House Bipartisan Task Force on Artificial Intelligence Report
In February 2024, the House of Representatives launched a bipartisan Task Force on Artificial Intelligence (AI). The group was tasked with studying and providing guidance on ways the United States can continue to lead in AI and fully capitalize on the benefits it offers while mitigating the risks associated with this exciting yet emerging technology. On 17 December 2024, after nearly a year of holding hearings and meeting with industry leaders and experts, the group released the long-awaited Bipartisan House Task Force Report on Artificial Intelligence. This robust report touches on how this technology impacts almost every industry ranging from rural agricultural communities to energy and the financial sector to name just a few. It is clear that the AI policy and regulatory space will continue to evolve while being front and center for both Congress and the new administration as lawmakers, regulators, and businesses continue to grapple with this new exciting technology.
The 274-page report highlights “America’s leadership in its approach to responsible AI innovation while considering guardrails that may be appropriate to safeguard the nation against current and emerging threats.” Specifically, it outlines the Task Force’s key findings and recommendations for Congress to legislate in over a dozen different sectors. The Task Force co-chairs, Representative Jay Obernolte (R-CA) and Representative Ted Lieu (D-CA), called the report a “roadmap for Congress to follow to both safeguard consumers and foster continued US investment and innovation in AI,” and a “starting point to tackle pressing issues involving artificial intelligence.”
There was a high level of bipartisan work on AI in the 118th Congress, and although most of the legislation in this area did not end up becoming law, the working group report provides insight into what legislators may do this year and which industries may be of particular focus. Our team continues to monitor legislation, Congressional hearings, and the latest developments writ large in these industries as we transition into the 119th Congress. See below for a sector-by-sector breakdown of a number of findings and recommendations from the report.
Data Privacy
The report’s section on data privacy discusses advanced AI systems’ need to collect huge amounts of data, the significant risks this creates for the unauthorized use of consumers’ personal data, the current state of US consumer privacy protection laws, and recommendations to address these issues.
It begins with a discussion of AI systems’ need for “large quantities of data from multiple diverse sources” to perform at an optimal level. Companies collect and license this data in a variety of ways, including collecting data from their own users, scraping data from the internet, or some combination of these and other methods. Further, some companies collect, package, and sell scraped data “while others release open-source data sets.” These collection methods raise their own set of issues. For example, according to the report, many websites following “a voluntary standard” state that their websites should not be scraped, but their requests are ignored and litigation ensues. It also notes that some companies “are updating their privacy policies in order to permit the use of user data to train AI models” but not otherwise informing users that their data is being used for this purpose. The European Union and Federal Trade Commission have challenged this practice. It notes that in response, “some companies are turning to privacy-enhanced technologies, which seek to protect the privacy and confidentiality of data when sharing it.” They also are looking at “synthetic data.”
In turn, the report discusses the types of harms that consumers frequently experience when their personal and sensitive data is shared intentionally or unintentionally without their authorization. The list includes physical, economic, emotional, reputational, discrimination, and autonomy harms.
The report follows with a discussion of the current state of US consumer privacy protection laws. It kicks off with a familiar tune: “Currently, there is no comprehensive US federal data privacy and security law.” It notes that there are several sector specific federal privacy laws, such as those intended to protect health and financial data and children’s data, but, as has become clear from this year’s Congressional debate, even these laws need to be updated. It also notes that 19 states have adopted state privacy laws but notes that their standards vary. This suggests that, as in the case of state data breach laws, the result is that they have “created a patchwork of rules and regulations with many drawbacks.” This has caused confusion among consumers and resulted in increased costs and lawsuits for businesses. It concludes with the statement that Federal legislation that preempts state data privacy laws has advantages and disadvantages.” The report outlines three Key Findings: (1) “AI has the potential to exacerbate privacy harms;” (2) “Americans have limited recourse for many privacy harms;” and (3) “Federal privacy laws could potentially augment state laws.”
Based on its findings, the report recommends that Congress should: (1) help “in facilitating access to representative data sets in privacy-enhanced ways” and “support partnerships to improve the design of AI systems” and (2) ensure that US privacy laws are “technology neutral” and “can address the most salient privacy concerns with respect to the training and use of advanced AI systems.”
National Security
The report highlights both the potential benefits of emerging technologies to US defense capabilities, as well as the risks, especially if the United States is outpaced by its adversaries in development. The report discusses the status and successes of current AI programs at the Department of Defense (DOD), the Army, and the Navy. The report categorizes issues facing development of AI in the national security arena into technical and nontechnical impediments. The technical impediments include increased data usage, infrastructure/compute power, attacks on algorithms and models, and talent acquisition, especially when competing with the private sector in the workforce. The report also identifies perceived institutional challenges facing DOD, saying “acquisition professionals, senior leaders, and warfighters often hesitate to adopt new, innovative technologies and their associated risk of failure. DOD must shift this mindset to one more accepting of failure when testing and integrating AI and other innovative technologies.” The nontechnical challenges identified in the report revolved around third-party development of AI and the inability of the United States to control systems it does not create. The report notes that advancements in AI are driven primarily by the private sector and encourages DOD to capitalize on that innovation, including through more timely procurement of AI solutions at scale with nontraditional defense contractors.
Chief among the report’s findings and recommendations is a call to Congress to explore ways that the US national security apparatus can “safely adopt and harness the benefits of AI” and to use its oversight powers to hone in on AI activities for national security. Other findings focus on the need for advanced cloud access, the value of AI in contested environments, and the ability of AI to manage DOD business processes. The additional recommendations were to expand AI training at DOD, continue oversight of autonomous weapons policies, and support international cooperation on AI through the Political Declaration on Responsible Military Use of AI. The report indicates that Congress will be paying much more attention to the development and deployment of AI in the national security arena going forward, and now is the time for impacted stakeholders to engage on this issue.
Education and the Workforce
The report also highlights the role of AI technologies in education and the promise and challenges that it could pose on the workforce. The report recognizes that despite the worldwide demand for science, technology, engineering, and mathematics (STEM) workers, the United States has a significant gap in the talent needed to research, develop, and deploy AI technologies. As a result, the report found that training and educating US learners on AI topics will be critical to continuing US leadership in AI technology. The report notes that training the future generations of talent in AI-related fields needs to start with AI and STEM education. Digital literacy has extended to new literacies, such as media, computer, data, and now AI. Challenges include resources for AI literacy.
US leadership in AI will require growing the pool of trained AI practitioners, including people with skills in researching, developing, and incorporating AI techniques. The report notes that this will likely require expanding workforce pathways beyond the traditional educational routes and a new understanding of the AI workforce, including its demographic makeup, changes in the workforce over time, employment gaps, and the penetration of AI-related jobs across sectors. A critical aspect to understanding the AI workforce will be having good data. US leadership in AI will also require public-private partnerships as a means to bolster the AI workforce. This includes collaborations between educational institutions, government, and industries with market needs and emerging technologies.
While the automation of human jobs is not new, using AI to automate tasks across industries has the potential to displace jobs that involve repetitive or predictable tasks. In this regard, the report notes that while AI may displace some jobs, it will augment existing jobs and create new ones. Such new jobs will inevitably require more advanced skills, such as AI system design, maintenance, and oversight. Other jobs, however, may require less advanced skills. The report adds that harnessing the benefits of AI systems will require a workforce capable of integrating these systems into their daily jobs. It also highlights several existing programs for workforce development, which could be updated to address some of these challenges.
Overall, the report found that AI is increasingly used in the workplace by both employers and employees. US AI leadership would be strengthened by utilizing a more skilled technical workforce. Fostering domestic AI talent and continued US leadership will require significant improvements in basic STEM education and training. AI adoption requires AI literacy and resources for educators.
Based on the above, the report recommends the following:
Invest in K-12 STEM and AI education and broaden participation.
Bolster US AI skills by providing needed AI resources.
Develop a full understanding of the AI workforce in the United States.
Facilitate public-private partnerships to bolster the AI workforce.
Develop regional expertise when supporting government-university-industry partnerships.
Broaden pathways to the AI workforce for all Americans.
Support the standardization of work roles, job categories, tasks, skill sets, and competencies for AI-related jobs.
Evaluate existing workforce development programs.
Promote AI literacy across the United States.
Empower US educators with AI training and resources.
Support National Science Foundation curricula development.
Monitor the interaction of labor laws and worker protections with AI adoption.
Energy Usage and Data Centers
AI has the power to modernize our energy sector, strengthen our economy, and bolster our national security but only if the grid can support it. As the report details, electrical demand is predicted to grow over the next five years as data centers—among other major energy users—continue to come online. These technologies’ outpacing of new power capacity can “cause supply constraints and raise energy prices, creating challenges for electrical grid reliability and affordable electricity.” While data centers only take a few years to construct, new sources of power, such as power plants and transmission infrastructure, can take up to or over a decade to complete. To meet growing electrical demand and support US leadership in AI, the report recommends the following:
Support and increase federal investments in scientific research that enables innovations in AI hardware, algorithmic efficiency, energy technology development, and energy infrastructure.
Strengthen efforts to track and project AI data center power usage.
Create new standards, metrics, and a taxonomy of definitions for communicating relevant energy use and efficiency metrics.
Ensure that AI and the energy grid are a part of broader discussions about grid modernization and security.
Ensure that the costs of new infrastructure are borne primarily by those customers who receive the associated benefits.
Promote broader adoption of AI to enhance energy infrastructure, energy production, and energy efficiency.
Health Care
The report highlights that AI technologies have the potential to improve multiple aspects of health care research, diagnosis, and care delivery. The report provides an overview of use to date and its promise in the health care system, including with regard to drug, medical device, and software development, as well as in diagnostics and biomedical research, clinical decision-making, population health management, and health care administration. The report also highlights the use of AI by payers of health care services both for the coverage of AI-provided services and devices and for the use of AI tools in the health insurance industry.
The report notes that the evolution of AI in health care has raised new policy issues and challenges. This includes issues involving data availability, utility, and quality as the data required to train AI systems must exist, be of high quality, and be able to be transferred and combined. It also involves issues concerning interoperability and transparency. AI-enabled tools must be able to integrate with health care systems, including EHR systems, and they need to be transparent for providers and other users to understand how an AI model makes decisions. Data-related risks also include the potential for bias, which can be found during development or as the system is deployed. Finally, there is the lack of legal and ethical guidance regarding accountability when AI produces incorrect diagnoses or recommendations.
Overall, the report found that AI’s use in health care can potentially reduce administrative burdens and speed up drug development and clinical diagnosis. When used appropriately, these uses of AI could lead to increased efficiency, better patient care, and improved health outcomes. The report also found that the lack of standards for medical data and algorithms impedes system interoperability and data sharing. The report notes that if AI tools cannot easily connect with all relevant medical systems, their adoption and use could be impeded.
Based on the above, the report recommends the following:
Encourage the practices needed to ensure AI in health care is safe, transparent, and effective.
Maintain robust support for health care research related to AI.
Create incentives and guidance to encourage risk management of AI technologies in health care across various deployment conditions to support AI adoption and improve privacy, enhance security, and prevent disparate health outcomes.
Support the development of standards for liability related to AI issues.
Support appropriate payment mechanisms without stifling innovation.
Financial Services
With respect to financial services, the report emphasizes that AI is already and has been used for decades within the financial services system, by both industry and financial regulators alike. Key examples of use cases have included fraud detection, underwriting, debt collection, customer onboarding, real estate, investment research, property management, customer service, and regulatory compliance, among other things. The report also notes that AI presents both significant risks and opportunities to the financial system, so it is critical to be thoughtful when considering and crafting regulatory and legislative frameworks in order to protect consumers and the integrity of the financial system, while also ensuring to not stifle technological innovation. As such, the report states that lawmakers should adopt a principles-based approach that is agnostic to technological advances, rather than a technology-based approach, in order to preserve longevity of the regulatory ecosystem as technology evolves over time, particularly given the rapid rate at which AI technology is advancing. Importantly, the report notes that small financial institutions may be at a significant disadvantage with respect to adoption of AI, given a lack of sufficient resources to leverage AI at scale, and states that regulators and lawmakers must ensure that larger financial institutions are not inadvertently favored in policies so as not to limit the ability of smaller institutions to compete or enter the market. Moreover, the report stresses the need to maintain relevant consumer and investor protections with AI utilization, particularly with respect to data privacy, discrimination, and predatory practices.
A Multi-Branch Approach to AI/Next Steps
The Task Force recognizes that AI policy will not fall strictly under the purview of Congress. Co-chair Obernolte shared that he has met with David Sacks, President Trump’s “AI Czar,” as well as members of the transition team to discuss what is in the report.
We will be closely following how both the administration and Congress act on AI in 2025, and we are confident that no industry will be left untouched.
Vivian K. Bridges, Lauren E. Hamma, Abby Dinegar contributed to this article.
SEC Settlement Highlights Importance of Proper Disclosure Requirements for Private Fund Managers
On January 10th 2025, the Securities and Exchange Commission (SEC) settled charges against two fund managers (collectively the “Fund Managers”)[1] and their sole owner, chief executive office, chief compliance office and founder (the “Founder”)[2].
The SEC alleged the Founder and the Fund Managers had breached their fiduciary duties owed to the private equity funds managed by the Fund Managers (the “Private Funds”) and related compliance program deficiencies. Specifically, the SEC asserted the Founder and the Fund Managers: (i) impermissibly charged certain expenses to the Private Funds from January 2019 through December 2023 instead of paying such expenses themselves and in so doing failed to disclose the resulting conflicts of interest and (ii) improperly submitted vague and unsubstantiated invoices to the Private Funds without taking reasonable steps to confirm the Private Funds were the proper payees.
Improper Expenses
The SEC raised three specific improper expenses that it viewed as Fund Manager costs that were improperly charged to the Private Funds.
Prior to January 2019, the Fund Managers employed and paid the salary of a full-time, in house chief financial officer (the “CFO”), who provided services to the Fund Managers and not to the Private Funds. When to the CFO left, the Fund Managers outsourced those financial services (totaling approximately US$1.3millon from January 2019 to December 2023) to third-party financial firms and charged those services to the Private Funds. Similarly, in May 2019, a public relations provider was paid by and worked for one of the Fund Managers providing strategic communications and public relations services. However, when re-engaged in 2022, that expense (totaling approximately US$214,000) was instead charged to the Private Funds. Lastly, a legal expense (approximately US$91,000) was charged to one of the Private Funds, but the SEC asserted that more than 70% of those expense were for services performed for the Fund Manager.
In each case, the SEC noted the expenses at issue were not listed or disclosed in the applicable Private Fund governing documents or private placement memorandum as permitted fund expenses, and that when the applicable Fund Manager changed its prior practices and instead held the applicable Private Fund responsible for such expenses, it failed to fully and fairly disclose the payment and the resulting conflict of interest to the investors of the corresponding Private Fund.
Unsupported and Unspecified Expenses
The SEC also took issue with the Fund Managers’ supporting documentation and approval processesfor the improper expenses allocated to the Private Funds, noting that vague and unsubstantiated invoices for amounts to be borne by the Private Funds included generic invoices that described the expenses as “various expenses”, “expense reimbursement”, “due to management Co.” and nothing more, and generic credit card reimbursements with insufficient or no back up or further description including for the Founder’s living and business expenses as well as credit cards held by his family members.
The Settlement between the parties censured the Fund Managers and the Founder for violating the anti-fraud provisions of Sections 206(2) and 206(4) of the Investment Advisers Act of 1940 and Rules 206(4)-7 and 206(4)-8(a)(2). Without admitting or denying the SEC’s findings, the Fund Managers, and the Founder consented to the entry of the order and agreed to pay a civil money penalty of US$250,000 in addition to disgorgement of over US$1.5 million, prejudgment interest of approximately US$272,000.
This order highlights the importance of:
Clearly drafted private fund governing document provisions outlining, in detail, the expenses to be borne by the private fund and expenses to be borne by the manager and its affiliates.
Policies and procedures that are reasonably designed to ensure that expenses are allocated in accordance with the applicable private fund governing documents and that require appropriate, clear and supporting records and documented approval processes.
Established processes to timely review expense allocation practices and related recordkeeping, in particular, in cases of changes in a manager’s favor, such as allocating ongoing expenses previously paid by the manager to a fund and considering if such changes require disclosure to the investors of the impacted private fund.
It is notable here, that the issues for the Fund Managers appear to begin with the departure of the Fund Mangers’ CFO. Fund managers must ensure that they consistently have the appropriate internal staffing and third-party professional services firms’ support to appropriately operate their businesses in accordance with the governing documents of their private funds and related law.
[1] During the periods in question through March 2024, one Fund Manager was a registered investment adviser with the SEC with the other Fund Manager electing to file as a relying adviser thereof.
[2] In the Matter of ONE THOUSAND & ONE VOICES MANAGEMENT, LLC; FAMILY LEGACY CAPITAL CREDIT MANAGEMENT, LLC and HENDRIK F. JORDAAN.
U.S. Treasury Department’s Final Rule on Outbound Investment Takes Effect
On January 2, 2025, the U.S. Department of the Treasury’s Final Rule on outbound investment screening became effective. The Final Rule implements Executive Order 14105 issued by former President Biden on August 9, 2023, and aims to protect U.S. national security by restricting covered U.S. investments in certain advanced technology sectors in countries of concern. Covered transactions with a completion date on or after January 2, 2025, are subject to the Final Rule, including the prohibition and notification requirements, as applicable.
The Final Rule targets technologies and products in the semiconductor and microelectronics, quantum information technologies, and artificial intelligence (AI) sectors that may impact U.S. national security. It prohibits certain transactions and requires notification of certain other transactions in those technologies and products. The Final Rule has two primary components:
Notifiable Transactions: A requirement that notification of certain covered transactions involving both a U.S. person and a “covered foreign person” (including but not limited to a person of a country of concern engaged in “covered activities” related to certain technologies and products) be provided to the Treasury Department. A U.S. person subject to the notification requirement is required to file on Treasury’s Outbound Investment Security Program website by specified deadlines. The Final Rule includes the detailed information and certification required in the notification and a 10-year record retention period for filing and supporting information.
Prohibited Transaction: A prohibition on certain U.S. person investments in a covered foreign person that is engaged in a more sensitive sub-set of activities involving identified technologies and products. A U.S. person is required to take all reasonable steps to prohibit and prevent its controlled foreign entity from undertaking transaction that would be a prohibited transaction if undertaken by a U.S. person. The Final Rule contains a list of factors that the Treasury Department would consider whether the relevant U.S. person took all reasonable steps.
The Final Rule focuses on investments in “countries of concern,” which currently include only the People’s Republic of China, including Hong Kong and Macau. The Final Rule targets U.S. investments in Chinese companies involved in the following three sensitive technologies sub-sets: semiconductor and microelectronics, quantum information technologies and artificial intelligence. The Final Rule sets forth prohibited and notifiable transactions in each of the three sectors:
Semiconductors and Microelectronics
Prohibited: Covered transactions relating to certain electronic design automation software, fabrication or advanced packaging tools, advanced packaging techniques, and the design and fabrication of certain advanced integrated circuits and supercomputers.
Notifiable: Covered transactions relating to the design, fabrication and packaging of integrated circuits not covered by the prohibited transactions.
Quantum Information Technologies
All Prohibited: Covered transactions involving the development of quantum computers and production of critical components, the development or production of certain quantum sensing platforms, and the development or production of quantum networking and quantum communication systems.
Artificial Intelligence (AI) Systems
Prohibited:
Covered transactions relating to AI systems designed exclusively for or intended to be used for military, government intelligence or mass surveillance end uses.
Covered transactions relating to development of any AI system that is trained using a quantity of computing power meeting certain technical specifications and/or using primarily biological sequence data.
Notifiable: Covered transactions involving AI systems designed or intended to be used for cybersecurity applications, digital forensics tools, penetration testing tools, control of robotic systems or that trained using a quantity of computing power meeting certain technical specifications.
The Final Rule specifically defines the key terms “country of concern,” “U.S. person,” “controlled foreign entity,” “covered activity,” “covered foreign person,” “knowledge” and “covered transaction” and other related terms and sets forth the prohibitions and notification requirements in line with the national security objectives stated in the Executive Order. The Final Rule also provides a list of transactions that are excepted from such requirements.
U.S. investors intending to invest in China, particularly in the sensitive sectors set forth above, should carefully review the Final Rule and conduct robust due diligence to determine whether a proposed transaction would be covered by the Final Rule (either prohibited or notifiable) before undertaking any such transaction.
Any person subject to U.S. jurisdiction may face substantial civil and/or criminal penalties for violation or attempted violation of the Final Rule, including civil fines of up to $368,137 per violation (adjusted annually for inflation) or twice the amount of the transaction, whichever is greater, and/or criminal penalties up to $1 million or 20 years in prison for willful violations. In addition, the Secretary of the Treasury can take any authorized action to nullify, void, or otherwise require divestment of any prohibited transaction.
Reminder for Public Companies Granting Stock Options and Stock Appreciation Rights: Don’t Forget New Item 402(x) Disclosure
As public company issuers prepare for the 2025 reporting season, issuers should be reminded (or made aware) of the new executive compensation-related disclosure requirements. On December 14, 2022, the Securities and Exchange Commission (SEC) adopted rules setting forth new disclosure requirements for awards of stock options and stock appreciation rights (SARs) under new Item 402(x) of Regulation S-K (Item 402(x)). For a public company with a fiscal year that ended December 31, 2024, these new disclosure requirements will take effect beginning with its forthcoming annual report on Form 10-K (or, if applicable, the proxy statement for its annual meeting) to be filed in 2025.
General Instruction G(3) to Form 10-K provides, in part, that the information required by Part III (which includes the Item 402(x) disclosure) may be incorporated by reference from the reporting company’s definitive proxy statement filed pursuant to Regulation 14A for a meeting of shareholders involving the election of directors (an “annual meeting proxy statement”), if such annual meeting proxy statement is filed with the SEC not later than 120 days after the end of the fiscal year covered by the annual report on Form 10-K (for this new Item 402(x) disclosure, such date is April 30, 2025). If a reporting company’s annual meeting proxy statement is not filed with the SEC in the 120-day period, then the new Item 402(x) disclosure must be filed as part of the annual report on Form 10-K, or as an amendment to the Form 10-K, not later than the end of the 120-day period.1
Item 402(x) Purpose
Item 402(x) requires narrative and tabular disclosure on a public company’s policies and practices relating to awards of stock options and SARs that are granted close in time to the disclosure of material nonpublic information (MNPI). For these purposes, “close in time” means within a period starting four business days before and ending one business day after the filing or furnishing of a quarterly report on Form 10-Q, an annual report on Form 10-K or a current report on Form 8-K that discloses MNPI (such period, the Covered Period). Item 402(x) serves to increase transparency and protect against actual or perceived timing issues (e.g., potential insider trading concerns) surrounding awards of stock options or SARs that are granted “close in time” to the disclosure of MNPI that would boost the value of the underlying stock price shortly after grant.
Narrative Disclosure Requirement
Narrative disclosure on a public company’s policies and practices relating to the timing of awards of stock options and SARs in relation to the disclosure of MNPI is required whether or not the company has granted such awards within the Covered Period. This disclosure is not required for full-value awards, such as awards of restricted stock or restricted stock units. Specifically, the narrative disclosure must describe the following:
how the board of directors determines when to grant such awards (e.g., whether such awards are granted on a predetermined schedule);
whether and how the board of directors takes MNPI into account when determining the timing and terms of such award; and
whether the company has timed the disclosure of MNPI for the purpose of affecting the value of executive compensation.
Tabular Disclosure Requirement
If, during the last completed fiscal year, a company granted awards of stock options or SARs to one or more named executive officers during the Covered Period, the company must disclose in a tabular format, as illustrated below,2 the following with respect to each such grant: (1) the name of the named executive officer; (2) the grant date of the award; (3) the number of securities underlying the award; (4) the per-share exercise price of the award; (5) the grant date fair value of the award; and (6) the percentage change in the closing market price of the underlying securities between the trading day ending immediately prior to and the trading day beginning immediately following the disclosure of MNPI.
Inline XBRL Requirement
Consistent with other recently promulgated disclosure rules, the information required to be disclosed pursuant to Item 402(x) (i.e., both tabular and narrative disclosure) must be tagged in Inline XBRL.
Action Items
Public company issuers should consider adopting formal equity grant practices, policies or guidelines that align with the new disclosure requirements or revisiting their existing equity grant practices, policies or guidelines to address the timing of awards of stock options and SARs in relation to the disclosure of MNPI. Issuers should also consider implementing policies and procedures to prevent the granting of equity awards within the Covered Period if the additional scrutiny that might come with tabular disclosure would be undesirable.
1 The first applicable fiscal year covered by the new disclosure requirements is the first full fiscal year beginning on or after April 1, 2023. For public companies (other than smaller reporting companies) with a fiscal year [that] ended on or after March 31, 2024, the new disclosure requirements must have been satisfied (or must be satisfied) on the annual report on Form 10-K covering such fiscal year.
For smaller reporting companies, the first applicable fiscal year covered by the new disclosure requirements is the first full fiscal year beginning on or after October 1, 2023 (i.e., the new disclosure requirements must be satisfied on the annual report on Form 10-K and annual meeting proxy statement for fiscal years ending on or after September 30, 2024).
2 For smaller reporting companies, this table will only apply to the named executive officers determined under Item 402(m)(2) of Regulation S-K, which consists of the principal executive officer (PEO) and the next two most highly compensated executive officers other than the PEO who were serving as executive officers at the end of the last completed fiscal year.
Jonathan Weiner also contributed to this article.
Europe: Are the UK FCA’s Revised “Name and Shame” Proposals An Improvement?
In November 2024, the UK FCA released a Consultation which seeks to clarify its proposed approach to publicising ongoing enforcement action – dubbed the “name and shame” plan – and to assure the wider market of the plan’s benefits. Responses are due by 17 February 2025.
The FCA has now proposed providing affected firms with 10 days’ notice before an announcement is made. It has also agreed that additional matters – such as the impact on affected firms – will form part of its public interest test when it considers whether to make an announcement. It agrees that it will not announce investigations that have begun before the proposals come into effect, but will be able to confirm public knowledge of an ongoing investigation.
These all seem helpful concessions to the plan’s detractors but some difficulties with the proposals persist.
Whilst the FCA argues that many investigations already end up in the public domain because of firms’ wider disclosure requirements, this may not be comforting to firms that do not have relevant disclosure requirements, for example because they are not listed.
The FCA contends that while the announcement of an investigation can be associated with a fall in a firm’s share price, and consequent detriment to a firm, that is often not the case and it is difficult to isolate the impact of an announcement on share prices. However, they do also concede that in some cases large share price falls do appear to have been triggered by announcements of regulatory action.
In its defence, the FCA asserts that announcements may provide an educational opportunity to foster a competitive and credible market environment, but some may feel that this down-plays to too great an extent the “innocent until proven guilty” principle, especially in cases where the FCA decides to name the parties involved.
Crypto in the Courts: Five Cases Reshaping Digital Asset Regulation in 2025
There has rarely been a larger or more widely distributed financial market that existed in a more uncertain regulatory context than cryptocurrencies and decentralized finance (DeFi) at the start of 2025. In the past several years, the regulatory status of this asset class in the United States has been at the center of a concerted effort by the US Securities Exchange Commission (SEC) to apply the regime applicable to securities to diverse crypto instruments and methods of exchange and transfer. (Although the Commodity Futures Trading Commission (CFTC) has also consistently enforced its regulations on products it deems to be commodities, that effort has not led to the widespread litigation that is likely to define the regulatory status of these products.)
The SEC’s effort is now in jeopardy. As we begin 2025, the legal landscape surrounding digital assets stands at a critical inflection point, with several watershed cases poised to reshape how these assets will be governed, traded, and regulated in the United States. The convergence of these cases — spanning securities law, administrative procedure and federalism — presents opportunities to clarify how traditional legal frameworks apply to digital assets. Further, the Trump administration has promised that it will be a “pro-crypto” administration — driving the SEC towards a friendlier stance with the cryptocurrency industry and having cryptocurrency rules and regulations “written by people who love [the] industry, not hate [the] industry”1 — and that the United States will become the “crypto capital of the world.”2 President Donald Trump has nominated Paul Atkins, a former SEC Commissioner, to become the next SEC chairperson, stating in his announcement that Mr. Atkins “recognizes that digital assets & other innovations are crucial to Making America Greater than Ever Before.”3 The Trump administration’s announced intention to change the course of cryptocurrency regulation and the selection of an SEC chairperson who is an avowed advocate for innovation through blockchain technologies raise questions about the future of the pending litigation at the center of this industry.
This article examines five cases that may define the future of digital asset regulation in the United States and sets out the issues at stake in those cases. These cases are the Second Circuit’s review of SEC v. Ripple Labs, Inc., the interlocutory appeal in SEC v. Coinbase, Inc., and three cases representing the industry’s shift toward offensive litigation against federal agencies — Blockchain Association v. IRS, Bitnomial Exchange, LLC v. SEC, and Kentucky et al. v. SEC. The purpose of this article is not to predict how those cases will progress — that determination is going to lie in the hands of the courts and policymakers — but rather to make clear what is at stake, especially in light of an anticipated shift in regulatory priorities regarding digital assets with the Trump administration, which could decide to no longer support the government’s positions in these cases.
SEC v. Ripple Labs, Inc. (2d Cir.)
The SEC’s appeal in SEC v. Ripple Labs, Inc. follows a July 2023 ruling in the Southern District of New York that began when the SEC charged Ripple Labs, Inc. (Ripple) with conducting an unregistered securities offering through sales of its XRP token. The SEC argued that the offer and sale of XRP tokens constituted an offer and sale of investment contracts under SEC v. W.J. Howey, which provides that an “investment contract” is a contract, transaction, or scheme whereby a person: (1) “invests his money” (2) “in a common enterprise” and (3) “is led to expect profits solely from the efforts of the promoter or a third party.”4 In response, Ripple advanced an “essential ingredients test,” arguing that in addition to the three-part Howey test, investment contracts must also contain “essential ingredients”: (1) “a contract between a promoter and an investor that establishe[s] the investor’s rights as to an investment,” which contract (2) “impose[s] post-sale obligations on the promoter to take specific actions for the investor’s benefit” and (3) “grant[s] the investor a right to share in profits from the promoter’s efforts to generate a return on the use of investor funds.”5
The district court, in its July 2023 ruling, rejected Ripple’s novel “essential ingredients” test, noting that “in the more than seventy-five years of securities law jurisprudence after Howey, courts have found the existence of an investment contract even in the absence of Defendants’ ‘essential ingredients,’ including in recent digital asset cases in this District.”6 Nevertheless, the district court found that, while Ripple’s institutional sales violated securities laws, the company’s programmatic sales (sales of XRP on digital asset exchanges) and other distributions (such as employee compensation and third-party development incentives) did not constitute securities offerings — marking the first major setback to the SEC’s digital asset enforcement initiative.7 Crucially, the district court distinguished between XRP sales based on their economic reality: institutional sales to sophisticated buyers under written contracts were deemed securities transactions because buyers reasonably expected profits from Ripple’s efforts, while programmatic sales on exchanges were not because buyers could not know they were purchasing from Ripple. The court also found that other distributions failed to meet the basic requirements of an “investment of money” since recipients did not provide payment to Ripple.
The SEC filed a notice of appeal on October 4, 2024, and Ripple has cross-appealed. This will likely be the first appellate court to consider how Howey applies to digital assets unless the Trump administration determines to freeze the litigation.8 The SEC filed its appellate brief on January 15, 2025, arguing that the district court erred in concluding that programmatic sales to retail investors were not offers or sales of investment contracts under Howey because “investors were led to expect profits” based on the efforts of Ripple.9 The SEC also argued that other distributions of XRP were also offers or sales of investment contracts because Ripple the “recipients provided tangible and definable consideration in return for Ripple’s XRP.”10 Ripple will likely challenge whether digital assets are ever securities under the Howey framework.
The SEC maintains that the district court’s decision “conflicts with decades of Supreme Court precedent and securities laws.”11 If the SEC persists in this appeal, it will likely be the first appellate court to consider how Howey applies to particular types of primary sales of digital assets and, more broadly, how securities laws are to be applied to the digital asset economy. The appeal’s resolution will provide important clarity on how federal securities laws apply to various types of primary sales of digital assets.
SEC v. Coinbase, Inc. (2d Cir.)
On January 7, 2025, a Southern District of New York court granted Coinbase Inc.’s motion to certify for interlocutory appeal the court’s March 2024 order denying in substantial part Coinbase’s motion for judgment on the pleadings.12 The certification permits the Second Circuit to address Howey’s reach and application to digital assets, particularly in secondary market transactions.
The case arose from the SEC’s June 2023 enforcement action, alleging that Coinbase operated as an unregistered national securities exchange, broker and clearing agency by intermediating transactions in 13 digital assets that the SEC claimed were investment contracts and, thus, securities. The district court in March 2024 rejected Coinbase’s argument that cryptoasset transactions could not be investment contracts absent post-sale contractual obligations between issuers and purchasers.13
In granting Coinbase’s motion to certify for interlocutory appeal, the court found that the case presents a “controlling question of law regarding the reach and application of Howey to cryptoassets, about which there is substantial ground for difference of opinion.”14 In particular, the court emphasized that applying Howey to cryptocurrencies “is itself a difficult legal issue of first impression for the Second Circuit” and questioned the adequacy of the SEC’s application of Howey to secondary market sales.15
The grant of interlocutory appeal is significant for several reasons. First, it creates parallel tracks of appellate review in the Second Circuit, as the SEC’s appeal in Ripple Labs will also be pending. Both cases will allow the Second Circuit to examine how Howey applies to digital assets but from different procedural postures — Ripple Labs on final judgment and Coinbase on interlocutory appeal from a motion for judgment on the pleadings.
Second, the interlocutory appeal addresses a fundamental split in the Southern District of New York regarding whether and how Howey applies to secondary market transactions of digital assets. Judge Torres in Ripple Labs drew a distinction between Ripple’s institutional sales, which satisfied Howey, and programmatic sales (i.e., blind bid-ask transactions on exchanges), which did not. In contrast, Judge Rakoff in SEC v. Terraform Labs and Judge Failla in Coinbase declined to differentiate based on the manner of sale, finding that Howey could apply equally to secondary market transactions.16 The Second Circuit’s resolution of this split will have profound implications for all regulatory disputes relating to digital asset trading platforms, as the designation as a security triggers the application of the securities laws for all participants in the industry, including issuers, traders, and trading platforms.
Third, the appeal will address the novel question of how a digital asset’s “ecosystem” factors in the Howey analysis. The district court in Coinbase found that, unlike traditional commodities, cryptoassets lack inherent value absent their digital ecosystem — a distinction that helped justify treating them as securities.17 However, the district court also recognized in its certification of its appeal that Coinbase raised “substantial ground” to dispute this view of the ecosystem, noting Coinbase’s argument that other commodities such as carbon credits, emissions allowances and expired Taylor Swift concert tickets similarly have no inherent value outside of the ecosystem in which they are issued or consumed.18 The Second Circuit’s treatment of this issue could influence how other courts analyze a wide range of digital assets.
The implications for the digital asset industry are substantial. Coinbase represents the largest US digital asset exchange, and the SEC’s theory would subject most major trading platforms to securities regulation. Resolution of the interlocutory appeal could, therefore, provide crucial guidance on whether and when trading platforms must register with the SEC.
Blockchain Association et al. v. IRS (N.D. Tex.)
On December 27, 2024, three blockchain industry organizations filed suit in the Northern District of Texas, challenging Department of the Treasury (Treasury) regulations that would impose “broker” reporting requirements on DeFi participants.19 The case represents a significant test of Treasury’s authority to regulate the digital asset industry through information reporting requirements.
The challenged regulations implement provisions of the Infrastructure Investment and Jobs Act of 2021 requiring certain digital asset brokers to report transaction information to the Internal Revenue Service (IRS) on Form 1099-DA. The plaintiffs argue that Treasury’s interpretation of who qualifies as a “broker” exceeds its statutory authority. While Congress defined brokers as persons who “effectuate transfers of digital assets” for consideration, Treasury regulations extend to anyone providing “facilitative services” who theoretically could request customer information — potentially including software developers, front-end interface providers and other technology participants who never take custody of assets or directly execute trades.
The complaint raises several significant challenges under the Administrative Procedure Act (APA) and the US Constitution. The plaintiffs argue that the regulations are arbitrary and capricious, violating the APA by failing to engage in reasoned decision-making and ignoring substantial evidence about the practical impossibility of compliance for many DeFi participants. They also contend that the rules violate the Fourth Amendment by compelling warrantless collection of private information and the Fifth Amendment’s due process requirements through unconstitutionally vague standards for determining who qualifies as a broker.
The case has significant implications for the DeFi industry’s future in the United States. According to the IRS’s calculations, compliance with the regulations would cost the industry over $260 billion annually — a potentially existential burden for many DeFi projects. The plaintiffs argue this would force US-based DeFi participants to either relocate overseas, cease operations or fundamentally alter their business models in ways that undermine decentralization.
The case is part of a recent trend of offensive litigation by the cryptocurrency industry against federal agencies, as the industry increasingly turns to the courts to challenge perceived regulatory overreach. In doing so, litigants can at least initially select the venue of these proceedings, subject to the restrictions of the Federal Rules of Civil Procedure. Venue selection can be critical as certain courts in Texas, and the Fifth Circuit itself, have recently expressed criticism of expansive agency authority. In November 2024, the Northern District of Texas vacated the SEC’s rulemaking, expanding the definition of “dealer” under the Securities Exchange Act of 1934 (Exchange Act).20 The same month, the Fifth Circuit reversed a decision wherein Treasury imposed sanctions on Tornado Cash, a cryptocurrency software protocol that conceals the origins and destinations of digital asset transfers.21 The case remains in its early stages, as the government has yet to respond to the complaint.
Bitnomial Exchange, LLC v. SEC (N. D. Ill.)
Bitnomial Exchange, LLC v. SEC marks a notable offensive litigation against the SEC, with a futures exchange regulated by the CFTC directly challenging the SEC’s authority to regulate a cryptoasset security futures product.22 Filed in October 2024 in the Northern District of Illinois, the case stems from Bitnomial’s attempt to list XRP futures contracts after completing the CFTC’s self-certification process. The complaint seeks both a declaratory judgment that XRP futures are not security futures under the Exchange Act and injunctive relief to prevent SEC oversight of these products.
Bitnomial argues that the SEC has created an impossible regulatory situation by taking the view that XRP futures constitute security futures, requiring both registration of the underlying asset (XRP) as a security and Bitnomial’s registration as a national securities exchange. The exchange contends this position is legally untenable, particularly given the court’s ruling in SEC v. Ripple Labs, Inc. that “XRP, as a digital token, is not in and of itself a ‘contract, transaction[,] or scheme’ that embodies the Howey requirements of an investment contract,” and that anonymous secondary market sales of XRP do not constitute investment contracts.23
According to the complaint, even if Bitnomial were to accept the SEC’s position that XRP futures are security futures, compliance would be impossible because XRP itself is not registered as a security with the SEC — a prerequisite for listing single stock security futures under current regulations. Moreover, Bitnomial, as a trading venue rather than the issuer, lacks the authority to register XRP as a security.
The outcome of the litigation could have far-reaching implications for how digital asset futures products are regulated and traded in the United States. A ruling in Bitnomial’s favor would reinforce the CFTC’s exclusive jurisdiction over non-security futures products and potentially clear the way for other futures exchanges to list similar products. Conversely, if the SEC prevails, it could effectively prevent the listing of futures contracts on many digital assets, as the vast majority of digital assets are not registered as a security with the SEC and cannot be registered by the exchanges seeking to list futures on them. As cases are litigated across jurisdictions, there is also the possibility of a split in how federal circuits view secondary transfers of digital assets.
Kentucky et al. v. SEC (E. D. Ky.)
In November 2024, 18 states and a blockchain industry association filed a lawsuit against the SEC in the Eastern District of Kentucky, challenging the agency’s authority to regulate digital asset trading platforms as securities exchanges. The case, which remains in its initial stages, challenges the SEC’s assertion of regulatory authority over digital asset trading platforms, arguing that the agency’s approach improperly preempts state money transmitter laws and interferes with state unclaimed property regimes that many states have specifically adapted for digital assets.
The states detail how they have developed specific regulatory frameworks for crypto businesses, including licensing requirements and consumer protection measures. Under the SEC’s interpretation that most digital asset transactions constitute securities transactions, platforms facilitating these transactions would be required to register as securities exchanges, brokers or dealers. The states argue that this interpretation would effectively nullify their respective regulatory regimes, as the Exchange Act prohibits states from imposing certain requirements — including licensing and bonding requirements — on entities that qualify as securities brokers or dealers. For example, states such as Kentucky have issued guidance stating that transmitters of digital assets are money transmitters under state law. Still, this classification would be preempted if these entities must register with the SEC as securities intermediaries.
This case could help resolve a key question underlying several ongoing SEC enforcement actions against major crypto exchanges: whether secondary market transactions in digital assets on trading platforms constitute securities transactions subject to SEC oversight. A ruling that such transactions fall outside the SEC’s authority could undermine the agency’s enforcement strategy against these platforms. On the other hand, a decision upholding the SEC’s interpretation could strengthen the agency’s positions in these enforcement actions and potentially impact other trading platforms currently operating in the United States.
The timing of the lawsuit, filed just days after the 2024 presidential election, adds another layer of complexity to the litigation.
Conclusion
The five cases examined above will help define the coming shift in digital asset litigation under the new Trump administration. While the Second Circuit’s consideration of Ripple Labs and Coinbase will determine whether the manner of sale creates meaningful distinctions under Howey, the industry-led cases signal an equally important development: the emergence of coordinated challenges to agency authority. The Blockchain Association’s challenge to Treasury’s broker regulations, Bitnomial’s challenge to the SEC’s claim of authority over CFTC-regulated futures products, and 18 states’ defense of their regulatory frameworks collectively represent sophisticated attempts to define and limit federal oversight of digital assets.
The resolution of these cases, coupled with the anticipated regulatory shifts under the new administration, could fundamentally alter the landscape for digital asset innovation in the United States. Market participants should closely monitor these developments as they may significantly impact operational strategies and regulatory obligations in the digital asset space.
1 MacKenzie Sigalos, Here’s What Trump Promised the Crypto Industry Ahead of the Election, CNBC (Nov. 6, 2024), https://www.cnbc.com/2024/11/06/trump-claims-presidential-win-here-is-what-he-promised-the-crypto-industry-ahead-of-the-election.html.
2 Mauricio Di Bartolomeo, Trump’s Top 3 Bitcoin Promises and Their Implications, Forbes (Nov. 7, 2024), https://www.forbes.com/sites/mauriciodibartolomeo/2024/11/07/trumps-top-3-bitcoin-promises-and-their-implications/.
3 Rafael Nam, Trump Picks Crypto Backer Paul Atkins as New Securities and Exchange Commission Chair, NPR (Dec. 4, 2024), https://www.npr.org/2024/12/04/g-s1-36803/trump-crypto-paul-atkins-sec-chair.
4 SEC v. W.J. Howey, 328 U.S. 293 (1946).
5 SEC. v. Ripple Labs, Inc., 682 F. Supp. 3d 308, 322 (S.D.N.Y. July 13, 2023).
6 Id.
7 Id.
8 Hanna Lang and Chris Prentice, Trump’s New SEC Leadership Poised to Kick Start Crypto Overhaul, Sources Say, Reuters (Jan. 15, 2025), https://www.reuters.com/world/us/trumps-new-sec-leadership-poised-kick-start-crypto-overhaul-sources-say-2025-01-15/ (noting top Republican official at the SEC are “reviewing some crypto enforcement cases pending in the courts.”).
9 Brief for SEC at 27-28, SEC v. Ripple, No. 24-2648 (2d Cir. Jan. 15, 2025) (“Ripple publicly promised that it would create a rising tide that would lift the price of XRP for all investors, whether having purchased from Ripple, its affiliates, or a third party.”).
10 Id. at 49-50 (citing Intl. Teamsters v. Daniel, 439 U.S. 551, 560 n. 12 (1979) for the proposition that an “investment of money” under Howey includes “goods and services” so long as the investor provides “some tangible and definable consideration.”).
11 Nikhilesh De, SEC Files Notice of Appeal in Case Against Ripple (Oct. 2, 2024), CoinDesk, https://www.coindesk.com/policy/2024/10/02/sec-files-notice-of-appeal-in-case-against-ripple.
12 SEC v. Coinbase, Inc., No. 1:23-cv-04738-KPF (S.D.N.Y. Jan. 7, 2025).
13 SEC v. Coinbase, Inc., 726 F. Supp. 3d 260 (S.D.N.Y. Mar. 27, 2024).
14 Supra note 9 at 12.
15 Id. at 26.
16 SEC v. Terraform Labs Pte. Ltd., 684 F. Supp. 3d 170, 197 (S.D.N.Y. July 31, 2023) (“It may also be mentioned that the Court declines to draw a distinction between these coins based on their manner of sale, such that coins sold directly to institutional investors are considered securities and those sold through secondary market transactions to retail investors are not.”); Coinbase, Inc., 726 F. Supp. 3d at 293 (“Contrary to Defendants’ assertion, whether a particular transaction in a crypto-asset amounts to an investment contract does not necessarily turn on whether an investor bought tokens directly from an issuer or, instead, in a secondary market transaction.”).
17 Coinbase, Inc., 726 F. Supp. 3d at 295.
18 Coinbase, Inc., No. 1:23-cv-04738-KPF at *28.
19 Blockchain Ass’n et al. v. IRS, No. 3:24-cv-03259-X (N.D. Tex. Dec. 27, 2024).
20 See Nat’l Ass’n of Private Fund Managers et al. v. SEC, No. 4:24-cv-00250 (N.D. Tex. Nov. 21, 2024); Crypto Freedom All. of Tex. et al. v. SEC, No. 4:24-cv-00361 (N.D. Tex. Nov. 21, 2024).
21 See Van Loon v. Department of the Treasury, No. 23-50669 (5th Cir. 2024).
22 Bitnomial Exch., LLC v. SEC, No. 1:24-cv-09904 (N.D. Ill. Oct. 10, 2024).
23 Ripple Labs, Inc., 682 F. Supp. 3d at 324 (S.D.N.Y. July 13, 2023).
Yawara Ng also contributed to this article.
DORA Takes Effect: Key Next Steps for Firms
After a two-year implementation period, the EU Digital Operational Resilience Act (DORA) takes effect on 17 January 2025.
DORA is part of the EU’s Digital Finance Package and aims to strengthen the financial sector’s ability to withstand and recover from operational disruption.
Despite DORA coming into effect, many financial entities and information communication and technology (ICT) third-party service providers (TPPs) continue to work towards DORA compliance.
Following 17 January 2025, financial entities will need to, among other things:
continue negotiating DORA-compliant contractual arrangements with TPPs to ensure such arrangements include the minimum contractual provisions set out in DORA;
establish and maintain their registers of information related to their ICT services, and engage with their national competent authorities (NCAs) on the delivery of such information ahead of the deadline for the first submission of these registers by NCAs to the European Supervisory Authorities (ESAs) on 30 April 2025;
monitor the adoption of the remaining technical standards on the subcontracting of ICT services and threat-led penetration testing as well as the publication of other DORA-related materials such as the highly anticipated guidance on the scope of ICT services;
enhance legacy ICT systems and infrastructure or integrate them with new systems to assist with the implementation of DORA’s requirements;
engage across multiple internal departments to avoid siloed efforts, miscommunication and/or gaps in compliance implementation, and ensure that the organisation is appropriately staffed to deal with ongoing DORA obligations;
prepare for engagement with NCAs who will play a key role in the supervision and enforcement of DORA; and
monitor the ESAs designation of TPPs as “critical” and determine any impact that such a designation may have on them where they utilise such a provider.
For further information on developments regarding DORA, please see our recent article (available here).
CFPB Orders Credit Reporting Agency to Pay $15 Million for Mishandling Consumer Disputes
On January 17, 2025, the CFPB issued a consent order against a large consumer reporting agency for failing to properly investigate consumer disputes concerning inaccurate information on consumers’ credit reports. The CFPB alleges the agency violated the Fair Credit Reporting Act (FCRA), by relying on ineffective processes and failing to thoroughly investigate disputes.
The CFPB alleges the agency failed to implement reasonable procedures to ensure the accuracy of consumer reports. As a result, inaccurate credit information was provided to lenders, affecting consumers’ ability to obtain loans or credit at favorable terms. The CFPB also alleged the agency failed to reasonably investigate consumer disputes, disregarded relevant information, and provided inaccurate investigation results to consumers. The Bureau asserts that these actions harmed consumers by creating unnecessary obstacles and delays in resolving credit errors.
To address these alleged violations, the CFPB issued an order requiring the credit reporting agency to:
Pay a $15 Million Civil Penalty. The penalty will be added to the CFPB’s Civil Penalty Fund, which is used to provide financial relief to harmed consumers.
Improve Dispute Investigation Processes. The agency will be required to implement changes to ensure that consumer disputes are thoroughly investigated and resolved in accordance with the FCRA. The changes include improving staff training, enhancing quality control measures, and implementing systems to prevent the reinstatement of previously corrected errors.
Putting It Into Practice: This underscores CFPB’s commitment to tackling FCRA violations, which has ratcheted up during the final days of the current administration (previously discussed here, here, and here). As Chopra’s term as Director of the CFPB wraps up, it will be worth monitoring how the incoming administration approaches the latest salvo of CFPB enforcement actions.
Listen to this post
CFPB Proposes Roadmap For States to Continue Regulatory Activity
The Consumer Financial Protection Bureau (CFPB) released a comprehensive report today, outlining detailed recommendations to strengthen state-level consumer protection laws and address modern risks in consumer financial markets. The CFPB also provided a compendium of guidance documents summarizing its enforcement strategies and regulatory insights, designed to serve as a resource for state lawmakers and regulators.
The report identifies areas of growing concerns such as increased market concentration, misuse of consumer data for targeted advertising, and the proliferation of junk fees, all of which necessitate stronger consumer protections to ensure fair competition and transparency.
Key recommendations from the report include:
Adopting the “abusive” standard: States are encouraged to incorporate the prohibition of “abusive” acts or practices into their statutes, a concept central to the CFPB’s enforcement under the Consumer Financial Protection Act (CFPA). This standard addresses harmful tactics such as dark patterns, excessive reliance on consumer misunderstanding, and exploitation of unequal bargaining power, without requiring proof of consumer harm. (See discussion on CFPB’s Policy Statement on Abusiveness here).
Removing barriers to effective enforcement: The CFPB recommends that states grant their attorneys general broad investigative powers, including pre-suit subpoenas, and the authority to pursue equitable relief, punitive damages, and revocation of corporate charters for egregious violators. States are also urged to establish consumer restitution funds, modeled after the CFPB’s Civil Penalty Fund, to compensate victims when offenders cannot.
Cracking down on junk fees: The CFPB advocates for explicit bans on hidden and misleading fees that obscure the true cost of goods or services, and on price-gouging tactics that exploit captive consumers. For example, it suggests requiring businesses to prominently disclose total prices upfront and prohibiting fees for services reasonably expected to be included in the advertised cost. (See discussion on the CFPB’s crackdown on junk fees here, here, here and here).
Enhancing consumer data privacy: The CFPB encourages states to create enforceable rights for consumers, including the ability to delete, correct, and control the use of their personal data. It also recommends prohibiting the sale of sensitive data to third-party brokers and limiting the use of such data for targeted advertising or discriminatory pricing practices. (See discussion on states’ consumer privacy legislative efforts here and here).
The CFPB also recommends that states eliminate burdensome proof requirements that hinder enforcement, such as the need to prove monetary injury or consumer reliance on misleading claims. Additionally, the Bureau urges states to expand consumer protection laws to safeguard small businesses and to allow private causes of action, enabling individuals to hold violators accountable through direct litigation.
Additionally, the CFPB’s report highlights its strong partnerships with state regulators, which have significantly bolstered enforcement and consumer protection capabilities.
Putting It Into Practice: The CFPB’s report includes specific model language recommended by the CFPB, such as definitions of “abusive” practices and provisions to address junk fees, which can provide a helpful starting point for lawmakers drafting or revising consumer protection statutes. With more tools, resources, and collaborative frameworks than in the past, Bureau leadership is hoping that state regulatory bodies are likely better equipped now to continue fill in the potential regulatory gap resulting from a new administration.
Listen to this post
Trade Group Calls for Clarity on Ohio Fintech Guidance
On January 14, 2025, the American Fintech Council (AFC) submitted a letter to the Ohio Department of Financial Institutions, urging it to re-examine its recent guidance on responsible bank partnerships and provide more clarity. The guidance, which outlines expectations for banks partnering with fintech companies, raised concerns among industry participants regarding its potential impact on innovation and competition in financial services.
The AFC’s letter stressed the need for clear guidance to ensure a balanced approach that protects consumers and supports innovation and competition within financial services. In particular, the AFC is seeking more detail on how banks should conduct due diligence on their fintech partners, what data privacy and security standards should be applied to these partnerships, and how consumer complaints should be handled.
The AFC highlighted the following areas where it believes additional clarity is needed:
Due Diligence Expectations. The letter seeks clarity on the specific due diligence requirements for banks partnering with fintech companies. This includes outlining the scope of due diligence reviews, the factors banks should consider when assessing fintech partners, and the documentation required to demonstrate compliance.
Data Privacy and Security. The AFC also seeks clarification on data privacy and security standards to ensure fintech partnerships adequately protect consumer information. This includes specifying the data security measures banks and fintech companies must implement, the protocols for data sharing and transfer, and the requirements for notifying consumers in case of a data breach.
Complaint Handling. Additionally, the AFC requested more detailed guidance on how banks and fintech companies should collaboratively handle consumer complaints related to their partnerships. This includes outlining the roles and responsibilities of each party in responding to complaints, the timelines for resolution, and the escalation procedures for unresolved issues.
Industry participants have expressed concerns that the current guidance lacks specificity and could lead to inconsistent interpretations and enforcement. This uncertainty may discourage banks from partnering with fintech companies, potentially stifling innovation and limiting consumer access to new financial products and services. The AFC argues that clearer guidance will foster a more predictable regulatory environment, promoting responsible partnerships while also encouraging continued growth in the fintech sector.
Putting It Into Practice: This development highlights the ongoing tension between fostering innovation in financial services and ensuring adequate consumer protection. Federal and state agencies continue to step up enforcement against bank-fintech partnerships and clarify existing rules and regulations (previously discussed here and here). While states like Ohio seek to provide guidance for bank-fintech partnerships, striking the right balance between encouraging growth and mitigating risks remains a challenge. Banks and fintechs alike should review their compliance obligations to ensure alignment with applicable federal and state standards.
Listen to this post
CFPB Publishes Supervisory Highlights Focused on Deposits, Small-Dollar Lending, BNPL, and Paycheck Advance Products
During the week of January 6, the CFPB released a “second” Winter 2024 Supervisory Highlights, focused on the agency’s most recent findings in deposits, small dollar lending, buy now, pay later (BNPL), paycheck advance products, and furnishing. Some key takeaways include:
Compliance Failures with Deposit Accounts
The Bureau reported that in recent examinations of depository institutions and service providers, companies were cited for unfair acts and practices for charging consumers unfair unanticipated overdraft fees, such as authorize-positive settle-negative (APSN) overdraft fees. Supervision continued to cite institutions in connection with charging consumers NSF fees on transactions that already incurred an NSF fee when it was previously declined. In addition, the Bureau cited service providers for unfair acts and practices by having their technology platforms continue to assess APSN fees unless client institutions specifically took action to avoid assessing these fees (even though the service provider knew that the fees should not be assessed). Finally, examiners cited institutions for unfair acts and practices for not offering consumers a way to easily stop preauthorized debit card transactions (which can be done through a network-based stopped payment service). (See here, here, and here for our previous discussions on the oversight of overdraft fees.)
Furnisher Compliance Failures
Furnishers of credit data were also cited for failures under the Fair Credit Reporting Act (FCRA). Key issues included furnishers’ inability to process identity theft block requests, inadequate investigations of consumer disputes, and deficient policies for ensuring data accuracy and integrity. The report highlights that deficiencies in furnishers’ internal controls regarding the accuracy and integrity of furnished information led to failures in identifying, and promptly remediating, accounts that were furnished inaccurately. Examiners also found that furnishers failed to conduct reasonable investigations of indirect disputes where they utilized automated dispute response systems. Furnishers, through their automated dispute response systems, verified the information subject to the dispute even though the furnishers’ records were insufficient to confirm the information. (We previously discussed FCRA compliance issues here and here.)
Small Dollar Lender Compliance Failures
Examiners found that BNPL lenders engaged in unfair acts or practices by delaying the resolution of consumer disputes, leaving consumers waiting months for refunds on items or services not delivered as promised, and also by allowing misleading advertisements about loan costs and terms to appear on merchant partner websites, confusing borrowers.
Paycheck advance lenders faced scrutiny for allegedly deceptive and abusive practices. Examiners found that lenders’ consumer interfaces misrepresented how tips were allocated, falsely suggesting they directly helped other borrowers when, in reality, tips were added to general revenue. Examiners found that certain paycheck advance lenders obstructed consumers from closing accounts and continued debiting funds despite claims that accounts could be closed at any time. Some lenders’ payment platforms engaged in unfair acts and practices by blocking consumers from accessing linked deposit accounts due to outstanding advances, which the Bureau claims exacerbated consumer financial harm. (See here, here, and here for our previous discussions on the regulation of paycheck advance lenders.)
Putting It Into Practice: This edition of the CFPB’s Supervisory Highlights offers critical lessons for financial institutions aiming to avoid regulatory scrutiny and protect consumers. Institutions should conduct thorough reviews of their policies and practices, particularly regarding fee structures, credit reporting, and dispute resolution mechanisms.
For Deposit-Related Practices: Institutions should review how overdraft and NSF fees are assessed, paying close attention to configurations in core banking systems. Proactively addressing these issues can prevent harm to consumers and reduce exposure to regulatory penalties.
In the Realm of Credit Reporting: Furnishers should prioritize the accuracy and integrity of data furnished to consumer reporting agencies. This includes implementing robust procedures to handle identity theft disputes, thoroughly investigating consumer disputes, and rectifying systemic data issues to ensure compliance with the FCRA and Regulation V.
For Emerging Products like BNPL and Paycheck Advances: Financial institutions should establish clear policies to resolve disputes promptly and ensure accurate and transparent marketing practices. This includes monitoring third-party advertising to prevent misleading claims and adopting systems that facilitate timely refunds and accurate disclosures.
CFPB Proposes Interpretive Rule on Emerging Payment Mechanisms Under EFTA
On January 2, 2025, the Consumer Financial Protection Bureau (CFPB) proposed an interpretive rule under the Electronic Fund Transfer Act (EFTA) and Regulation E to clarify how emerging payment systems, such as those used in video games, esports betting, and the use of stablecoin, fit within the existing regulatory framework. According to the Bureau, their actions are part of a broader effort to ensure that companies offering these types of “financial products” have mechanisms in place to protect consumers against hacking attempts, account theft, scams, and unauthorized transactions. It is the CFPB’s belief that absent these protections, consumers may face challenges vindicating their rights in the event of unauthorized transfers or errors.
Key Highlights of the Proposed Rule
Under the interpretive rule, the CFPB would expand EFTA/Regulation E protections to in-game transactions in video games, esports betting, and transactions involving stablecoins. The proposal builds on the Bureau’s research and input from stakeholders, touching on the following notable areas:
Defining “Funds”:
The proposed interpretive rule would define the term “funds” to include assets that are used like money which include “stablecoins, as well as any other similarly-situated fungible assets that either operate as a medium of exchange or as a means of paying for goods or services.” Accordingly, it is intended to include widely held cryptocurrencies and stablecoins, as well as in-game virtual currencies that can be easily exchanged back to U.S. dollars. Notably, the Bureau states that what constitutes “funds” is a “fact-specific” inquiry and would not necessarily encompass funds that cannot be used to make payments or cannot be readily exchanged into fiat currency. (We previously discussed stablecoins here).
Defining “Accounts”:
The term “account” is defined in EFTA to encompass demand deposit accounts, prepaid accounts, and other consumer asset accounts established for personal, family, or household purposes.
The proposed rule adds that (i) digital currency wallets used to buy goods and services or facilitate peer-to-peer transfers, (ii) gaming accounts used to purchase virtual items from multiple game developers or players, and (iii) credit card rewards points accounts where consumers can buy points that can be used to purchase goods from multiple merchants may also fall under this category.
Market participants subject to EFTA must comply with certain error resolution and unauthorized transfer liability protections under Regulation E. Companies newly subject to EFTA under the proposed rule may be required to provide clear disclosures regarding EFT services, including fees, transfer limits, and error-resolution procedures.
Request for Information on Privacy Issues
Separate from the interpretive rule, the CFPB also issued a Request for Information Regarding the Collection, Use, and Monetization of Consumer Payment and Other Personal Financial Data to better understand how gaming companies offer financial products and collect and use consumer data. The purpose of the RFI is to assess whether the Bureau should consider changes to Regulation P, the rule that implements the privacy protections under the Gramm-Leach-Bliley Act. When it comes to the monetization of consumer data, both the CFPB and the FTC have been relatively active in this space, focused on how Big Tech companies monetize consumer data. Related to the Bureau’s Request for Information, the Bureau also published a blog last week asking video gamers and parents to share their experiences with gaming assets and transactions.
Putting It Into Practice: EFTA and Regulation E contain exceptions for certain securities or commodities transactions. These exceptions include any transfer of funds primarily purposed to buy or sell a security or commodity if, among other things, the security or commodity is regulated by the Securities and Exchange Commission (SEC) or the Commodity Futures Trading Commission (CFTC). It remains to be seen to what extent digital currencies will be regulated under the SEC as securities or under the CFTC as commodities. Should certain virtual currencies be classified and regulated as securities or commodities, subject transactions could be exempted from EFTA requirements.
Listen to this post