North Dakota Expands Data Security Requirements and Issues New Licensing Requirements for Brokers
On April 11, North Dakota enacted HB 1127, overhauling its regulatory framework for financial institutions and nonbank financial service providers. The law amends multiple chapters of the North Dakota Century Code and creates a new data security mandate for financial corporations—a category that includes non-depository entities regulated by the Department of Financial Institutions (DFI). It also expands the licensing requirement for brokers to include “alternative financing products,” potentially impacting a broad array of fintech providers.
The law introduces sweeping data protection obligations for nonbank financial corporations through new requirements created in Chapter 13-01.2. Specifically, covered entities must:
Implement an information security program. This includes administrative, technical, and physical safeguards, based on a written risk assessment.
Designate a qualified individual. Each financial corporation must designate a qualified individual responsible for overseeing the security program and report annually to its board or a senior officer.
Conduct regular testing. Annual penetration tests and biannual vulnerability assessments are mandatory unless continuous monitoring is in place.
Secure consumer data. Encryption of data in transit and at rest is required unless a compensating control is approved. Multifactor authentication is also mandatory.
Notify regulators of breaches. A data breach involving 500 or more consumers must be reported to the Commissioner within 45 days.
The bill also amends North Dakota’s broker licensing laws to authorize the DFI to classify certain alternative financing arrangements as “loans.”
Putting It Into Practice: Of the many amendments here, North Dakota’s expansion of licensing requirements for brokers of alternative financing products may have the biggest impact for institutions, especially fintechs.
Pushback of Deadline for SNFs to Submit Significantly More Detailed Ownership and Control Information in New “SNF Attachment” to CMS Form 855A
With newly confirmed Dr. Mehemet Oz at its helm, the Centers for Medicare & Medicaid Services (CMS) maintained but delayed the deadline for its requirement that Skilled Nursing Facilities (SNFs) to report significantly expanded information to CMS about the ownership, management and relationships with private equity (PE) and real estate investment trusts (REIT), and newly defined “additional reportable parties” (ADPs).
Scheduled to take effect on May 1, 2025, CMS recently announced a three-month reprieve, pushing the deadline back to August 1, 2025. This comes at the same time that CMS is seeking suggestions on lowering the Medicare regulatory burden and simplifying Medicare reporting requirements.
The delay announcement came as a surprise since, as recently as Friday, April 11, CMS reminded SNFs about the May 1 deadline that was fast-approaching for the Off-cycle SNF Revalidation of all Medicare-enrolled SNFs. Originally issued on October 1, 2024, every SNF was required to complete the new Form 855A that was designed to improve transparency and accuracy in SNF enrollment data under new reporting rules that were finalized by CMS in the Medicare and Medicaid Programs; Disclosures of Ownership and Additional Disclosable Parties Information for Skilled Nursing Facilities and Nursing Facilities; Medicare Providers’ and Suppliers’ Disclosure of Private Equity Companies and Real Estate Investment Trusts, on November 17, 2023.
Effective October 1, 2024, CMS added the new “SNF Attachment” to Form 855A, the Medicare Enrollment Application for Institutional Providers. All SNFs must now revalidate CMS enrollment by submitting the updated form by August 1, 2025. Medicare-enrolled SNFs should have received a revalidation notice by the end of the calendar year 2024. Even if the letter got lost in the mail, CMS expects every Medicare enrolled SNF to contact their Medicare Administrative Contractor (MAC) to ensure they revalidate their enrollment before August 1, 2025, or risk what will be serious consequences.
CMS set the bar for disclosures high, and the consequences will be swift and painful for SNFs that fail to report enrollment information fully and accurately. Penalties may include notice of dis-enrollment or revocation of Medicare enrollment, which could result in a lapse in enrollment, leaving a non-compliant SNF unable to submit claims or receive reimbursements.
The updated 855A requires SNFs to disclose all ownership interest and managing control information on the new SNF Attachment, rather than in Sections 5 and 6 as previously required. SNFs will no longer fill out Sections 5 and 6 and instead must check a box in each section which states “Check here if you are a Skilled Nursing Facility and skip this section.”
The new SNF Attachment requires far more information and detail than previously required by Sections 5 and 6. While some of the disclosures previously required in these sections have carried over to the new SNF Attachment, there are several additional requirements. SNFs must now disclose:
All members of their governing body irrespective of business type;
If the SNF is an LLC, all owners must be reported regardless of ownership percentage;
If the SNF is a trust, all trustees;
All Additional Disclosable Parties (ADPs); and
Certain additional information about each ADP.
An Additional Disclosable Party (ADP) is defined broadly to include any person or entity that:
Exercises operational, financial, or managerial control over any part of the SNF,
Provides policies or procedures for any of the SNF’s operations,
Provides financial or cash management services to the SNF,
Leases or subleases real property to the SNF or owns a whole or part interest equal to at least 5% of the total value of property leased by the SNF,
Provides management or administrative services to the SNF,
Provides clinical consulting services to the SNF, and/or
Provides accounting or financial services to the SNF.
There is no minimum threshold for how long the ADP must have furnished the services, the extent of involvement with the SNF’s operations, or the volume of furnished services. If a person or entity performed any of the above-listed services, for any period of time, they must be disclosed as an ADP.
Furthermore, CMS has made it abundantly clear that SNFs should err on the side of disclosure if they are uncertain as to whether a party qualifies as an ADP. Additional information can be found in CMS Guidance for SNF Attachment on Form CMS-855A.
At approximately the same time SNFs were expected to be gathering the information to complete the new disclosures, CMS posted an appeal for regulatory relief titled “Unleashing Prosperity Through Deregulation of the Medicare Program Request for Information” (Medicare Deregulation RFI). Through this RFI, CMS asks for input “on approaches and opportunities to streamline regulations and reduce administrative burdens on providers, suppliers, beneficiaries, Medicare Advantage and Part D plans, and other stakeholders participating in the Medicare program . . . [in an] effort[ ] to reduce unnecessary administrative burdens and costs, and create a more efficient healthcare system. . .” Commenters are asked to identify “specific Medicare administrative processes, quality, or data reporting requirements, that could be automated or simplified to reduce the administrative burden on facilities and providers,” “changes [that could] be made to simplify Medicare reporting and documentation requirements without affecting program integrity,” and “documentation or reporting requirements within the Medicare program that are overly complex or redundant.” Some SNF industry stakeholders are looking at the RFI as an opportunity to get the Trump Administration to at least decrease the complexity of the increased SNF reporting requirements, if not eliminate as a redundant, duplicative and unnecessary administrative burden that will create financial strain on SNFs.
New Executive Order on HBCUs Establishes Initiative to ‘Promote Excellence And Innovation’
On April 23, 2025, President Donald Trump issued an executive order (EO) that moved a long-standing presidential initiative focused on supporting Historically Black Colleges and Universities (HBCUs) from the U.S. Department of Education to the White House.
Quick Hits
On April 23, President Trump issued a new EO designed to “elevate the value and impact of our nation’s HBCUs as beacons of educational excellence and economic opportunity that serve as some of the best cultivators of tomorrow’s leaders in business, government, academia, and the military.”
The EO establishes an initiative—“the White House Initiative on Historically Black Colleges and Universities”—“housed in the Executive Office of the President and led by an Executive Director designated by the President.”
There are approximately one hundred HBCUs in the United States. Although HBCUs were originally founded to educate Black students, they now enroll students who are not Black.
The executive order establishes the White House Initiative on Historically Black Colleges and Universities under the executive office of the president, to be led by an executive director designated by the president. The executive order outlines two primary missions for the initiative: (1) increasing the private-sector role, including the role of private foundations, in strengthening and further supporting HBCUs; and (2) enhancing HBCUs’ capabilities to serve the country’s young adults. Specifically, the executive order calls for increasing the private-sector role in:
assisting HBCUs with “institutional planning and development, fiscal stability, and financial management”;
“upgrading institutional infrastructure, including the use of technology”; and
“providing professional development opportunities for HBCU students to help build America’s workforce in technology, healthcare, manufacturing, finance, and other high-growth industries.”
In addition, the executive order calls for enhancing HBCUs’ capabilities to serve the country’s young adults by:
“fostering private-sector initiatives and public-private and philanthropic partnerships to promote centers of academic research and program excellence at HBCUs”;
“partnering with private entities and [K-12] education stakeholders to build a pipeline of students that may be interested in attending HBCUs”;
“addressing efforts to promote student success and retention at HBCUs, including college affordability, degree attainment, campus modernization, and infrastructure improvements.”
The executive order establishes, within the U.S. Department of Education, a board, referred to as “the President’s Board of Advisors on Historically Black Colleges and Universities.” The board is to be comprised of current HBCU presidents and representatives in philanthropy, education, business, finance, entrepreneurship, innovation, and private foundations. The board is tasked with advising the president on matters pertaining to the HBCU PARTNERS Act, which became law in 2020.
Furthermore, the initiative will organize an annual White House summit on HBCUs “to discuss matters related to the [i]nitiative’s missions and functions.”
While the executive order does not specifically identify or otherwise promise funding for the initiative, the White House also released a fact sheet that references HBCU-related funding secured during President Trump’s first term.
Financial Institutions May Have Civil and Criminal Exposure for Knowingly or Unknowingly Assisting Customers Who Support Terrorist Activities
While there have been numerous shifts in government enforcement priorities in the past three months, there does appear to be one area where the status quo has remained the same. This new administration has made it clear that preventing financial institutions from working with terrorist organizations remains a top concern. While the administration has added “new” entities to its lists in the form of drug cartels and other nefarious groups, none of this changes the fact that it is as important as ever for banks and similar financial institutions to maintain effective compliance to avoid the government’s crosshairs. Moreover, if one of these banned entities does become inadvertently involved with a financial institution, it is equally as important to know how to get in front of the issue to mitigate the relevant and serious risk.
For decades, terrorist organizations have tried to access the U.S. financial system to fund their terrorist operations around the world. Terrorist organizations and other criminals use various strategies to conceal the nature of their activities, including money laundering and structuring. The U.S. government has multiple tools for combatting terrorists’ abuse of the U.S. financial system. Congress enacted the Currency and Foreign Transaction Reporting Act of 1970, as amended (referred to as the Bank Secrecy Act or BSA) to monitor the source, volume, and flow of currency and other monetary instruments through the U.S. financial system to detect and prevent money laundering and other criminal activities. After the terrorist attacks on Sept. 11, 2001, Congress strengthened the BSA framework through the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001. Among other things, the USA PATRIOT Act targeted terrorist financing and enhanced enforcement mechanisms to combat it. Indeed, there are numerous other statutes and regulations that may come into play in cases involving terrorist financing. Those statutes and regulations rely heavily on U.S. financial institutions to identify and report bad actors.
The risks involved when banks fail to follow these statutes and regulations are severe, and this GT Advisory summarizes the current laws that the government uses to try to eliminate terrorist organizations’ ability to move funds for their nefarious activities. U.S. financial institutions and their employees have substantial exposure if they knowingly or unknowingly assist customers in supporting or financing terrorist activities. As mentioned above, while the new administration is changing the way the government addresses the threat of terrorist funding in some ways, the basic tools used in detecting and prosecuting remain largely the same. Some of the government’s tools that should be considered in creating effective compliance for financial institutions include the following.
1. Terrorist Support and Financing Violations
The most powerful tool in U.S. law enforcement’s quiver in curbing terrorist financing involves statutes proscribing the provision of material support to designated terrorist organizations. The government can prosecute individuals and entities that facilitate or finance terrorism under multiple statutes: (i) 18 U.S.C. § 2339A, which prohibits persons from providing material support or resources, including financial services, knowing that they will be used in preparation for or in carrying out certain predicate offenses associated with terrorism; (ii) 18 U.S.C. § 2339B, which prohibits knowingly providing material support to designated foreign terrorist organizations; and (iii) 18 U.S.C. § 2339C, which prohibits providing or collecting funds with the knowledge or intention that they will be used to carry out a terrorist attack. The statutes are complex, but it is important to note that conspiring to commit terrorism or aiding and abetting the commission of terrorism are punishable as if the person has committed the crime himself. Moreover, under 18 U.S.C.§ 2339C, an individual or entity can be prosecuted for concealing the nature, location, source ownership, or control over any material support or resources knowing that they will be or were provided to support terrorist activity. All of these statutes include severe criminal penalties for individuals and entities. These statutes apply to banks and other financial institutions similarly to how they would apply to anyone that helps known terrorists and, consequently, contain penalties to reflect the severity of the underlying conduct.
More specifically, under 18 U.S.C. § 2339B, if a financial institution becomes aware that it has possession of or control over funds of a foreign terrorist organization or its agent, the financial institution is required to retain possession or control over the funds and report the existence of the funds to the Secretary of Treasury in accordance with the regulations. The failure to do so may result in a civil penalty equal to the greater of $50,000 per violation or twice the value of the funds over which the financial institution was supposed to retain possession or control. The material support statute specifically states that it applies extraterritorially, meaning that the law reaches individuals, companies, and conduct that is normally beyond the reach of U.S. jurisdiction. Since the statute’s inception, U.S. courts have affirmed criminal convictions and civil penalties based on its broad extraterritorial reach.
2. IEEPA Violations
While not as chilling as the threat of being charged as supporting terrorism, the executive branch also can use its emergency powers to curb and punish financial institutions that conduct transactions with designated terrorists. This issue of emergency powers has been in the news recently because of the current administration’s discussion of using these powers to curb narcotics trafficking by targeting the various drug cartels.
Specifically, the International Emergency Economic Powers Act (IEEPA) delegates authority to the president of the United States to regulate financial transactions to address threats following the declaration of a national emergency. As mentioned above, President Trump has issued multiple executive orders (EOs) designating terrorists or terrorist groups. The EOs prohibit U.S. persons from engaging in transactions with the designated terrorists or terrorist groups. The Office of Foreign Assets Control (OFAC) enforces sanctions against U.S. persons or non-U.S. persons with a U.S. nexus who deal with designated terrorists or terrorist groups. Financial institutions must notify OFAC of any blocked transactions and file an annual report. A financial institution that willfully violates an executive order or IEEPA implementing regulation may be charged criminally. The fines for a financial institution found to have violated these orders may be high and also involve potentially damaging collateral effects, such as debarment.
3. Money Laundering
While money laundering has always been a relevant risk for financial institutions, in light of the new administration’s views on stopping both terrorism and narcotics trafficking, the industry should expect that the administration will pursue these laundering cases with greater zeal than the prior one. If a U.S. financial institution or its employees willfully assist a customer in laundering money, the government may charge the financial institution or its employees with conspiracy to commit money laundering. While laundering may occur throughout the United States in any location where a nefarious individual is trying to hide ill-gotten proceeds, the increased focus on international criminal and terrorist activities will result in greater detection of laundered amounts and, consequently, much higher fines.
The government may also charge international money laundering in terrorist financing cases. International money laundering is sometimes referred to as “reverse money laundering” because it involves the transfer of legitimate funds abroad for an illegal purpose. 18 U.S.C. § 1956(a)(2)(A) prohibits the transport, transmission, or transfer of funds and monetary instruments of funds from the United States to a place outside of the United States with the intent to promote a specified unlawful activity. Specified unlawful activities include the terrorism material support offenses, IEEPA violations, and other criminal activities connected to terrorism.
Most importantly, money laundering is something that a financial institution is legally required to take steps to detect and prevent. These efforts will never be perfect but taking steps to enact effective compliance is critical to mitigating the risk of fines and penalties and, in some circumstances, may even change charging decisions. Effective compliance programs that are continuously reviewed and improved are key to mitigating the risk of fines and penalties if cases like the ones discussed above arise.
4. BSA Violations
Similar to the money laundering issues discussed above, the Bank Secrecy Act (BSA) creates challenges for financial institutions that may increase over the coming years. The BSA imposes substantial reporting and due diligence requirements on financial institutions to prevent abuse of the U.S. financial system. Among other requirements, each financial institution must: (i) develop and implement an effective anti-money laundering (AML) program; (ii) file and retain records of currency transaction reports (CTRs) to report cash transactions of $10,000 or more; (iii) file and retain records of suspicious activity reports (SARs) where the financial institution knows, suspects, or has reason to suspect, inter alia, that the money was from an illegal source or the transaction occurred in connection with a plan to violate federal law or evade reporting requirements; (iv) file and retain records of Reports of International Transportation of Currency or Monetary Instruments (CMIRs) to report the transportation of currency or monetary instruments exceeding $10,000 to or from the United States; and (v) adopt customer identification procedures and perform other due diligence measures. The BSA rules are administered by the Financial Crimes Enforcement Network (FinCEN), the Internal Revenue Service (IRS), and the federal banking agencies including the Federal Deposit Insurance Corporation, the Office of the Comptroller of Currency, and the National Credit Union Administration.
The penalties for violating BSA requirements can be severe. Potentially applicable penalties include:
Criminal Liability for Financial Institutions or Employees Who Willfully Violate BSA Reporting Requirements – A person, including a bank employee, who willfully violates the BSA reporting requirements may be subject to five years in prison and a fine of up to $250,000. The criminal penalties are increased to 10 years in prison and a fine of up to $500,000 where the person commits the BSA reporting violation in connection with another crime or engages in a pattern of illegal conduct.
Structuring Violations – A person who structures, attempts to structure, or assists in structuring any transaction with one or more domestic financial institutions to evade a BSA reporting requirement may be guilty of a crime. Structuring involves willfully breaking a payment into smaller amounts so that they fall under the reporting threshold. Structuring is punishable by up to five years in prison and a fine of up to $250,000. Like the reporting penalties, the criminal penalties for structuring are increased to up to 10 years in prison and a fine of up to $500,000 where the person commits structuring in connection with another crime or engages in a pattern of illegal conduct exceeding more than $100,000 in a 12-month period.
Civil Penalties – The secretary of the Treasury may impose a civil penalty of $500 for a negligent violation of the recordkeeping requirements in the BSA. The penalty can be increased by up to $50,000 where there is a pattern of negligent violations. Where a financial institution engages in certain international money-laundering violations, the secretary of Treasury may impose a penalty equal to the greater of two times the value of the transaction or $1,000,000.
Where a financial institution’s failure to satisfy the recordkeeping requirement is willful, the civil penalty is equal to the greater of the value of the transaction or $25,000, up to a maximum of $100,000. The penalty is applied for each day the violation continues on each branch or place of business. Therefore, the civil penalties can increase significantly. The civil penalty can apply in addition to any criminal penalties.
Egregious Violator – Where an individual willfully commits a BSA violation and the violation either facilitated money laundering or terrorist financing (i.e. the individual is an “egregious violator”), the individual is prohibited from serving on the board of directors of a U.S. financial institution for a period of 10 years commencing on the date of the conviction or judgment.
5. Internal Revenue Code Currency Violations
The Internal Revenue Service frequently uses information gathered under the BSA reporting requirements to determine if taxpayers are compliant with their U.S. tax reporting obligations. Large transfers of cash are not per se illegal; however, they may be an indicator of fraud for tax purposes. Therefore, the IRS has a strong interest in financial institutions filing timely and accurate CTRs. To this end, the Internal Revenue Code includes a parallel statute that addresses the failure to file or the filing of inaccurate CTRs. The following penalties may apply under 26 U.S.C. § 6050I:
Criminal Liability for Willful Failure to File a CTR – Any person who willfully fails to file a CTR is guilty of a felony punishable with up to five years in prison and a fine of up to $25,000 (or $100,000 in the case of a corporation).
Criminal Liability for Willfully Filing a False CTR – Any person who willfully files a false CTR is guilty of a felony publishable with up to three years in prison or a fine of up to $100,000 (or $500,000 in the case of a corporation).
Criminal Liability for Structuring – The Internal Revenue Code includes its own criminal provision for structuring violations. A person who structures or assists in structuring may be publishable with the same penalties that apply to a person who fails to file or files an incorrect CTR.
Criminal Liability for Willfully Aiding or Assisting in Preparing a False CTR – Any person who aids, assists, counsels, or advises in the preparation of a false CTR is guilty of a felony punishable with up to three years in prison or a fine of up to $100,000 (or $500,000 in the case of a corporation).
Civil Penalty – The civil penalty for failure to file or filing an incorrect CTR is equal to the greater of $25,000 or the amount of cash received in the transaction, up to a maximum of $100,000.
6. Forfeiture Actions
In addition to civil and criminal penalties, the government can use civil and criminal forfeiture statutes to seize the property related to terrorism or money-laundering violations. This includes proceeds of the criminal activity, funds used to facilitate the criminal activity, and in some circumstances, legitimate funds that have been knowingly commingled with illegal funds. Where the illegal funds are being held abroad, the government may be able to seize assets held in correspondent accounts that foreign financial institutions maintain in the United States as a substitute.
7. Loss of Bank Charter or Removal from Banking Activities
In addition to the civil and criminal penalties that can apply, federal banking agencies have the authority to revoke bank charters and prohibit bank employees from engaging in further banking activities. Equally concerning are the various state banking regulators that can also revoke a financial institution’s charter for violations of federal laws. Because of the regulated nature of financial institutions, the ramifications of any of the violations mentioned above, even if not particularly egregious, have the potential to cause irreparable harm to the institution.
Conclusion
The government has numerous tools to penalize financial institutions or their employees for knowingly and unknowingly assisting customers with supporting or financing terrorism. As the strategies that terrorists use to access the U.S. financial systems continue to evolve, financial institutions may wish to consult with their advisors on the best way to prevent violations.
Blockchain+ Bi-Weekly; Highlights of the Last Two Weeks in Web3 Law: April 24, 2025
The last two weeks have seen federal agencies continue refining their approach to the digital asset industry, while state regulators are beginning to play a more prominent role—even as the overall pace of development appears to be slowed. With the SEC stepping back from non-fraud enforcement, Oregon’s lawsuit against Coinbase highlights a potential shift toward increased state-level activity.
At the federal level, the SEC issued new guidance on registering crypto-related securities, the House held hearings on digital asset market structure, and the DOJ released a memo calling on prosecutors to “end regulation by prosecution”—underscoring a growing federal priority to focus enforcement on fraud and consumer protection rather than taking a broad adversarial stance toward the industry. Other notable developments include Illinois advancing a BitLicense 2.0 proposal, OpenSea seeking SEC guidance on NFT regulations, and Ripple moving to acquire global credit network Hidden Road.
These developments and a few other brief notes are discussed below.
Oregon Sues Coinbase Over Alleged State Securities Laws Violations: April 17, 2025
Background: Oregon’s state attorney general has brought a lawsuit against Coinbase, alleging the exchange has violated Oregon state securities laws through listings of certain assets alleged to be securities under Oregon law. Coinbase has released a statement claiming, “Oregon’s holdout campaign is obstruction for the sake of obstruction. It is a desperate scheme that does nothing to move the crypto conversation forward, and in fact takes us a giant leap backwards from hard-won progress.”
Analysis: As anticipated, states and private litigants are beginning to fill the securities litigation gap left by the SEC’s decision to drop its pending and threatened cases against digital asset participants in favor of pursuing a statutory and rulemaking-based framework. Oregon’s lawsuit, which names 31 assets as “unregistered securities,” is notable—especially as other states withdrew similar actions following the SEC’s retreat in the Coinbase matter. This latest development underscores that, despite federal de-escalation, litigation against exchanges remains an ongoing issue for the industry.
SEC Issues Guidance on How to Register Securities that Involve Crypto: April 10, 2025
Background: Much of the focus at the SEC post-Gensler has been on releasing guidance on what crypto offerings are not securities (memecoins, stablecoins, etc.). The SEC Division of Corporation Finance has now put out guidance for issuers whose securities involve crypto assets on how federal securities law disclosure requirements apply. It recognizes that issuers may offer equity or debt securities as part of operations related to networks, applications, and crypto assets, and highlights the need for tailored, clear, and consistent disclosure aligned with existing rules (e.g., Regulation S-K, Forms S-1, 10, 20-F, and 1-A). Key disclosure elements include a focused description of the issuer’s business and developmental milestones, potential risks (such as technological, regulatory, and liquidity risks), a complete description of the securities (including any unique features and technical specs), and information on directors, executive officers, and significant employees (or third parties) performing policy-making functions.
Analysis: Tokenized securities are coming to traditional finance. Major actors in the traditional financial world are already preparing for that eventuality. Most digital assets are not securities, but many securities could be better handled through addendum only ledger technology rather than a seemingly endless number of middlemen all getting their cut to make sure none of the other middlemen are cheating the consumer. So, while the SEC and Congress work through determining which digital assets are securities and which are something else, this is a good step to allow innovative companies to start registering tokenized products.
Market Structure Hearings Held in House of Representatives: April 9, 2025
Background: The House Financial Services Committee’s Digital Asset Subcommittee and the House Agriculture Committee’s Digital Asset Subcommittee both held hearings on how to approach an overarching market structure for digital assets now that stablecoins seem to be on the fast track to regulatory standards. There is a broad consensus that digital assets that are securities need to be provided a way to register with the SEC and abide by SEC rules that aren’t so onerous that the registration process kills any value of the product.
Analysis: You can probably read the statements from witnesses Bill Hughes, Chris Brummer, and Rodrigo Seira to get the gist of where the focus should be for digital asset regulation. Both hearings had a noticeable focus on use cases for digital assets. We are still waiting for what the market structure bill will look like. It will be close to FIT21, previously passed through the House Financial Services Committee, but we don’t know how close it will be yet, as there were noticeable weaknesses in the bill. Draft language is expected to be public soon, though, and all expectations are for the determining factor between securities offerings and non-securities offerings to focus on “control” as opposed to “decentralization,” which was the focus of last year’s bill.
DOJ Releases Memo “Ending Regulation by Prosecution”: April 7, 2025
Background: Deputy Attorney General Todd Blanche has issued a memorandum to Department of Justice employees with the subject reading “Ending Regulation by Prosecution,” where he states, “Consistent with President Trump’s directives and the Justice Department’s priorities, the Department’s investigations and prosecutions involving digital assets shall focus on prosecuting individuals who victimize digital asset investors or those who use digital assets in furtherance of criminal offenses…” The memo clarifies that the DOJ is not going to focus efforts on exchanges or wallets for the actions of third-parties, and is not the regulator of alleged unregistered money transmission laws. It also disbands the National Cryptocurrency Enforcement Team, which was responsible for most current investigations and prosecutions in the space over the last few years.
Analysis: Note that this memorandum does not include guidance not to prosecute alleged violations of 18 U.S.C. 1960(b)(1)(C), which involves allegations of transmitting funds that are “knowingly” the product of criminal offenses and is the heart of the Roman Storm and Samuri Wallet developer cases. Interestingly, the memo calls out the issue of how digital asset losses are calculated when trying to compensate victims (a not-so-subtle reference to FTX depositors getting ~$20,000 per Bitcoin lost when Bitcoin was worth quadruple that by the time repayments happened). Not sure if there is a solution to this other than making people choose early in the process if they want in-kind or value of asset at time of theft. Unfortunately for Do Kwon, even with this DOJ pivot, his suit will remain ongoing.
Briefly Noted:
Paul Atkins Sworn in as SEC Chair: Paul Atkins has finally been sworn in as SEC Chair, marking the formal start of a new era for the Commission. The agency remained active in redefining its priorities throughout his confirmation process, and Atkins was widely understood to be in alignment with the key decisions made during that period. With his swearing-in now complete, he is positioned to implement a full regulatory agenda and set the tone for the post-Gensler SEC—potentially accelerating shifts in enforcement priorities, rulemaking, and digital asset policy.
Illinois Looking to Pass BitLicense 2.0: An Illinois bill is gaining traction and is expected to pass, which would enact similar onerous reporting and registration requirements as the New York BitLicense. With the combination of the Oregon lawsuit discussed above, this further emphasizes the need for comprehensive regulations at a federal level to prevent fractionalized and contradictory rules.
OpenSea Open Letter: OpenSea has submitted a public letter to the SEC advocating for NFT marketplaces to be carved out of broker/dealer registration requirements with the SEC. It is clear that even with NFTs decline, they are still a crucial part of the ecosystems that need regulatory guidance.
Nova Labs Lawsuit Dismissed: Nova Labs (the developer behind Helium Network) was sued in the last days before Gensler resigned, and that lawsuit has now been dismissed with prejudice. So this ordeal actually ended up good for them since the lawsuit being brought and then dismissed in this way prevents any future lawsuit over the same allegations from the agency.
Hinman Cleared by Office of Inspector General: Former Corporation Finance Director Bill Hinman has been cleared of allegations that his infamous speech was the result of insider dealings.
$1.2 Billion M&A Deal: Ripple is reportedly acquiring global credit network Hidden Road for $1.25 billion. This is reportedly an effort to give functionality to Ripple’s stablecoin, RLUSD, in traditional finance for cross-border settlements.
MEV Submission: Really great work from the team at Paradigm explaining how MEV works and what the SEC should consider in regulation in light of those technical realities. Good stuff.
DOJ Memo Confirmed Not Applicable for Fraud: As stated above, the DOJ memo regarding cutting down on criminal actions for crypto actors is not a get out of jail free card for past (alleged) frauds.
SEC Roundtable on Crypto Custody: The SEC has announced the time and speakers in its next crypto roundtable on custody. It remains great to see as many of these conversations as possible happen in public.
Phantom Wallet Lawsuit: It looks like an attorney is suing the wallet developer where he held certain memecoins he created, but which were stolen through his computer being compromised. This will be something worth following, especially if wallet developers are regulated under a market structure bill or similar legislation.
Conclusion:
The last two weeks have been relatively quiet in terms of crypto legal development. With the SEC pivoting away from prosecuting non-fraud crypto cases, state regulators have begun stepping into that role, most notably with Oregon suing Coinbase over alleged violations of state securities laws. At the federal level, the SEC provided guidance on registering securities that include crypto assets, the House of Representatives held market structure hearings, while the DOJ aimed to “end regulation by prosecution.”
Mitigation Grant Program Offers Benefits to Homeowners and Communities
The Federal Home Loan Bank (FHLB) of Dallas FORTIFIED Fund Grant Program is entering its third year of operation with more capacity than ever before. The program provides grants through FHLB Dallas members to help income-qualified homeowners install FORTIFIED Roof systems designed to prevent damage from hurricanes, high winds, and other severe weather events.
Funding
The FORTIFIED Fund Grant Program began in 2023 with FHLB Dallas making $1.75 million in grant funds available. In 2024, FHLB Dallas increased the amount to $4 million. Both years, the funds were exhausted. This year, $10 million has been allocated to the FORTIFIED Fund. As of April 18, 2025, $9,131,285 remained available.
Application Process
FHLB Dallas began accepting grant applications on April 15, and the offering will remain open until June 13. Applications are reviewed on a first-come, first-served basis. In the event funds remain available, a second offering will open July 7 and remain open until October 31, or until funds are exhausted. All applications must be submitted by FHLB Dallas member institutions and may request up to $500,000 for up to 50 preapproved households. Grants are capped at $15,000 per home for roof renovations and $7,500 per home for new construction. Members may work with an intermediary organization to identify and qualify households, find roofers and evaluators, and facilitate payments to appropriate parties. Alternatively, members may assume these responsibilities themselves. Application forms and required documentation are available from FHLB Dallas.
FORTIFIED Roof Standards
The FORTIFIED Fund Grant Program helps homeowners replace or upgrade their roofs to meet FORTIFIED Roof standards established by the Insurance Institute for Business & Home Safety (IBHS), an independent, nonprofit scientific research and communications organization. IBHS’s building safety research helps to create more resilient communities. FORTIFIED is a nationally recognized set of construction methods to retrofit or build a home, business, or multifamily development designed to prevent damage that commonly occurs during high winds, hurricanes, hailstorms, severe thunderstorms, and tornadoes up to EF-2. FORTIFIED is based on decades of research, testing, and observations by IBHS. FORTIFIED Roof standards have specific requirements beyond what is required by most building codes that provide a high level of protections from storms.
FORTIFIED Benefits
It is well recognized within the construction and insurance industries that regardless of the type of roof — shingles, metal, or tile — FORTIFIED Roof requirements (including stronger edges, better attachment, sealed roof deck, and impact-resistant shingles) make a home stronger. It has been proven effective repeatedly in real-world severe weather events, lowering insurance premiums and adding financial value. For example, during the record-breaking 2020 hurricane season (hurricanes Laura, Sally, Delta, and Zeta), approximately 95% of the nearly 17,000 FORTIFIED homes impacted by hurricanes experienced little to no damage and had no insurance claims. Additionally, homes with a FORTIFIED designation generally receive discounts/credits on the wind portion of their homeowner’s insurance premium that could be as great as 55% in some states. Furthermore, studies have shown that FORTIFIED homes sell for nearly 7% more than non-FORTIFIED homes.
Eligibility Criteria
The FORTIFIED Fund Grant Program targets owner-occupied, income-qualified primary residences within the FHLB Dallas District, Arkansas, Louisiana, Mississippi, New Mexico, and Texas. Households must meet specific income limitations (120% or less of Area Median Income) and comply with IBHS standards for FORTIFIED Roof systems. All homes included in applications must be precertified as eligible to receive a FORTIFIED Roof by an IBHS-certified evaluator. Documentation requirements include proof of income, homeownership, and compliance with FORTIFIED standards.
Grant Funds
Grant funds are disbursed to FHLB Dallas member institutions prior to renovations for the member to disburse to contractors and evaluators as roofs are completed and certified. FORTIFIED Fund grants can cover costs associated with the pre- and post-construction evaluations to verify that FORTIFIED compliance standards are met. Also, grant funds can be used to cover intermediary fees for roof renovations. Intermediary fees are paid to organizations for their work in sourcing applicants and identifying contractors. These fees are included in the $15,000-per-home maximum grant. Any funds not used in accordance with program requirements must be returned to FHLB Dallas.
Conclusion
While the FORTIFIED Fund Grant Program application process and rules may at first glance appear somewhat daunting, it may be worth the time and effort to consider the opportunities presented by the program. Members not already participating in the program may wish to start with a modest number of homes and plan for greater participation in subsequent years, as indications are that FHLB Dallas will continue the program in the future.
Elder Financial Exploitation
Fraud of all sorts remains on the rise. The federal regulatory banking agencies seem to be focusing on educating banks in an effort to decrease losses to the bank and customers as a result of these scams, especially those geared toward older adults.
In late 2024, the various regulatory agencies issued an Interagency Statement on Elder Financial Exploitation that provided guidance to banks with the goal of increasing the detection and prevention of elder financial exploitation. FinCEN has also previously issued an Advisory and a Financial Trend Analysis on Elder Financial Exploitation.
The Interagency Statement provides banks with nine areas to consider when implementing steps to decrease elder financial exploitation:
Governance and oversight
Employee training
Transaction holds and disbursement delays
Use of trusted contacts
Filing of Suspicious Activity Reports
Reporting to authorities
Providing financial records to appropriate authorities
Engaging with prevention and response networks
Consumer outreach and awareness resources from government agencies
Of those nine areas, I think it is important to address in this article those of employee training, transaction holds and disbursement delays, and the use of trusted contacts.
In recent years, many states have adopted legislation to allow banks to stop or hold a transaction upon a good faith or reasonable belief that such transaction would result in the financial exploitation of an elderly customer. While each state’s laws may read differently, the typical scenario is that a bank may have a time frame during which the transaction may be held or delayed but it must report the information to its state’s adult protective services department or similar agency or department. Now is a good time to review your state’s laws related to financial elder exploitation to determine what your bank can do to stop this type of fraud. These laws may also address other individuals the bank may alert and what information may be provided in these instances.
Training is also of the utmost importance. While it is typical for a bank’s BSA department to monitor accounts for unusual or suspicious account activity and to detect unusual transactions or account patterns outside of a customer’s norm, often such monitoring is completed after the transactions have been conducted. Every bank should train its frontline staff on the red flags and warning signs of elder financial exploitation. A bank’s frontline staff is more likely to notice behavioral red flags such as unusual interactions with a caregiver, urgency in sending a wire, a lonely elder mentioning a new friend who needs money, etc.
Finally, while it is not yet common practice, banks should consider implementing the use of trusted contacts. In order to establish a trusted contact, the bank would obtain permission from its customer to contact a third party designated by the customer when elder financial exploitation is suspected. This would allow the bank to share information that would otherwise be prohibited by privacy laws and regulations and get additional assistance in protecting its customer.
The Interagency Statement offers a clear road map for banks to enhance their efforts in preventing elder financial exploitation. By focusing on the nine critical areas — from governance and employee education to consumer outreach and collaboration with authorities — financial institutions can build stronger protections and more responsive systems. Prioritizing these steps not only mitigates risk but also affirms a commitment to the well-being and financial security of older adults.
Financial Industry Concerns Cause FCC to Delay Implementation of Broad Consent Revocation Requirement under TCPA
On April 11, 2025, a controversial new rule by the Federal Communications Commission (FCC) was set to take effect to modify consent revocation requirements under the Telephone Consumer Protection Act (TCPA). But each of the rule’s mandates, as codified at 47 CFR § 64.1200(a)(10), did not go into effect on that date. Just four days before, the FCC issued an Order delaying the rule’s requirement that callers must “treat a request to revoke consent made by a called party in response to one type of message as applicable to all future robocalls and robotexts . . . on unrelated matters.” See FCCOrder, Apr. 7, 2025 (emphasis added).
The plain language of the rule is generally broad. It states that consumers may use “any reasonable method” to revoke consent to autodialed or prerecorded calls and texts, and that such requests must be honored “within a reasonable time not to exceed ten business days.” The rule then goes on to delineate certain “per se” reasonable methods by which consumers may revoke consent. For example, if a consumer responds to a text message with the words “stop,” “quit,” “end,” “revoke,” “opt out,” “cancel,” or “unsubscribe,” then the consumer’s consent is “definitively revoked” and the sender is thereafter barred from sending any “additional robocalls and robotexts.”
Many industry participants—especially the banking industry—have been critical of the rule. One major concern is its sprawling effect. For example, under the rule, if a consumer were to respond to a marketing communication with the word “unsubscribe” or the like, then the sender and all of its business units may be forced to cease unrelated forms of communication on issues such as the provision of account notices or other informational matters.
The banking industry has taken issue with the burdens imposed by the rule as well. That include concerns about “numerous challenges” financial institutions face in attempting to modify existing call platforms to comply with the rule, with “substantial work” being required by “larger institutions with many business units with separate caller systems.” See FCC Order ¶ 6. The bank industry has also raised challenges faced by financial institutions in “designing a system that allows the institution . . . [to] not apply a customer’s revocation to a broader category of messages than the customer intended.” See FCC Order ¶ 9.
The banking industry’s concerns ultimately appear to be what persuaded the FCC to stay the implementation of Section 64.1200(a)(10) in part earlier this month. The new rule is now set to not go fully into effect until April 11, 2026. For the time being, that means banks and other companies receiving a consent revocation request from a consumer in response to one type of message may not necessarily be prohibited from communicating with the consumer using “robocalls and robotexts from that caller on unrelated matters.” The FCC nonetheless suggests—albeit vaguely—that it will enforce any additional obligations required under the new Section 64.1200(a)(10), so companies engaging in TCPA-regulated communication practices should take heed accordingly.
If You Agree That Stock Issuance Was Not “Compensation, Salary, Or Income”, You May Want To Think Carefully Before Issuing A Form 1099
Ten years ago, Hovik Nazaryan sued Femtometrix, Inc. claiming that the company had issued shares to him than it had promised. The parties settled the lawsuit. The settlement agreement provided that the stock issued to Mr. Nazaryan “is not ‘compensation,’ ‘salary,’ or ‘income’ for services performed by [Nazaryan].” The settlement agreement further provided “The Settlement Stock, and any other stock issued by way of this Agreement, is being provided to [plaintiff] as ‘Founder’s Stock’ for his capital/equitable contributions to Femtometrix as alleged by [Nazaryan] in the Action, and the Parties will classify it as such, for all purposes to the extent permitted by law.” When Femtometrix later issued 1099 forms, Mr. Nazaryan sued. The action was removed to federal court but U.S. District Court Judge James V. Selna remanded the case to the Superior Court. Nazaryan v. FemtoMetrix, Inc., 2019 WL 3545452 (C.D. Cal. Aug. 5, 2019) based on a forum selection clause in the settlement agreement.
The trial court held that Femtometrix had breached the settlement agreement and had issued fraudulent information returns under Internal Revenue Code section 7434. Yesterday, the Court of Appeal affirmed. Notably, the Court of Appeal, while acknowledging a split of authority in the federal courts, upheld the trial court’s decision to hold Femtometrix’s chief executive and financial officers jointly and severally liable.
The UK’s Failure to Prevent Fraud Offense
Effective September 1, 2025, the UK’s Failure to Prevent Fraud offense will go into effect as part of the UK’s Economic Crime and Corporate Transparency Act 2023 (the ECCTA). The law significantly expands corporate liability for fraud committed by employees and other associated persons of relevant corporates and will require compliance refinement for any business within scope of the offense operating in connection with the UK. The UK government (its Home Office) published guidance in 2024 (the “Guidance”) to help companies navigate this corporate criminal fraud offense as well as take appropriate action to help prevent fraud.
As companies continue to grapple with recent developments regarding enforcement of the FCPA, international efforts to curb bribery and corruption have not waned. Foreign governments continue to prioritize anti-corruption enforcement such as the European Commission’s proposed directive from May 2023 to combat corruption, the ECCTA and Failure to Prevent Fraud Offense, as well as the recently announced International Anti-Corruption Prosecutorial Task Force with the UK, France, and Switzerland. These cross-border initiatives demonstrate how a temporary pause in U.S. enforcement of the FCPA should not result in companies moving away from maintaining robust and effective compliance programs.
The Failure to Prevent Fraud Offense
You can see more detail on the new offense in this article from our UK colleagues. In summary, a “large organization” can be held criminally liable where an employee, agent, subsidiary, or other “associated person” commits a fraud offense intending to benefit the organization or its clients, and the organization failed to have reasonable fraud prevention procedures in place. An employee, an agent or a subsidiary is considered an “associated person” as are business partners and small organizations that provide services for or on behalf of large organizations. Regarding the underlying fraud offense itself, this includes a range of existing offenses under fraud, theft and corporate laws, which the UK’s Home Office notes as including “dishonest sales practices, the hiding of important information from consumers or investors, or dishonest practices in financial markets.”
A “large organization” for purposes of the fraud offense is defined as meeting two of the following three thresholds: (1) more than 250 employees; (2) more than £36 million (approx. USD $47.6 million) turnover; (3) more than £18 million (approx. USD $23.8 million) in total assets – and includes groups where the resources across the group meet the threshold. Further, the fraud offense has extraterritorial reach, meaning that non-UK companies may be liable for the fraud if there is a UK nexus. This could play out in several scenarios. For example, the fraud took place in the UK, the gain or loss occurred in the UK, or, alternatively, if a UK-based employee commits fraud, the employing organization could be prosecuted, regardless of where the organization is based.
What Companies Can Do Now
The Failure to Prevent Fraud offense is an important consideration in corporate compliance, extending beyond UK-based companies to non-UK companies with operations or connections in the UK. The only available defense to the failure to prevent fraud offense is for the company to demonstrate that it “had reasonable fraud prevention measures in place at the time that the fraud was committed.” Or, more riskily that it was not reasonable under the circumstances to expect the organization to have any prevention procedures in place. To that end, the Guidance outlines six core principles that should underpin any effective fraud prevention framework: (1) top-level commitment; (2) risk assessment; (3) proportionate and risk-based procedures; (4) due diligence; (5) communication and training; and (6) ongoing monitoring and review. Specifically, the Guidance makes clear that even “strict compliance” with its terms will not be a “safe harbor” and that failure to conduct a risk assessment will “rarely be considered reasonable.” These principles mirror the now well-established principles in the UK that apply to the UK offences of failure to prevent bribery under the UK Bribery Act 2010, and failure to prevent the facilitation of tax evasion under the UK Criminal Finances Act 2017.
Companies should consider the following proactive steps:
Determining whether they fall within the scope of the ECCTA’s fraud offense.
Identifying individuals who qualify as “associated persons.”
Conducting and documenting a comprehensive fraud risk assessment to determine whether the company’s internal controls adequately address potential fraudulent activity involving the company.
Ensuring due diligence procedures, as related to, for instance, external commercial partner engagements and other transactions, address the risk of fraud in those higher risk activities.
Reviewing and updating existing policies and procedures to address the risks of fraud.
Communicating the company’s requirements around preventing fraud and providing targeted training to employees and other associated persons, including subsidiaries and business partners, to make clear the company’s expectations around managing the risk of fraud.
Establishing fraud related monitoring and audit protocols, including in relation to third party engagements, for ongoing oversight and periodic review.
Ensuring these policies and procedures are aligned with other financial crime prevention policies and procedures and relevant regulatory expectations.
The months ahead are a critical window to align internal policies and procedures not only with the UK’s elevated enforcement expectations as evidenced by the ECCTA and the Failure to Prevent Fraud offense, but also as bribery and corruption remain a mainstay priority for other foreign regulators. Companies should continue to prioritize the design, implementation, and assessment of their compliance internal controls. Companies with a well-designed and effective compliance program will be better equipped to adapt as regulatory landscapes shift and emerging risks develop, enabling companies to more efficiently respond to new enforcement trends.
European Commission Publishes the AI Continent Action Plan
On April 9, 2025, the European Commission published the AI Continent Action Plan (the “Action Plan”). The objective of the Action Plan is to strengthen artificial intelligence (“AI”) development and uptake in the EU, making the EU a global leader in AI. The Action Plan builds upon the InvestAI initiative that aims to mobilize €200 billion for investment in AI in the EU.
The Action Plan is divided into five strategic areas where the EU intends to intervene to foster its AI ambitions:
Computing infrastructure. Measures envisioned include setting up 13 AI Factories across the EU, five AI Gigafactories (powered by over 100,000 advanced AI processors) for which it will mobilize €20 billion from the InvestAI initiative, and proposing a Cloud and AI Development Act to boost private investment in the EU in cloud and data centers.
Data. The European Commission aims to fully realize the single market for data through the upcoming Data Union Strategy. This strategy intends to respond to the scarcity of robust and high-quality data for the training and validation of AI models. The European Commission will also implement data labs within AI factories to gather and organize high-quality data from diverse sources and continue supporting the deployment of Common European Data Spaces.
Foster innovation and accelerate AI adoption in strategic EU sectors. Measures to be implemented include adapting scientific research programs to boost development and deployment of AI/generative AI, and through the Apply AI Strategy, integrating AI in strategic sectors and boosting the use of this technology by the European industry.
Strengthen AI skills and talent. Measures to be implemented include facilitating international recruitment, supporting the increase in provision of EU bachelor’s and master’s degrees as well as PhDs focusing on key technologies, including AI, and promoting AI literacy in the current workforce.
Fostering regulatory compliance and simplification. Measures to be implemented in this context include creating an AI Act Service Desk through which organizations may request clarifications and obtain practical advice regarding their AI Act compliance. The European Commission will also continue its efforts with regards to providing AI Act guidance and launch a process to identify stakeholders’ regulatory challenges and inform possible further measures to facilitate compliance and possible simplification of the AI Act.
Read the AI Continent Action Plan.
CAA Taps Julie Zorn to Build a Family Office Powerhouse
Why is one of the world’s most influential talent agencies expanding from managing fame to managing wealth?
Creative Artists Agency (CAA) is entering the Family Office space with a new advisory division focused on ultra-high-net-worth clients. This is more than a service expansion-It reflects a shift in how CAA supports individuals at the center of culture and capital.
With the launch of its Global Family Office Advisory division, led by veteran adviser Julie Zorn, CAA is becoming a partner in long-term planning, legacy building, and wealth strategy.
A Generational Wealth Transfer Creates a Timely Opening
Cerulli reports that $124 trillion will pass from one generation to the next by 2048. Much of that wealth belongs to individuals who built fortunes through entrepreneurship and entertainment.
These clients are not just seeking investment results. They are focused on structure, values, and impact. CAA already plays a key role in their public lives. Now, it is helping them build systems to preserve wealth across generations.
An Experienced Leader Behind the Strategy
Julie Zorn brings over two decades of experience advising families on establishing and managing Family Offices. Her background includes senior roles at Citi and BMO Harris, where she designed governance frameworks, recruited leadership, and built long-range plans.
Her work helps clients create systems aligned with their goals to support long-term wealth. This includes governance, operations, team development, and leadership planning.
A Strategic Path Toward a Multi-Family Office Model
Most celebrity clients are not looking to build a Family Office from scratch. It is costly and complex. Yet, they want privacy, control, and tailored advice. A shared platform offers those benefits without the burden.
CAA is positioned to deliver this. With a trusted network and strong client insight, the firm could build a multi-family office model that is both efficient and personal.
A Natural Evolution of CAA’s Role
If successful, CAA will move beyond representation to become a long-term partner in how clients approach legacy and continuity.
This expansion raises the bar for advisors who have struggled to serve public wealth creators. CAA understands the balance between visibility and privacy, and the mindset of clients navigating influence and affluence.
A Broader Shift in How Wealth Is Managed
This reflects a broader change in how modern wealth holders want to be supported. Today’s clients seek partners who understand their goals and offer integrated solutions.
CAA is entering a space that has long lacked clarity. If it succeeds, it may reshape how the next generation of wealth creators approaches legacy.
CAA is making a long-term investment in its clients’ futures. No longer just guiding careers, the firm now helps build structures that last. For those managing wealth and visibility, that may be the most valuable role of all.