Non-Bank Lending in the Spotlight – Does the System of Calculating Regulatory Capital Require Revisiting?

In October’s GT Alert on non-bank lending, we focussed on whether there was a justification in banks being subject to regulatory capital requirements when non-bank financial institutions (NBFIs) were not.  Professor Simon Gleeson’s evidence – that banks are permitted to take deposits from the public, whereas NBFIs are not – was an important justification for a differentiated regulatory approach.
In this GT Alert, we provide an overview of how the amount of regulatory capital that a UK bank is required to hold is quantified and whether there is a case for reconsidering the current approach. This is based largely on the evidence Lord King of Lothbury, the former governor of the Bank of England, provided to the Financial Services Regulation Committee (the Committee) of the House of Lords. We also consider certain other observations Lord King made in relation to the regulation of banks and NBFIs.
The Calculation of Regulatory Capital
The system of calculating regulatory capital requirements imposed on banks is largely based on the works of the Basel Committee on Banking Supervision (the BCBS), which is headquartered at the Bank for International Settlements – the so-called central bank for central banks – in Basel, Switzerland. The BCBS provides guidance on regulatory capital, liquidity, and financial stability in relation to banks and, while its pronouncements do not have the force of law, countries who participate in its work are expected to implement its recommendations into their local law. Its most prominent work is the Basel Capital Accords, which require banks to hold sufficient capital and manage risk.
While a detailed examination of the principles on which regulatory capital is quantified is beyond the scope of this GT Alert, in essence, it is largely based on a concept known as “risk weighted assets.” Conventionally, the primary assets of a bank are the loans that it makes and holds. The loans generate interest, providing the bank with income. However, these assets are also a source of risk because if the borrowers fail to pay interest or repay principal as they are required to do, the bank may suffer a loss.  Regulatory capital is intended to absorb losses so that creditors of the bank, critically depositors, are not adversely affected by these losses and that their claims against a bank will be honoured, but it is not meant to protect banks against risk. It follows that a bank that engages in higher-risk lending should be required to hold more regulatory capital than one whose lending involves less risk, as it would be more vulnerable to losses and has a greater need for loss absorbing capital. 
The formula for determining the amount of regulatory capital that a bank is required to maintain for a loan is as follows: the amount of the loan (for example, £100) multiplied by a minimum capital ratio that applies to all loans – 8% of the loan amount (£8 in this example) multiplied by the risk weight assigned to that loan. 

If the loan was, under the BCBS framework, perceived to be without risk of default, the risk weight would be 0%. This means that the regulatory capital related to that loan would also be zero (£100 x 8% x 0%). A loan made to a multilateral development organisation may have a risk weight of 0%.  
If the loan was, under the BCBS framework, perceived to have a low risk of default, the regulatory capital a bank would require may be determined based on a risk weight of, for example 35%. This would result in a requirement of £2.80 (£100 x 8% x 35%).  
If a loan was, under the BCBS framework, perceived to be riskier still, the risk weight ascribed might be 100%, resulting in a regulatory capital requirement of £8 (£100 x 8% x 100%). Loans made to unrated or sub investment grade corporates would typically have a risk weight of 100% to reflect their higher probability of default and their uncertain value. Some loans may have an even higher risk weight.  While it may feel counterintuitive to require a bank to give a parcel of loans a risk weighting of more than 100%, this is because a 100% risk weighting would normally result in substantially less than 100% capital being required to be held against it. Capital requirements absorb unexpected losses rather than cover the possibility of default on the entire loan.   

As indicated above, this approach makes intuitive sense – the riskier a loan, the greater the risk of loss and the greater the need for loss absorbing capital to prevent creditors of the bank being adversely impacted by the loss.1
Banks are, in turn, required to hold capital (normally in the form of Common Equity Tier 1 (CET1) capital, predominantly the bank’s share capital and retained earnings) against their risk weighted assets.  Currently, UK systemically important banks hold such CET1 capital in the region of 14% to 15% of their risk weighted assets.
The Difficulty with Risk Weights
In Lord King’s view, determining regulatory capital requirements based on differentiated risk weights pre-supposes that it is possible to formulate an accurate, forward-looking assessment of the risk of different kinds of lending: 
…[the system of risk weights] presumes knowledge that we can accurately assess the riskiness of different kinds of lending. The risk weights that are put into the Basel III and other frameworks tend to reflect people’s quantitative estimates of risk based on normal times, but the purpose of having the capital to absorb losses is for when there is a crisis. At that point, risk weights are a very bad indicator of the riskiness of different elements on the balance sheet. The best example is that, before 2008, it was assumed—and the risk weights reflected this—that mortgage lending was the safest kind of lending. That turned out to be completely false when it came to 2008…. It is just too difficult to assess the riskiness of different kinds of lending… (emphasis added)
This assessment may be worth considering. The riskiness of any financial instrument may not be correctly assessed at the time that it is made (as was the case with residential mortgage lending in the years immediately before the Global Financial Crisis (GFC), given the deterioration of origination standards).  Even if it was, the riskiness of that financial instrument may change over time for any number of reasons, both of a systemic or an idiosyncratic nature. Any attempt at achieving mathematical precision in measuring riskiness gives rise to complexity, evidenced by the tens of thousands of pages of regulations that have been implemented by regulators but which individuals responsible for making lending decisions cannot have a detailed understanding of, as well as the adoption of a bureaucratic, rather than judgement based, approach. Reverting to his time at the Bank of England, Lord King commented: 
…When we started work at the Bank [of England] on the financial stability report or producing concepts of risk, every month I would get a list of 75 risks. This was not helpful. I would have preferred to have a much smaller group of people, most of whom had years of experience and remembered the previous crisis, at least, who could go out and come back, and say, “This doesn’t feel right.” They could use their judgment to say, “This is the one risk that we should worry about,” rather than trying to pretend that there are 75 risks…. (emphasis added)
In other words, Lord King recognised the merits of a qualitative approach to risk assessment rather than a purely quantitative one.
What Is the Alternative?
Lord King’s preference, based on his evidence to the Committee, is to base regulatory capital requirements not on a system of differentiated risk weights but rather the amount of leverage that an individual bank uses to fund its operations. In his evidence, he stated:
“…I would much rather have a robust and much simpler system that focuses on leverage and by which banks in trouble can have access to the central bank liquidity facility….”
He referred to his experience during the GFC in substantiating this view: 
“…In 2008, what really went badly wrong was that the banking sector rapidly expanded its balance sheet, not by issuing loss-absorbing equity or other similar instruments, but by borrowing itself. Its own leverage rose to very high levels, and it had almost negligible liquid financial assets. That was the big risk. It did not matter what the exposure was….” (emphasis added)
To be fair to the BCBS, leverage is already an element in its framework. The leverage ratio, which supplements the differentiated risk weight-based approach, requires that a bank maintains a certain amount of “Tier 1 Capital” (in broad terms, equity, being the best form of capital) relative to its “Total Exposures” (in broad terms, its liabilities, both on and off balance sheet). It is not based on a bank’s assets and their perceived riskiness. The minimum leverage ratio prescribed by the BCBS is 3%, meaning that a bank is required to have an amount of Tier 1 Capital that is at least 3% of its total exposures, though for certain banks that have systemic importance, the requirement may be up to 6%. A bank may manage its leverage ratio by either increasing its Tier 1 Capital or, alternatively, reducing the amount of its liabilities.  This is a less complex concept than differentiated risk weights.
In addition, Lord King focused on the importance of relationship-based knowledge, as opposed to credit scoring, in banks forming a view on the risk of making a loan, again emphasising the importance of qualitative factors.
What of NBFIs?
While Lord King’s view on the merits of a leverage-based approach to determining regulatory capital requirements for banks is clear, his views on the regulation of NBFIs are equally noteworthy. The starting point of his analysis was to question what the purpose of financial regulation is. In broad terms, it is to promote financial stability, ensuring that the financial system supports normal economic activity, so that individuals and firms can save, spend, pay money to each other, and have access to credit without disruption.
In his evidence to the Committee, Lord King stated: 
…The non-bank sector comprises a multitude of different kinds [of institution]. The word “ecosystem” has been used to describe it, but it is much more. It is like different life forms across the entire planet – insurance companies, pension funds, bond funds, private equity, hedge funds, venture capital. All of these are completely different animals.
If an individual insurance company were to fail, that is not, in itself, a systemic risk, and there is protection to protect individuals who may be suffering from it. If an insurance company were to fail, and that led the entire insurance industry to find itself in a position where it could not offer insurance to people, that would be systemic.
If a pension fund failed, we have mechanisms for insuring the individuals in that fund. If the entire industry ran into trouble, would we be concerned? ….. I do not see why, if a hedge fund, or several hedge funds, were to fail that constitutes a systemic issue…. (emphasis added)
Based on this and other statements made to the Committee, it seems to us that Lord King’s view is that:

Banks have a systemic importance that NBFIs do not necessarily have, at least at the current time.  This is based upon taking deposits and providing access to payment systems. 
Banks can access central bank liquidity in a way that NBFIs cannot, and this is also an advantage that justifies more stringent regulation. 
NBFIs are not homogeneous, and some may be more systemically important than others. 
Some NBFIs, such as insurance and pension providers, already operate within a framework of prudential regulation and those that do not, such as hedge funds, do not have sufficient systemic significance to warrant it. 
Regulating NBFIs less stringently than banks may promote financial stability by directing more risky activities to NBFIs, thus preventing banks from getting into trouble.

However, there is at least one example of a hedge fund whose losses required regulatory intervention in order to maintain financial stability – Long Term Capital Management (LTCM).2 It seems that much depends on the size of the hedge fund and its interconnectedness with the regulated financial sector.
Conclusion
Lord King’s experience as both an eminent academic and a governor of the Bank of England, particularly during the GFC, gives him a unique perspective on financial stability. Whether the system of differentiated risk weights is to be replaced by a leverage ratio-based approach as he suggests is a wider question and would require a departure from a well-entrenched approach, but there may be merit in the view that banks and NBFIs play different roles in a financial system and so a differentiated approach to regulation between them has a logic to it. Indeed, the differentiated regulatory approach may promote financial stability by limiting the lending activity of banks. However, the example of LTCM suggests that not all NBFIs should be treated in the same way from a prudential regulation perspective.
The Committee’s work continues. Greenberg Traurig will continue to monitor the developments.

1 As indicated, this description is a simplification. It does not recognise the distinction between the “standardised approach” to differentiated risk weights, which is the approach that the BCBS prescribes as a default position, and the “internal risk-based approach,” which sophisticated banks may adopt and which may result in different results from the standardised approach. This is based on sophisticated banks being in a better position to assess risks than banking regulators.
2 Long Term Capital Management (LTCM) was a hedge fund established in 1994 and that at one point managed $3.5 billion of investor capital. As a result of the Russian debt default, it sustained several losses and the U.S. government had to intervene, facilitating a bail out by 14 banks and financial institutions in order to prevent a wider financial crisis.

CFPB to Begin Transferring Remaining Litigation to DOJ Amid Funding Collapse

On November 20, 2025, the CFPB notified staff that it will begin transferring its remaining enforcement lawsuits and other pending litigation to the Department of Justice. The shift comes as the agency anticipates running out of operating funds under the Consumer Financial Protection Act (previously discussed here). 
The DOJ will assume responsibility for the limited number of enforcement actions and rulemaking challenges that are still active in federal courts. CFPB staff were informed that the Bureau will coordinate the handoff of district-court and appellate matters, while open investigations will remain with the agency for now. The status of ongoing litigation, internal staffing assignments, and transition timelines will be determined as the transfer process unfolds.
Putting It Into Practice: The slow unwinding of the CFPB continues, and the litigation transfer highlights just how limited the agency’s enforcement capacity has become (previously discussed here and here). At the same time, press reports this week indicate that enforcement staff have been told that certain dormant matters are being cleared to move forward. How this apparent shift fits into the Bureau’s evolving posture — and its coordination with DOJ — remains unclear. Companies subject to active or potential CFPB enforcement should closely monitor updates regarding the transition and track DOJ communications to understand how incoming teams may approach case strategy, negotiations, and remedies.

NYDFS Cybersecurity Crackdown: New Requirements Now in Force, and “Covered Entities” Include HMOs, CCRCs. Are You Compliant?

As cybersecurity breaches grow more complex and frequent, regulators are increasingly focused on organizational compliance.
Organizations such as CrowdStrike report that in 2025, cyberattacks are increasing in speed, volume, and sophistication—and cybercrime has evolved as a “highly efficient business.” The escalating threat landscape demands robust security frameworks that can withstand evolving risks.
Enter the amendments announced in November 2023 to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500 (“Amended Regulation”), that became effective on November 1. This post explores the breadth of the Amended Regulation, and the steps that covered entities need to take now.
The Amended Regulation applies to “covered entities,” i.e., DFS-regulated entities including partnerships, corporations, branches, agencies, and associations—indeed, “any person”—operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York’s Banking Law, Insurance Law, or Financial Services Laws.
Notably, health maintenance organizations (HMOs) and continuing care retirement communities (CCRCs) are considered covered entities. NYDFS-authorized New York branches, agencies, and representative offices of out-of-country foreign banks are also covered entities subject to the requirements of Part 500.
While some requirements took effect almost immediately in late 2023, others were delayed to 2024 and 2025. The final set of cybersecurity requirements that became effective November 1 require covered entities to:

expand multifactor authentication (MFA) to include all individuals accessing information systems; and
implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of information systems.

Multi-Factor Authentication (MFA)
The amended Section 500.12 requires covered entities to use multi-factor authentication (MFA) for any individual accessing any information system of a covered entity—regardless of location, type of user, and type of information contained on the Information System being accessed (FAQ 18). Internal networks that would require the use of MFA include email, document hosting, and related services, whether on-premises or in the cloud, such as Office 365 and G-Suite (FAQ 19).
Definition
MFA is defined in the regulation as authentication through verification of at least two of the following types of authentication factors:

knowledge factors, such as a password, passphrase, or personal identification number (PIN);
possession factors, such as a hardware token, authentication app, or smartcard; or
inherence factors, such as a biometric characteristic (fingerprints, facial recognition, or other biometric markers).

Artificial Intelligence and Other Risks
Note that while the definitions include passwords and biometric characteristics as verifiers, caution should be taken, as AI deepfakes may now pose a risk to biometric-based systems. Indeed, NYDFS issued a related letter regarding AI cybersecurity risks in October 2024. The October 2024 letter does not impose new requirements with respect to the Amended Regulation, yet states:
While Covered Entities have the flexibility to decide, based on their Risk Assessments, which authentication factors to use, not all forms of authentication are equally effective. Given the risks…Covered Entities should consider using authentication factors that can withstand AI-manipulated deepfakes and other AI-enhanced attacks by avoiding authentication via SMS text, voice, or video, and using forms of authentication that AI deepfakes cannot impersonate, such as digital-based certificates and physical security keys. Similarly, instead of using a traditional fingerprint or other biometric authentication system, Covered Entities should consider using an authentication factor that employs technology with liveness detection or texture analysis to verify that a print or other biometric factor comes from a live person. Another option is to use authentication via more than one biometric modality at the same time, such as a fingerprint in combination with iris recognition, or fingerprint in combination with user keystrokes and navigational patterns. [Footnotes omitted].
The NYDFS July 2025 Guidance on the MFA requirements stresses the need “for organizations to understand the trade-offs associated with each method in order to make informed, risk-based decisions.” The July 2025 Guidance discusses the tradeoffs with respect to SMS Authentication, App-based Authentication (with and without number matching), and Token-based Authentication. Note that a covered entity’s Chief Information Security Officer (CISO) may approve in writing the use of reasonably equivalent or more secure controls, to be reviewed at least annually.
Limited Exemptions
A covered entity may qualify for a limited exemption pursuant to Section 500.19(a), which provides limited exemptions for covered entities with:

fewer than 20 employees;
less than $7,500,000 in gross annual revenue in each of the last three years; or
less than $15,000,000 in year-end total assets.

Where one of the limited exemptions applies, MFA should nevertheless be used for:

remote access to the covered entity’s information system;
remote access to third-party applications, including but not limited to those that are cloud-based, from which nonpublic information is accessible; and
all privileged accounts other than service accounts that prohibit interactive login.

Asset Inventory of Information Systems
Section 500.13(a) requires covered entities—as part of their cybersecurity programs—to implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of their information systems. At a minimum, policies and procedures must include:

a method to track specified key information for each asset, including, as applicable:

the owner;
the location;
classification or sensitivity;
support expiration date;
recovery time objectives; and

the frequency required to update and validate the covered entity’s asset inventory.

Section 500.13(b) also requires covered entities to include policies and procedures for the secure disposal on a periodic basis of any nonpublic information (identified in section 500.1(k)(2)-(3)) that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
Enforcement
The regulation is to be enforced by the superintendent. Section 500.20 states that the failure to act to satisfy an obligation shall constitute a violation, although the superintendent is directed, when assessing penalties, to consider elements including cooperation, good faith, history of prior violations, the number of violations, and the extent of harm to consumers. In a recent example, in August, NYDFS secured a $2 million settlement with a health insurance provider for violations of Part 500.
Takeaways
Implementation
Covered entities must:

implement MFA for any individual accessing any information systems of a covered entity or meet the requirements of a limited exemption (fewer than 20 employees, less than $7,500,000 in gross annual revenue in each of the last three years; or less than $15,000,000 in year-end total assets). Covered entities should understand the various methods of MFA in order to make informed, risk-based decisions regarding their use; and
implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of their information systems, including 1) a method to track key information and 2) the frequency needed to update and validate the asset inventory.
The CISO may approve alternative controls in writing, if these are reasonably equivalent or more secure, and reviewed annually.

Compliance Filing
Covered entities must:

submit to NYDFS an annual notice regarding compliance with Part 500—through a Certification of Material Compliance or an Acknowledgment of Noncompliance—by April 15 (covers compliance during the previous calendar year), unless fully exempt and a Notice of Exemption is submitted (FAQ 29);
file separate annual notifications, if holding more than one license;
keep all data and documentation supporting their annual notifications for 5 years and provide that information to the Department upon request;
notify NYDFS of a cybersecurity incident no later than 72 hours after determining that one has occurred (FAQ 20). Notification may be required even if the attack is unsuccessful (FAQ 21) or occurs at a third-party service provider (FAQ 23).

Third Parties
Covered entities should ensure compliance with regulations pertaining to third-party service providers, including:

Implementing policies with respect to third-party service providers (Section 500.11).
Undertaking a thorough due diligence process in evaluating the cybersecurity practices of third-party providers; the FAQs state that relying on the latter’s certification of material compliance is insufficient.
Cybersecurity governance: If the CISO is employed by a third-party service provider, the covered entity shall retain responsibility and provide direction and oversight (Section 500.4).
Making a risk assessment regarding appropriate controls for third-party service providers (Section 511(b)).

Note that NYDFS issued “Guidance on Managing Risks Related to Third-Party Service Providers” in October 2025, a Part 500 checklist, an exemption flowchart, and more. Developments are fast-paced in the cybersecurity world and companies have a lot to lose if they pay insufficient attention to all of these new legal requirements, as they set a new floor. While meeting all of these (and other) cyber requirements may not be easy, this remains a space in which an ounce of prevention may well be worth a pound of cure.
EBG will continue to monitor developments in this area. If you have questions or need assistance in implementation of the Amended Regulations within your organization, please reach out to the authors or the EBG attorney with whom you work.
Epstein Becker Green Staff Attorney Ann W. Parks assisted with the preparation of this post.

Improving UK Transaction Reporting: FCA Consults on Streamlined Framework

On 21 November 2025, the Financial Conduct Authority (FCA) published a consultation paper (CP25/32) setting out proposed reforms to the UK transaction reporting regime (the Regime). The consultation aims to reduce regulatory burdens, improve data quality, and enhance efficiency for UK financial market participants, including investment firms, trading venues, systematic internalisers, trade repositories, and other regulated entities. 
Background 
The Regime, originally derived from the EU Markets in Financial Instruments Regulation (MiFIR), has been in force since 2018 and was onshored into UK legislation following Brexit. HM Treasury (HMT) has indicated its intention to repeal these rules, enabling the FCA to deliver a streamlined framework tailored to UK market needs. The FCA’s proposals follow engagement with market participants, including a 2024 discussion paper (DP24/2), and are informed by feedback highlighting the need to reduce duplicative and disproportionate reporting requirements. 
Key Proposals 
The FCA’s proposed changes include three main areas: the shape of the Regime, the scope of reporting obligations, and the content of transaction reports.

Shape of the Regime

The default period for back reporting (resubmission of corrected reports) would be reduced from five to three years, with the option for the FCA to require up to five years where necessary.
Most corporate actions would be exempted from transaction reporting, except for IPOs, secondary offerings, placings, and debt issuance. Firms may continue to report corporate actions voluntarily if preferable for operational reasons.
The FCA proposes to consolidate existing EU guidelines and provide a new transaction reporting user pack, including additional examples and best practice guidance.
The FCA would maintain ISO 20022 XML as the required messaging standard for transaction reporting whilst also seeking alignment with global data standards, including internationally agreed data definitions from the International Organisation of Securities Commissions (IOSCO), to facilitate efficient data sharing and reduce compliance costs for cross-border firms.

Scope of the Regime

The FCA wants to enable more use of the conditional single-sided reporting mechanism, allowing a receiving firm (typically the sell-side firm, e.g. a broker) to report on behalf of another firm that has transmitted specific details, with the aim of reducing the reporting burden for buy-side firms. The volume of information required to be transmitted would be reduced from ten to four data points.
Reporting obligations would be limited to financial instruments tradeable on UK trading venues only, removing requirements for over six million instruments tradeable solely on EU venues.
FX derivatives would be removed from the scope of transaction reporting, with reliance placed on UK European Market Infrastructure Regulation (EMIR) data instead.
The FCA would not introduce an opt-in register for receiving firms but would instead update the transmission mechanism to support smaller firms in reducing reporting burdens.
Trading venues would be required to report fewer fields under Article 26(5) of UK MiFIR, particularly removing the requirement to report natural person investment and execution decision maker details, which has been identified as a barrier to market participation and a source of frequent errors.

Content of Transaction Reports

Several reporting fields would be removed or clarified, including the derivative notional increase/decrease field, option type, exercise style, delivery type, and others. The overall number would reduce from 65 to 52 reporting fields.
The FCA also proposes to reduce the number of instrument reference data fields from 48 to 37.

Implementation and Next Steps 
The consultation period for CP25/32 runs until 20 February 2026. The FCA intends to publish a Policy Statement finalising the new transaction reporting rules in the second half of 2026, with an expected implementation period of around 18 months. Further consultations will be held on transitional provisions and consequential amendments to the FCA Handbook. The FCA will also establish a cross-authority and industry working group to inform the design of its long-term approach to harmonising transaction and post-trade reporting regimes. 
CP25/32 and DP24/2 are available here and here, respectively. 
James Wells contributed to this article

ILPA Updates Capital Call & Distribution Template: Implications for GPs and LPs

The Institutional Limited Partners Association (ILPA) has released an updated Capital Call & Distribution Template (CC&D Template) to standardise the accounting details embedded in call and distribution notices and to align the template with the updated ILPA Reporting Template and the new ILPA Performance Template. The updated template is intended to supplement existing General Partner (GP) call and distribution notices. ILPA undertook a broad, industry‑wide process, including a nine‑week public comment period with nearly 50 responses, to finalise the design.
This article summarises what has changed in ILPA’s updated CC&D Template and why those changes matter for fund operations and performance reporting, who is affected and when, and practical implementation considerations for GPs, Limited Partners (LPs) and their legal teams.
Key Updates to the CC&D Template
While the overarching structure of the updated CC&D Template remains unchanged from the 2011 version, there have been a number of changes, namely:

Introduction of a standalone LP Unfunded Commitment section aligned to the ILPA Reporting Template, designed to capture the notice’s impact on unfunded commitments.
Alignment of the transaction types in the CC&D Template with the transaction types included in the ILPA Granular and Gross Up Performance Templates, enabling direct mapping between call/distribution entries and performance reporting.
Addition of ‘Inside Fund’ and ‘Outside Fund’ transaction subtotals to clarify whether cash flows occur within the fund entity or where the fund acts as a conduit.
Removal of ‘Recallable Distribution’ and ‘Inside/Outside Commitment’ transaction types, which can now be inferred by the transaction’s impact to LP unfunded commitment.

Scope and Timing
The updated template is designed for closed‑end private markets funds, including private equity, venture capital, private credit, real assets, fund‑of‑funds/secondaries and co‑investments, across geographies, and supplements existing notices at the Total Fund and Individual LP levels.
All three ILPA templates are expected to be implemented by GPs starting in 2026. Use of the template should begin immediately after commencement of operations, but the first delivery is not required until Q1 2027, providing an implementation window to align processes and systems. For funds commencing on or after Q1 2026 that are implementing the ILPA Performance Template, ILPA recommends adopting the updated CC&D transaction types from inception to ensure consistent performance reporting. Otherwise, funds commencing on or after Q1 2027 should adopt on a go‑forward basis.
ILPA’s Wider Goals
The CC&D Template is part of a wider ILPA effort to standardise documentation and reporting in the private equity industry. The previous template allowed some degree of flexibility. Rather than simply tweaking the previous version, ILPA has removed sections altogether.
The CC&D Template needs to be considered together with the ILPA reporting and performance templates that seek to provide for standardised calculation methodologies enabling investors to compare the relative performance returns among private equity funds. ILPA intends for the call and distribution notices to use the same terminology and categories as the performance template to reduce the reconciliation burden. As such, the ILPA CC&D Template is a complementary building block to the other two templates.
Practical Considerations
The new CC&D Template has several practical considerations:

GPs who itemise calls should use granular call types (e.g. Investments, Management Fees and Partnership Expenses), and where a portion of a draw has no immediately identifiable use, “Working Capital” should be used rather than defaulting to “Total Amount.”
GPs who do not itemise calls should use “Capital Call: Total Amount – Inside Fund/Outside Fund,” consistent with the Gross Up methodology, and should avoid estimates when possible.
Subscription line repayments should be captured by selecting the call type that matches the original use of proceeds (investments or fees) and noting repayment in the transaction description, which enables accurate performance mapping and unfunded tracking.
Negative contributions for returns of excess capital are treated as reductions of paid‑in and increases to unfunded commitment (and not as distributions), while recallable distributions are shown as distributions with a corresponding increase to unfunded commitment.
Withheld taxes may be reported as “Outside Fund” where the fund acts as a conduit with taxing authorities, and distributions should be captured net of carry but gross of withheld taxes in the ILPA Performance Template.

Notice Content and Transparency
ILPA provides best‑practice guidance for the narrative cover and description letters that accompany the standardised template, including the information to include for investment calls, fee/expense calls, subscription facility repayments, cash distributions, stock distributions, and distributions from net asset value‑based facilities, with clear references to limited partnership agreement (LPA) sections and wire instructions.
Operational Readiness – Resources, Modifications and Consistency
ILPA expects use of the standardised transaction list and discourages template modifications by GPs and LPs to promote comparability, while allowing limited optionality such as the use of supplemental calculations and certain disclosure choices that should be footnoted if exercised.
Preparers should align entries to their LPA and accounting framework and ensure that the template’s values reconcile with financial statements and notices, recognising that accurate completion will require knowledgeable accounting personnel and enabling technology. Third‑party commentary likewise emphasises the need for capable accounting and system support to re‑map general ledger transaction types and implement the new structure.

State-Level Digital Asset Licensing – What to Watch as We Head Into 2026

California, Louisiana, and Illinois have established comprehensive crypto licensing frameworks that mirror New York’s BitLicense regime.  With multiple rulemaking processes now established or soon-to-be adopted and critical compliance deadlines approaching in 2026 and 2027, firms that provide digital asset services to residents in these states should carefully evaluate whether their activities trigger compliance obligations and, to the extent that they do, begin preparations for applying for licenses and building comprehensive compliance programs well in advance of the statutory deadlines.
This article provides summaries of each new state framework, as well as practical compliance considerations digital asset firms should consider.
Illinois: Digital Assets and Consumer Protection Act
Illinois enacted the Digital Assets Consumer Protection Act (DACPA) on August 18, 2025, establishing broad regulatory authority over “digital asset business activity” conducted with Illinois residents.[1] The expansive definition of this term encompasses exchanging, transferring, or storing digital assets, as well as digital asset administration and any additional activities designated through Illinois Department of Financial and Professional Regulation (IDFPR) rulemaking. One requirement of note applies to exchanges that fall within DACPA’s statutory definition of “covered exchange.” Before such an exchange lists or offers a digital asset for the benefit of Illinois residents, the exchange must certify that it has (i) identified the risk that the digital asset would be deemed a security by federal or state regulators; (ii) provided written disclosure relating to conflicts of interest of the covered exchange and digital asset; and (iii) conducted a comprehensive risk assessment designed to ensure consumers are adequately protected.
DACPA creates critical compliance milestones: customer disclosure and custody protections must be implemented by January 1, 2027, while full licensing requirements take effect July 1, 2027.  Notably, activities regulated by the Securities and Exchange Commission or the Commodity Futures Trading Commission fall outside DACPA’s scope, as do merchant transactions and personal use.  IDFPR possesses extensive enforcement powers including examination authority, subpoena power, and civil penalties up to $25,000 per violation.  IDFPR’s broad rulemaking mandate suggests detailed regulations addressing cybersecurity, business continuity, asset segregation, and capital requirements are forthcoming.
California: Digital Financial Assets Law
California’s Digital Financial Assets Law (DFAL), enacted in October 2023, requires licensing for digital financial asset business activity beginning July 1, 2026.[2] DFAL requires any person engaging in “digital financial asset business activity” with a California resident to obtain a license from the California Department of Financial Protection and Innovation (DFPI), subject to exemptions for banks, certain broker dealers, government entities, and personal or merchant use.  DFAL includes conditional licensure for holders of qualifying New York approvals, robust disclosure duties, exchange listing certifications, and stablecoin provisions tied to issuer reserves and potential licensing of issuers.
In 2025, DFPI advanced rulemaking to promulgate the various requirements under DFAL.  Initial proposed regulations in April 2025 outlined application content, surety bond requirements, disclosures, change notifications, and kiosk location oversight.[3] On September 29, 2025, DFPI issued a Notice of Modification that clarified and expanded exemptions to avoid duplicative money transmission licensing, added technical amendments to definitions and application details, and renumbered regulatory sections.[4] The modifications notably clarified that DFAL licensees would be exempt from California’s Money Transmission Act for activities incidental to their digital asset business.  Comments closed October 15, 2025.
Next is the finalization of rules and preparation for the July 1, 2026 deadline, by which time entities must be licensed with DFPI or have a pending application.
Louisiana: Virtual Currency Businesses Act
Louisiana’s Virtual Currency Businesses Act (VCBA), effective since 2020, is administered by the Louisiana Office of Financial Institutions (OFI) through the Nationwide Multistate Licensing System.  VCBA requires licensure for “virtual currency business activity” including exchange, transfer, storage, and administration services. 
In 2023, Louisiana strengthened its regulatory framework under the VCBA through Act 331.[5] This legislation enhanced the regulatory structure by adding new definitions, streamlining change of control procedures, expanding OFI’s enforcement authority, mandating accurate disclosures to residents, and authorizing emergency rulemaking capabilities.  Recent legislation provides that the 2023 amendments will automatically expire on July 1, 2027, unless renewed by the legislature.[6]
Strategic Compliance Considerations
As 2026 approaches, digital asset firms that touch residents of Illinois, California, or Louisiana should conduct comprehensive compliance assessments, engage qualified legal counsel to navigate the distinct requirements of each jurisdiction, and establish robust internal governance structures to meet the heightened regulatory expectations.  Firms should particularly focus on developing policies for cybersecurity, anti-money laundering, customer asset segregation, and financial reporting that comply with each state’s specific requirements.
Industry participants should also monitor federal developments closely, as potential federal legislation could preempt or modify state regulatory frameworks.  In the interim, firms should seek early engagement with state regulators through the rulemaking process, particularly in Illinois where IDFPR has broad authority to shape the scope of DACPA through administrative rules.

[1] https://ilga.gov/Documents/Legislation/PublicActs/104/PDF/104-0428.pdf.
[2] https://legiscan.com/CA/text/AB39/id/2845913/California-2023-AB39-Chaptered.html.
[3] https://dfpi.ca.gov/wp-content/uploads/2025/04/TEXT.pdf.
[4] https://dfpi.ca.gov/wp-content/uploads/2025/09/PRO_02-23_Notice_of_Modification.pdf.
[5] https://legiscan.com/LA/text/SB185/id/2828136.
[6] https://www.legis.la.gov/Legis/ViewDocument.aspx?d=1382721.

New York Department of Financial Services’ Industry Letter – Foreshadowing Enforcement of Vendor Management?

On October 21, 2025, the New York State Department of Financial Services (NYDFS) issued an industry letter titled “Guidance on Managing Risks Related to Third-Party Service Providers,” which clarifies covered entities’ responsibilities when engaging third‑party service providers (TPSPs) that access information systems or nonpublic information (NPI). Although the guidance does not add new rules to the NYDFS Cybersecurity Regulations (23 NYCRR Part 500), it clarifies regulatory requirements with respect to TPSPs, provides suggestions for best practices, and may signal increased regulatory focus on third-party risk management.

Quick Hits

The NYDFS recently issued guidance that provides detailed best practices to mitigate risk throughout the TPSP life cycle: due diligence, contracting, ongoing monitoring, and termination.
The guidance indicates that NYDFS will scrutinize policies and procedures related to TPSPs, especially where covered entities outsource cybersecurity compliance.
Companies may want to revisit vendor management policies, contracts, and oversight procedures, including with respect to AI platforms.

NYDFS has identified covered entities’ increasing reliance on TPSPs to provide services—including cloud computing, file transfer systems, artificial intelligence (AI), and more—as introducing new cybersecurity risks, prompting NYDFS to clarify covered entities’ obligations under the NYDFS Cybersecurity Regulations. The guidance provides best practices for covered entities throughout the four phases of the TPSP life cycle: (1) Identification, Due Diligence, and Selection; (2) Contracting; (3) Ongoing Monitoring and Oversight; and (4) Termination.
Identification, Due Diligence, and Selection
At the identification, due diligence, and selection stage, NYDFS recommends classifying vendors according to risk profile. A TPSP’s risk profile is based on factors such as access to systems and NPI, data sensitivity, jurisdictional exposure, and how critical the service is to the covered entity’s operations. NYDFS also calls for tailored, risk-based assessments when selecting TPSPs. These assessments may include, among other criteria, a review of a TPSP’s:

“reputation within the industry, including its cybersecurity history and financial stability”;
external audits and certifications;
access controls for both the covered entity’s and its own information systems and NPI;
incident response and business continuity planning and testing;
downstream service provider management;
data handling, including segmentation and encryption; and
location.

NYDFS recognizes the need for qualified personnel to interpret a TPSP’s responses to questionnaires on a case-by-case basis to make informed decisions, ask follow-up questions as necessary, and determine appropriate mitigation strategies. Where constraints exist when selecting a TPSP due to limited availability, industry concentration, or legacy system dependencies, NYDFS advises making risk-informed decisions, documenting those risks, implementing compensating controls, and regularly monitoring and assessing the selected TPSP.
Contracting
When contracting with TPSPs, NYDFS expects risk-based provisions that are tailored to the service and sensitivity of the systems and data that the TPSP will access. Recommended baseline provisions include access controls (such as multifactor authentication), encryption in transit and at rest, prompt cybersecurity incident notification to the covered entity, warranties of the TPSP’s compliance with applicable law, data location and cross-border transfer restrictions, rights for subcontractors, and data use and exit obligations. Particularly given the rise in the use of AI by vendors, NYDFS also suggests including a clause related to acceptable uses of AI, and whether the covered entity’s data may be used to train AI models or may otherwise be disclosed.
Ongoing Monitoring and Oversight
The guidance clarifies that a covered entity’s TPSP policy should also be tailored to the risk each TPSP presents. Ongoing and periodic oversight processes and controls should include a layered, risk-based assessment that can confirm that a TPSP’s cybersecurity posture is aligned with the covered entity’s expectations. Periodic assessments may include security attestations such as SOC2 and ISO 27001, penetration testing summaries, vulnerability management updates, policy changes, security awareness training, and compliance audits. The guidance recommends that material or unresolved risk be documented in the covered entity’s risk assessment and escalated through appropriate internal risk governance channels.
Termination
Finally, when ending a TPSP relationship, NYDFS expects covered entities to “ensure secure and orderly” offboarding. The guidance stresses promptly disabling access (including deactivating accounts and revoking system access for TPSP personnel and subcontractors). Particularly for TPSPs providing cloud services, this may also necessitate revoking identity federation tools, API integrations, and external storage. NYDFS further emphasizes requiring certified return, destruction, or migration of backups, cached copies, and snapshots of NPI. Policies should include “a transition plan for critical services with clearly defined timelines, roles and responsibilities.” NYDFS also recommends that access points that become redundant or unnecessary during the TPSP relationship should be eliminated on an ongoing basis, not left for backend cleanup.
Key Takeaways
The guidance may be a bellwether for NYDFS’s increased regulatory scrutiny related to TPSPs. It also provides detailed best practices for all types of businesses to consider, even those companies that are not regulated by NYDFS. As a result, businesses may want to consider the following:

Closing gaps in vendor life-cycle controls. Closing gaps includes revisiting TPSP policies and procedures to incorporate the guidance’s classification scheme, enhanced due diligence measures, ongoing monitoring metrics, and termination protocols.
Updating TPSP contract templates. Updates include standardizing terms for MFA, encryption, breach notification timelines, compliance warranties, audit rights, data location/transfers, subcontractor disclosure and veto rights, AI use and training restrictions, data exit obligations, and cybersecurity-specific remedies/termination triggers.
Bolstering ongoing monitoring for TPSPs. Monitoring involves conducting periodic risk-based assessments based on risk classification, tracking vulnerability remediation, and incorporating third-party risk into incident response plans.

Conclusion
Direct insights from a regulator are informative and are always intended to be taken seriously. Companies may want to consider reviewing and revising their vendor management policies and procedures to ensure compliance with NYDFS Cybersecurity Regulations.

Crypto Part I – The Winds of Change

Crypto[1] is one of the most important disruptors in the past century of finance. On this subject, opinions abound, each one strongly held and strongly defended.
Pessimists might caution, “What’s wrong with this picture?”: (1) intangible financial products are being (2) written on intangible digital assets, often with (3) extreme leverage ratios, and are (4) usually bought and sold on unregulated or underregulated exchanges, as enabled by (5) decentralized technologies that are new and relatively untested with (6) questionable / unknown custodial and transactional security provisions, (7) in real time, 24/7, and (8) at global scale. At a minimum, pessimists might seek to have more certainty as to the size, segmentation, and growth of the crypto markets. They might urge that better protections be put in place to protect unknowing participants from cyber fraud, which is already exacerbated by artificial intelligence tools in the hands of bad actors. Pessimists seek industry responsibility. They demand fit-for-purpose regulation.
The optimists counter all this by saying the pessimists are creating unnecessary worry: they claim we should celebrate this important moment in history because crypto could truly democratize finance if we just let it happen. They claim that the Golden Age of Crypto is upon us and that it is no less important than the Gilded Age in building a new society block by block; a society where participation both empowers us and redeems us. They assure us that the streets will be paved with gold in this bright new shared future, and argue that crypto can allow everyday people and organizations to hold and transfer novel, emerging digital asset classes at small scale, allowing for fractional ownership that everyday people could otherwise never afford. These arguments—taken together—suggest that fuller access to the crypto markets could rebalance the wealth imbalance we see today, and that everyday people could gain personal wealth in ways never before available to them.
At the same time, the realists urge prudence, caution, and careful deliberation. Realists claim that we must do the necessary work to create a regulatory framework that is resilient enough to protect us as individuals and society as a whole.
Will the winds of crypto carve out a destructive path of change across the entire financial landscape? Will crypto uproot entire sets of regulations as well as the regulatory agencies that manage them? Or will brisk crypto breezes blow out a few cobwebs, offering novel ways to revisit and reorganize, while improving a contradictory and confusing regulatory framework that has frustrated us for a long time?
I am a lawyer, but I am also a historian. Crypto is in its infancy—so I must caution that “those who cannot remember the past are condemned to repeat it.”[2] With the 100th anniversary of 1929 nearly upon us, I would be remiss if I did not note that rampant market speculation run amok, fueled by the availability of credit, high levels of debt, and a clubby environment for pump and dump schemes all abounded in 1929 as well. They led to a market collapse that nearly took down America.
But in the direct aftermath of the Great Crash, lessons were learned, the country rebuilt, and new laws were written to protect us. Americans may be defined by our entrepreneurial culture, but we are also held to account by regulation, which, while it can be cumbersome, remains some of the strongest and most reliable in the world.
It’s better to get ahead of a problem than to react to it—and we are definitely at a point in time where there is a strong potential for fraud, manipulation, and—yes—for market collapse.
Are we in a perfect storm now?
Is the crypto hurricane about to come onshore and upend finance as we know it?
Or is this simply a tempest in a teapot?
Crypto market
The U.S. accounts for only a fraction of the crypto market. At present, a handful of crypto futures and option products are traded on U.S. commodities exchanges—but this regulated U.S. market is small when we compare it with the scale of digital assets, crypto derivatives, and spot crypto trading that is engaged in 24/7 around the world.
The expansion of crypto abroad puts the United States at a competitive disadvantage in this fast-growing market. For many people schooled in business, including our current president, this paltry U.S. market share is a problem seeking a solution. One solution is to open up the United States crypto market and let the crypto chips fall where they may. But make no mistake, crypto is coming to the United States—affecting everything from brokerage to banking to insurance to your 401(k). In tandem, blockchain—the technology that enables crypto—is also transforming many other sectors, including those that rely on global supply chains with complex needs for source-to-market traceability held together by multiple contractual arrangements along the way.
Three days after being sworn into office for his second term, President Donald J. Trump issued Executive Order 14178,[3] Strengthening American Leadership in Digital Financial Technology. Drawing a bright line between himself and his predecessor, he quickly declared that his administration would “make America the Bitcoin superpower of the world and the crypto capital of the planet.”
President Trump directed the Department of Justice (DOJ), Commodity Futures Trading Commission (CFTC), Securities and Exchange Commission (SEC), the Financial Crimes Enforcement Network (FinCEN), and the Internal Revenue Service (IRS) to move away from regulation by enforcement to regulation by rulemaking. To convene committee after committee of crypto experts to import some real-world wisdom for lawmakers. To enable “regulatory sandboxes” to rapidly develop and help frame necessary oversight and control for these new asset classes. To consider the regulatory overhaul of several traditional markets with the knowledge that banking and derivatives markets would likely be next in line. To get industry involved to help get the job done.
President Trump remains enthusiastic. He sees opportunities and seems undeterred by traditional regulatory frameworks and traditional ways of doing things. His executive order on January 23, 2025, was the first among many pro-crypto measures from his administration that continue to ripple across various branches of government in 2025.
Executive Order 14178 also established the President’s Working Group on Digital Asset Markets (PWG), requiring that the group deliver a report to the president within 180 days to “recommend regulatory and legislative proposals that advance the policies established in [EO 14178].” The PWG proceeded according to plan, delivering a detailed 160-page report with numerous recommendations to the president’s desk in late July 2025.[4]
The report stated five key objectives:

Position the United States as the crypto world leader;
Allow banks to serve crypto businesses, and allow bank customers access to crypto;
Strengthen the US dollar through adoption of dollar-backed stablecoins;
Modernize anti-money laundering rules to combat fraud; and
Ensure fair and predictable crypto taxation that eliminates tax compliance hurdles.[5]

Along with many others, I follow these developments with much interest. And I was honored to testify before the Senate Finance Committee on the taxation of digital assets in October of 2025.
Crypto-speak
Let’s have a quick look at some of the terms used in the evolving decentralized finance (De-Fi) markets.
Digital assets
A “digital asset” is a digital representation of value that can be owned and transferred electronically on a blockchain (see Blockchain and DLT, below). Digital assets are far broader than cryptocurrency alone. Digital assets include anything digitally represented and owned, ranging from currency to art to property rights to real-world commodities.
The key difference between digital assets and traditional assets is that traditional assets typically require trusted intermediaries (banks, government agencies, brokers) to verify and transfer ownership, while digital assets often operate with reduced or different types of intermediation. Distributed Ledger Technology (DLT) also supports the concept of “smart contracts,” where terms of agreement between a buyer and seller, for example, are written into lines of computer code, and are self-executing.
A digital asset is an electronic certificate of ownership or value that:

Can be transferred between parties. Transfer typically occurs directly across digital networks from peer-to-peer without intermediaries or brokers, anywhere around the world quickly and at low cost.
Has specific properties and rights attached to it (a mathematical proof means individuals can independently verify their holdings).
Can be independently verified without relying on a central authority, which allows for public verification of asset ownership (using pseudonymous identifiers), transaction history, total supply of assets, and rules governing the asset, and
Is secured through cryptographic methods (cryptographic keys; essentially, very secure passwords granting exclusive control over that asset on a given network).

Blockchain and DLT
Digital assets are recorded on a computer program called a “distributed ledger” that tracks ownership and transfers. The technology used to do so is a type of distributed ledger technology (DLT) called “blockchain.”
As Geeks for Geeks explains, “A blockchain is a digital ledger of transactions distributed across the entire network of computers (or nodes) on the blockchain. Distributed ledgers use independent nodes to record, share, and synchronize transactions in their respective electronic ledgers instead of keeping them in one centralized server.” Geeks for Geeks goes on to explain that a blockchain uses several technologies including digital signatures, distributed networks, encryption/decryption methods, and DLT. Blockchain is one type of DLT in which transactions are recorded with an unchangeable cryptographic signature called a hash, which is why distributed ledgers are often called blockchains.[6]
Blockchain is a type of DLT where blocks are added in the form of a chain. Other DLT types include DAG (focused on two-degrees of separation verification on transaction sequences), Hashgraph (focused on consensus building), Holochain (agent-centric rather than data-centric), and Radix/Tempo (transactions added in the order of the event rather than time). Being public or semi-public in character, the distributed ledger is not controlled by any single party, which advocates claim makes management more transparent, open to validation, more fault-tolerant, more efficient, and secure.
Digital asset classes

Cryptocurrencies: Digital tokens that reflect stored value, like Bitcoin and others.
Stablecoins: Digital assets designed to maintain a stable value.
Security Tokens: Digital representations of traditional investments, like stocks or bonds.
Utility Tokens: Digital assets that provide access to specific products or services.
Non-Fungible Tokens (NFTs): Unique digital tokens representing art, collectibles, or access rights.
Real World Asset (RWA) Tokens: Digital representations of physical assets like real estate, commodities, or securities.[7]
Digital asset-based derivatives (loosely, also “crypto derivatives”): digital asset derivatives are similar to traditional derivatives products, referencing underlying digital assets or variables such as cryptocurrencies.[8]

Tokenization
Tokenization comes up frequently as we dig deeper into the world of digital assets. Real world assets can be “tokenized” using blockchain technology to record ownership and transfer real world assets. Ownership of a real world asset is represented on the blockchain by using a “digital twin” to tokenize it. Unlike a simple digital file held on a personal computer that anyone can copy, most tokens cannot be double-spent (digital scarcity), have verifiable ownership, and can include conditions for their use or transfer (programmable rules).
Let’s look at a real world example. Traditionally, real estate ownership has been recorded in title registries, confirmed through title searches. Real estate can, however, be tokenized and maintained on a blockchain to record and confirm ownership. An immutable chain of real estate tokens, along with current and prior ownership records, can be readily inspected on the blockchain. In addition, fractional ownership is possible by dividing a token into any number of “digital slices.” The actual real estate remains a real world asset, with ownership recorded and tracked on the blockchain.
Special Purpose Vehicles
Tokenization of real world assets can also be accomplished through the use of special purpose vehicles (SPVs) set up with the sole purpose of holding a single asset—the real world asset—and without any liabilities. Fractional ownership of the SPV and the ability to transfer that fractional ownership is the way to own and transfer the real world asset being held by the SPV.

[1] “Crypto” has become a generic term that is interchangeable with “Digital Assets” in popular vernacular. “Cryptocurrencies” are one category among many classes of digital assets. Digital assets include cryptocurrencies like Bitcoin, stablecoins, security tokens, utility tokens, non-fungible tokens, real world asset tokens and crypto derivatives / digital asset-based derivatives. I will go into each of these asset classes in greater detail below as I offer a primer on the crypto vernacular to begin this series.
[2] “When change is absolute there remains no being to improve and no direction is set for possible improvement: and when experience is not retained […], infancy is perpetual.” The Life of Reason: The Phases of Human Progress Vol. I, Reason in Common Sense, Jorge Agustín Nicolás Ruiz de Santayana y Borrás (1905-1906).
[3] Executive Order 14178—Strengthening American Leadership in Digital Financial Technology, Administration of Donald J. Trump, (Jan. 23, 2025), available at https://www.govinfo.gov/content/pkg/DCPD-202500169/pdf/DCPD-202500169.pdf
[4] Strengthening American Leadership in Digital Financial Technology, The President’s Working Group on Digital Asset Markets (Jul. 2025), available at https://www.whitehouse.gov/wp-content/uploads/2025/07/Digital-Assets-Report-EO14178.pdf
[5] Strengthening American Leadership in Digital Financial Technology https://www.whitehouse.gov/crypto/
[6] Blockchain and Distributed Ledger Technology (DLT), Geeks for Geeks, (last updated, Sept. 29, 2025). https://www.geeksforgeeks.org/software-engineering/blockchain-and-distributed-ledger-technology-dlt/
[7] Crypto derivatives are becoming a major digital asset class, Gregory Damalis et al, Ernst & Young LLP (2022), available at https://www.ey.com/content/dam/ey-unified-site/ey-com/en-us/insights/financial-services/documents/ey-crypto-derivatives-pov_final4.pdf
[8] Crypto derivatives are becoming a major digital asset class, Gregory Damalis et al, Ernst & Young LLP (2022), available at https://www.ey.com/content/dam/ey-unified-site/ey-com/en-us/insights/financial-services/documents/ey-crypto-derivatives-pov_final4.pdf

Blockchain+ Update — End of a Shutdown and the Beginning of an Era

The government shutdown of the last month and a half stopped a lot of the momentum that had been developing dead in its tracks. There was no movement on market structure with Congress, little ability for regulatory agencies to issue guidance, no ability for the SEC to review registration statements for products and little ability to fill longstanding vacancies that need to be filled to drive progress. While there were not many developments during the shutdown, the end of the shutdown appears to have kicked off additional activity that might still result in significant progress through the end of the year.
Detailed breakdowns of these developments, their implications for businesses going forward and a few other updates on crypto-law topics are discussed below.
Mike Selig Nominated for CFTC Chair: October 25, 2025
Background: Mike Selig has been nominated for CFTC Chair. Most recently, Selig has been the Chief Counsel of the SEC Crypto Task Force. The nomination comes after the nomination of Brian Quintenz was pulled, reportedly due to complaints by certain leaders in the crypto ecosystem.
Analysis: This is about as pro-crypto as a nominee could have been. It will be interesting to see the direction he takes the CFTC, particularly in the absence of comprehensive market structure regulation. Unlike Quintenz’s nomination that was repeatedly delayed, the Senate Agriculture Committee moved quickly to set a confirmation hearing.
SEC Chair Teases Taxonomy: November 12, 2025
Background: SEC Chair Atkins gave a landmark speech that seems to be breaking the ground for a more comprehensive overhaul of how securities laws apply to digital assets. First, he clarified the rather commonsense notion that something that was once the subject of an investment contract – orange groves, beavers or cattle embryos to name a few – can cease to be subject to an investment contract as circumstances change. Second, he proposed a taxonomy for digital assets that would be divided into (1) digital commodities (or network tokens) that derive their value from the operation of a crypto platform or network, (2) digital collectibles that represent or convey rights in things, (3) digital tools that perform a function such as verifying identity and (4) tokenized securities, which would be securities. Only the last category would be regulated by the SEC. Third, he laid out what the SEC’s expected approach would be to digital asset regulations.
Analysis: While this is significant progress, it still leaves open a number of major questions that hopefully will be answered in the upcoming months and years. Does the SEC believe a token itself can inherently be or not be a security, rather than being a piece of code that may or may not be associated with a set of rights? Will the agency continue with the “embodiment theory” of tokens that seemed to have been largely rejected by the courts in the later stages of the SEC’s earlier crusade against participants in the digital assets ecosystem? Should there be broad buckets of asset classes where people are developing instruments utilizing new technologies that defy classification? If a tokenized security is just a thing that would have been a security if not tokenized and we’re still relying on the Howey test, have we necessarily moved beyond the morass in large part created by the SEC of the prior six years? This contrasts somewhat with our own proposal submitted on behalf of The Digital Chamber that proposed much narrower categories and a somewhat more fluid approach, though a lot of the principles still align.   
Briefly Noted:
Government Back Up and Running: After 43 days, the federal government got its act together for just long enough to end the longest government shutdown in US history. Most regulatory agencies were operating on a skeleton crew, so this also means agencies developed a backlog on normal procedures to get government approvals or reviews for things like registration statements. The SEC came out with this handy dandy FAQ on how to handle certain things that did or didn’t move forward during the shutdown. 
SEC Releases Exam Priorities: The SEC’s Division of Examinations, which examines broker-dealers, investment advisers and certain other registered intermediaries, released its annual list of exam priorities. For the first time since the Hinman Speech, digital assets are not one of the enumerated exam priorities, although there is a more general priority regarding the use of emerging financial technologies.
IRS Releases Staking Guidance for ETFs: A new revenue procedure released by the IRS established a safe harbor for “investment trusts” and “grantor trusts” under tax law to be able to stake cryptoassets without jeopardizing their special tax status. 
Market Structure Keeps Moving: The Senate Agriculture Committee released a discussion draft that included a lot of placeholders, including an entire “seeking further feedback” section for decentralized finance. The Brookings Institute proposed a merger of the SEC and CFTC to best regulate crypto. Nothing has moved on the House side with respect to the Clarity Act that it passed, which does not closely resemble the discussion drafts coming out of the Senate. While Sen. Tim Scott has stated they’re targeting a vote on a market structure bill before the end of the year, it’s hard to see how this would come together so quickly when lawmakers appear to still be so far apart.

Pricing Algorithms – Price Tags and Personal and Competitor Data – States Step Up Algorithmic Pricing Regulation

As price-setting by computer algorithm becomes increasingly prevalent, states are stepping in to address transparency and fairness concerns that federal legislation has yet to comprehensively tackle. Lawmakers argue that clear disclosure and limits on algorithmic practices are essential to protect consumers from opaque pricing methods that may leverage their personal data or result from anti-competitive collaboration among businesses. The growing patchwork of state-level initiatives signals a broader trend toward local oversight of algorithmic decision-making in commerce, but the landscape is rapidly changing as lawmakers attempt to catch up to rapidly changing technology.
California and New York, often at the forefront of these issues, are leading the way on regulating the growing technology through recent legislative and regulatory developments. In the meantime, federal courts have issued divided decisions dealing with algorithmic pricing.
New York: Algorithmic Pricing Disclosure Act Survives Legal Challenge
In May 2025, New York passed the Algorithmic Pricing Disclosure Act, requiring businesses to inform customers when prices are set using personalized algorithms. The Act broadly applies to entities domiciled or doing business in New York. The Act requires businesses to disclose when a price is set using an algorithm that incorporates personal consumer data by requiring the following disclosure: “THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA.” The New York Act is enforced solely by the New York Attorney General, who must first issue a cease-and-desist notice before pursuing penalties of up to $1,000 per violation.
The passage of the New York law marked a significant milestone, as it recently withstood a legal challenge brought by industry groups who argued that the mandated disclosure infringed on commercial free speech and imposed undue burdens on businesses.[1] On October 8, 2025, the court granted New York State’s motion to dismiss, finding the disclosure was factual and uncontroversial and that it served a valid consumer protection interest.
California: Restrains Use of Competitor Data to Influence Price
On October 6, 2025, California signed AB 325 into law. AB 325 prohibits agreements to use or distribute a “common pricing algorithm,” defined as any software or other technology that two or more people use which ingests competitor data to recommend, align, stabilize, set, or otherwise influence a price or commercial term (including terms related to both upstream vendors and downstream customers), and lowers the pleading standard under the Cartwright Act (California’s antitrust statute, Cal. Bus. & Prof. Code § 16720) for certain civil claims. The law also prohibits coercing another person to set or adopt a recommended price or commercial term generated by such an algorithm for the same or similar products or services in California.
Other Efforts to Regulate Algorithmic Pricing
In 2025 alone, more than 50 bills have been introduced to regulate algorithmic pricing across 24 state legislatures, including the following:

Illinois introduced several bills that, if enacted, would regulate or ban dynamic pricing in selected situations, including ticket sales (HB 3838) or the use of consumer data in pricing (SB2255).
Texas introduced SB 2567, which would require retailers to disclose algorithmic pricing at the point of sale.
Massachusetts introduced House Bill 99 which, if enacted, would ban dynamic pricing based on customers’ biometric data.
Colorado’s legislature passed, but the governor vetoed, HB25-1004, legislation that would have prohibited the sale or distribution of an algorithmic device sold or distributed with the intent to be used by two or more landlords in the same market to set or recommend the amount of rent, level of occupancy, or other commercial terms.
New Jersey introduced SB 3657, which seeks to make it unlawful for landlords or property managers to use algorithmic systems to influence rental prices or housing supply in New Jersey.
Pennsylvania introduced HB 1779, which seeks to require disclosure of algorithmic pricing and prohibits dynamic pricing based on protected class data (e.g., race, gender, religion).

Last week, U.S. Senators Ron Wyden and Peter Welch introduced The End Rent Fixing Act of 2025. The Act is targeted at algorithms that use competitors’ data to set rental rates. The Act would make it unlawful for rental property owners to contract for the services of a company that coordinates rental housing prices and supply information and would designate such arrangements as a per se violation of the U.S. antitrust laws. It would also prohibit the practice of coordinating price, supply, and other rental housing information among two or more rental property owners. The Act would also allow individual plaintiffs to invalidate any pre-dispute arbitration agreement or pre-dispute joint action waiver that would prevent the plaintiff from bringing suit.
Algorithms Using Competitors’ Data to Set Prices
U.S. antitrust law hasn’t fully caught up with algorithmic price setting, and the legal landscape is changing fast. Some experts think there could be liability in certain situations. For example, the Department of Justice has argued that if competitors use the same pricing algorithm—and that algorithm relies on competitors sharing their data to set prices—it could violate the Sherman Antitrust Act.
In September 2025, the Ninth Circuit issued the first federal appellate decision on algorithmic pricing in Gibson v. Cendyn Group, ruling that competing Las Vegas hotels did not violate Section 1 of the Sherman Act by independently using the same third-party pricing software, where there was no underlying agreement among competitors and the software did not share confidential information among licensees.
In contrast, in December 2023, an Illinois federal court denied motions to dismiss claims in multi-district class action litigation alleging software vendors and rental property owners and managers conspired by sharing property rental pricing and supply data to fix prices for multi-family house rentals across the country.[2] Last week, the court granted preliminary approval of settlements with 27 defendants for $141.8 million. The litigation continues with the larger defendants whose conduct, the plaintiffs contend, comprised the larger volume of the alleged illegal commerce at issue in the case.
In June 2025, an Illinois federal court denied a motion to dismiss allegations that health insurers unlawfully conspired to underpay out-of-network providers by outsourcing rate-setting to analytics firm MultiPlan. The court applied the per se standard, finding plaintiffs “plausibly alleged a horizontal hub-and-spokes price-fixing agreement.”
Conclusion
The legislative developments and growing litigation over the legality of dynamic pricing tools reflect growing concern among policymakers about the fairness and transparency of algorithmic pricing models. As states continue to debate and refine proposed laws, businesses that rely on dynamic pricing must closely monitor these changes and proactively assess their compliance obligations. Staying informed about both state and federal actions will be essential to avoid potential legal pitfalls and ensure responsible use of pricing algorithms.
Our team is available to assist with legal reviews, compliance strategies, and AI governance planning. If you have questions about how statutes, regulations, or court rulings impact you or your business, contact your Miller Canfield attorney or one of the authors of this alert.
[1] National Retail Federation v. James, 1:25-cv-05500-JSR
[2] In Re: RealPage, Inc., Rental Software Antitrust Litigation, Case No. 3:23-md-3071, MDL No. 3071.

California Appellate Court Affirms Legality of Auto Technicians’ ‘Flag Bonus Pay’ System

A recently published California Court of Appeal, Second District, decision affirmed that the use of a “flag bonus pay” compensation structure that provides an hourly productivity incentive, which is often used in the automotive service industry, does not necessarily violate California’s “no borrowing” rule. The decision further provided reminders regarding plaintiffs’ requirements for properly prosecuting claims under California’s Private Attorneys General Act (PAGA).

Quick Hits

The California Court of Appeal upheld a ruling that a car dealership’s “flag bonus pay” system for service technicians complies with California’s “no borrowing” rule.
The court distinguished this compensation structure from the previously unlawful “piece rate basis” system because it paid a guaranteed hourly rate for all clocked hours (independent of productivity) that fully satisfied minimum-wage and rest-break requirements, plus a true productivity bonus on top.
The court found deficiencies with the plaintiffs’ PAGA claim, emphasizing the necessity for proper notice letters detailing “facts and theories” for any pursued claims under California’s Labor Code.

On November 18, 2025, the California Court of Appeal, Second Appellate District, published its decision in Mora v. C.E. Enterprises, Inc. The court affirmed a ruling in favor of a Simi Valley car dealership that the “flag bonus pay” system did not violate the “no borrowing rule” and did not otherwise violate Labor Code Section 226.2. The ruling came after a bench trial in a wage-and-hour and PAGA case brought by two former service technicians of the dealership.
On appeal, the technicians argued the trial court was wrong in finding that the dealership’s compensation structure for service technicians, which paid technicians double the minimum wage rate plus “flag bonus pay” based on hours they spent working on service tasks, did not violate California’s “no borrowing” rule or Labor Code Section 226.2, as it was interpreted by the California Fourth District Court of Appeal in Gonzalez v. Downtown LA Motors, LP.
The Hourly Pay Plan
The dealership implemented a compensation structure in December 2014 that pays service technicians at least double the minimum wage for all hours recorded on a biometric time clock, allowing technicians to earn a “flag bonus pay.” This system replaced a former “piece rate basis” based on the number of “flag” hours technicians worked, meaning hours they spent performing service tasks, after such a system was found to be unlawful in Gonzalez.
According to the decision, the “flag bonus pay” system allowed technicians to track “flag” hours for hours worked performing specific tasks and provided them the opportunity to be paid “‘flag bonus pay’ if the flag hours they separately record[ed], multiplied by the dollar amount of their assigned flag rate, exceed[ed] their regular and overtime hourly earnings.”
Compliance With the ‘No Borrowing Rule’
Under the “no borrowing rule,” employers must pay employees the minimum wage for all hours worked, regardless of the compensation structure (e.g., piece-rate or commission). The rule means employers cannot average the wages earned from productive tasks to cover nonproductive time or rest periods. Each hour worked must be compensated at or above the minimum wage independently.
In Mora, the Second Appellate District found that, unlike the compensation plan in Gonzalez, which averaged piece-rate payments to meet minimum wage requirements, the dealership’s plan paid employees for every hour recorded on the biometric clock and provided additional flag bonus pay for efficiency. Instead, the court aligned its analysis with the Supreme Court of California’s “no-borrowing” framework, under which an employer must pay at least the minimum wage for each hour while still honoring separate contractual units of pay.
The court further cited a recent 2025 Ninth Circuit decision that found an hourly-plus-bonus structure, where the employer always paid hourly wages and layered a piece-rate bonus on top, was lawful under Gonzalez.
PAGA Claims
The plaintiffs also raised PAGA claims on behalf of other employees based on the alleged violations of the Labor Code, including failures to pay overtime and provide accurate wage statements. The court emphasized that PAGA claims still require: (1) a notice letter that actually discloses the “facts and theories” later pursued, and (2) admissible, explained evidence at trial tying alleged payroll “deficiencies” to actual Labor Code violations. The court criticized the plaintiffs for simply presenting the trial judge with thousands of unanalyzed time and payroll records and expecting the court to scour them for violations.
Additionally, the court found the plaintiffs’ Labor and Workforce Development Agency (LWDA) letter insufficient regarding other sales and lube technicians, who were paid differently, and faulted their trial presentation for presenting thousands of records to the court without providing the judge with concrete examples to prove any underpayment.
Key Takeaways
The Mora decision provides helpful support for California employers seeking to implement and maintain legal and effective incentive-based compensation systems designed to reward and incentivize productive employees, such as the “flag bonus pay” system used by the dealership in the case, and highlights some key considerations for employers. Specifically, employers may want to ensure that:

all hours under the employer’s control are captured on a reliable timekeeping system and paid at or above the applicable hourly floor (including overtime premiums, where applicable, and any tool-rate requirements); and
any “flag,” “piece,” or “commission” component is structured as true extra compensation, not as a mechanism that makes the employee whole for non-productive time or rest periods.

Further, employers defending PAGA cases may want to keep in mind that plaintiffs still bear the burden to prove actual violations, and courts will enforce both PAGA’s exhaustion requirements and the ordinary evidentiary and record-sufficiency rules.