guidance would have exempted any assignee of mortgage loans or installment loans from licensing, including a trust, but the final Act more narrowly exempts only passive trusts. 
Putting It Into Practice: The OFR’s guidance can now be considered abrogated, at least to the extent that it applied to passive trusts. However, secondary market purchasers of loans that do not use passive trusts to acquire or take assignment of residential mortgage loans in Maryland must become licensed as Maryland mortgage lenders by July 6, 2025. In addition, it is worth noting that the Act does not apply to loans made under the Maryland Consumer Loan Law, which provides that an assignee of a loan made under that law must hold a consumer loan license in order to enforce the loan.
Listen to this post 

Fourth Circuit Rejects Rehearing in ACH Fraud Suit Alleging Violations of KYC Rules and NACHA Operating Standards

On April 22, the Fourth Circuit declined to reconsider a panel ruling that found a credit union could not be held liable for a scam in which fraudsters diverted over $560,000 from a metal fabricator through unauthorized ACH transfers. The denial leaves intact a March 2025 decision overturning the district court’s earlier ruling in favor of the plaintiff.
The dispute stems from a 2018 incident in which the company received a spoof email claiming to be from a supplier and directing the company to reroute payments to a new bank account. Relying on the instructions, the company made four ACH transfers to an account at the credit union, identifying the supplier as the beneficiary. However, the funds were deposited into an account belonging to another individual who had also been unknowingly involved in the fraud.
In its original complaint, the plaintiff alleged that the credit union failed to comply with Know Your Customer (KYC) regulations and anti-money laundering (AML) procedures by not verifying the identity or eligibility of the account holder. The complaint also asserted that the credit union violated the NACHA Operating Rules by accepting commercial ACH transfers—coded for business transactions—into a personal account. These claims were framed as failures to implement basic security protocols and to recognize clear mismatches in the payment data.
The panel held that the credit union lacked actual knowledge that the account was being used for fraudulent purposes and therefore could not be held liable under applicable law. In a concurring opinion, however, one judge noted that the record may contain evidence suggesting the credit union obtained actual knowledge of the misdescription before the final two transfers.
Putting It Into Practice: Even though the credit union ultimately avoided liability, the action is a good example of the lengths plaintiffs’ attorneys are going to hold banks liable for fraud related to spoofing. Unfortunately, Regulation E provides no avenue for relief for consumers where they are tricked into transferring money knowingly to another account. And the CFPB’s lawsuit against major banks related to similar conduct, where claims under the CFPA were alleged, was dropped earlier this year. 

CFPB Shifts Supervision and Enforcement Priorities; Staff Reduction Stayed by Court

On April 16, the CFPB released an internal memo outlining major shifts in its supervision and enforcement priorities, signaling a retreat from several areas of regulatory activity. The next day, the Bureau issued formal reduction-in-force (RIF) notices to numerous employees, notifying them of termination effective June 16.
The supervision memo directs a significant reallocation of the Bureau’s focus and resources. Examinations are to be reduced by 50%, with an emphasis on collaborative resolutions, consumer remediation, and avoiding duplicative oversight. The CFPB will shift attention back to depository institutions, moving away from nonbanks that have increasingly been subject to Bureau exams in recent years. Enforcement will prioritize matters involving tangible consumer harm, particularly in areas of mortgage servicing, data furnishing under the FCRA, and debt collection under the FDCPA. The memo explicitly deprioritizes supervision of student lending, digital payments, remittances, and peer-to-peer platforms, and restricts the Bureau’s use of statistical evidence to support fair lending cases, limiting such actions to those involving intentional discrimination and identifiable victims.
The RIF notices cite structural realignment and policy shifts as the basis for the cuts and inform employees that the decision does not reflect performance or conduct. Following the issuance of the RIF notices, plaintiffs in ongoing litigation against the CFPB filed an emergency motion, arguing that the RIF appeared to violate an existing preliminary injunction. After an emergency hearing on April 18, Judge Amy Berman Jackson of the D.C. District Court ordered the CFPB to suspend its reduction-in-force and maintain employees’ access to the agency’s systems while legal proceedings continue, raising concerns that allowing the layoffs to move forward could permanently damage the Bureau’s ability to meet its legal obligations. The court set a follow-up hearing for April 28.
Putting It Into Practice: The current administration’s push to downsize the CFPB continues. While paused for the moment, a Bureau of only 200 employees will have a dramatic impact on the enforcement of the country’s federal financial services laws.
Listen to this post 

CFPB Drops Suit Against Credit Card Company Alleging TILA Violations and Deceptive Marketing Practices

On April 23, the CFPB voluntarily dismissed with prejudice its lawsuit, filed in September 2024, against a Pennsylvania-based credit card company that had been accused of unlawfully marketing a high-cost, limited-use membership program to subprime consumers.
The complaint alleged that the company violated the Consumer Financial Protection Act (CFPA) and the Truth in Lending Act (TILA) and its implementing Regulation Z. The Agency asserted the following violations:

Misleading marketing of a “general-purpose” credit card. The company allegedly represented that it offered a standard credit card when the product could only be used at the company’s own online store.
Excessive fees in violation of TILA and Regulation Z. The card carried annual charges amounting to roughly 60% of the card’s credit limit, exceeding the 25% cap permitted during the first year of account opening.
Limited consumer use and value. Despite charging substantial fees, the program offered minimal utility—only 6% of customers used the card and just 1–3% used any ancillary benefits.
Deceptive cancellation and refund process. The company claimed cancellations could be completed in under a minute but instead subjected consumers to extended calls and repeated sales pitches before granting partial refunds.
Unreasonable barriers to exit constituted abusive conduct. The CFPB alleged the company exploited consumers’ inability to easily exit the program or secure refunds, thereby taking unreasonable advantage of financially vulnerable individuals.

Putting It Into Practice: The dismissal is the latest in a series of reversals by the CFPB under its current leadership (previously discussed here and here). While the agency appears to be retreating from certain nonbank UDAAP cases, the statutory obligations under the CFPA and TILA remain unchanged. Companies marketing credit products to subprime consumers should closely review how their offerings are presented, how fees are structured, and how cancellation processes are administered.
Listen to this post

White House Executive Order Eliminates Disparate-Impact Liability Enforcement

On April 23, the White House issued an Executive Order entitled Restoring Equality of Opportunity and Meritocracy, directing federal agencies to “eliminate the use of disparate-impact liability in all contexts to the maximum degree possible.” The Executive Order marks a potential shift in how federal fair lending laws will be enforced across the financial services sector.
Federal agencies have historically used disparate-impact liability to evaluate facially neutral policies that may result in unequal outcomes for protected classes. The Executive Order now instructs agencies to reassess their enforcement strategies and deprioritize claims rooted in disparate impact, including under the Equal Credit Opportunity Act, the Fair Housing Act, and other fair lending statutes. 
Specifically, the Executive Order directs the Attorney General to identify and initiate repeal or amendment of regulations, guidance, or rules that impose disparate-impact liability. It also calls on federal agencies, including the CFPB, to review all pending investigations, litigation, and consent orders based on disparate-impact claims. Additionally, the Attorney General must evaluate whether federal law preempts state-level disparate-impact regimes and recommend further action where such state laws may conflict with federal policy.
Putting It Into Practice: The Executive Order reflects a broader policy shift on how discriminatory conduct is litigated. (previously discussed here). The Executive Order will certainly impact federal fair lending and anti-discrimination oversight, particularly in areas where enforcement has traditionally relied on statistical disparities rather than explicit intent. Market participants should also prepare for potential divergence between federal and state priorities in some jurisdictions.

CFPB to Revoke Medical Debt Collection Advisory Opinion

On April 11, the CFPB filed a joint motion in the U.S. District Court for the District of Columbia indicating its intent to revoke an advisory opinion on medical debt collection. The Bureau requested a stay of litigation while it moves to formally withdraw the opinion and committed to providing a status update by July 14 and every 30 days thereafter.
The October 2024 advisory opinion interpreted the Fair Debt Collection Practices Act (FDCPA) and Regulation F to restrict certain medical debt collection practices, including those involving allegedly deceptive or unfair statements about the validity or scope of consumer obligations. The opinion’s issuance triggered multiple lawsuits challenging the CFPB’s statutory authority and legal basis, arguing that the Bureau exceeded its rulemaking powers by issuing substantive policy through an advisory opinion without following the Administrative Procedure Act’s notice-and-comment requirements.
The parties explained that revoking the advisory opinion would resolve the plaintiff’s legal claims, eliminating the need for further litigation. The CFPB stated that it was actively evaluating next steps and that maintaining the litigation would be inefficient and unnecessary.
Putting It Into Practice: The CFPB’s decision to revoke its medical debt advisory opinion continues a broader rollback of policies issued under prior leadership (previously discussed here and here). As the Bureau reconsiders its approach, states may increasingly step in to fill the regulatory gap—particularly those active in applying and enforcing UDAAP laws.

North Dakota Expands Data Security Requirements and Issues New Licensing Requirements for Brokers

On April 11, North Dakota enacted HB 1127, overhauling its regulatory framework for financial institutions and nonbank financial service providers. The law amends multiple chapters of the North Dakota Century Code and creates a new data security mandate for financial corporations—a category that includes non-depository entities regulated by the Department of Financial Institutions (DFI). It also expands the licensing requirement for brokers to include “alternative financing products,” potentially impacting a broad array of fintech providers.
The law introduces sweeping data protection obligations for nonbank financial corporations through new requirements created in Chapter 13-01.2. Specifically, covered entities must:

Implement an information security program. This includes administrative, technical, and physical safeguards, based on a written risk assessment.
Designate a qualified individual. Each financial corporation must designate a qualified individual responsible for overseeing the security program and report annually to its board or a senior officer.
Conduct regular testing. Annual penetration tests and biannual vulnerability assessments are mandatory unless continuous monitoring is in place.
Secure consumer data. Encryption of data in transit and at rest is required unless a compensating control is approved. Multifactor authentication is also mandatory.
Notify regulators of breaches. A data breach involving 500 or more consumers must be reported to the Commissioner within 45 days.

The bill also amends North Dakota’s broker licensing laws to authorize the DFI to classify certain alternative financing arrangements as “loans.”
Putting It Into Practice: Of the many amendments here, North Dakota’s expansion of licensing requirements for brokers of alternative financing products may have the biggest impact for institutions, especially fintechs.

Pushback of Deadline for SNFs to Submit Significantly More Detailed Ownership and Control Information in New “SNF Attachment” to CMS Form 855A

With newly confirmed Dr. Mehemet Oz at its helm, the Centers for Medicare & Medicaid Services (CMS) maintained but delayed the deadline for its requirement that Skilled Nursing Facilities (SNFs) to report significantly expanded information to CMS about the ownership, management and relationships with private equity (PE) and real estate investment trusts (REIT), and newly defined “additional reportable parties” (ADPs).
Scheduled to take effect on May 1, 2025, CMS recently announced a three-month reprieve, pushing the deadline back to August 1, 2025. This comes at the same time that CMS is seeking suggestions on lowering the Medicare regulatory burden and simplifying Medicare reporting requirements.
The delay announcement came as a surprise since, as recently as Friday, April 11, CMS reminded SNFs about the May 1 deadline that was fast-approaching for the Off-cycle SNF Revalidation of all Medicare-enrolled SNFs. Originally issued on October 1, 2024, every SNF was required to complete the new Form 855A that was designed to improve transparency and accuracy in SNF enrollment data under new reporting rules that were finalized by CMS in the Medicare and Medicaid Programs; Disclosures of Ownership and Additional Disclosable Parties Information for Skilled Nursing Facilities and Nursing Facilities; Medicare Providers’ and Suppliers’ Disclosure of Private Equity Companies and Real Estate Investment Trusts, on November 17, 2023.
Effective October 1, 2024, CMS added the new “SNF Attachment” to Form 855A, the Medicare Enrollment Application for Institutional Providers. All SNFs must now revalidate CMS enrollment by submitting the updated form by August 1, 2025. Medicare-enrolled SNFs should have received a revalidation notice by the end of the calendar year 2024. Even if the letter got lost in the mail, CMS expects every Medicare enrolled SNF to contact their Medicare Administrative Contractor (MAC) to ensure they revalidate their enrollment before August 1, 2025, or risk what will be serious consequences.
CMS set the bar for disclosures high, and the consequences will be swift and painful for SNFs that fail to report enrollment information fully and accurately. Penalties may include notice of dis-enrollment or revocation of Medicare enrollment, which could result in a lapse in enrollment, leaving a non-compliant SNF unable to submit claims or receive reimbursements.
The updated 855A requires SNFs to disclose all ownership interest and managing control information on the new SNF Attachment, rather than in Sections 5 and 6 as previously required. SNFs will no longer fill out Sections 5 and 6 and instead must check a box in each section which states “Check here if you are a Skilled Nursing Facility and skip this section.”
The new SNF Attachment requires far more information and detail than previously required by Sections 5 and 6. While some of the disclosures previously required in these sections have carried over to the new SNF Attachment, there are several additional requirements. SNFs must now disclose:

All members of their governing body irrespective of business type;
If the SNF is an LLC, all owners must be reported regardless of ownership percentage;
If the SNF is a trust, all trustees;
All Additional Disclosable Parties (ADPs); and
Certain additional information about each ADP.

An Additional Disclosable Party (ADP) is defined broadly to include any person or entity that:

Exercises operational, financial, or managerial control over any part of the SNF,
Provides policies or procedures for any of the SNF’s operations,
Provides financial or cash management services to the SNF,
Leases or subleases real property to the SNF or owns a whole or part interest equal to at least 5% of the total value of property leased by the SNF,
Provides management or administrative services to the SNF,
Provides clinical consulting services to the SNF, and/or
Provides accounting or financial services to the SNF.

There is no minimum threshold for how long the ADP must have furnished the services, the extent of involvement with the SNF’s operations, or the volume of furnished services. If a person or entity performed any of the above-listed services, for any period of time, they must be disclosed as an ADP.
Furthermore, CMS has made it abundantly clear that SNFs should err on the side of disclosure if they are uncertain as to whether a party qualifies as an ADP. Additional information can be found in CMS Guidance for SNF Attachment on Form CMS-855A.
At approximately the same time SNFs were expected to be gathering the information to complete the new disclosures, CMS posted an appeal for regulatory relief titled “Unleashing Prosperity Through Deregulation of the Medicare Program Request for Information” (Medicare Deregulation RFI). Through this RFI, CMS asks for input “on approaches and opportunities to streamline regulations and reduce administrative burdens on providers, suppliers, beneficiaries, Medicare Advantage and Part D plans, and other stakeholders participating in the Medicare program . . . [in an] effort[ ] to reduce unnecessary administrative burdens and costs, and create a more efficient healthcare system. . .” Commenters are asked to identify “specific Medicare administrative processes, quality, or data reporting requirements, that could be automated or simplified to reduce the administrative burden on facilities and providers,” “changes [that could] be made to simplify Medicare reporting and documentation requirements without affecting program integrity,” and “documentation or reporting requirements within the Medicare program that are overly complex or redundant.” Some SNF industry stakeholders are looking at the RFI as an opportunity to get the Trump Administration to at least decrease the complexity of the increased SNF reporting requirements, if not eliminate as a redundant, duplicative and unnecessary administrative burden that will create financial strain on SNFs. 

New Executive Order on HBCUs Establishes Initiative to ‘Promote Excellence And Innovation’

On April 23, 2025, President Donald Trump issued an executive order (EO) that moved a long-standing presidential initiative focused on supporting Historically Black Colleges and Universities (HBCUs) from the U.S. Department of Education to the White House.

Quick Hits

On April 23, President Trump issued a new EO designed to “elevate the value and impact of our nation’s HBCUs as beacons of educational excellence and economic opportunity that serve as some of the best cultivators of tomorrow’s leaders in business, government, academia, and the military.”
The EO establishes an initiative—“the White House Initiative on Historically Black Colleges and Universities”—“housed in the Executive Office of the President and led by an Executive Director designated by the President.”
There are approximately one hundred HBCUs in the United States. Although HBCUs were originally founded to educate Black students, they now enroll students who are not Black.

The executive order establishes the White House Initiative on Historically Black Colleges and Universities under the executive office of the president, to be led by an executive director designated by the president. The executive order outlines two primary missions for the initiative: (1) increasing the private-sector role, including the role of private foundations, in strengthening and further supporting HBCUs; and (2) enhancing HBCUs’ capabilities to serve the country’s young adults. Specifically, the executive order calls for increasing the private-sector role in:

assisting HBCUs with “institutional planning and development, fiscal stability, and financial management”;
“upgrading institutional infrastructure, including the use of technology”; and
“providing professional development opportunities for HBCU students to help build America’s workforce in technology, healthcare, manufacturing, finance, and other high-growth industries.”

In addition, the executive order calls for enhancing HBCUs’ capabilities to serve the country’s young adults by:

“fostering private-sector initiatives and public-private and philanthropic partnerships to promote centers of academic research and program excellence at HBCUs”;
“partnering with private entities and [K-12] education stakeholders to build a pipeline of students that may be interested in attending HBCUs”;
“addressing efforts to promote student success and retention at HBCUs, including college affordability, degree attainment, campus modernization, and infrastructure improvements.”

The executive order establishes, within the U.S. Department of Education, a board, referred to as “the President’s Board of Advisors on Historically Black Colleges and Universities.” The board is to be comprised of current HBCU presidents and representatives in philanthropy, education, business, finance, entrepreneurship, innovation, and private foundations. The board is tasked with advising the president on matters pertaining to the HBCU PARTNERS Act, which became law in 2020.
Furthermore, the initiative will organize an annual White House summit on HBCUs “to discuss matters related to the [i]nitiative’s missions and functions.”
While the executive order does not specifically identify or otherwise promise funding for the initiative, the White House also released a fact sheet that references HBCU-related funding secured during President Trump’s first term.

Financial Institutions May Have Civil and Criminal Exposure for Knowingly or Unknowingly Assisting Customers Who Support Terrorist Activities

While there have been numerous shifts in government enforcement priorities in the past three months, there does appear to be one area where the status quo has remained the same. This new administration has made it clear that preventing financial institutions from working with terrorist organizations remains a top concern. While the administration has added “new” entities to its lists in the form of drug cartels and other nefarious groups, none of this changes the fact that it is as important as ever for banks and similar financial institutions to maintain effective compliance to avoid the government’s crosshairs. Moreover, if one of these banned entities does become inadvertently involved with a financial institution, it is equally as important to know how to get in front of the issue to mitigate the relevant and serious risk. 
For decades, terrorist organizations have tried to access the U.S. financial system to fund their terrorist operations around the world. Terrorist organizations and other criminals use various strategies to conceal the nature of their activities, including money laundering and structuring. The U.S. government has multiple tools for combatting terrorists’ abuse of the U.S. financial system. Congress enacted the Currency and Foreign Transaction Reporting Act of 1970, as amended (referred to as the Bank Secrecy Act or BSA) to monitor the source, volume, and flow of currency and other monetary instruments through the U.S. financial system to detect and prevent money laundering and other criminal activities. After the terrorist attacks on Sept. 11, 2001, Congress strengthened the BSA framework through the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001. Among other things, the USA PATRIOT Act targeted terrorist financing and enhanced enforcement mechanisms to combat it. Indeed, there are numerous other statutes and regulations that may come into play in cases involving terrorist financing. Those statutes and regulations rely heavily on U.S. financial institutions to identify and report bad actors. 
The risks involved when banks fail to follow these statutes and regulations are severe, and this GT Advisory summarizes the current laws that the government uses to try to eliminate terrorist organizations’ ability to move funds for their nefarious activities. U.S. financial institutions and their employees have substantial exposure if they knowingly or unknowingly assist customers in supporting or financing terrorist activities. As mentioned above, while the new administration is changing the way the government addresses the threat of terrorist funding in some ways, the basic tools used in detecting and prosecuting remain largely the same. Some of the government’s tools that should be considered in creating effective compliance for financial institutions include the following. 
1. Terrorist Support and Financing Violations
The most powerful tool in U.S. law enforcement’s quiver in curbing terrorist financing involves statutes proscribing the provision of material support to designated terrorist organizations. The government can prosecute individuals and entities that facilitate or finance terrorism under multiple statutes: (i) 18 U.S.C. § 2339A, which prohibits persons from providing material support or resources, including financial services, knowing that they will be used in preparation for or in carrying out certain predicate offenses associated with terrorism; (ii) 18 U.S.C. § 2339B, which prohibits knowingly providing material support to designated foreign terrorist organizations; and (iii) 18 U.S.C. § 2339C, which prohibits providing or collecting funds with the knowledge or intention that they will be used to carry out a terrorist attack. The statutes are complex, but it is important to note that conspiring to commit terrorism or aiding and abetting the commission of terrorism are punishable as if the person has committed the crime himself. Moreover, under 18 U.S.C.§ 2339C, an individual or entity can be prosecuted for concealing the nature, location, source ownership, or control over any material support or resources knowing that they will be or were provided to support terrorist activity. All of these statutes include severe criminal penalties for individuals and entities. These statutes apply to banks and other financial institutions similarly to how they would apply to anyone that helps known terrorists and, consequently, contain penalties to reflect the severity of the underlying conduct.
More specifically, under 18 U.S.C. § 2339B, if a financial institution becomes aware that it has possession of or control over funds of a foreign terrorist organization or its agent, the financial institution is required to retain possession or control over the funds and report the existence of the funds to the Secretary of Treasury in accordance with the regulations. The failure to do so may result in a civil penalty equal to the greater of $50,000 per violation or twice the value of the funds over which the financial institution was supposed to retain possession or control. The material support statute specifically states that it applies extraterritorially, meaning that the law reaches individuals, companies, and conduct that is normally beyond the reach of U.S. jurisdiction. Since the statute’s inception, U.S. courts have affirmed criminal convictions and civil penalties based on its broad extraterritorial reach.
2. IEEPA Violations
While not as chilling as the threat of being charged as supporting terrorism, the executive branch also can use its emergency powers to curb and punish financial institutions that conduct transactions with designated terrorists. This issue of emergency powers has been in the news recently because of the current administration’s discussion of using these powers to curb narcotics trafficking by targeting the various drug cartels. 
Specifically, the International Emergency Economic Powers Act (IEEPA) delegates authority to the president of the United States to regulate financial transactions to address threats following the declaration of a national emergency. As mentioned above, President Trump has issued multiple executive orders (EOs) designating terrorists or terrorist groups. The EOs prohibit U.S. persons from engaging in transactions with the designated terrorists or terrorist groups. The Office of Foreign Assets Control (OFAC) enforces sanctions against U.S. persons or non-U.S. persons with a U.S. nexus who deal with designated terrorists or terrorist groups. Financial institutions must notify OFAC of any blocked transactions and file an annual report. A financial institution that willfully violates an executive order or IEEPA implementing regulation may be charged criminally. The fines for a financial institution found to have violated these orders may be high and also involve potentially damaging collateral effects, such as debarment. 
3. Money Laundering
While money laundering has always been a relevant risk for financial institutions, in light of the new administration’s views on stopping both terrorism and narcotics trafficking, the industry should expect that the administration will pursue these laundering cases with greater zeal than the prior one. If a U.S. financial institution or its employees willfully assist a customer in laundering money, the government may charge the financial institution or its employees with conspiracy to commit money laundering. While laundering may occur throughout the United States in any location where a nefarious individual is trying to hide ill-gotten proceeds, the increased focus on international criminal and terrorist activities will result in greater detection of laundered amounts and, consequently, much higher fines. 
The government may also charge international money laundering in terrorist financing cases. International money laundering is sometimes referred to as “reverse money laundering” because it involves the transfer of legitimate funds abroad for an illegal purpose. 18 U.S.C. § 1956(a)(2)(A) prohibits the transport, transmission, or transfer of funds and monetary instruments of funds from the United States to a place outside of the United States with the intent to promote a specified unlawful activity. Specified unlawful activities include the terrorism material support offenses, IEEPA violations, and other criminal activities connected to terrorism. 
Most importantly, money laundering is something that a financial institution is legally required to take steps to detect and prevent. These efforts will never be perfect but taking steps to enact effective compliance is critical to mitigating the risk of fines and penalties and, in some circumstances, may even change charging decisions. Effective compliance programs that are continuously reviewed and improved are key to mitigating the risk of fines and penalties if cases like the ones discussed above arise.
4. BSA Violations
Similar to the money laundering issues discussed above, the Bank Secrecy Act (BSA) creates challenges for financial institutions that may increase over the coming years. The BSA imposes substantial reporting and due diligence requirements on financial institutions to prevent abuse of the U.S. financial system. Among other requirements, each financial institution must: (i) develop and implement an effective anti-money laundering (AML) program; (ii) file and retain records of currency transaction reports (CTRs) to report cash transactions of $10,000 or more; (iii) file and retain records of suspicious activity reports (SARs) where the financial institution knows, suspects, or has reason to suspect, inter alia, that the money was from an illegal source or the transaction occurred in connection with a plan to violate federal law or evade reporting requirements; (iv) file and retain records of Reports of International Transportation of Currency or Monetary Instruments (CMIRs) to report the transportation of currency or monetary instruments exceeding $10,000 to or from the United States; and (v) adopt customer identification procedures and perform other due diligence measures. The BSA rules are administered by the Financial Crimes Enforcement Network (FinCEN), the Internal Revenue Service (IRS), and the federal banking agencies including the Federal Deposit Insurance Corporation, the Office of the Comptroller of Currency, and the National Credit Union Administration.
The penalties for violating BSA requirements can be severe. Potentially applicable penalties include:

Criminal Liability for Financial Institutions or Employees Who Willfully Violate BSA Reporting Requirements – A person, including a bank employee, who willfully violates the BSA reporting requirements may be subject to five years in prison and a fine of up to $250,000. The criminal penalties are increased to 10 years in prison and a fine of up to $500,000 where the person commits the BSA reporting violation in connection with another crime or engages in a pattern of illegal conduct. 
Structuring Violations – A person who structures, attempts to structure, or assists in structuring any transaction with one or more domestic financial institutions to evade a BSA reporting requirement may be guilty of a crime. Structuring involves willfully breaking a payment into smaller amounts so that they fall under the reporting threshold. Structuring is punishable by up to five years in prison and a fine of up to $250,000. Like the reporting penalties, the criminal penalties for structuring are increased to up to 10 years in prison and a fine of up to $500,000 where the person commits structuring in connection with another crime or engages in a pattern of illegal conduct exceeding more than $100,000 in a 12-month period.  
Civil Penalties – The secretary of the Treasury may impose a civil penalty of $500 for a negligent violation of the recordkeeping requirements in the BSA. The penalty can be increased by up to $50,000 where there is a pattern of negligent violations. Where a financial institution engages in certain international money-laundering violations, the secretary of Treasury may impose a penalty equal to the greater of two times the value of the transaction or $1,000,000. 
Where a financial institution’s failure to satisfy the recordkeeping requirement is willful, the civil penalty is equal to the greater of the value of the transaction or $25,000, up to a maximum of $100,000. The penalty is applied for each day the violation continues on each branch or place of business. Therefore, the civil penalties can increase significantly. The civil penalty can apply in addition to any criminal penalties. 
Egregious Violator – Where an individual willfully commits a BSA violation and the violation either facilitated money laundering or terrorist financing (i.e. the individual is an “egregious violator”), the individual is prohibited from serving on the board of directors of a U.S. financial institution for a period of 10 years commencing on the date of the conviction or judgment.

5. Internal Revenue Code Currency Violations
The Internal Revenue Service frequently uses information gathered under the BSA reporting requirements to determine if taxpayers are compliant with their U.S. tax reporting obligations. Large transfers of cash are not per se illegal; however, they may be an indicator of fraud for tax purposes. Therefore, the IRS has a strong interest in financial institutions filing timely and accurate CTRs. To this end, the Internal Revenue Code includes a parallel statute that addresses the failure to file or the filing of inaccurate CTRs. The following penalties may apply under 26 U.S.C. § 6050I:

Criminal Liability for Willful Failure to File a CTR – Any person who willfully fails to file a CTR is guilty of a felony punishable with up to five years in prison and a fine of up to $25,000 (or $100,000 in the case of a corporation). 
Criminal Liability for Willfully Filing a False CTR – Any person who willfully files a false CTR is guilty of a felony publishable with up to three years in prison or a fine of up to $100,000 (or $500,000 in the case of a corporation).  
Criminal Liability for Structuring – The Internal Revenue Code includes its own criminal provision for structuring violations. A person who structures or assists in structuring may be publishable with the same penalties that apply to a person who fails to file or files an incorrect CTR.  
Criminal Liability for Willfully Aiding or Assisting in Preparing a False CTR – Any person who aids, assists, counsels, or advises in the preparation of a false CTR is guilty of a felony punishable with up to three years in prison or a fine of up to $100,000 (or $500,000 in the case of a corporation). 
Civil Penalty – The civil penalty for failure to file or filing an incorrect CTR is equal to the greater of $25,000 or the amount of cash received in the transaction, up to a maximum of $100,000. 

6. Forfeiture Actions
In addition to civil and criminal penalties, the government can use civil and criminal forfeiture statutes to seize the property related to terrorism or money-laundering violations. This includes proceeds of the criminal activity, funds used to facilitate the criminal activity, and in some circumstances, legitimate funds that have been knowingly commingled with illegal funds. Where the illegal funds are being held abroad, the government may be able to seize assets held in correspondent accounts that foreign financial institutions maintain in the United States as a substitute. 
7. Loss of Bank Charter or Removal from Banking Activities
In addition to the civil and criminal penalties that can apply, federal banking agencies have the authority to revoke bank charters and prohibit bank employees from engaging in further banking activities. Equally concerning are the various state banking regulators that can also revoke a financial institution’s charter for violations of federal laws. Because of the regulated nature of financial institutions, the ramifications of any of the violations mentioned above, even if not particularly egregious, have the potential to cause irreparable harm to the institution. 
Conclusion
The government has numerous tools to penalize financial institutions or their employees for knowingly and unknowingly assisting customers with supporting or financing terrorism. As the strategies that terrorists use to access the U.S. financial systems continue to evolve, financial institutions may wish to consult with their advisors on the best way to prevent violations.

Blockchain+ Bi-Weekly; Highlights of the Last Two Weeks in Web3 Law: April 24, 2025

The last two weeks have seen federal agencies continue refining their approach to the digital asset industry, while state regulators are beginning to play a more prominent role—even as the overall pace of development appears to be slowed. With the SEC stepping back from non-fraud enforcement, Oregon’s lawsuit against Coinbase highlights a potential shift toward increased state-level activity.
At the federal level, the SEC issued new guidance on registering crypto-related securities, the House held hearings on digital asset market structure, and the DOJ released a memo calling on prosecutors to “end regulation by prosecution”—underscoring a growing federal priority to focus enforcement on fraud and consumer protection rather than taking a broad adversarial stance toward the industry. Other notable developments include Illinois advancing a BitLicense 2.0 proposal, OpenSea seeking SEC guidance on NFT regulations, and Ripple moving to acquire global credit network Hidden Road.
These developments and a few other brief notes are discussed below.
Oregon Sues Coinbase Over Alleged State Securities Laws Violations: April 17, 2025
Background: Oregon’s state attorney general has brought a lawsuit against Coinbase, alleging the exchange has violated Oregon state securities laws through listings of certain assets alleged to be securities under Oregon law. Coinbase has released a statement claiming, “Oregon’s holdout campaign is obstruction for the sake of obstruction. It is a desperate scheme that does nothing to move the crypto conversation forward, and in fact takes us a giant leap backwards from hard-won progress.”
Analysis: As anticipated, states and private litigants are beginning to fill the securities litigation gap left by the SEC’s decision to drop its pending and threatened cases against digital asset participants in favor of pursuing a statutory and rulemaking-based framework. Oregon’s lawsuit, which names 31 assets as “unregistered securities,” is notable—especially as other states withdrew similar actions following the SEC’s retreat in the Coinbase matter. This latest development underscores that, despite federal de-escalation, litigation against exchanges remains an ongoing issue for the industry.
SEC Issues Guidance on How to Register Securities that Involve Crypto: April 10, 2025
Background: Much of the focus at the SEC post-Gensler has been on releasing guidance on what crypto offerings are not securities (memecoins, stablecoins, etc.). The SEC Division of Corporation Finance has now put out guidance for issuers whose securities involve crypto assets on how federal securities law disclosure requirements apply. It recognizes that issuers may offer equity or debt securities as part of operations related to networks, applications, and crypto assets, and highlights the need for tailored, clear, and consistent disclosure aligned with existing rules (e.g., Regulation S-K, Forms S-1, 10, 20-F, and 1-A). Key disclosure elements include a focused description of the issuer’s business and developmental milestones, potential risks (such as technological, regulatory, and liquidity risks), a complete description of the securities (including any unique features and technical specs), and information on directors, executive officers, and significant employees (or third parties) performing policy-making functions.
Analysis: Tokenized securities are coming to traditional finance. Major actors in the traditional financial world are already preparing for that eventuality. Most digital assets are not securities, but many securities could be better handled through addendum only ledger technology rather than a seemingly endless number of middlemen all getting their cut to make sure none of the other middlemen are cheating the consumer. So, while the SEC and Congress work through determining which digital assets are securities and which are something else, this is a good step to allow innovative companies to start registering tokenized products.
Market Structure Hearings Held in House of Representatives: April 9, 2025
Background: The House Financial Services Committee’s Digital Asset Subcommittee and the House Agriculture Committee’s Digital Asset Subcommittee both held hearings on how to approach an overarching market structure for digital assets now that stablecoins seem to be on the fast track to regulatory standards. There is a broad consensus that digital assets that are securities need to be provided a way to register with the SEC and abide by SEC rules that aren’t so onerous that the registration process kills any value of the product.
Analysis: You can probably read the statements from witnesses Bill Hughes, Chris Brummer, and Rodrigo Seira to get the gist of where the focus should be for digital asset regulation. Both hearings had a noticeable focus on use cases for digital assets. We are still waiting for what the market structure bill will look like. It will be close to FIT21, previously passed through the House Financial Services Committee, but we don’t know how close it will be yet, as there were noticeable weaknesses in the bill. Draft language is expected to be public soon, though, and all expectations are for the determining factor between securities offerings and non-securities offerings to focus on “control” as opposed to “decentralization,” which was the focus of last year’s bill.
DOJ Releases Memo “Ending Regulation by Prosecution”: April 7, 2025
Background: Deputy Attorney General Todd Blanche has issued a memorandum to Department of Justice employees with the subject reading “Ending Regulation by Prosecution,” where he states, “Consistent with President Trump’s directives and the Justice Department’s priorities, the Department’s investigations and prosecutions involving digital assets shall focus on prosecuting individuals who victimize digital asset investors or those who use digital assets in furtherance of criminal offenses…” The memo clarifies that the DOJ is not going to focus efforts on exchanges or wallets for the actions of third-parties, and is not the regulator of alleged unregistered money transmission laws. It also disbands the National Cryptocurrency Enforcement Team, which was responsible for most current investigations and prosecutions in the space over the last few years.
Analysis: Note that this memorandum does not include guidance not to prosecute alleged violations of 18 U.S.C. 1960(b)(1)(C), which involves allegations of transmitting funds that are “knowingly” the product of criminal offenses and is the heart of the Roman Storm and Samuri Wallet developer cases. Interestingly, the memo calls out the issue of how digital asset losses are calculated when trying to compensate victims (a not-so-subtle reference to FTX depositors getting ~$20,000 per Bitcoin lost when Bitcoin was worth quadruple that by the time repayments happened). Not sure if there is a solution to this other than making people choose early in the process if they want in-kind or value of asset at time of theft. Unfortunately for Do Kwon, even with this DOJ pivot, his suit will remain ongoing.
Briefly Noted:
Paul Atkins Sworn in as SEC Chair: Paul Atkins has finally been sworn in as SEC Chair, marking the formal start of a new era for the Commission. The agency remained active in redefining its priorities throughout his confirmation process, and Atkins was widely understood to be in alignment with the key decisions made during that period. With his swearing-in now complete, he is positioned to implement a full regulatory agenda and set the tone for the post-Gensler SEC—potentially accelerating shifts in enforcement priorities, rulemaking, and digital asset policy.
Illinois Looking to Pass BitLicense 2.0: An Illinois bill is gaining traction and is expected to pass, which would enact similar onerous reporting and registration requirements as the New York BitLicense. With the combination of the Oregon lawsuit discussed above, this further emphasizes the need for comprehensive regulations at a federal level to prevent fractionalized and contradictory rules.
OpenSea Open Letter: OpenSea has submitted a public letter to the SEC advocating for NFT marketplaces to be carved out of broker/dealer registration requirements with the SEC. It is clear that even with NFTs decline, they are still a crucial part of the ecosystems that need regulatory guidance. 
Nova Labs Lawsuit Dismissed: Nova Labs (the developer behind Helium Network) was sued in the last days before Gensler resigned, and that lawsuit has now been dismissed with prejudice. So this ordeal actually ended up good for them since the lawsuit being brought and then dismissed in this way prevents any future lawsuit over the same allegations from the agency.
Hinman Cleared by Office of Inspector General: Former Corporation Finance Director Bill Hinman has been cleared of allegations that his infamous speech was the result of insider dealings.
$1.2 Billion M&A Deal: Ripple is reportedly acquiring global credit network Hidden Road for $1.25 billion. This is reportedly an effort to give functionality to Ripple’s stablecoin, RLUSD, in traditional finance for cross-border settlements.
MEV Submission: Really great work from the team at Paradigm explaining how MEV works and what the SEC should consider in regulation in light of those technical realities. Good stuff.
DOJ Memo Confirmed Not Applicable for Fraud: As stated above, the DOJ memo regarding cutting down on criminal actions for crypto actors is not a get out of jail free card for past (alleged) frauds.
SEC Roundtable on Crypto Custody: The SEC has announced the time and speakers in its next crypto roundtable on custody. It remains great to see as many of these conversations as possible happen in public.
Phantom Wallet Lawsuit: It looks like an attorney is suing the wallet developer where he held certain memecoins he created, but which were stolen through his computer being compromised. This will be something worth following, especially if wallet developers are regulated under a market structure bill or similar legislation.
Conclusion:
The last two weeks have been relatively quiet in terms of crypto legal development. With the SEC pivoting away from prosecuting non-fraud crypto cases, state regulators have begun stepping into that role, most notably with Oregon suing Coinbase over alleged violations of state securities laws. At the federal level, the SEC provided guidance on registering securities that include crypto assets, the House of Representatives held market structure hearings, while the DOJ aimed to “end regulation by prosecution.”

Mitigation Grant Program Offers Benefits to Homeowners and Communities

The Federal Home Loan Bank (FHLB) of Dallas FORTIFIED Fund Grant Program is entering its third year of operation with more capacity than ever before. The program provides grants through FHLB Dallas members to help income-qualified homeowners install FORTIFIED Roof systems designed to prevent damage from hurricanes, high winds, and other severe weather events.
Funding
The FORTIFIED Fund Grant Program began in 2023 with FHLB Dallas making $1.75 million in grant funds available. In 2024, FHLB Dallas increased the amount to $4 million. Both years, the funds were exhausted. This year, $10 million has been allocated to the FORTIFIED Fund. As of April 18, 2025, $9,131,285 remained available.
Application Process
FHLB Dallas began accepting grant applications on April 15, and the offering will remain open until June 13. Applications are reviewed on a first-come, first-served basis. In the event funds remain available, a second offering will open July 7 and remain open until October 31, or until funds are exhausted. All applications must be submitted by FHLB Dallas member institutions and may request up to $500,000 for up to 50 preapproved households. Grants are capped at $15,000 per home for roof renovations and $7,500 per home for new construction. Members may work with an intermediary organization to identify and qualify households, find roofers and evaluators, and facilitate payments to appropriate parties. Alternatively, members may assume these responsibilities themselves. Application forms and required documentation are available from FHLB Dallas.
FORTIFIED Roof Standards
The FORTIFIED Fund Grant Program helps homeowners replace or upgrade their roofs to meet FORTIFIED Roof standards established by the Insurance Institute for Business & Home Safety (IBHS), an independent, nonprofit scientific research and communications organization. IBHS’s building safety research helps to create more resilient communities. FORTIFIED is a nationally recognized set of construction methods to retrofit or build a home, business, or multifamily development designed to prevent damage that commonly occurs during high winds, hurricanes, hailstorms, severe thunderstorms, and tornadoes up to EF-2. FORTIFIED is based on decades of research, testing, and observations by IBHS. FORTIFIED Roof standards have specific requirements beyond what is required by most building codes that provide a high level of protections from storms.
FORTIFIED Benefits
It is well recognized within the construction and insurance industries that regardless of the type of roof — shingles, metal, or tile — FORTIFIED Roof requirements (including stronger edges, better attachment, sealed roof deck, and impact-resistant shingles) make a home stronger. It has been proven effective repeatedly in real-world severe weather events, lowering insurance premiums and adding financial value. For example, during the record-breaking 2020 hurricane season (hurricanes Laura, Sally, Delta, and Zeta), approximately 95% of the nearly 17,000 FORTIFIED homes impacted by hurricanes experienced little to no damage and had no insurance claims. Additionally, homes with a FORTIFIED designation generally receive discounts/credits on the wind portion of their homeowner’s insurance premium that could be as great as 55% in some states. Furthermore, studies have shown that FORTIFIED homes sell for nearly 7% more than non-FORTIFIED homes.
Eligibility Criteria
The FORTIFIED Fund Grant Program targets owner-occupied, income-qualified primary residences within the FHLB Dallas District, Arkansas, Louisiana, Mississippi, New Mexico, and Texas. Households must meet specific income limitations (120% or less of Area Median Income) and comply with IBHS standards for FORTIFIED Roof systems. All homes included in applications must be precertified as eligible to receive a FORTIFIED Roof by an IBHS-certified evaluator. Documentation requirements include proof of income, homeownership, and compliance with FORTIFIED standards.
Grant Funds
Grant funds are disbursed to FHLB Dallas member institutions prior to renovations for the member to disburse to contractors and evaluators as roofs are completed and certified. FORTIFIED Fund grants can cover costs associated with the pre- and post-construction evaluations to verify that FORTIFIED compliance standards are met. Also, grant funds can be used to cover intermediary fees for roof renovations. Intermediary fees are paid to organizations for their work in sourcing applicants and identifying contractors. These fees are included in the $15,000-per-home maximum grant. Any funds not used in accordance with program requirements must be returned to FHLB Dallas.
Conclusion
While the FORTIFIED Fund Grant Program application process and rules may at first glance appear somewhat daunting, it may be worth the time and effort to consider the opportunities presented by the program. Members not already participating in the program may wish to start with a modest number of homes and plan for greater participation in subsequent years, as indications are that FHLB Dallas will continue the program in the future.