Maryland OFR Responds to Market Concerns Over Licensing Requirements for Mortgage and Installment Loan Assignees
On February 18, the Maryland Office of Financial Regulation (OFR) issued an alert to address industry concerns regarding its January guidance on licensing requirements for assignees of residential mortgage and installment loans. In response to market pushback, the OFR has proposed new legislation to exempt certain entities from licensing requirements and has extended the enforcement deadline to allow for further regulatory clarity.
Background: Initial Licensing Guidance and Market Response
On January 10, the OFR issued formal guidance (previously discussed here) stating that assignees of residential mortgage loans—including certain passive trusts—must obtain a Maryland Mortgage Lender license before April 10, 2025, unless expressly exempt under Maryland law. The guidance also extended licensing obligations to assignees of installment loans that fall under the Maryland Credit Grantor provisions.
Following this announcement, the market reacted with significant concern. Some industry participants temporarily halted purchasing Maryland mortgage loans, while others questioned the feasibility of requiring passive trusts to obtain state licensing.
OFR’s Recent Actions to Address Concerns
On February 17, two identical bills—Senate Bill 1026 and House Bill 1516—were introduced under the Maryland Secondary Market Stability Act of 2025. If enacted as proposed, the legislation would exempt assignees of mortgage loans from Maryland’s Mortgage Lender Law, provided they do not engage in loan origination, brokering, funding, or servicing. Similarly, the Installment Loan Act would not apply to assignees of installment loans if they neither originate loans nor engage in loan servicing or collections. These provisions would exclude passive trusts from the licensing requirements, addressing one of the industry’s primary concerns.
Extension of Enforcement Deadline and Additional Clarifications
On February 18, the OFR also issued an alert, extending the enforcement deadline for its licensing guidance from April 10, 2025, to July 6, 2025. The extension should allow affected entities to assess the outcome of the legislative efforts before incurring licensing costs.
The OFR also clarified that commercial lenders making loans solely for business purposes under Maryland’s installment loan statutes are not subject to the new licensing requirements. This exemption aims to ensure that business lenders are not inadvertently swept into the expanded regulatory framework.
Previous OFR Clarifications Regarding Federal and Governmental Entities
These developments follow an earlier clarification issued by the OFR regarding the application of its guidance to government-sponsored entities. In a January 31 update, the OFR confirmed that the new licensing requirements do not apply to Fannie Mae, Freddie Mac, Ginnie Mae, or other corporate instrumentalities of the federal government. The exemption also extends to trusts engaged in mortgage loan acquisitions under federal, state, or local government programs. This aims to ensure that federally backed secondary market participants remain unaffected by the licensing changes.
Putting It Into Practice: These recent actions highlight the evolving interpretations of Maryland’s Mortgage Lender Law and Installment Loan Law as they apply to assignees of covered loans, including passive trusts. Industry participants should remain vigilant in tracking these developments to ensure they are prepared to comply with any legislative changes and licensing requirements enacted by the OFR or other state regulators.
Executive Order Establishes Strategic Bitcoin Reserve and Digital Asset Stockpile
Bitcoin and other digital assets now have a welcome home in the United States government. On March 6, President Trump signed an executive order (the March 6 Order) establishing the Strategic Bitcoin Reserve and United States Digital Asset Stockpile. It implements a key component of the administration’s cryptocurrency framework outlined in the January 23 Executive Order, which directed the President’s Working Group on Digital Asset Markets to evaluate the feasibility of a national digital asset stockpile.[1] The March 6 Order creates mechanisms for centralizing and strategically managing federally owned digital assets previously scattered across government agencies.
Strategic Bitcoin Reserve vs. Digital Asset Stockpile: Key Distinctions
The March 6 Order creates the Strategic Bitcoin Reserve and the Digital Asset Stockpile, two distinct but related custodial accounts with different purposes and operational parameters. For each of the accounts, the Secretary of the Treasury is directed to establish dedicated offices to administer and maintain control of these accounts.
The Strategic Bitcoin Reserve is designed specifically for bitcoin (BTC) holdings and treats BTC as a reserve asset of strategic national importance. The reserve will be capitalized with BTC holdings from the Department of the Treasury that were forfeited through criminal or civil asset forfeiture proceedings. The March 6 Order also authorizes the Secretary of the Treasury and the Secretary of Commerce to develop strategies for acquiring additional BTC, provided these strategies are budget-neutral and “impose no incremental costs on American taxpayers.” BTC deposited into this reserve will not be sold and will be maintained as a long-term store of value. The March 6 Order cites BTC’s scarcity (with its permanent cap of 21 million coins) and security track record as key factors in this policy decision.
The United States Digital Asset Stockpile, by contrast, encompasses all digital assets other than BTC that have been forfeited to the Department of Treasury through civil or criminal proceedings. Unlike the Strategic Bitcoin Reserve, the Secretary of the Treasury retains discretion to determine “strategies for responsible stewardship” of these assets. The Order explicitly prohibits the acquisition of additional assets for the Stockpile beyond those obtained through forfeiture.
Implementation Timeline and Administrative Requirements
The Executive Order establishes an accelerated implementation schedule with specific deadlines:
Within 30 days: Each federal agency must provide a complete accounting of all digital assets in its possession and also review its legal authority to transfer government BTC to the Strategic Bitcoin Reserve and other digital assets to the Digital Asset Stockpile.
Within 60 days: The Secretary of the Treasury must deliver an evaluation of legal and investment considerations for establishing and managing both the Reserve and Stockpile, including recommendations for necessary legislation.
Context and State-Level Developments
The establishment of these custodial accounts addresses what the administration characterizes as a “crypto management gap” in which digital assets seized through forfeiture have been scattered across various federal agencies without clear management policies. According to the fact sheet accompanying the March 6 Order, premature sales of bitcoin have cost US taxpayers over $17 billion in lost appreciation.
The federal initiative comes as states are pursuing similar strategies. On the same day as the March 6 Order, the Texas Senate passed Senate Bill 21 in a 25-5 vote, which would establish a Strategic Bitcoin Reserve at the state level. The bill, which now awaits the governor’s signature, would make Texas the first state to create its own bitcoin holdings. Texas is among many other states that have introduced bitcoin reserve legislation, including Arizona, Alabama, Florida, Illinois, Massachusetts, Missouri, New Hampshire, North Dakota, Ohio, Oklahoma, Pennsylvania, Utah, Kansas, Wyoming and Kentucky. These efforts demonstrate the growing recognition by US governmental entities of the uses and benefits of digital assets and portend renewed US leadership on digital asset policy and innovation.
FOOTNOTES
[1] See Katten’s coverage of the January 23 Executive Order here.
Clearer Skies Ahead: CFTC Enforcement Division’s New Advisory Opens Doors for Self-Reporting and Increased Cooperation
In what is being widely viewed as a welcome breath of fresh air, the Commodity Futures Trading Commission (the Commission or CFTC) Division of Enforcement (the Division) released an advisory on February 25, detailing the factors under which the Division will evaluate self-reporting, cooperation, and remediation when recommending enforcement actions (the Advisory). CFTC Acting Chairman Caroline D. Pham described the Advisory as part of her commitment to provide transparency and due process in the agency’s law enforcement function1 and a larger effort to implement the Trump administration’s February 19 Executive Order ensuring lawful governance.2
Although the implementation of any cooperation policy is necessarily subjective, on its face, the new Advisory attempts to provide guidance regarding the factors that the CFTC will consider in evaluating self-reporting and cooperation and concrete discounts that will apply if certain circumstances are found to exist. Among other important improvements described in more detail below, (1) the Advisory revises past policy requiring registrants to report to the Division for credit to apply and now provides self-reporting credit for reports made to any division of the CFTC; and (2) opens the door for including disclosures made in annual chief compliance officer (CCO) reports as self-disclosure under the Advisory.3
The Division has long had an explicit policy of rewarding self-reporting and cooperation. However, the Division’s prior practice in this regard varied greatly.4 That uncertainty has led individuals and firms (Market Participants) to question the value of engaging with and assisting the Division with its investigations.5 The Advisory introduces several important changes and reversals from prior Division practice that aim to encourage and reward prompt and voluntary self-reporting, cooperation with Division staff during an investigation, and timely remediation of rule violations, with the ultimate goal of preserving significant Division enforcement resources and allow the Division to focus on fraud and other bad actors in the marketplace. These welcome changes include:
Providing clear and concrete guidance via the Mitigation Credit Matrix that Market Participants can use to assess the potential value of any self-reporting and cooperation credit and reduce the previous concerns about the value of any such credit.
Allowing Market Participants to self-report to any relevant CFTC division, creating the opportunity for Market Participants to have discussions with division staff who may be more familiar with the registrant, aspects of market structure or a particular issue.
Making disclosures in an annual chief compliance officer report eligible for self-reporting credit, streamlining the disclosure process and potentially changing the incentives related to chief compliance officer disclosures.
Providing potential benefits to Market Participants who self-report (often a fact that is not subject to debate) but are not perceived to have provided appropriate cooperation (which may be contested), a direct departure from the Division’s prior guidance on self-reporting and cooperation credit that only provided self-reporting benefits to Market Participants who also cooperated.
Providing a safe harbor to Market Participants that amend or correct a self-report upon further investigation, reducing the risk of making a report while an issue remains under review.
Revoking the Division’s prior guidance on recidivism and admissions, relieving Market Participants of the uncertainty as to what qualifies as recidivism and the higher likelihood that an enforcement action would require factual or legal admissions.
While the Advisory addresses a number of concerns Market Participants have raised regarding the Division’s prior practice, as with any new guidance, it raises additional questions about how the self-reporting and cooperation credits will operate moving forward. Market Participants would likely welcome additional guidance from the Division regarding (1) the scope of the self-reporting safe harbor provisions; (2) the baseline calculations of civil monetary penalties; (3) the Division’s decision to decline to pursue enforcement actions; and (4) the difference between excellent and exceptional cooperation. The Division should be applauded for anticipating some of these questions and promising further guidance on how operating divisions assess matters for enforcement referrals.
Summary of the New Guidelines
In a first for the Commission — and for most other US financial regulators — the Advisory provides a new framework and “credit matrix” that clarifies how the Division will consider a Market Participant’s self-reporting, cooperation and remediation in determining whether, and to what extent, to discount civil monetary penalties.
Self-Reporting
The Advisory identifies several key factors to determine whether self-reporting qualifies for mitigation credit. First, the self-report must be voluntary, meaning the disclosure was made “prior to an imminent threat of exposure.”6 Considerations include whether the potential violation was known publicly or by another government actor.7 Importantly, a Market Participant may still be eligible for self-reporting credit even if the information would otherwise be required to be included in an annual chief compliance officer report.8 Second, the self-disclosure must be made to the “appropriate” division of the Commission, which includes the Division or another division “responsible for the interpretation and application of each [applicable] regulation.”9 Unlike previous guidance, Market Participants may disclose to the operative CFTC divisions (e.g., the Market Participants Division, the Division of Market Oversight, and the Division of Clearing and Risk) instead of receiving credit only for disclosure to the Division of Enforcement.10 Third, the self-report must be timely or “reasonably prompt” after consideration of the efforts to determine the violation.11 In assessing timeliness, the Division will consider the extent of the firm’s efforts to identify the violation, the violation’s materiality, and whether the “escalation, investigation, management review, and governance requirements” were commensurate with the nature and magnitude of the violation.12 Fourth, the self-report must be complete, meaning the self-disclosure must include “all material information,” including a “description of the issue, date, and method of discovery, available root cause analysis, and remediation.”13 Recognizing the inherent tension between a timely and complete report, the Division encourages early, good-faith disclosure by promising full credit for Market Participants that make “best efforts” to investigate the issue, promptly disclose it and continue to investigate — leading to more disclosure if necessary.14 To further incentivize early self-reporting, the Advisory also provides a safe harbor provision that protects good-faith self-reports that are later determined to contain inaccuracies and promptly corrected from false-statement prosecution.15
The Division categorizes self-reporting into one of three tiers: No Self-Report; Satisfactory Self-Report; or Exemplary Self-Report. A disclosure qualifies as “No Self‑Report” if there was no disclosure, the disclosure was already known to the Division or the disclosure was not designed to notify the Division of the violation.16 A disclosure qualifies as a “Satisfactory Self-Report” if a self-report to the appropriate division identifies a potential violation but does not include all material information known to the disclosing person at the time of the report.17 A disclosure qualifies as an “Exemplary Self-Report” if there was a self-report to the appropriate division that identifies a potential violation, includes all material information related to the potential violation known at the time, and includes additional information that assisted the Division with conserving resources.18
Cooperation
The Division will also consider several elements when determining whether a Market Participant is eligible for cooperation credit, including whether cooperation: (1) materially assisted the Division; (2) was timely; (3) was “truthful, specific, complete, credible, and reliable;” (4) was voluntary; (5) involved adequate resources such as thorough and high-quality analysis, presentations, or submissions; and (6) was extensive, involving document preservation, timely disclosure and cooperation from directors, officers and employees, and where necessary, sworn statements or testimony.19 When considering remediation, the Division will evaluate the timeliness and scope of the remediation plan, considering its appropriateness and whether it is designed to prevent future violations. It may also recommend a monitor or consultant to oversee the remediation plan and deliver progress reports.20
The Division categorizes cooperation into four tiers: No Cooperation; Satisfactory Cooperation; Excellent Cooperation; and Exemplary Cooperation. “No Cooperation” would apply to a self-report that includes full compliance with subpoenas and other compulsory processes but lacks substantial assistance.21 “Satisfactory Cooperation” is available to self-reporters who voluntarily provide documents and presentations and make witnesses available beyond the compulsory process.22 “Excellent Cooperation” reflects consistent, substantial assistance to an investigation, and examples of such assistance might include internal investigations or reviews, thorough analysis of the potential violation and root cause, corrective action (including the use of experts or consultants where appropriate), and consistent voluntary disclosure of documents and information.23 The highest tier of cooperation, “Exemplary Cooperation,” is available to self-reporters who “provided an exceptionally high degree of value” through their cooperation.24 This requires not only proactive engagement with the Commission but also completing a significant portion of the proposed remediation and accountability measures.25
Even if a self-reporter makes a complete and timely self-report and cooperates with the Division, any credit obtained will be offset by uncooperative conduct, such as bad faith actions that impeded its investigation, incurred significant resources, or involved willful ignorance to red flags or violations.26 The Division may also find noncooperation if the self-report involved serious, willful violations, customer harm, or significant financial loss.27
Determining the Mitigation Credit
In determining the monetary offset for self-reporting and/or cooperation, the Division will first calculate a civil monetary penalty and then apply a discount according to the quality and extent of the self-report and subsequent cooperation. The Commission may, in its discretion, modify any discount recommendation in light of the facts and circumstances of the case.28 Then, the Commission will assess a Mitigation Credit according to this Mitigation Credit Matrix:
TABLE
Positive Signals From the Advisory
The Division’s effort to provide more transparency and clarity in the self-reporting and cooperation process should be applauded. Against the backdrop of the Commission’s broader effort of devoting more resources to pursuing fraudsters and other bad actors,29 this Advisory provides a comprehensive framework that could prove immensely useful in guiding Market Participants in evaluating how best to assess and manage potential violations via self-reporting and cooperation with the Division. It will likely decrease the amount of resources the Division must devote to a number of matters that traditionally occupied its time.
First, the fact that the Division took the time to set out a methodical approach to credit and provided a clear credit matrix suggests that this is a focus and top priority for the Division and the CFTC as a whole. By explicitly stating the expected discounts available to Market Participants for proactively engaging and cooperating with the Division, similar to guidelines from the Department of Justice and other federal regulators like the Office of Foreign Assets Control,30 the Advisory’s new guidance provides structure and certainty to Market Participants. For example, a hypothetical Market Participant may uncover a potential swap reporting violation. After the initial assessment, the Market Participant determined that this type of violation has historically resulted in civil monetary penalties of around $10 million. Immediately, the Market Participant could see a savings of $2 million by putting together a prompt and comprehensive self-report. Additionally, the Market Participant could see savings of an additional of $2–3.5 million by engaging in extensive cooperation throughout the completion of the matter. Historically, the Division and other federal financial regulators, like the Securities and Exchange Commission (SEC), have not provided a clear credit matrix detailing the exact amounts of credit provided for certain conduct. This has led to uncertainty in the marketplace as to the value of self-reporting and cooperation. Market Participants will undoubtedly welcome this new effort to provide clarity and certainty.
Second, the Advisory provides further benefit to Market Participants by revoking prior guidance that required voluntary disclosures to be made to the Division to receive self-reporting credit. By encouraging Market Participants to make a voluntary disclosure to any operative CFTC division, not just the Division, the Advisory opens the door for Market Participants to have effective and practical conversations with CFTC staff with unique expertise related to the unique market structures relevant to the self-disclosure. This approach is far preferable to requiring Market Participants to disclose directly to the Division, which is narrowly focused on enforcement actions. This change also opens the door for the other operating divisions to receive a self-report and potentially not make an enforcement referral, as previewed in the Advisory, based on the operating division’s expertise and understanding of the relevant rules and regulations.31
Third, by removing the barrier to self-reporting credit for voluntary disclosures that would also have been included in mandatory annual chief compliance officer reports, the Advisory may alter incentives relating to chief compliance officer report disclosures and result in further dialogue with Market Participants. While the prior practice ultimately resulted in the Commission learning of information through annual reports, by making this change, Market Participants now have a powerful incentive to engage directly and proactively with the relevant division to discuss and remediate the self-identified issue rather than merely include it in an annual compliance report.
Fourth, by restructuring the self-reporting and cooperation credit into two independent evaluations, the Advisory makes self-reporting more attractive to Market Participants. Under the Division’s prior practice, partial credit was available for Market Participants who cooperated without self-reporting, but there was no credit available for a Market Participant who only self-reported.32 This practice likely disincentivized Market Participants from self-reporting because any potential benefit of doing so could be negated by the Division’s later determination the Market Participant did not cooperate sufficiently to warrant a reduction in penalty. Moreover, a Market Participant understood that if they did not self-report, they still had the possibility to obtain a reduction, though likely smaller, by only cooperating if the Division discovered the issue. By opening an avenue for a Market Participant to receive up to a 20 percent reduction of a civil monetary penalty solely for self-reporting, Market Participants now have a stronger incentive to self-report to the Commission.
Fifth, the Advisory provides a safe harbor to Market Participants if they must correct a self-disclosure. The Division’s previous guidance recognized that voluntary self-disclosures may require amending after additional investigation and provided an avenue to receive credit if the Division was kept abreast of new facts as they were discovered.33 As Commissioner Pham has previously noted, “the CFTC has sought to bring fraud charges against Market Participants for allegedly making false statements to the CFTC when a Market Participant later discovers that the information provided in a self-report was not entirely accurate — even when it thought the information was accurate at the time of the disclosure to the CFTC.”34 By implementing a safe harbor provision, Market Participants no longer have to be concerned about any potential adverse consequences for making good-faith voluntary disclosures to the Division.
Sixth, the industry will appreciate the Division’s express withdrawal of its prior guidance on recidivism and admissions.35 The Division’s prior guidance, which threatened Market Participants with higher fines for recidivists without providing clarity about what conduct was subject to the recidivism amplifier, recommended the imposition of third-party monitors and admissions of fact and/or violations of law as part of settlements and was not well received by the industry.36 While the Advisory does not abandon those tools as part of the enforcement toolbox, the Division’s tone has shifted. The Advisory makes no mention of mandatory admissions of facts and/or violations of laws. It now indicates that the Division has discretion to consider recidivism if it relates to “the same specific violation and facts and circumstances not involving fraud, manipulation, or other abuse.”37 While the Advisory does envision the continued use of monitors or consultants, it pares back the conditions in which the Division would recommend the use of a monitor or consultant.
The Advisory Raises a Few New Questions and Acknowledges That Further Guidance Is Forthcoming
In addressing a significant number of industry concerns arising from prior enforcement activity by the Division, the Advisory necessarily introduces a degree of uncertainty that Market Participants must navigate. In the near term, there is no precedent for how the Division will apply the credit matrix, so it may take time for firms to sense how the matrix operates and how the Division categorizes conduct into the various categories outlined in the Advisory. Commissioner Johnson’s Statement noted that Market Participants rely upon “clear, consistent guidance” in order to develop effective internal compliance programs.38
Thankfully, the Division recognizes that this Advisory is only the beginning, that additional clarification and guidance from the Division will be necessary, and that such guidance is already in development.39 In the interim, until the industry receives additional guidance or future precedent applying the credit matrix, Market Participants may expend additional, unnecessary resources to assess and advocate for where they fall within this new credit matrix.
At first glance, there are a few areas where Market Participants would welcome further clarification and guidance from the Division.
First, additional guidance would be welcome on the scope of the self-reporting safe harbor. The Advisory’s safe harbor provision provides to a Market Participant that self-reports in good faith protection from a potential false reporting charge if, following the self-report, the Market Participant corrects or supplements the self-report after learning additional information following an investigation. While the Advisory indicates that this safe harbor would apply to a number of traditional false reporting rules or regulations, it also indicates that the safe harbor could extend to violations under 7 U.S.C. § 13(a)(2) and CFTC Regulation 180.1. Both of those provisions relate to making false statements while addressing manipulation. The Advisory does not seem to indicate that a self-reporting Market Participant may obtain safe harbor protection from a potential manipulation charge, additional clarity from the Division would be welcome to avoid any potential confusion.
Additionally, Market Participants would likely welcome additional guidance regarding the conduct a Market Participant must undertake to benefit from the safe harbor for good-faith self-reporting. The Advisory provides that a Market Participant will only benefit from the safe harbor provision if the self-report or voluntary disclosure was made in good faith and any inaccuracies are supplemented or corrected “promptly” after discovering the inaccuracy. However, uncertainty remains regarding whether the Division would:
Provide safe harbor protection to a Market Participant that makes an initial self-report, makes no further inquiry, only discovers the earlier inaccuracy after prodding from the Division, and then reports the inaccuracy?
Provide safe harbor protection to a large global firm that makes a self-report and, through further inquiry, learns of an earlier inaccuracy but also learns that the earlier inaccuracy was known by one employee prior to the firm’s self-report?
Provide the same level of safe harbor protection to a firm that makes a self-report, devotes extensive resources to an internal investigation, and then makes a correction, as it would to a firm that makes a self-report, devotes limited resources to an internal investigation, and then makes a correction?
Provide self-reporting credit to a firm that discloses a single potential violation to the Division and later, after investigation, discovers and then discloses other potential violations to the Division?
This potential uncertainty regarding these conditions could diminish the value of safe harbor protection. While the answers to these questions may depend on the facts and circumstances of each instance, any additional guidance from the Division about how safe harbor treatment will be applied will likely provide more comfort to the industry and potentially promote further self-reporting and cooperation.
Second, additional guidance from the Division would be welcome regarding how charging decisions and civil monetary penalty calculations are determined. While registrants will welcome the potential to receive significant discounts on civil monetary penalties, the benefit of these potential discounts is dependent upon a predictable and consistent application of charges and calculations of civil monetary penalties.
Historically, the Division staff has exercised enormous discretion over how many violations are charged and their view of the severity of those violations. That variability, and many other factors, create uncertainty regarding the starting points for calculating civil monetary penalties. Continued use of that discretion, without further clarity and guidance from the Division, could diminish the intended disciplined approach sought in the Advisory if line staff and supervisors are not equally disciplined in deciding which charges to bring against Market Participants.
In addition to concerns about which charges are brought, the industry also has observed for years, as detailed in the Division’s previous fiscal year reports, that civil monetary penalties for violations have steadily risen over the years for similar conduct and similar charges.40 Market Participants may be confused or concerned if, after self-reporting and cooperating, the Division selects a starting civil monetary penalty significantly higher, such that any discount ultimately results in a proposed penalty similar to settlements entered into prior to the Advisory. Moving forward, the industry would welcome further guidance as to how the Division decides which charges to bring and how it calculates civil monetary penalties, which would give Market Participants the ability to better assess and rely upon the benefits of self-reporting and cooperation.
Third, additional guidance would be welcome regarding whether an Operating Division could choose not to recommend enforcement and when the Division will decline to pursue enforcement. In addition to the extensive guidance provided by the Advisory regarding the qualifications for potential self-reporting and cooperation credit, the industry would similarly welcome detailed guidance outlining the conditions under which the Division will not pursue an enforcement action. The Division should be commended for anticipating this need, as it already indicated in the Advisory that there will be future guidance as to whether and how the Operating Divisions will make enforcement referrals. It has indicated that the Division may recommend declination in “extraordinary circumstances.”41
Further guidance on how these decisions will be made could be critical in establishing a robust framework for encouraging self-reporting and cooperation. Market Participants must weigh the expected costs and benefits of self-reporting a potential violation, and most often, one of the costs of self-reporting is the high likelihood of charges and a penalty. However, if the Division were to publish clear guidance to the industry outlining the circumstances in which it, or another Operating Division, would decline to recommend enforcement, Market Participants could be incentivized to self-report and cooperate at an exemplary level in hopes of obtaining such relief. While the Advisory indicates that such declinations are possible, providing additional guidance as to what “extraordinary circumstances” would qualify for declination eligibility may further increase Market Participants’ willingness to self-report and cooperate.
Fourth, additional guidance on the difference between “excellent” and “exemplary cooperation” would be welcome. By providing an additional 15 percent credit benefit for Market Participants who engage in exemplary cooperation, the Division is incentivizing Market Participants to strive for as much cooperation as possible. While many Market Participants may pursue that level of cooperation, it is unclear from the Advisory how exactly they can confirm their conduct qualifies for exemplary, as opposed to merely excellent cooperation. The Division provides a helpful table that distinguishes the factors for excellent versus exemplary cooperation, but those factors are inherently subjective and may be applied inconsistently. For example, Market Participants would benefit from further guidance as to what distinguishes substantial assistance from material assistance, what conduct beyond the use of internal or external expert resources and consultants would qualify for “proactive engagement and use of significant resources,” or how to effectively distinguish between corrective action for remediation and significant completion of remediation. Additionally, guidance would be helpful as to how excellent and exemplary cooperation are distinguished in different factual circumstances. For example, how would the Division distinguish cooperative conduct in matters that have simple underlying facts, which may not necessitate the expenditure of significant resources to investigate and remediate, from more complex matters that require extensive analysis and complex remediation plans?
Understandably, these questions will likely be addressed on a case-by-case basis, as they depend on each matter’s facts and circumstances. With that in mind, the industry would welcome settlement orders that explicitly detail how the Division evaluated the Market Participants’ conduct in determining which tier of self-reporting and cooperation credit was appropriate, as well as specific facts about the cooperative conduct, so that Market Participants may better understand the types of conduct the Division would like to see moving forward.
Conclusion
Overall, the new guidance provides greater clarity and will be much appreciated by the industry. The Division acknowledges that further guidance will be issued that supplements the Advisory in order to address certain unanswered questions. In the meantime, the Advisory will allow Market Participants to better understand the structure and function of the Division’s self-reporting, cooperation, and remediation policy.
1 See CFTC, Release No. 9044-25, CFTC Division of Enforcement to Refocus on Fraud and Helping Victims, Stop Regulation by Enforcement (Feb. 4, 2025), available at https://www.cftc.gov/PressRoom/PressReleases/9044-25; and Statement of Commissioner Caroline D. Pham on Self-Reporting and Cooperation Credit in Enforcement Actions (Aug. 19, 2024), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement081924.
2 Executive Order, Ensuring Lawful Governance and Implementing the President’s “Department of Government Efficiency” Deregulatory Initiative (Feb. 19, 2025), available at https://www.whitehouse.gov/presidential-actions/2025/02/ensuring-lawful-governance-and-implementing-the-presidents-department-of-government-efficiency-regulatory-initiative/.
3 Recent public comments by the Director of the Division indicate that the Division may provide self-reporting credit to disclosures included in annual CCO reports.
4 See CFTC Div. of Enforcement, Updated Advisory on Self Reporting and Full Cooperation (Sept. 17, 2017), available at https://www.cftc.gov/sites/default/files/idc/groups/public/@lrenforcementactions/documents/legalpleading/enfadvisoryselfreporting0917.pdf; CFTC Div. of Enforcement, Recognizing Cooperation, Self-Reporting, and Remediation in Commission Enforcement Orders (Oct. 29, 2020), available at https://www.cftc.gov/media/5181/ENFSelfReportingRemediationGuidance102920/download.
5 See https://quickreads.ext.katten.com/post/102iqjo/tread-with-caution-new-cftc-enforcement-advisory-on-penalties-monitors-and-admi.
6 CFTC Div. of Enforcement, Advisory on Self-Reporting, Cooperation, and Remediation (Feb. 25, 2025), at ¶ I.a.i, available at https://www.cftc.gov/media/11821/EnfAdv_Resolutions022525/download.
7 Id. at ¶ I.a.ii.
8 Id. at ¶ I.a.iii.
9 Id. at ¶ I.b.iii.
10 Compare id. with CFTC Div. of Enforcement, Updated Advisory on Self Reporting and Full Cooperation (Sept. 17, 2017) at 2, available at https://www.cftc.gov/sites/default/files/idc/groups/public/@lrenforcementactions/documents/legalpleading/enfadvisoryselfreporting0917.pdf (requiring cooperation with Enforcement).
11 Advisory at ¶ I.c.ii.
12 Id. at ¶ I.c.ii.
13 Id. at ¶ I.d.i.
14 Id. at ¶ I.d.ii.
15 Id. at ¶ I.e.
16 Id. at ¶ I.f.ii. Some credit will be given for new facts, analysis, or insights about information otherwise known to the Commission. Id.
17 Id. at ¶ I.f.iii.
18 Id. at ¶ I.f.iv. The primary consideration here is the quality, not quantity, of the information. Id.
19 Id. at ¶ II.a.viii.
20 Id. at ¶ II.a.ix.
21 Id. at ¶ II.a.iv.
22 Id. at ¶ II.a.v.
23 Id. at ¶ II.a.vi.
24 Id. at ¶ II.a.vii.
25 Id.
26 Id. at ¶ II.b.
27 Id. at ¶ II.b.ii.
28 Id. at ¶ III.c. Disgorgement and restitution are not eligible for this offset.
29 See CFTC, Release No. 9044-25, CFTC Division of Enforcement to Refocus on Fraud and Helping Victims, Stop Regulation by Enforcement (Feb. 4, 2025), available at https://www.cftc.gov/PressRoom/PressReleases/9044-25.
30 See U.S. Dep’t of Justice, Voluntary Self Disclosure and Monitory Selection Policies, available at https://www.justice.gov/corporate-crime/voluntary-self-disclosure-and-monitor-selection-policies; U.S. Dep’t of Treasury Office of Foreign Assets Control, 31 C.F.R. Ch. V § 501 App’x A (2025) (Economic Sanctions Enforcement Guidelines), available at https://www.ecfr.gov/current/title-31/subtitle-B/chapter-V/part-501/appendix-Appendix%20A%20to%20Part%20501.
31 Advisory at 2 n.4 (“The Division, together with the Operating Divisions, will be developing a future public enforcement advisory to set forth transparent and consistent criteria for enforcement referrals by an Operating Division to the Division of Enforcement.”).
32 See CFTC Div. of Enforcement, Updated Advisory on Self Reporting and Full Cooperation (Sept. 17, 2017), at 2 (“the Division may recommend a reduced civil monetary penalty even where a company or individual did not self-report wrongdoing but otherwise fully cooperated with the Division’s investigation and remediated deficiencies in its compliance or control programs”); CFTC Div. of Enforcement, Recognizing Cooperation, Self-Reporting, and Remediation in Commission Enforcement Orders (Oct. 29, 2020) (noting credit for self-reporting is only available if accompanied by substantial cooperation and remediation).
33 See CFTC Div. of Enforcement, Updated Advisory on Self Reporting and Full Cooperation (Sept. 17, 2017), at 3.
34 Statement of Commissioner Caroline D. Pham on Self-Reporting and Cooperation Credit in Enforcement Actions (Aug. 19, 2024), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement081924.
35 Advisory at 1 n.3 (“The Advisory is the Division’s sole policy on self-reporting, cooperation, and remediation. The previously announced policies, including those contained in six different Division advisories as well as in the Division’s Enforcement Manual, are no longer the policy of the Division.”). See also CFTC, Advisory Regarding Penalties, Monitors and Consultants, and Admissions in CFTC Enforcement Actions (Oct. 17, 2023), available at https://www.cftc.gov/media/9466/EnfAdvResolutions/download.
36 See https://quickreads.ext.katten.com/post/102iqjo/tread-with-caution-new-cftc-enforcement-advisory-on-penalties-monitors-and-admi.
37 Advisory at 3.
38 See Commissioner Johnson’s Statement, available at https://www.cftc.gov/PressRoom/SpeechesTestimony/johnsonstatement022525 (“I believe that we must be careful not to muddy the waters. To best enable market participants to develop internal compliance infrastructure, it is critical that the Commission offer clear, consistent guidance that enables effective compliance as well as a well-defined pathway to report, cooperate, or remediate.”).
39 See also Advisory at 2 n.4 (“The Division, together with the Operating Divisions, will be developing a future public enforcement advisory to set forth transparent and consistent criteria for enforcement referrals by an Operating Division to the Division of Enforcement.”). See also Commissioner Johnson’s Statement (“I stand ready to work with all of the divisions at the Commission and our registered market participants to develop further clarity on the Commission’s policies articulated in the Advisory.”).
40 See https://katten.com/will-history-repeat-itself-peering-into-the-past-to-predict-the-next-four-years-of-cftc-enforcement-actions.
41 Advisory at 2 n.4 (“The Division, together with the Operating Divisions, will be developing a future public enforcement advisory to set forth transparent and consistent criteria for enforcement referrals by an Operating Division to the Division of Enforcement.”). See also id. at ¶ III.g (“In extraordinary circumstances—for example where a Person is the first to self-report pervasive fraud, manipulation, or abuse involving multiple parties, and also provides Exemplary Cooperation — the Division may recommend a declination.”).
Regulation Round Up: February 2025
Welcome to the Regulation Round Up, a regular bulletin highlighting the latest developments in UK and EU financial services regulation.
Key developments in February 2025:
28 February
FCA Handbook Changes: The Financial Conduct Authority (“FCA”) published Handbook Notice 127, which sets out changes to the FCA Handbook made by the FCA board on 30 January and 27 February 2025.
27 February
Economic Growth / Consumer Duty: The FCA published a speech on, among other things, how the FCA is working to support growth initiatives in the economy and its approach to the Consumer Duty.
FCA Regulation Round‑up: The FCA published its regulation round‑up for February 2025. Among other things, it covers the launch of a new companion tool to the Financial Services Register and future changes to the pre‑application support services the FCA offers.
26 February
Reserved Investor Funds: The Alternative Investment Funds (Reserved Investor Fund) Regulations 2025 (SI 2025/216) were published, together with an explanatory memorandum. The Reserved Investor Fund is a new UK‑based unauthorised contractual scheme with lower costs and more flexibility than the existing authorised contractual scheme.
ESG: The European Commission proposed an Omnibus package on sustainability (here and here) to amend the sustainability due diligence and reporting requirements under the Corporate Sustainability Due Diligence Directive ((EU) 2024/1760) and the Corporate Sustainability Reporting Directive ((EU) 2022/2464). Please refer to our dedicated article on this topic here.
ESG: The European Commission published a call for evidence on a draft Delegated Regulation amending the Disclosures Delegated Act ((EU) 2021/2178) (Ares (2025) 1532453), the Taxonomy Climate Delegated Act (Commission Delegated Regulation (EU) 2021/2139) and the Taxonomy Environmental Delegated Act (Commission Delegated Regulation (EU) 2023/2486).
FCA Asset Management / Alternatives Supervision: The FCA published a portfolio letter explaining its supervision priorities for asset management and alternatives firms.
Cryptoassets: ESMA published the official translations of its guidelines (ESMA35‑1872330276‑2030) on situations in which a third‑country firm is deemed to solicit clients established or situated in the EU and the supervision practices to detect and prevent circumvention of the reverse solicitation exemption under the Markets in Crypto Assets Regulation (EU) 2023/1114 (“MiCA”).
24 February
Artificial Intelligence: The FCA published a research note on AI’s role in credit decisions.
Suitability Reviews / Ongoing Services: The FCA published a webpage and press release containing the findings of its multi‑firm review of suitability reviews and whether financial advisers are delivering the ongoing services that consumers have paid for.
21 February
Cryptoassets: The Financial Stability Board published summary terms of reference for its thematic peer review on its global regulatory framework for cryptoasset activities.
20 February
PRA Policy: The Prudential Regulatory Authority (“PRA”) published a policy statement (PS3/25) on its approach to policy.
Digital Operational Resilience: Two Commission Regulations supplementing the Regulation on digital operational resilience for the financial sector ((EU) 2022/2554) (“DORA”) were published in the Official Journal of the European Union (here and here).
17 February
Cryptoassets: ESMA published a consultation paper (ESMA35‑1872330276‑2004) on guidelines for the criteria to assess knowledge and competence under MiCA.
14 February
ESG: The FCA updated its webpage on its consultation paper on extending the sustainability disclosure requirements (“SDR”) and investment labelling regime to portfolio managers. Please refer to our dedicated article on this topic here.
ESG: The City of London Law Society published its response to HM Treasury’s November 2024 consultation on the UK green taxonomy.
Authorised Funds: The FCA published a document setting out its expectations on authorised fund applications.
Financial Sanctions: The Office of Financial Sanctions Implementation published a threat assessment report covering financial services.
13 February
Financial Regulatory Forum: HM Treasury published a statement following the third meeting of the joint UK‑EU Financial Regulatory Forum on 12 February 2025.
12 February
EU Competitiveness: The European Commission adopted a Communication setting out its vision to simplify how the EU works by reducing unnecessary bureaucracy and improving how new EU rules are made and implemented to make the EU more competitive.
European Commission 2025 Work Programme: The European Commission published a communication outlining its work programme for 2025 (COM(2025) 45 final).
10 February
Artificial Intelligence: The European Commission published draft non‑binding guidelines to clarify the definition of an AI system under the EU AI Act.
5 February
ESG: The EU Platform on Sustainable Finance published a report setting out recommendations to simplify and improve the effectiveness of taxonomy reporting. Please refer to our dedicated article on this topic here.
3 February
Payments: The FCA published a portfolio letter sent to payments firms setting out its priorities for them and actions it expects them to take.
Artificial Intelligence: The House of Commons Treasury Committee launched an inquiry into AI in financial services and published a related call for evidence.
Sulaiman Malik and Michael Singh contributed to this article
New Rulemaking Announced: Treasury Department Suspends Reporting, Enforcement and Fines under the Corporate Transparency Act until Further Notice
How Did We Get Here?
The Corporate Transparency Act (CTA) went into effect on January 1, 2024, and was enacted as part of the Anti-Money Laundering Act of 2020. Administered by the Financial Crimes Enforcement Network, a bureau of the U.S. Department of the Treasury (FinCEN), the CTA is designed as another tool in the mission to protect the financial system from money laundering, terrorism financing, and other illicit activity. FinCEN issued the implementing final rules on September 29, 2022. Pursuant to these rules, reporting companies[1] formed before 2024 were to file their initial beneficial ownership reports (BOIRs) with FinCEN by January 1, 2025. Reporting companies formed after January 1, 2024, and before January 1, 2025, were to file their initial BOIR within 90 days following their formation.
In late 2024, multiple lawsuits were filed challenging the constitutionality of the CTA. Plaintiffs in those cases sought, and in many cases obtained, injunctions excusing them from filing their initial BOIRs until the merits of the case were decided. In two of the cases, federal judges issued nationwide injunctions excusing all reporting companies from filing their initial BOIR during the pendency of the case. As we recently reported, the United States Supreme Court on January 3, 2025 overturned the nationwide injunction in one of those cases, narrowing the injunction to just the plaintiffs in that particular case. On February 18, 2025, the district court judge in the other case narrowed his nationwide injunction to just the plaintiffs in that case. All of the cases continue to work their way through the federal court system.
As a result, on February 19, 2025, FinCEN issued a notice declaring a new filing deadline of March 21, 2025, for initial BOIRs. Then on February 27, 2025, FinCEN announced that by March 21, 2025, it would propose an interim final rule that further extends BOIR deadlines. Moreover, FinCEN stated it would not issue fines or penalties or take any enforcement actions until that forthcoming interim final rule became effective and the new relevant due dates in the interim final rule have passed. The Treasury Department also issued a comparable press release on February 27, 2025, but added that it will further not enforce any penalties or fines against U.S. citizens or domestic reporting companies or their beneficial owners after the forthcoming rule changes take effect. The Treasury Department stated that the interim final rule that it would issue by March 21, 2025, would propose narrowing the scope of the rule to foreign reporting companies only.
Current Status
The recently announced actions by the Department of Treasury effectively mean that:
FinCen won’t enforce penalties or fines against companies or beneficial owners who do not file by the March 21 deadline.
If your reporting company was created by the filing of a document with a secretary of state or a similar office under the law of a State or Indian Tribe and all of the beneficial owners of your reporting company are U.S. citizens, the Department of Treasury has stated it intends to amend the rules to eliminate the obligation for your reporting company to ever file a BOIR report and accordingly, FinCEN will never enforce penalties or fines against your reporting company or its U.S. beneficial owners.
If your reporting company was created by the filing of a document with a secretary of state or a similar office under the law of a State or Indian Tribe and some of the beneficial owners are NOT U.S. citizens, FinCEN won’t currently enforce any penalties or fines against the company or its foreign beneficial owners until after the new rules go into effect. The Department of Treasury press release suggests that it will eliminate the obligation to file a BOIR for your domestic reporting company with non-U.S. beneficial owners, but we must await the proposed new rule to see if FinCen is proposing to narrow the rule in this manner. The CTA itself defines what is a reporting company without this distinction of ownership by U.S. citizens or non-U.S. citizens. Given that the CTA’s stated objective to combat illicit activity, it would seem useful for FinCEN to have information about the non-U.S. citizenship ownership of a domestic reporting company.
If your reporting company was created by the filing of a document outside of the United States and you have registered your company with a secretary of state or a similar office under the law of a State or Indian Tribe, FinCEN won’t currently enforce any penalties or fines against the company or its foreign beneficial owners until after the new rules go into effect. Foreign companies are currently subject to the BOIR only if they are registered to do business in the United States. Foreign registered companies who are not registered to do business in the United States are not currently subject to the BOIR requirements (even if they are doing business here). Narrowing the BOIR reporting rules in this manner would seem to result in far fewer reporting companies. We await further communication from the Department of Treasury on this position.
State Level Developments
Lastly, we note that with this major development on the federal level, states may adopt CTA-like legislation for entities created or registered under their state law. The State of New York has already done so by enacting the New York Limited Liability Company Transparency Act (the NY LLCTA) which mirrors the CTA in many respects, with key differences. The NY LLCTA applies only to limited liability companies (LLCs) created under New York law or registered to do business in New York. Under the NY LLCTA, these reporting LLCs must disclose their beneficial owners to the New York State Department of State (DOS) beginning on January 1, 2026. LLCs that qualify for one of the CTA’s 23 exemptions will be exempt under NY LLCTA, but must file an “attestation of exemption” with DOS.
It is not clear whether any other states will enact comparable legislation. This includes Delaware, which has always been the preferred state for domestic businesses to incorporate, including 30% of Fortune 500 companies. More recently, however, Texas and Nevada have been courting companies to reincorporate in their states. These other states offer tax breaks and perceived business-friendly regulations. Faced with potentially losing corporate business to other states, it is not known whether Delaware would risk giving companies another reason to consider incorporating elsewhere.
ENDNOTES
[1] A “reporting company” is defined under the CTA as “a corporation, limited liability company, or other similar entity” that is either “created by the filing of a document with a secretary of state or a similar office under the law of a State or Indian Tribe” or “formed under the law of a foreign country and registered to do business in the United States.”
Tax Transparency and Data Privacy — Which Wins?
As tax authorities embrace new digital technologies, the issue of safeguarding citizens’ data privacy rights steps to the fore. Since the implementation of the EU General Data Protection Regulation (GDPR) in 2018, there has been a greater focus on data privacy from both the public and organisations. At the same time, the cooperative international effort to combat offshore tax evasion has been steadily increasing. Several information-sharing regimes have been conceived to allow tax authorities to share information globally relating to financial accounts and investments under Automatic Exchange of Information Agreements.
In J Webster v HMRC [2024] EWHC 530 (KB), Ms. Webster, a US citizen, brought a case against His Majesty’s Revenue and Customs (HMRC) regarding information sharing under the Foreign Account Tax Compliance Act. At the centre of this case stands the question of which wins — tax transparency or data privacy?
Automatic Exchange of Information (AEOI)
The United Kingdom shares information with foreign tax authorities under two specific regimes:
1. Foreign Account Tax Compliance Act (FATCA): The FATCA regime is US-specific. Financial institutions outside of the United States are required to provide the US tax authorities with information relating to the foreign financial accounts of US individuals. Information includes, for example, the individual’s name and address, account balance and amount of interest accrued.
2. Common Reporting Standard (CRS): Nicknamed “global FATCA” by commentators at its inception, the CRS requires the automatic exchange of financial account information between tax authorities globally. The information shared is largely the same as that under FATCA, with the addition of the date and individuals’ places of birth (in some cases).
In practice, financial institutions in the United Kingdom supply the required data to HMRC, which then provides it to the relevant tax authorities on an annual and automatic basis.
The GDPR
Data privacy in the United Kingdom is regulated by the UK GDPR (the retained version of the EU GDPR) and the Data Protection Act 2018. Under Article 4(1) of the UK GDPR, personal data means any information relating to an identified or identifiable natural person. There are seven key principles for processing personal data (found in Article 5, UK GDPR). Broadly, these require that personal data is: (i) processed lawfully, fairly and transparently, (ii) collected for specified, explicit and legitimate purposes only, (iii) limited to what is necessary for the purposes (minimisation), (iv) accurate, (v) not stored longer than necessary, and (vi) processed in a manner that ensures appropriate security of the data. Finally, the data controller must be responsible for and able to demonstrate compliance with the preceding six principles.
Importantly, personal data must only be transferred outside of the United Kingdom if the receiving countries have adequate levels of protection for data subjects in place or appropriate safeguards for the transfer of personal data (Article 46, UK GDPR).
So, Which Wins?
Ms. Webster argued that information sharing between tax authorities under the FATCA regime breached her data privacy and human rights. In summary, she claimed that there were no appropriate safeguards in place for the transfers by HMRC and that US law failed to provide adequate levels of protection. Additionally, the data transfers allegedly fell foul of the principle of proportionality, as bulk processing did not account for Ms. Webster’s personal circumstances — specifically, that Ms. Webster had no US tax obligations (having modest income in the United Kingdom and owning no assets or income in the United States).
Unfortunately, the central question of “which wins?” remains unanswered. The judgment focused more on questions of procedure than substance — for example, as argued by HMRC, whether the claim should have been brought via judicial review and was, therefore, an abuse of process.
However, it is not difficult to see some merit in Ms. Webster’s claim. The aims of FATCA and the CRS are clearly worthy, and tax transparency is important. However, since personal data is processed automatically and whether an individual poses any real risk of tax evasion is immaterial to that processing, it is unconvincing that the principles of proportionality and data minimisation are comfortably being met.
Information-sharing regimes have been challenged in other countries as well. For example, the Belgian Data Protection Authority has argued (in a decision that has since been annulled) that data exchanges under FATCA violate the EU GDPR since more information than necessary is shared and the purposes for the data transfers are insufficiently defined. The Slovakian Data Protection Authority also challenged FATCA on the grounds that the AEOI Agreement under which data transfers took place did not contain the necessary safeguards to transfer personal data to third countries.
It is widely agreed that the GDPR is far more comprehensive than US privacy laws — some might remember the highly publicised “Schrems II” case from 20201 where the Court of Justice of the European Union declared that the US privacy laws fail to ensure an adequate level of protection. Recent news about the US Treasury being hacked also inevitably raises concerns about the security of the personal data transferred, and with President Donald Trump’s firing of Democratic members of the Privacy and Civil Liberties Oversight Board since the beginning of his second term, more widespread privacy concerns now linger.
We will have to wait and see how the tension between tax transparency and data privacy culminates. A judgment that focuses on the merits of Ms. Webster’s concerns would bring us some much-needed answers. However, what is clear is that there is pressure on tax authorities to address concerns relating to the data privacy of individuals, which are not subsiding.
1 Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18.
Georgia Griesbaum contributed to this article
Navigating the Changing Landscape of Corporate Transparency Act Compliance
Both the U.S. Department of the Treasury and FinCEN, a bureau within the Treasury Department, have issued statements, which, taken together, indicate a significant reduction in the enforcement of the Corporate Transparency Act (CTA) beneficial ownership information (BOI) reporting requirements against U.S. citizens and domestic reporting companies. Specifically, the Treasury Department has indicated its intent to narrow, via forthcoming rule changes, the scope of the BOI reporting requirements to foreign reporting companies only and to halt any penalties or fines against U.S. citizens and domestic reporting companies following implementation of these rule changes.
The Treasury Department has yet to issue the proposed rulemaking reflecting these changes to the scope of BOI reporting requirements, and it will be important to see the proposed rulemaking to better understand how the Treasury Department and FinCEN plan to effect these changes. Items to look out for in any proposed rulemaking include:
Whether U.S. citizens who are beneficial owners of foreign reporting companies will need to comply with BOI reporting efforts of foreign reporting companies.
Whether domestic reporting companies with foreign beneficial owners will be subject to any BOI reporting requirements.
How the language regarding ending enforcement of penalties and fines against U.S. citizens and domestic reporting companies for non-compliance is worded (i.e., eliminating altogether enforcement against all U.S. citizens and domestic reporting companies or a general, discretionary pause by FinCEN).
In addition, the validity or legality of any proposed rulemaking regarding the narrowed scope of the CTA may be challenged in the courts. And, as noted in our previous alert, there are still a number of court cases pending, and Congress is also considering bills that would affect the CTA. Accordingly, this is unlikely to be the last update in the CTA enforcement saga.
The U.S. Department of the Treasury issued the following release regarding enforcement of the CTA:
Treasury Department Announces Suspension of Enforcement of Corporate Transparency Act Against U.S. Citizens and Domestic Reporting Companies
The Treasury Department is announcing today that, with respect to the Corporate Transparency Act, not only will it not enforce any penalties or fines associated with the beneficial ownership information reporting rule under the existing regulatory deadlines, but it will further not enforce any penalties or fines against U.S. citizens or domestic reporting companies or their beneficial owners after the forthcoming rule changes take effect either. The Treasury Department will further be issuing a proposed rulemaking that will narrow the scope of the rule to foreign reporting companies only. Treasury takes this step in the interest of supporting hard-working American taxpayers and small businesses and ensuring that the rule is appropriately tailored to advance the public interest.
“This is a victory for common sense,” said U.S. Secretary of the Treasury Scott Bessent. “Today’s action is part of President Trump’s bold agenda to unleash American prosperity by reining in burdensome regulations, in particular for small businesses that are the backbone of the American economy.”
In addition, FinCEN issued the following release regarding enforcement of the CTA:
FinCEN Not Issuing Fines or Penalties in Connection with Beneficial Ownership Information Reporting Deadlines
WASHINGTON––Today, FinCEN announced that it will not issue any fines or penalties or take any other enforcement actions against any companies based on any failure to file or update beneficial ownership information (BOI) reports pursuant to the Corporate Transparency Act by the current deadlines. No fines or penalties will be issued, and no enforcement actions will be taken, until a forthcoming interim final rule becomes effective and the new relevant due dates in the interim final rule have passed. This announcement continues Treasury’s commitment to reducing regulatory burden on businesses, as well as prioritizing under the Corporate Transparency Act reporting of BOI for those entities that pose the most significant law enforcement and national security risks.
No later than March 21, 2025, FinCEN intends to issue an interim final rule that extends BOI reporting deadlines, recognizing the need to provide new guidance and clarity as quickly as possible, while ensuring that BOI that is highly useful to important national security, intelligence, and law enforcement activities is reported.
FinCEN also intends to solicit public comment on potential revisions to existing BOI reporting requirements. FinCEN will consider those comments as part of a notice of proposed rulemaking anticipated to be issued later this year to minimize burden on small businesses while ensuring that BOI is highly useful to important national security, intelligence, and law enforcement activities, as well to determine what, if any, modifications to the deadlines referenced here should be considered.
Unfair Competition Defense- Episode 16: An Increased Interest in Credit Card Surcharges [Podcast]
In this episode, Greenberg Traurig shareholder Ed Chansky joins Greg Nylen to explore the evolving landscape of credit card surcharges in the U.S. From state-level quirks and disclosure requirements to recent regulatory developments, this episode delves into the legal complexities surrounding merchants’ ability to pass credit card processing fees onto consumers.
Greenberg Traurig’s Unfair Competition Defense Podcast focuses on consumer protection statutes at the state and federal levels. Claims under these laws frequently are brought as proposed consumer class action litigation across many different industries. Each episode addresses key principles under these laws, new developments and, most importantly, defense strategies.
US Treasury Announces That the Corporate Transparency Act Will Not Be Enforced Against Domestic Companies, Their Beneficial Owners or US Citizens
As noted in our previous Corporate Advisory, the Financial Crimes Enforcement Network (FinCEN) announced on February 27, 2025, that it will not take enforcement action against a Reporting Company that fails to file or update a Beneficial Ownership Information Report (BOIR) as required by the Corporate Transparency Act (CTA), pending the release of a new “interim final rule.”
On March 2, 2025, the US Department of the Treasury (Treasury) issued a press release expanding on FinCEN’s announcement. The Treasury release states that even “after the forthcoming rule changes take effect[,]” the Treasury will not enforce fines and penalties under the CTA against domestic Reporting Companies, beneficial owners of domestic Reporting Companies or US citizens.
The release also outlines Treasury’s intention to propose additional rulemaking that would limit CTA reporting obligations solely to foreign Reporting Companies. Under the CTA, a foreign Reporting Company is defined as any entity that is formed under the laws of a foreign country and registered to do business in the United States by filing a document with a secretary of state or a similar office under the laws of a State or Indian tribe. As a result, the proposed rulemaking would significantly narrow the CTA’s application.
Given the Treasury’s announcement, non-exempt domestic Reporting Companies and their beneficial owners may wish to consider ceasing CTA compliance efforts until there are further developments in this space. Non-exempt foreign Reporting Companies should continue preparing CTA filings in anticipation of forthcoming guidance regarding extended filing deadlines.
Alexander Lovrine contributed to this article.
New Leader At The California Department Of Financial Protection & Innovation
Last month, Governor Gavin Newsom appointed Khalil “KC” Mohseni, as Commissioner of the California Department of Financial Protection and Innovation. Commissioner Mohseni is not an entirely new to the DFPI. He served as Chief Deputy Director of the DFPI since 2023. He has previously served as the Chief Operating Officer at the State Controller’s Office and the Deputy Director of Administration at the California Department of Housing and Community Development. Commissioner Mohseni earned a Juris Doctor degree from the University of California, Davis School of Law, and a Bachelor of Arts degree in Political Science from the University of California, Irvine.
Although Commissioner Mohseni assumed office immediately, he will lose his position if the California Senate fails or refused to confirm his appointment within 365 days after the day on which he first began performing the duties of the office. Cal. Gov’t Code § 1774(c).
How much will Commissioner Mohseni make in his new position? $224,868 per year.
SEC Expands Confidential Review Process for Draft Registration Statements
Go-To Guide:
SEC expands confidential review process for draft registration statements, now available for all Securities Act and Exchange Act registrations.
New policy removes “initial filing” limitation, allowing both private and public companies to submit draft registration statements confidentially.
The policy clarifies accommodation for de-SPAC transactions.
Underwriter details may now be omitted from initial draft submissions, but must be included in later drafts and public filings.
On March 3, 2025, the Securities and Exchange Commission’s Division of Corporation Finance issued new guidance expanding the availability of confidential (nonpublic) review of draft registration statements (DRS).
Background
A DRS is a confidential draft of a registration statement submitted to the SEC for review before a public filing is made, granting issuers flexibility to avoid alerting the public market of the planned offering and sharing sensitive information until a more advanced stage of the offering process, if at all.
The confidential submission process was originally established only for foreign private issuers but was introduced in 2012 under the Jumpstart Our Business Startups Act (JOBS Act) for emerging growth companies (EGCs), allowing them to submit draft registration statements for nonpublic SEC review under Section 6(e) of the Securities Act of 1933, as amended (Securities Act), in order to encourage smaller companies to enter the public markets and streamline the initial public offering (IPO) process.
In 2017, the SEC extended this benefit to all companies—whether or not they qualified as EGCs—when filing:
an IPO registration statement under the Securities Act;
an initial registration statement under Section 12(b) of the Securities Exchange Act of 1934, as amended (Exchange Act), when seeking to list securities on a national securities exchange for the first time; or
an initial submission of a registration statement under the Securities Act during the twelve-month period following the effective date of the IPO registration statement or an issuer’s Exchange Act Section 12(b) registration statement.
The March 2025 guidance extends the benefits of non-public review to all issuers by removing the “initial filing” limitation. Now, both private and public companies can submit a DRS for confidential SEC review in connection with any Securities Act or Exchange Act registration—regardless of whether they are first-time registrants. Affected companies may now forestall market scrutiny of contemplated capital markets transactions triggered by a public SEC filing and, in some cases, during the pendency of the SEC review process, which may offer an advantage for planning and marketing the transaction.
Key Enhancements
1.
Expanded Eligibility for Nonpublic Review
a.
IPOs and Initial Exchange Act Registrations
The confidential review process now applies to initial Exchange Act registrations under both Section 12(b) (exchange listings) and Section 12(g) (required registration for companies exceeding $10 million in assets with a class of equity securities held by either 2,000 shareholders or 500 non-accredited investors), broadening access to the confidential review process.
Previously, companies filing on Forms 10, 20-F, or 40-F to go public outside the traditional IPO registration statement were not permitted to request non-public review.
b.
Subsequent Offerings and Registrations
Previously, the SEC would only accept subsequent DRSs for nonpublic review if they were submitted within the 12-month period following the effective date of either (i) the issuer’s IPO registration statement under the Securities Act, or (ii) the issuer’s initial Exchange Act registration statement under Section 12(b).
Under the SEC’s new policy, issuers may now submit DRSs for confidential review in connection with any Securities Act offering or any registration of a class of securities under Section 12(b) or Section 12(g) of the Exchange Act, regardless of how much time has passed since the issuer became public.
2.
Accommodation for de-SPAC Transactions
Under rules adopted in July 2024, target companies in de-SPAC transactions (where a SPAC, which is a public company, merges with a private company) must be co-registrants when the SPAC files the registration statement.
The SEC has now clarified that these registration statements—where the SPAC is the surviving entity—are eligible for confidential submission if the target company would itself qualify for non-public review under existing policies.
3.
Foreign Private Issuers (FPIs)
FPIs may rely on this expanded non-public review process. Alternatively, if the FPI qualifies as an EGC, it can follow the EGC-specific DRS procedures. FPIs that do not qualify as EGCs may also continue to rely on the separate confidential submission policy the SEC outlined in its May 30, 2012, guidance for FPIs.
4.
Omission of Underwriter Information
Issuers are now permitted to omit underwriter names from initial draft submissions, which is consistent with a practice that has developed when an issuer has not yet selected an underwriter. However, underwriter details must still be included in subsequent confidential draft submissions and in the publicly filed registration statement.
Submitting a Draft Registration Statement
The SEC expects a substantially complete submission—meaning the draft should be as close to final as possible. However, the SEC recognizes that some financial information may not be ready (for example, if a fiscal period has not yet ended), and commented that if the issuer reasonably expects that the missing information will not be required at the time of public filing (e.g., due to permitted reporting accommodations), the SEC will proceed with its review despite the omissions, an accommodation previously limited to EGCs.
Issuers can also continue to request relief under Rule 3-13 of Regulation S-X, which allows them to omit or modify certain financial statement requirements if the omitted information is immaterial and providing it would be unduly burdensome. The SEC will assess these requests based on the issuer’s particular facts and circumstances.
Public Availability and Timing
DRS submissions remain confidential until the issuer publicly files its registration statement. At that point, previously submitted DRS submissions, along with the SEC’s comment letters and the issuer’s responses, become publicly available via EDGAR.
For IPOs and initial Exchange Act registrations, the initial public filing must be made at least 15 days before any road show or, in the absence of a road show, at least 15 days prior to the registration statement’s requested effective date. This 15-day requirement is not new and mirrors the timeline previously applied to EGCs.
For subsequent public offerings and Exchange Act registrations (regardless of how much time has passed since the company became public), the initial public filing must be made at least two business days prior registration statement’s requested effective date. However, unlike the non-confidential registration process for IPOs and initial Exchange Act registrations, the SEC indicated that an issuer responding to staff comments on a DRS will need to do so on a public filing and not in a revised DRS.
Additionally, submissions of Exchange Act registration statements on Form 10, 20-F, or 40-F will need to be publicly filed with the SEC to ensure that the required 30-day or 60-day period runs before effectiveness, in accordance with existing rules.
Coordinating with the SEC
Issuers should consider communicating directly with SEC staff regarding their anticipated transaction timelines—particularly for filings tied to specific pricing windows or deal milestones. The SEC will consider reasonable requests for expedited review for both confidential and public filings.
The SEC staff indicated that for subsequent public offerings and Exchange Act registrations it may consider reasonable requests to expedite the two-business day period that the registration statement has to be public.
Takeaways
This expanded confidential submission process provides issuers with greater flexibility, particularly companies that were previously excluded from confidential review (such as seasoned issuers).
In particular, for seasoned issuers that are unable to access shelf-registrations (due to, for example, baby-shelf limitations), the new guidelines allow issuers seeking to raise capital in a registered offering to file a DRS on Form S-1 or F-1 confidentially, and if there is a no review, to quickly pivot to pricing the deal when market conditions are ripe.
By allowing more issuers to engage in a nonpublic review process with the SEC, the new policy may facilitate more capital formation while preserving key investor protections.
David Huberman also contributed to this article.
NYDFS Annual Compliance Submissions Due April 15, 2025 and New Compliance Requirements Effective on May 1, 2025
As we previously reported, in 2023 the New York State Department of Financial Services (NYDFS) amended its cybersecurity regulation, 23 NYCRR 500 (or Part 500). As of November 1, 2024, Class A Companies and Covered Entities were required to comply with numerous Part 500 compliance obligations outlined here.
April 15, 2025 Compliance Certification Deadline
Covered Entities have been required to submit annual compliance with Part 500 since the regulation’s adoption; however, since 2024, Covered Entities now have the option to submit either a Certification of Material Compliance (certifying they materially complied with the regulation requirements that applied to them in the prior year) or an Acknowledgement of Noncompliance (identifying all sections of the regulation with which they have not complied and providing a remediation timeline).
The deadline for Covered Entities to submit annual compliance notifications for the 2024 calendar year is April 15, 2025. Submissions can be submitted through the NYDFS Portal. Covered Entities that qualify for full exemptions from Part 500 do not have to submit annual compliance notifications. For more information on the April 15 compliance deadline, guidance on which form to file, and step-by-step instructions, see NYDFS’s Submit a Compliance Filing section in the Cybersecurity Resource Center or contact your Katten attorney.
May 1, 2025 Compliance Obligations
On May 1, 2025, Covered Entities are required to meet additional requirements under Part 500, including:
Access Privileges and Management
Implement enhanced requirements regarding limiting user access privileges, including privileged account access.
Review access privileges and remove or disable accounts and access that are no longer necessary.
Disable or securely configure all protocols that permit remote control of devices.
Promptly terminate access following personnel departures.
Implement a reasonable written password policy to the extent passwords are used.
Covered Entities and Class A Companies must also address the below items:
Vulnerability Management: conduct automated scans of information systems, and a manual review of systems not covered by such scans” to discover, analyze, and report vulnerabilities at a frequency determined by their risk assessment and promptly after any material system changes.
Mailicious Code: Implement controls to protect against malicious code.
Class A Companies must further update their information security programs to include:
Monitoring and Training: Implement (1) endpoint detection and response solution to monitor anomalous activity and (2) centralized logging and security event alert solution. CISOs can approve reasonably equivalent or more secure compensating controls, but approval must be in writing.