Beyond the Deal: How Do You Expect SEC Exams and Enforcement to Evolve in 2025?
As we head further into 2025, the landscape of SEC exams and enforcement is poised for significant shifts. How will the SEC adapt to emerging trends and evolving market dynamics? In the first issue of Beyond the Deal in 2025, four of our regulatory lawyers weigh in on what to expect. From new regulatory priorities to potential enforcement challenges, they offer key insights into how the SEC’s approach to private fund manager exams and enforcement may evolve in the year to come.
Joshua Newville
Partner, Securities Litigation
“Although the exam staff will aim to maintain their coverage of registered firms, they may be more willing to provide guidance compared to prior years. Enforcement resources and staff may shift away from labor-intensive crypto registration cases, reallocated to investigations involving individual investor fraud. Some types of matters may be deprioritized, such as off-channel text messaging sweeps and strict enforcement of the SEC’s pay-to-play rule. In settlement negotiations, I expect a more collaborative approach, including greater transparency into the Staff’s evidence and testimony record, increased flexibility in penalty discussions, and more credit for remediation and cooperation.”
Robert Pommer
Partner, Securities Enforcement
“We anticipate the new SEC Chair to roll back many of the more aggressive policies of former Chair Gensler and revert to more traditional enforcement cases. While standalone compliance cases may become less frequent, investigations and examinations will still focus on a firm’s culture of compliance. Weak internal controls or inadequate policies are often viewed as “red flags,” prompting Staff to dig deeper and identify other potential problems. Despite a shift in enforcement priorities, investment advisers should continue to prioritize compliance and uphold their fiduciary obligations.”
Nathan Schuur
Partner, Private Funds
“At least in the near term, it may not be obvious that there have been many changes in the Division of Examinations. Exam planning cycles frequently extend months in the future and staff may have already been assigned to particular exams. The division is also geographically dispersed and has a very large head count, which will challenge even the most capable division director as they seek to shift priorities. Depending on the level of attrition the agency experiences, we could over time see examinations narrowing in scope. The percentage of advisers examined each year has held steady at about 15% through each of the past two administrations and there will be substantial pressure to keep this number from dropping; narrowing the scope of examinations would allow the division to examine the same percentage of advisers with fewer resources.”
Robert Sutton
Partner, Private Funds
“Burdensome new rulemaking should decrease dramatically under the new Republican administration, although the SEC will remain focused on many of the same core compliance areas as under the prior Democratic administration. As such, I expect SEC Examinations and Enforcement staff to maintain scrutiny over fees and expenses, allocations, valuations, cross-fund transactions, other undisclosed conflicts, misleading marketing practices (particularly in the retail context) and related matters. While the threshold for referring a violation from Examinations to Enforcement may rise, these focus areas will remain as central to the agency’s oversight efforts as they have been for over a decade, including under the previous Republican administration.”
Congress Revisits Stablecoins
After unsuccessful past efforts to enact federal legislation regulating stablecoins, Congress has again turned to stablecoins. While it is always difficult to predict whether any bill will pass, there seems to be growing support in the current Congress, with the Senate Banking Committee and House Financial Services committee working closely together to adopt legislation.
In the Senate, a bipartisan bill entitled the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act is sponsored by Senators Bill Hagerty (R-TN), Tim Scott (R-SC), Cynthia Lummis (R-WY) and Kirsten Gillibrand (D-NY). The bill defines a payment stablecoin as a digital asset used for payment or settlement that is pegged to a fixed monetary value. It would permit both bank and certain nonbank entities to issue payment stablecoins, and provides for either federal or optional state regulation, depending on the total amount of stablecoins issued. The bill makes clear that payment stablecoins are not securities subject to SEC regulation, and instead provides for banking-like examination, supervision and enforcement.
In the House, House Financial Services Committee Chair French Hill (R-AR) and Digital Assets, Financial Technology, and Artificial Intelligence Subcommittee Chairman Bryan Steil (R-WI) announced a discussion draft of a bill entitled the Stablecoin Transparency and Accountability for a Better Ledger Economy (STABLE) Act. The bill is similar in many respects to the GENIUS Act in that it seeks to provide a path for the permitted issuance of payment stablecoins with regulation at either the federal or state level. A key difference between the GENIUS Act and STABLE Act is that while the GENIUS Act requires the Treasury Department to prepare a written study on “endogenously collateralized stablecoins,” also known as algorithmic stablecoins, the STABLE Act imposes a two-year moratorium on their issuance.
The Government Contractor’s Guide to Termination for Convenience
The Trump administration, as part of its efforts to reshape the federal government, began terminating federal contracts for the convenience of the government almost immediately after coming back to town. These contract terminations show no signs of slowing in the near term. Accordingly, government contractors need to know their rights and obligations so that they can be best positioned if one or more of their contracts are terminated. This article provides a user-friendly guide for government contractors on these important rights and obligations.
General
“Termination for convenience means the exercise of the Government’s right to completely or partially terminate performance of work under a contract when it is in the Government’s interest” (Federal Acquisition Regulation (FAR) 2.101). The right to terminate for convenience is made a part of almost all government contracts by inclusion of the standard Termination for the Convenience of the Government clauses in FAR 52.249-1 through -5. The Termination for Convenience clause in commercial item contracts issued under FAR Part 12 can be found in paragraph (l) of FAR 52.212-4. For government contracts that do not contain a termination for convenience clause, such a clause nonetheless is generally read into the contract by operation of law under the “Christian Doctrine.” See G.L. Christian & Assoc. v. United States, 312 F.2d 418 (Ct. Cl. 1963).
Procedures
Once a government contract has been terminated for the convenience of the government, a series of duties for both the prime contractor and the contracting officer are triggered under FAR 49.104 and FAR 49.105, respectively. These duties are discussed in turn below.
Duties of Prime Contractor
FAR 49.104 (Duties of Prime Contractor After Receipt of Notice of Termination) states that, “[a]fter receipt of the notice of termination, the contractor shall comply with the notice and the termination clause of the contract, except as otherwise directed by the TCO [Termination Contracting Officer].”
FAR 49.104 states that “the notice and clause applicable to convenience terminations” generally require that the contractor:
Stop work immediately on the terminated portion of the contract and stop placing subcontracts thereunder;
Terminate all subcontracts related to the terminated portion of the prime contract;
Immediately advise the TCO of any special circumstances precluding the stoppage of work;
Perform the continued portion of the contract and submit promptly any request for an equitable adjustment of price for the continued portion, supported by evidence of any increase in the cost, if the termination is partial;
Take necessary or directed action to protect and preserve property in the contractor’s possession in which the government has or may acquire an interest and, as directed by the TCO, deliver the property to the government;
Promptly notify the TCO in writing of any legal proceedings growing out of any subcontract or other commitment related to the terminated portion of the contract;
Settle outstanding liabilities and proposals arising out of termination of subcontracts, obtaining any approvals or ratifications required by the TCO;
Promptly submit the contractor’s own settlement proposal, supported by appropriate schedules; and
Dispose of termination inventory, as directed or authorized by the TCO.
Accordingly, government contractors who have had a contract terminated for convenience need to be mindful of the duties that the FAR imposes upon them and should adequately document their compliance with these duties.
Duties of Contracting Officer
FAR 49.105 (Duties of Termination Contracting Officer After Issuance of Notice of Termination), in turn, states that “[c]onsistent with the termination clause and the notice of termination, the TCO shall”:
Direct “the action required of the prime contractor;”
Examine the prime contractor’s termination settlement proposal and, when appropriate, the settlement proposals of subcontractors;
Promptly negotiate settlement with the contractor and enter into a settlement agreement; and
Promptly settle the contractor’s settlement proposal “by determination for the elements that cannot be agreed on, if unable to negotiate a complete settlement” (see FAR 49.105(a)).
Next, FAR 49.105(b) states that, “[t]o expedite settlement, the TCO may request specially qualified personnel to”:
Assist in dealings with the contractor;
Advise on legal and contractual matters;
Conduct accounting reviews and advise and assist on accounting matters; and
Perform the following functions regarding termination inventory (see FAR subpart 45.6): verify its existence; determine qualitative and quantitative allocability; make recommendations concerning serviceability; undertake necessary screening and redistribution; and assist the contractor “in accomplishing other disposition.”
Moreover, FAR 49.105(c) states that the TCO “should promptly hold a conference with the contractor to develop a definite program for effecting the settlement.” In addition, the FAR states that, “[w]hen appropriate in the judgment of the TCO, after consulting with the contractor, principal subcontractors should be requested to attend.”
FAR 49.105(c) goes on to state that “[t]opics that should be discussed at the conference and documented include”:
General principles relating to the settlement of any settlement proposal, including obligations of the contractor under the termination clause of the contract;
Extent of the termination, point at which work is stopped, and status of any plans, drawings, and information that would have been delivered had the contract been completed;
Status of any continuing work;
Obligation of the contractor to terminate subcontracts and general principles to be followed in settling subcontractor settlement proposals;
Names of subcontractors involved and the dates termination notices were issued to them;
Contractor personnel handling review and settlement of subcontractor settlement proposals and the methods being used;
Arrangements for transfer of title and delivery to the government of any material required by the government;
General “principles and procedures to be followed in the protection, preservation, and disposition of the contractors and subcontractors’ termination inventories, including the preparation of termination inventory schedules;”
Contractor accounting practices and preparation of SF 1439 (Schedule of Accounting Information (FAR 49.602-3);
Accounting review of settlement proposals;
Any requirement for interim financing in the nature of partial payments;
Tentative “time schedule for negotiation of the settlement, including submission by the contractor and subcontractors of settlement proposals, termination inventory schedules, and accounting information schedules (see [FAR] 49.206-3 and [FAR] 49.303-2)”;
Actions taken by the contractor to minimize impact upon employees affected adversely by the termination (see paragraph (g) of the letter notice in FAR 49.601-2); and
The “[o]bligation of the contractor to furnish accurate, complete, and current cost or pricing data, and to certify to that effect in accordance with [FAR] 15.403-4(a)(1) when the amount of a termination settlement agreement, or a partial termination settlement agreement plus the estimate to complete the continued portion of the contract exceeds the threshold in [FAR] 15.403-4.”
Although the duties set forth under FAR 49.105 are generally directed to the contracting officer, contractors should keep an eye on these obligations and do their best to make sure that the contracting officer is adhering to them.
Termination Settlement Proposals
In exchange for the government retaining the right to terminate most federal contracts for the convenience of the government, the FAR allows contractors to submit a convenience termination settlement proposal in which the terminated contractor may seek recovery of certain costs. FAR 49.201(a) states that such a settlement “should compensate the contractor fairly for the work done and the preparations made for the terminated portions of the contract, including a reasonable allowance for profit.”
There are two basic approaches to convenience termination settlement proposals: the “inventory basis” and the “total cost” basis. The submission requirements under these two approaches are discussed in turn below. In addition, we discuss unique convenience termination rules for commercial item contracts under FAR 12.403, as well as the general timing requirements for submitting convenience termination settlement proposals.
Inventory Basis
FAR 49.206-2(a) states that “[u]se of the inventory basis for settlement proposals is preferred.” Under the inventory basis, “the contractor may propose only costs allocable to the terminated portion of the contract, and the settlement proposal must itemize separately” the following: (1) “[m]etals, raw materials, purchased parts, work in process, finished parts, components, dies, jigs, fixtures, and tooling, at purchase or manufacturing cost;” (2) charges such as engineering costs, initial costs, and general administrative costs; (3) costs of settlements with subcontractors; (4) settlement expenses; and (5) other “proper charges.”
FAR 49.206-2(a) additionally states that “[a]n allowance for profit ([FAR] 49.202) or adjustment for loss ([FAR] 49.203(b)) must be made to complete the gross settlement proposal.” In addition, “[a]ll unliquidated advance and progress payments and all disposal and other credits known when the proposal is submitted must then be deducted.”
FAR 49.206-2(a) goes on to state that the “inventory basis is also appropriate for use under the following circumstances.”
The “partial termination of a construction or related professional services contract;”
The “partial or complete termination of supply orders under any terminated construction contract;” and
The “complete termination of a unit-price (as distinguished from a lump-sum) professional services contract.”
Total Cost Basis
Concerning the “total cost” basis of settlement, FAR 49.206-2(b) states: “When use of the inventory basis is not practicable or will unduly delay settlement, the total-cost basis (SF-1436) may be used if approved in advance by the TCO as in the following examples”:
If production has not commenced and the accumulated costs represent planning and preproduction or get ready expenses;
If, under the contractor’s accounting system, unit costs for work in process and finished products cannot readily be established;
If the contract does not specify unit prices; and
If the termination is complete and involves a letter contract.
Accordingly, contractors seeking to use the “total cost” basis should confirm in writing with the TCO in advance that the “total cost” basis is acceptable.
“When the total-cost basis is used under a complete termination, the contractor must itemize all costs incurred under the contract up to the effective date of termination.” FAR 49.206-2(b)(2). Further, “[t]he costs of settlements with subcontractors and applicable settlement expenses must also be added,” “[a]n allowance for profit ([FAR] 49.202) or adjustment for loss ([FAR] 49.203(c)) must be made,” and “[t]he contract price for all end items delivered or to be delivered and accepted must be deducted.” “All unliquidated advance and progress payments and disposal and other credits known when the proposal is submitted must also be deducted.”
With respect to the use of the total-cost basis under a partial termination, the FAR states that the “settlement proposal shall not be submitted until completion of the continued portion of the contract.” FAR 49.206-2(b)(3). The FAR also states that the settlement proposal “must be prepared as in [FAR 49.206-2(b)(2)], except that all costs incurred to the date of completion of the continued portion of the contract must be included.”
If, however, “a construction contract or a lump-sum professional services contract is completely terminated, the contractor shall”:
Use the total cost basis of settlement;
Omit line 10 “Deduct-Finished Product Invoiced or to be Invoiced” from Section II of Standard Form-1436 Settlement Proposal (Total Cost Basis); and
“Reduce the gross amount of the settlement by the total of all progress and other payments” (see FAR 49.206-2(b)(4)).
FAR 49.602, in turn, outlines the standard forms used to prepare settlement proposals under both the inventory and total cost basis.
Generally speaking, a convenience termination settlement proposal should seek costs that would otherwise be allowable under FAR Part 31 (see e.g., FAR 52.249-2(i)). FAR 31.205-42 (Termination Costs) sets out specific cost principles applicable to certain unique termination situations. Notably, “settlement expenses,” including the costs incurred in the preparation and presentation of convenience termination settlement proposals, may be allowable costs (see FAR 31.205-42(g)). Finally, in instances in which the prime contract allows for partial payments, “a prime contractor may request [partial payments] on the form prescribed in [FAR] 49.602-4 at any time after submission of interim or final settlement proposals,” and “[t]he Government will process applications for partial payments promptly” (see FAR 49.112-1(a)).
Commercial Item Terminations
Unique termination for convenience procedures apply to commercial item contracts covered by FAR Part 12. Specifically, FAR 12.403(d) provides that, when the contracting officer terminates a contract for commercial items for the government’s convenience, the contractor shall be paid:
The “percentage of the contract price reflecting the percentage of the work performed prior to the notice of the termination for fixed-price or fixed-price with economic price adjustment contracts;” or
An “amount for direct labor hours (as defined in the Schedule of the contract) determined by multiplying the number of direct labor hours expended before the effective date of termination by the hourly rate(s) in the Schedule;” and
Any “charges the contractor can demonstrate directly resulted from the termination.”
FAR 12.403(d) goes on to state that the “contractor may demonstrate such charges using its standard record keeping system and is not required to comply with the cost accounting standards or the contract cost principles in [FAR] part 31.” Importantly, the government “does not have any right to audit the contractor’s records solely because of the termination for convenience.”
Finally, FAR 12.403(d) provides that the parties generally “should mutually agree upon the requirements of the termination proposal,” and that the parties “must balance” the government’s “need to obtain sufficient documentation to support payment to the contractor against the goal of having a simple and expeditious settlement.” Thus, unlike settlement proposals submitted under FAR Part 49, there is no standard form for submitting a settlement proposal under FAR Part 12.
Timing Requirements
FAR 52.249-2 (Termination for Convenience of the Government (Fixed-Price)), which is the most common convenience termination clause, states in relevant part:
(c) The Contractor shall submit complete termination inventory schedules no later than 120 days from the effective date of termination, unless extended in writing by the Contracting Officer upon written request of the Contractor within this 120-day period.
* * *
(e) After termination, the Contractor shall submit a final termination settlement proposal to the Contracting Officer in the form and with the certification prescribed by the Contracting Officer. The Contractor shall submit the proposal promptly, but no later than 1 year from the effective date of termination, unless extended in writing by the Contracting Officer upon written request of the Contractor within this 1-year period. However, if the Contracting Officer determines that the facts justify it, a termination settlement proposal may be received and acted on after 1 year or any extension. If the Contractor fails to submit the proposal within the time allowed, the Contracting Officer may determine, on the basis of information available, the amount, if any, due the Contractor because of the termination and shall pay the amount determined (emphasis added).
Notably, the timing requirements for submitting convenience termination settlement proposals are generally consistent across FAR clauses for traditional government contracts (see e.g., FAR 52.249-3 (Termination for Convenience of the Government (Dismantling, Demolition, or Removal of Improvements)) (containing similar timing requirements under subparagraphs (c) and (e)); FAR 52.249-5 (Termination for Convenience of the Government (Educational and Other Nonprofit Institutions)) (same). Generally, commercial item convenience termination submissions under FAR Part 12 do not contain similar timing requirements.
That said, each contract and set of facts should be analyzed on a case-by-case basis to ensure that the contractor is complying with applicable submission deadlines, and submission deadlines should be calculated conservatively regardless of which FAR clause applies.
Notably, the FAR does not impose a time limit by which the TCO must complete settlement negotiations with a terminated contractor. However, for small business concerns, the FAR dictates that auditors and the TCO “shall promptly schedule and complete audit reviews and negotiations, giving particular attention to the need for timely action on all settlements involving small business concerns” (see FAR 49.101(d)).
Claims and Appeal Rights
In Gardner Machinery Corp. v. United States, 14 Cl. Ct. 286 (1988), the U.S. Claims Court — which is the predecessor to the U.S. Court of Federal Claims — distinguished settlement proposals from Contract Disputes Act (CDA) claims as follows:
[A] Settlement proposal is contemplated under the regulations as a request for opening negotiations. It is not contemplated by the regulations that settlement proposals be used for the submission of final demand, final decision requested CDA claims. That is not to say that CDA claims may not grow out of the settlement proposal process or be converted to a CDA claim. It simply means that at the point of impasse in the negotiation process, the contractor must submit or resubmit its written claim, now in dispute for a finite amount of money, to the contracting officer and request a final decision thereon.
While the foregoing summary may seem straightforward, the rules in this area can actually be quite tricky. Thus, it is important to seek guidance from experienced legal counsel when seeking to convert a convenience termination settlement proposal to a formal “claim” under the CDA.
Once a contracting offer issues a final decision on a contractor’s claim, a dissatisfied contractor may generally appeal that decision to the cognizant agency board of contract appeals within 90 days of receipt of the decision or bring suit on the claim in the U.S. Court of Federal Claims within 12 months (see 41 U.S.C. § 7104).
Conclusion
In light of the recent uptick in federal contract terminations, contractors should be prepared to properly account for and timely submit recoverable costs in a convenience termination settlement proposal, as discussed in this guide.
Listen to this post
Corporate Transparency Act Compliance Still on Hold, For Now
On January 23, the U.S. Supreme Court lifted a nationwide preliminary injunction on the enforcement of the Corporate Transparency Act (the CTA), a law requiring millions of business entities to report information about their individual beneficial owners (including the individual persons who control them) to the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury. The preliminary injunction was originally issued by the U.S. District Court for the Eastern District of Texas in the case of Texas Top Cop Shop, Inc. v. Bondi—formerly, Texas Top Cop Shop v. Garland.
Despite the Supreme Court’s decision in Texas Top Cop Shop, the CTA reporting obligations are still on hold due to a separate nationwide injunction that remains in place. The second nationwide injunction was issued by a different judge of the U.S. District Court for the Eastern District of Texas in the case of Smith v. U.S. Department of the Treasury. The federal government has filed an appeal to the U.S. Court of Appeals for the Fifth Circuit seeking to lift the Smith injunction. This appeal represents the first action taken by the federal government in a CTA court proceeding since January 20, 2025, when the new administration took office.
If the injunction in the Smith case is lifted, the reporting obligations under the CTA would resume and all non-exempt reporting companies would be required to file beneficial ownership information reports (“BOIRs”) within a deadline to be determined by FinCEN. Notably, the government’s request for a stay in the Smith case pending appeal stated that FinCEN intends to extend the CTA compliance deadline for 30 days if the stay is granted. The government also implied that FinCEN is considering changes to the CTA’s reporting requirements to alleviate the burden on low-risk entities while prioritizing enforcement to address the most significant risks to U.S. national security.
Background
See below to view a timeline of notable developments.
What Might Happen Next
The future of the CTA remains in limbo. For now, FinCEN has acknowledged that a nationwide preliminary injunction in the Smith case remains in place, meaning that reporting companies are not currently required to file BOIRs with FinCEN, and further, that reporting companies are not currently subject to liability if they fail to do so. FinCEN has stated that reporting companies may continue to voluntarily submit BOIRs.1
Neither the Supreme Court nor any lower court has made a determination on the merits of the constitutionality of the CTA; the rulings to date have only concerned whether the CTA may be enforced while litigation over the validity of the CTA continues.
As stated above, CTA reporting obligations will likely resume if the Smith injunction is lifted (presumably, within 30 days of such decision), and also could resume in the future depending on the final outcomes in the Smith and Texas Top Cop Shop cases. While new developments may arise in the ongoing litigation over the CTA, Congress could also settle the debate by repealing the CTA.
Given the uncertain landscape, reporting companies who have yet to file their initial BOIRs should consider whether to continue reviewing their reporting obligations under the CTA, as such reporting companies may be required to file BOIRs within 30 days if the government’s request for a stay in the Smith case is granted. Likewise, reporting companies that have already filed should consider whether any changes have occurred to information previously reported, and should be ready to file updated or corrected reports relating to such changes or developments that occur during the pendency of the preliminary injunction. Reporting companies may also choose to voluntarily file initial or updated reports at any time despite the preliminary injunction.
Timeline
Below is a timeline of notable developments since the original nationwide preliminary injunction was issued.
December 3, 2024 – U.S. District Court for the Eastern District of Texas issued a nationwide preliminary injunction against enforcement of the CTA in the Texas Top Cop Shop case.
December 5, 2024 – The government appealed the ruling in the Texas Top Cop Shop case to U.S. Court of Appeals for the Fifth Circuit.
December 6, 2024 – FinCEN issued a statement that it will not enforce the reporting requirements while the injunction is in place and that filing BOIRs during such period is voluntary.
December 13, 2024 – The government filed a motion with the Fifth Circuit seeking an emergency stay of the injunction in the Texas Top Cop Shop case.
December 23, 2024 – A motions panel of the Fifth Circuit granted the government’s emergency motion, issuing a stay of the injunction in the Texas Top Cop Shop case pending the Fifth Circuit’s review of the merits of the appeal. Shortly thereafter, FinCEN reinstated the CTA reporting obligations and extended the reporting deadline from January 1 to January 13, 2025
December 26, 2024 – A separate panel of judges on the Fifth Circuit vacated the stay and reinstated the injunction originating in the Texas Top Cop Shop case, effectively suspending enforcement of the CTA reporting requirements under the CTA. In doing so, the merits panel reasoned that the constitutional status quo needs to be preserved while it considers the parties’ substantive arguments. The Fifth Circuit issued an expedited briefing and oral argument schedule under which briefing is to be completed by February 28, 2025, and oral arguments to occur on March 25, 2025.
December 27, 2024 – FinCEN issued a new statement that it will not enforce the reporting requirements while the reinstated Texas Top Cop Shop injunction is in place and that filing BOIRs during such period is voluntary.
December 31, 2024 – The government filed an emergency application with the Supreme Court for a stay of the injunction originating in the Texas Top Cop Shop case.
January 7, 2025 – U.S. District Court for the Eastern District of Texas issued a separate nationwide preliminary injunction against enforcement of the CTA in the Smith case.
January 15, 2025 – U.S. Senator Tommy Tuberville and Congressman Warren Davidson re-introduced the Repealing Big Brother Overreach Act in Congress seeking to overturn the CTA.
January 23, 2025 – Supreme Court lifted the nationwide injunction originating in the Texas Top Cop Shop case; the Supreme Court’s order did not address the separate nationwide injunction originating in the Smith case.
January 24, 2025 – FinCEN issued a statement that, despite the Supreme Court’s order, reporting companies are still not required to file BOIRs due to the Smith injunction.
February 5, 2025 – The government filed an appeal case seeking a stay of the injunction originating in the Smith case.
1 Further updates from FinCEN can be found at https://fincen.gov/boi.
Scott D. DeWald, Andrew F. Dixon, Laura A. Lo Bianco, Mark Patton, Mark D. Patton, Matthew C. Sweger, Amanda L. Thatcher, and Karen L. Witt
FINRA Facts and Trends: February 2025
Welcome to the latest issue of Bracewell’s FINRA Facts and Trends, a monthly newsletter devoted to condensing and digesting recent FINRA developments in the areas of enforcement, regulation and dispute resolution. We dedicate this month’s issue to FINRA’s 2025 Annual Regulatory Oversight Report. Read about the Report’s findings and observations, below.
FINRA Issues 2025 Regulatory Oversight Report
On January 28, 2025, FINRA published its 80-page 2025 Regulatory Oversight Report (the Report), offering insights and observations on key regulatory topics and emerging risks that firms should consider when evaluating their compliance programs and procedures. Broadly speaking, the Report identifies relevant rules, summarizes noteworthy findings, highlights key considerations for member firms’ compliance programs, and provides helpful and practical considerations as member firms analyze their existing procedures and controls.
The 2025 Report discusses 24 topics relevant to the securities industry. While many of these are perennially important topics, the Report also includes two new sections: third-party risk landscape and extended hours trading. Below, we provide an overview of the Report’s new priorities, together with certain continuing priorities highlighted in the Report.
A FINRA Unscripted podcast episode about the report — featuring Executive Vice President and Head of Member Supervision, Greg Ruppert, Executive Vice President and Head of Market Regulation and Transparency Services, Stephanie Dumont, and Executive Vice President and Head of Enforcement, Bill St. Louis — is available on FINRA’s website.
Newly Identified Priorities
Third-Party Risk Landscape: The most significant addition to the Report is a new top-level section on Third-Party Risk Landscape. Firms’ reliance on third parties for many of their day-to-day functions create risks, and, as the Report indicates, this new section was prompted by “an increase in cyberattacks and outages at third-party vendors” firms use.
As the broad heading indicates, the newly added material outlines effective practices and general steps to be taken by firms, including:
maintaining a list of all third-party vendor-provided services, systems and software components that the firm can leverage to assess the impact on the firm in the event of a cybersecurity incident or technology outage at a third-party vendor;
adopting supervisory controls and establishing contingency plans in the event of a third-party vendor failure;
affirmatively inquiring if potential third-party vendors incorporate generative AI into their products or services, and evaluating and reviewing contracts with these third parties to ensure they comply with the firms’ regulatory obligations, i.e., adding contractual language that prohibits firm or customer information from being ingested into the vendor’s open-source generative AI tool;
assessing third-party vendors’ ability to protect sensitive firm and customer non-public information and data;
ensuring that a vendor’s access to a firm’s systems and data is revoked when the relationship ends; and
periodically reviewing the third party’s vendor tool default features and settings.
Extended Hours Trading: In recent years, trading in National Market System stocks and other securities has extended beyond regular trading hours. In its other new section, FINRA reminds firms that offer extended hours trading that they must comply with FINRA Rule 2265, which requires that these firms provide their customers with a risk disclosure statement. Importantly, if a firm allows its customers to participate in extended hours trading online, the firm must be sure to post a risk disclosure statement on the firm’s website “in a clear and conspicuous manner.” In addition to Rule 2265, firms participating in extended hours trading must also comply with FINRA Rule 5310 (Best Execution and Interpositioning) and Rule 3110 (Supervision).
The Report recommends the following best practices to address any perceived risks associated with extended hours trading:
conducting best execution reviews geared toward evaluating how extended hours orders are handled, routed and executed;
reviewing customer disclosures to ensure they address the risks associated with extended hours trading;
establishing and maintaining supervisory processes designed to address the “unique characteristics or risks” of extended hours trading; and
evaluating the operational readiness and customer support needs during extended hours trading.
Continuing Priorities
In addition to the Report’s new topics, each of the Report’s sections — Financial Crimes Prevention, Firm Operations, Member Firms’ Nexus to Crypto, Communications and Sales, Market Integrity, and Financial Management — places special emphasis on certain continuing priorities that will remain key focus areas for FINRA in 2025:
Reg BI and Form CRS: Reg BI and Form CRS have been perennial areas of focus for FINRA since they first became effective in 2020. The 2025 Report details a number of new findings and observations for each of the four component obligations of Reg BI (Care, Conflict of Interest, Disclosure, and Compliance).
With respect to the Care Obligation, many of FINRA’s latest findings and observations center around firms’ obligations with respect to recommendations of complex or risky products. FINRA reminds firms making such recommendations to consider whether the investments align with the customer’s overall investment profile, and whether the investment would result in concentrations that exceed the firm’s policies or the customer’s risk tolerance, or that represent an inappropriate portion of a retail customer’s liquid net worth.
The primary addition to the Report concerning firms’ Conflict of Interest Obligation is a finding that firms may violate Reg BI by failing to identify all material conflicts of interest that may incentivize an associated person to make a particular recommendation, such as a financial incentive to recommend the opening of an account with the firm’s affiliate, or to invest in securities tied to a company in which the associated person has a personal ownership stake.
The Report also contains a new finding related to the Compliance Obligation, noting that firms must have written policies and procedures that address account recommendations (as distinct from investment recommendations), including transfers of products between brokerage and advisory accounts, rollover recommendations, and potentially fraudulent patterns of account switches by the same associate person.
While the Report contains no new findings or observations related to the Disclosure Obligation, FINRA continues to remind firms of their obligation to provide customers “full and fair” disclosures of all material facts related to the scope of their relationship and any conflicts of interest.
As it relates to Form CRS, the Report’s findings included failures to properly deliver Form CRS and to properly post Form CRS — including posting Form CRS on any websites maintained by financial professionals who offer the firm’s services through a separate “doing business as” website.
Cybersecurity and Cyber-Enabled Fraud: The Report’s section on Cybersecurity and Cyber-Enabled Fraud — titled Cybersecurity and Technology Management in previous years’ reports — includes several important additions in 2025.
Most prominently, the Report highlights the emerging risks associated with quantum computing, a new technology that relies on quantum mechanics to perform functions not possible for more traditional forms of technology. Noting that many financial institutions have recently begun exploring use of quantum computing in their business operations, the Report warns that these technologies could be exploited by threat actors. Among other things, quantum computing has the potential to quickly break current encryption methods utilized by firms in the financial services industry. FINRA recommends that firms considering the use of quantum computers place a particular emphasis on ensuring cybersecurity, third-party vendor management, data governance and supervision.
The Report also discusses a variety of cybersecurity threats and attacks that financial institutions must be prepared to counter. First, the Report observes an increase in the variety, frequency and sophistication of many common threats, including new account fraud, account takeovers, data breaches, imposter sites, and “quishing” (an attack that uses QR codes to redirect victims to phishing URLs). In addition to these more conventional threats, the Report also describes several emerging threats, including: Quasi-Advanced Persistent Threats (Quasi-APTs) (sophisticated cyberattacks intended to gain prolonged network or system access); Generative AI-Enabled Fraud (attacks that make use of emerging generative AI technology to enhance cyber-related crimes); and Cybercrime-as-a-Service (attacks perpetrated by criminals with technical expertise on a for-hire basis, or by selling cyber-attack tools to third parties).
Among the effective practices recommended by FINRA to combat these threats, the Report highlights two new practices: tabletop exercises, in which firms bring internal and external stakeholders together to ensure cyber threats are appropriately identified, mitigated and managed; and lateral movement, a method of subdividing a firm’s networks into various sections to make it more difficult for threat actors to gain access to a network in its entirety.
Senior Investors and Trusted Contact Persons: FINRA remains keenly focused on preventing the financial exploitation of senior investors. The Report reminds members of their regulatory obligations under FINRA Rule 4512 with respect to “Trusted Contact Persons” (TCPs) and FINRA Rule 2165 (Financial Exploitation of Specified Adults).
FINRA Rule 4512(a)(1)(F) requires FINRA members to make reasonable efforts to obtain the name of and contact information for a TCP for non-institutional customer accounts to address possible financial exploitation, to confirm the specifics of the customer’s current contact information, health status, or the identity of any legal guardian, executor, trustee, or holder of a power of attorney; or take other steps permitted by Rule 2165. In particular, Rule 2165 permits firms to place temporary holds on securities transactions and account disbursements if the member reasonably believes that financial exploitation of a Specified Adult has occurred, is occurring, has been attempted, or will be attempted. “Specified Adult” means (A) a natural person age 65 and older; or (B) a natural person age 18 and older who the member reasonably believes has a mental or physical impairment that renders the individual unable to protect his or her own interests.
In the “Findings and Effective Practices” section of the Report, FINRA notes that recent examinations and investigation focus on firms not making reasonable attempts to obtain the name and contact information of a TCP; not providing written disclosures explaining when a firm may contact a TCP; not developing training policies reasonably designed to ensure compliance with the requirement of Rule 2165; and not retaining records that document the firm’s internal review underlying any decision to place a temporary hold on a transaction.
As for suggested effective practices, the Report recommends, among other things: implementing a process to track whether customer accounts have designated TCPs, establishing specialized groups to handle situations involving elder abuse or diminished capacity, and hosting conferences or participating in industry groups focused on the protection of senior customers.
Anti-Money Laundering (AML) and Fraud: FINRA Rule 3310 requires that each member firm develop and implement a written AML program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act and its implementing regulations.
As for recommended effective practices, the Report recommends:
conducting thorough inquiries when customers — particularly the elderly — request an unusually significant amount of funds to be disbursed to a personal bank account;
conducting formal, written AML risk assessments;
incorporating additional methods for verifying customer identities when establishing online accounts;
delegating AML duties to specific business units that are best positioned to monitor and identify suspicious activity; and
establishing an AML training program for personnel that is tailored to the individuals’ roles and responsibilities.
The Report highlights one emerging risk: FINRA has observed an increase in investment fraud committed by those that engage directly with investors. This can include persuading victims to withdraw funds from their accounts as part of a fraudulent scheme. The FBI’s Internet Crime Report notes that “investment fraud is the costliest type of crime tracked by the FBI’s Internet Crime Complaint Center.” To help mitigate this threat, FINRA recommends: monitoring for sudden changes in a customer’s behavior, including withdrawal requests that are out of character for the customer; educating firm personnel that are in contact with customers on how to recognize red flags; and developing clear response plans for when the firm identifies a customer that has been victimized.
Private Placements: The Report’s section on private placements does not stray far from previous years’ reports, and primarily re-emphasizes a key area of focus for FINRA’s Enforcement division over the past two years, first highlighted in Regulatory Notice 23-08. As we reported at the time, Regulatory Notice 23-08 reminded member firms of their obligation to conduct a reasonable investigation of private placement investments prior to making any recommendation — including, most particularly, conducting an investigation of the issuer, its management and its business prospects, the assets held or to be acquired by the issuer, and the issuer’s intended use of proceeds from the offering. In its discussion of findings from targeted exams, FINRA further notes that firms fail to satisfy this obligation when, among other things, they do not conduct adequate research into issuers that have a lack of operating history, or where they rely solely on the firm’s past experience with an issuer based on previous offerings. FINRA’s findings offer a reminder to firms to apply scrutiny to all offerings, whether or not the issuer is a known quantity — and to be especially vigilant when an issuer is new to the space.
The Report’s findings also provide another cautionary tale: FINRA warns that firms fail to comply with Reg BI’s care obligation when they take the position that the firm is not making recommendations, even though the firms’ representatives have made communications to customers that include a “call to action” and are individually tailored to the customer. Firms should remain aware that these types of communications are likely to be viewed as investment recommendations, and ensure that they conduct reasonable diligence before making any such communication to a customer.
The Report also discusses an emerging trend concerning firms that have made material misrepresentations and omissions related to recommendations of private placement offerings of pre-IPO securities. As examples, FINRA cites firms that have failed to disclose potential selling compensation, and that have failed to conduct reasonable due diligence to confirm that the issuer actually held or had access to the shares it purported to sell.
Manipulative Trading: Member firms are prohibited, pursuant to a series of FINRA Rules, from engaging in impermissible trading practices. The relevant rules include FINRA Rule 2010 (Standards of Commercial Honor and Principles of Trade); FINRA Rule 5230 (Payments Involving Publications that Influence the Market Price of a Security); and FINRA Rule 5210 (Publication of Transactions and Quotations), which FINRA has relied on in pursuing enforcement actions accusing member firms of publicizing or circulating inflated trading activity.
The Report highlights certain recent findings, including firms having inadequate WSPs, not establishing surveillance controls designed to capture manipulative trading, and not establishing and maintaining a surveillance system reasonably designed to monitor for potentially manipulative trading.
Communications With the Public: As in previous years, the Report details the content standards prescribed for three categories of firm written communications: correspondence, retail communications and institutional communications.
The Report also presents findings on an emerging trend: retail communications focused on registered index-linked annuities (RILAs). FINRA’s findings concerning firms’ communications related to RILAs mirror many of the common findings in connection with other types of investments. For example, FINRA has found that firms have failed to adequately explain how RILAs function and the meaning of specialized terms that are specific to RILAs, as well as finding that firms have made inadequate disclosures of the risks, fees and charges associated with RILAs.
The Report also contains a new focus on firms’ communications made through social media and generative AI. In particular, it recommends that firms ensure that communications made with the assistance of generative AI (including chatbot communications used with investors) are appropriately supervised and retained. Similarly, the Report cautions that firms must maintain systems, including WSPs, reasonably designed to supervise communications disseminated on the firm’s behalf by influencers on social media.
The Report’s findings and observations are intended to serve as a guide for member firms to assess their current compliance, supervisory, and risk management programs and note any perceived deficiencies that could result in scrutiny by FINRA. Member firms are encouraged to focus on the findings, observations and effective practices relevant to their respective business models.
The NIH IDC – Where Are We Now
On February 7, the National Institutes of Health (“NIH”) issued a Notice (NOT-OD-25-068) entitled “Supplemental Guidance to the 2024 NIH Grants Policy Statement: Indirect Cost Rates” (the “Notice”), though which NIH announced the adoption of a uniform indirect cost rate (“IDC Rate”) of 15% applicable to all new grants, and to existing grants awarded to Institutions of Higher Education (“IHEs”) – encompassing the vast majority of postsecondary educational institutions in the United States – as of the date the Notice was issued (February 7, 2025). The Notice also indicates the policy will apply for “all current grants for go forward expenses from February 10, 2025 as well as for all new grants issued.”
The Notice, as written and supported by underlying regulations, appears to apply the 15% IDC Rate to existing awards only for IHE recipients (see the Notice’s acknowledgment that “NIH may deviate from the negotiated rate both for future grant awards and, in the case of grants to institutions of higher education (“IHEs”), for existing grant awards. See 45 CFR Appendix III to Part 75, § C.7.a; see 45 C.F.R. 75.414(c)(1).” (emphasis added)). However, there is some ambiguity in the wording and existing non-IHE awardees should be prepared for a possibly broader read by the NIH. The IDC Rate covers “facilities” and “administration” costs of the grantee institution. As a general matter, an institution’s IDC Rate is pre-negotiated and although the NIH cited 27-28% as the average negotiated IDC Rate, it has been reported that many institutions negotiate upwards of 50-60%, with some even as high as 75%.
The NIH justified its action under 45 C.F.R. § 75.414(c)(1), pursuant to which “[a]n HHS awarding agency may use a rate different from the negotiated rate for a class of Federal awards or a single Federal award only when required by Federal statute or regulation, or when approved by a Federal awarding agency head or delegate based on documented justification as described in paragraph (c)(3) of this section.” Paragraph (c)(3) goes on to require that “[t]he HHS awarding agency must implement, and make publicly available, the policies, procedures and general decision-making criteria that their programs will follow to seek and justify deviations from negotiated rates.” Presumably the NIH is taking the position that this Notice serves as the publication of the criteria it will follow (and is following in real time through the Notice) to seek and justify this likely downward deviation from already negotiated rates held by grantee institutions for existing awards.
The NIH Notice was challenged in two different motions for temporary restraining orders (“TRO”): one filed by a collection of State Attorneys General (see Commonwealth of Massachusetts vs. National Institutes of Health, Case # 1:25-cv-10338) and the other by the Association of American Medical Colleges and other similar associations (Case # 1:25-cv-10340). The motions are based on several similar arguments: (1) the indirect rate change is arbitrary and capricious, (2) the rate change violates Section 224 of the Further Consolidated Appropriations Act, 2024, (3) NIH failed to comply with its own regulations for indirect cost rates, (4) NIH has no authority to make retroactive changes to indirect cost rates, and (5) notice and comment procedures are required because this is a substantive change because it imposes a new obligation that did not exist previously.
On February 10, the District Court for the District of Massachusetts granted the State Attorneys General’s request and entered a TRO blocking the implementation, application, and enforcement of the Notice within the Plaintiff States (i.e., within Massachusetts, Illinois, Michigan, Arizona, California, Connecticut, Colorado, Delaware, Hawaii, Maine, Maryland, Minnesota, Nevada, New Jersey, New Mexico, New York, North Carolina, Oregon, Rhode Island, Vermont, Washington and Wisconsin) until further order is issued by the Court. A hearing date has been set for February 21, 2025 at 10 a.m.
In a separate ongoing litigation, State of New York v. Trump (C.A. No. 25-cv-39-JJM-PAS), the District Court of Rhode Island issued a TRO on January 31, 2025, prohibiting the Defendants from freezing federal funding based on the Trump administration’s Executive Orders or the OMB Memorandum M-24-13 dated January 27, 2025 (“Temporary Pause of Agency Grant, Loan, and Other Financial Assistance Programs”). On February 10, 2025, the same day as the motions to block the NIH’s uniform IDC, the judge in that matter, Chief Judge John J. McConnell, Jr. issued an Order to enforce the funding-freeze TRO in response to Plaintiff’s emergency motion, indicating that the Defendants must take certain steps to both restore funding and refrain from further violation of the TRO. Some media outlets have reported this Order as also blocking the NIH’s Notice related to IDCs. It is unclear at this time whether the NIH’s action in the Notice could be deemed to fall within the scope of the Executive Orders or the OMB Memo, and it does not appear this argument was made in the two motions for TROs brought against the NIH on February 10, 2025. That said, it is possible a cognizable claim could be made that the NIH’s actions constitute an attempt to cut off funding under another “name or title,” which was explicitly incorporated into the TRO issued by Judge McConnell (“Defendants shall also be restrained and prohibited from reissuing, adopting, implementing, or otherwise giving effect to the OMB Directive under any other name or title or through any other Defendants (or agency supervised, administered, or controlled by any Defendant), such as the continued implementation identified by the White House Press Secretary’s statement of January 29, 2025.”).
Given the NIH’s Notice and the various ongoing litigations, Institutions will also have to carefully evaluate their approach to submitting new grant applications and administering current awards.
Australia’s Proposed Scams Prevention Framework
In response to growing concerns regarding the financial and emotional burden of scams on the community, the Australian government has developed the Scams Prevention Framework Bill 2024 (the Bill). Initially, the Scams Prevention Framework (SPF) will apply to banks, telecommunications providers, and digital platform service providers offering social media, paid search engine advertising or direct messaging services (Regulated Entities). Regulated Entities will be required to comply with obligations set out in the overarching principles (SPF Principles) and sector-specific codes (SPF Codes). Those failing to comply with their obligations under the SPF will be subject to harsh penalties under the new regime.
Why Does Australia Need a SPF?
Australian customers lost AU$2.7 billion in 2023 from scams. Whilst the monetary loss from scams is significant, scams also have nonfinancial impacts on their victims. Scams affect the mental and emotional wellbeing of victims—victims may suffer trauma, anxiety, shame and helplessness. Scams also undermine the trust customers may have in utilising digital services.
Currently, scam protections are piecemeal, inconsistent or non-existent across the Australian economy. The SPF is an economy-wide initiative which aims to:
Halt the growth in scams;
Safeguard the digital economy;
Provide consistent customer protections for customers engaging with Regulated Entities; and
Be responsive and adaptable to the scams environment.
What is a Scam?
A scam is an attempt to cause loss or harm to an individual or entity through the use of deception. For example, a perpetrator may cause a target to transfer funds into a specified bank account by providing the target with what appears to be a parking fine. However, financial loss caused by illegal cyber activity such as hacking would not be a scam as it does not involve the essential element of deception.
SPF Principles
The Bill sets out six SPF Principles which Regulated Entities must comply with. The SPF Principles will be enforced by the Australian Competition and Consumer Commission (ACCC) as the SPF General Regulator.
The SPF Principles are outlined in table 1 below.
SPF Principle
Description
1. Governance
Regulated Entities are required to ‘develop and implement governance policies, procedures, metrics and targets to combat scams’. In discharging their obligations under this principle, entities must develop and implement a range of policies and procedures which set out the steps taken to comply with the SPF Principles and SPF Codes. The ACCC is expected to provide guidance on how an entity can ensure compliance with their governance obligations under the SPF.
2. Prevent
Regulated Entities must take reasonable steps to prevent scams on or relating to the service they provide. Such steps should aim to prevent people from using the Regulated Entity’s service to commit a scam, as well as prevent customers from falling victim to a scam. This includes publishing accessible resources which provide customers with information on how to identify scams and minimise their risk of harm.
3. Detect
Regulated Entities must take reasonable steps to detect scams by ‘identifying SPF customers that are, or could be, impacted by a scam in a timely way’.
4. Report
Where a Regulated Entity has reasonable grounds to suspect that a ‘communication, transaction or other activity on, or relating to their regulated service, is a scam’, it must provide the ACCC with a report of any information relevant to disrupting the scam activity. Such information is referred to as ‘actionable scam intelligence’ in the SPF.
Additionally, if requested by an SPF regulator, an entity will be required to provide a scam report. The appropriate form and content of the report is intended to be detailed in each SPF Code.
5. Disrupt
A Regulated Entity is required to take ‘reasonable steps to disrupt scam activity on or related to its service’. Any such steps must be proportionate to the actionable scam intelligence held by the entity. As an example, for banks, appropriate disruptive activities may include:
Contacting customers to warn them of popular scams;
Introducing confirmation of payee features on electronic banking services; and
Placing a hold on payments directed to an account associated with scam activity to allow the bank time to contact the customer and provide them with information about the suspected scam.
6. Respond
Regulated Entities are required to implement accessible mechanisms which allow customers to report scams and establish accessible and transparent internal dispute resolution processes to deal with any complaints. Additionally, Regulated Entities must be a member of an external dispute resolution scheme authorised by a Treasury Minister for their sector. The purpose of such an obligation is to provide an independent dispute resolution mechanism for customers whose complaints have not been resolved through initial internal dispute resolution processes, or where the internal dispute resolution outcome is unsatisfactory.
Table 1
What are ‘Reasonable Steps’?
We expect that SPF Codes will provide further clarification regarding what will be considered ‘reasonable steps’ for the purposes of discharging an obligation under the SPF Principles. From the explanatory materials, it is evident that whether reasonable steps have been taken will depend on a range of entity-specific factors including, but not limited to:
The size of the Regulated Entity;
The services of the Regulated Entity;
The Regulated Entity’s customer base; and
The specific types of scam risk faced by the Regulated Entity and their customers.
Disclosure of Information Under the Reporting Principle
As indicated in table 1 above, the SPF reporting principle requires disclosure of information to the SPF regulator. It is clear from the explanatory materials that, to the extent this reporting obligation is inconsistent with a legal duty of confidence owed under any ‘agreement or arrangement’ entered into by the Regulated Entity, the SPF obligation will prevail. However, it is not expressly stated how this obligation will interact with statutory protections of personal information.
The Privacy Act 1988 (Cth) (Privacy Act) imposes obligations regarding the collection, use and disclosure of personal information. Paragraph 6.2(b) of Schedule 1 to the Privacy Act allows an entity to use or disclose information for a purpose other than which it was collected where the use or disclosure is required by an Australian law. Arguably, once the SPF is enacted, disclosure of personal information in accordance with the obligations under the reporting principle will be ‘required by an Australian law’ and therefore not in breach of the Privacy Act.
Safe Harbour Protection for Disruptive Actions
As noted in table 1, SPF Principle 5 requires entities to take disruptive actions in response to actionable scam intelligence. This may leave Regulated Entities vulnerable to actions for breach of contractual obligations. For example, where a bank places a temporary hold on a transaction, the customer might lodge a complaint for failure to follow payment instructions. To prevent the risk of such liability from deterring entities from taking disruptive actions, the SPF provides a safe harbour protection whereby a Regulated Entity will not be liable in a civil action or proceeding where they have taken action to disrupt scams (including suspected scams) while investigating actionable scam intelligence.
In order for the safe harbour protection to apply, the following requirements must be met:
The Regulated Entity acted in good faith and in compliance with the SPF;
The disruptive action was reasonable and proportionate to the suspected scam;
The action was taken during the period starting on the day that the information became actionable scam intelligence, and ending when the Regulated Entity identified whether or not the activity was a scam, or after 28 days, whichever was earlier; and
The action was promptly reversed if the Regulated Entity identified the activity was not a scam and it was reasonably practicable to reverse the action.
The assessment of whether disruptive actions were proportionate will be determined on a case-by-case basis. However, relevant factors may include:
The volume of information received or available;
The source of that information; and
The apparent likelihood that the activity is associated with a scam.
SPF Codes
As a ‘one-size-fits-all’ approach across the entire scams ecosystem is not appropriate, the SPF provides for the creation of sector-specific codes. These SPF Codes will set out ‘detailed obligations’ and ‘consistent minimum standards’ to address scam activity within each regulated sector. The SPF Codes are yet to be released.
It is not clear whether the SPF Codes will interact with other industry codes and, if so, how and which codes will prevail.
It appears from the explanatory materials that the SPF Codes are intended to impose consistent standards across the regulated sectors. It is unclear whether this will be achieved in practice or whether there will be a disproportionate compliance burden placed on one regulated sector in comparison to other regulated sectors. For example, because banks are often the ultimate sender/receiver of funds, will they face the most significant compliance burden?
SPF Regulators
The SPF is to be administered and enforced through a multiregulator framework. The ACCC, as the General Regulator, will be responsible for overseeing the SPF provisions across all regulated sectors. In addition, there will be sector-specific regulators responsible for the administration and enforcement of SPF Codes.
Enforcement
The proposed Bill sets out the maximum penalties for contraventions of the civil penalty provisions of the SPF.
There are two tiers of contraventions, with a tier 1 contravention attracting a higher maximum penalty in order to reflect that some breaches would ‘be the most egregious and have the most significant impact on customers’. A breach will be categorised based on the SPF Principle contravened as indicated in table 2 below.
Tier 1 Contravention
Tier 2 Contravention
SPF principle 2: prevent
SPF principle 4: detect
SPF principle 5: disrupt
SPF principle 6: respond
An SPF Code
SPF principle 1: governance
SPF principle 3: report
Table 2
In addition to the civil penalty regime, other administrative enforcement tools will be available including:
Infringement notices;
Enforceable undertakings;
Injunctions;
Actions for damages;
Public warning notices;
Remedial directions;
Adverse publicity orders; and
Other punitive and nonpunitive orders.
New Consumer Financial Protection Bureau Acting Director Expands Freeze to All CFPB Activities; CFPB Office Closes
We previously reported that Treasury Secretary Bessent was named as the acting director of the Consumer Financial Protection Bureau (CFPB), and he subsequently ordered the CFPB staff to halt several activities. However, the situation at the CFPB remains in flux, with more changes occurring over the weekend.
On Friday, February 7, 2025, President Trump named newly confirmed director of the Office of Management and Budget, Russell Vought, as acting director of the CFPB.
On Saturday, February 8, 2025, Director Vought expanded the “freeze” of activities to halt all work, including examination and supervision activities and stakeholder engagement. The Trump Administration also canceled the CFPB’s next funding draw from the Federal Reserve.
As of Monday, February 10, 2025, the CFPB’s headquarters in Washington, D.C., has been closed for the week, and staff have been directed to stop all work.
What Should Financial Institutions Expect?
The situation at the CFPB is evolving quickly. However, as we discussed in our previous CFPB update, financial institutions should continue to comply with all applicable laws and regulations and to remember that many requirements enforced by the CFPB may also be enforced by other governmental authorities, including state regulators.
We anticipate legal challenges to the freeze as well as increased state regulatory activity. We will continue to monitor the situation at the CFPB and will provide updates as appropriate.
Insurance Premium Finance Exemption — Maryland Commercial Finance Disclosure Legislation
Maryland recently introduced Commercial Finance Disclosure Law (“CFDL”) legislation in both the House (HB 693) and Senate (SB 754), following a path of other states with laws requiring consumer-like disclosures in certain commercial loans. Maryland has introduced similar legislation in the past but has not yet garnered sufficient support to reach the Governor’s desk.
This legislative session, the sponsors of these bills have added an additional exemption from the law’s application should it be enacted. The bills include an exemption for, among other types of loan products, commercial financing transactions that are insurance premium finance loans. Insurance premium financing loans are short-term, secured loans that enable businesses to purchase insurance coverage. Businesses of all sizes obtain commercial, property, casualty, and liability insurance policies to mitigate operational risk and to protect their interests and those of their customers. While some businesses may choose to pay insurance premiums in full at the time of purchase, others either do not have sufficient funds to pay the premiums in full up front or prefer to finance the premiums permitting other uses of capital. The majority of states regulate insurance premium financing transactions, including Maryland.
This additional CFDL exemption appears appropriate. Insurance premium finance transactions are extensively regulated by the Maryland Department of Insurance and subject to laws that mandate the disclosure of financial terms. (Md. Code Ann., Ins., §§ 23-101 et seq.) Current insurance premium finance law in Maryland requires the disclosure of loan related information in the insurance premium finance agreement itself, including: (i) the total amount of the premiums under the policies purchased; (ii) the amount of the down payment on the loan; (ii) the principal balance; (iii) the amount of the finance charge; (iv) the balance payable by the insured; (v) the number of installments required, the amount of each installment expressed in dollars, and the due date or period of each installment; (vi) any electronic payment fee; and (vii) prepayment particulars. Substantially similar disclosures contemplated under the proposed CFDL bills are required under existing Maryland law regulating insurance premium finance loans. Imposing CFDL standards for insurance premium finance transactions, when already required by other Maryland law, appears redundant and unnecessary. Further, application of multiple disclosure laws could potentially present conflicting obligations for insurance premium finance companies, duplicative regulation by multiple administrative departments, and inconsistent information for borrowers when comparing insurance premium finance loans.
SEC Announces One-Year Extension for Rule 13f-2, Form SHO Compliance
Highlights
Institutional investment managers covered by Rule 13f-2 monthly short reporting requirements now have an extra year to get ready
The SEC’s exemptive order pushes back the initial Form SHO filing deadline from Feb. 14, 2025, to Feb. 17, 2026
The extension gives managers time to digest the Form SHO technical specs and may be an opportunity for the SEC to answer questions about form’s reporting scope
Institutional investment managers who were preparing to file their initial Form SHO on Feb. 14, 2025, have been granted a one-year reprieve.
On Feb. 7, the Securities and Exchange Commission (SEC) announced a temporary exemption from compliance with Rule 13f-2 under the Securities Exchange Act and its associated Form SHO reporting requirement. Originally, a manager’s initial Form SHO was due on Feb. 14, 2025, and would have covered the January 2025 monthly reporting period. Now, the initial Form SHO will be due on Feb. 17, 2026, and will cover the January 2026 monthly reporting period.
Rule 13f-2 requires institutional investment managers that meet or exceed specified short position thresholds with regard to certain equity securities to file Form SHO with the SEC. That filing is due within 14 calendar days after the end of each calendar month.
The one-year compliance exemption is responsive to several industry groups’ requests for more time to become operationally and technologically prepared for Form SHO reporting. In particular, the SEC exemptive order recognizes that commencing reporting in February 2025 as originally planned would not have given managers much time to digest the SEC’s recent Form SHO XML technical specifications and EDGAR Filer Manual updates, which were published only in mid-December 2024.
It remains to be seen whether the SEC will use the compliance interim to provide clarity on the numerous Form SHO interpretive issues raised by market participants to date, including questions about the intended range of equity securities subject to reporting.
U.S. Attorney General Issues Memorandum Redirecting FCPA Enforcement Away From U.S. Businesses
In a memorandum dated Feb. 5, 2025, U.S. Attorney General Pamela Bondi has instituted a novel approach to enforcing the Foreign Sovereign Immunities Act (FCPA).
The FCPA prohibits paying or offering to pay money or anything of value to a foreign official for the purpose of obtaining or retaining business. The FCPA applies to U.S. persons, domestic concerns, and issuers of securities listed on a U.S. exchange or that are required to file S.E.C. reports, as well as to foreign persons and entities that engage in foreign corrupt activity that occurs, at least in part, in or through the United States (such as by using U.S. currency). The FCPA also prohibits issuers from falsifying books and records, and from circumventing or knowingly failing to implement internal controls.
Since its enactment in 1977, the FCPA has been the impetus for international efforts to root out corruption, and has served as the model for anti-corruption legislation in many countries. The Organization for Economic Cooperation and Development’s Anti-Bribery Convention of 1997, and the United Nations Convention Against Corruption of 2003, are progeny of the FCPA.
The Attorney General’s memorandum, titled Total Elimination of Cartels and Transnational Criminal Organizations, cites President Donald Trump’s Jan. 20, 2025 directive “to revise existing national security and counter-narcotics strategies to pursue total elimination of Cartels and Transnational Criminal Organizations (TCOs).”
The memorandum sets out various directives and initiatives that target Cartels and TCOs in furtherance of that goal. In one striking phrase, however, the memorandum appears to assure non-violent FCPA offenders that they need not be concerned about being prosecuted for violating the FCPA: “The Criminal Division’s Foreign Corrupt Practices Act Unit shall prioritize investigations related to foreign bribery that facilitates the criminal operations of Cartels and TCOs, and shift focus away from investigations and cases that do not involve such a connection. Examples of such cases include bribery of foreign officials to facilitate human smuggling and the trafficking of narcotics and firearms.” (Emphasis added.)
While the use of the FCPA against Cartels and TCOs is salutary, the Attorney General’s statement assuring other offenders that they are not likely to be criminally investigated or prosecuted is, at the very least, unconventional.
Regardless, no one should assume they may violate the FCPA with impunity. The statute of limitations for criminal prosecution under the FCPA is five years for corrupt payments, and six years for violation of the books and records and internal controls provisions. An FCPA violation in 2025 is therefore subject to criminal prosecution at least until 2030, by which time a different president, possibly one with different priorities, will be in the White House.
Moreover, the S.E.C., which is not part of the Department of Justice, has civil enforcement authority over FCPA violations by issuers, which (as of now) continues unabated. Any company or person subject to the FCPA would be well-advised to abide by it, thereby acting responsibly and maintaining a positive reputation for lawful conduct.
The FCPA can raise complex and challenging issues for U.S. companies that do business in foreign countries, and for foreign companies that do business in or through the United States.
Vought’s Transformational First Few Days at the CFPB
Within approximately 48 hours, starting on the evening of Friday, February 7, 2025, the trajectory of the Consumer Financial Protection Bureau (CFPB) was significantly altered. Among other things, a new acting director was installed, a more comprehensive internal pause – one that now explicitly covers supervision, examination, and enforcement activities – was put in place, the new acting director publicly stated that the CFPB would not be seeking any additional funding for the third quarter of the 2025 fiscal year and the CFPB’s Washington, D.C. headquarters were closed for a week.
President Donald Trump initially tapped newly confirmed Treasury Secretary Scott Bessent to also temporarily replace Rohit Chopra as the director of the CFPB. In a surprising move, exactly one week later, the Wall Street Journal reported that Bessent had been replaced by Russell Vought to serve as acting director. Like Bessent before him, Vought is simultaneously serving two roles in the Trump administration. On Thursday, February 6, 2025, the day before being designated as the acting director of the CFPB, Vought was confirmed by the Senate to lead the Office of Management and Budget (OMB). When Bessent was designated to be the CFPB’s acting director, we explained how the Federal Reform Vacancies Act imposes limits on who can serve in an acting capacity as the director of an executive agency. Like Bessent, Vought now checks the right boxes by having been confirmed by the Senate to lead the OMB.
Although Trump has not yet issued any official statements regarding the appointment, Vought sent an email to all CFPB staff Saturday evening notifying them of the move. That email echoed what Bessent reportedly told the CFPB staff a week earlier, directing an internal pause on most, if not all, activities at the agency. However, Vought’s email goes even further than Bessent’s, purportedly including specific instructions for the CFPB to “cease any pending investigations,” and “[c]ease all supervision and examination activity.” Once again, it will be important to monitor whether these are temporary pauses or whether they signal a more permanent wind-down of the CFPB’s activities.
Next, on the evening of Saturday, February 8, 2025, acting director Vought published a message on X (formerly known as Twitter) summarizing a letter that he sent the same day to Federal Reserve Chairman Jerome Powell regarding the CFPB’s funding. His post explained that “the CFPB will not be taking its next draw of unappropriated funding,” and that the “Bureau’s current balance of $711.6 million is in fact excessive in the current fiscal environment.” His letter to Powell also states that he has also “determined that no additional funds are necessary to carry out the authorities of the Bureau for Fiscal Year 2025.”
As a quick refresher, the CFPB’s funding structure is set forth in the Consumer Financial Protection Act. Specifically, the director of the CFPB is to request from the Federal Reserve an “amount determined . . . to be reasonably necessary to carry out the authorities of the Bureau under Federal consumer financial law, taking into account such other sums made available to the Bureau from the preceding year (or quarter of such year).” The CFPB spent a total of $729.4 million in fiscal year 2024, and former director Chopra requested and received $248.9 million and $245.1 million for the first and second quarters of fiscal year 2025, respectively. Vought’s social media post suggests that the $711.6 million the CFPB currently has is enough for it to fulfill its duties for the remainder of fiscal year 2025.
Interestingly, the letter from Vought to Powell also notes that prior CFPB administrations have chosen to maintain a “reserve fund,” though no such fund is required by law. Vought’s letter commits to ceasing that practice and states that “[t]he Bureau’s new leadership will run a substantially more streamlined and efficient bureau . . . and do its part to reduce the federal deficit.”
As if that all weren’t enough, on the evening of Sunday, February 9, 2025, acting director Vought reportedly emailed all CFPB staff again and this time informed them that the agency’s headquarters in Washington, D.C. would be closed this upcoming week and that all employees should work remote. This has led many to wonder whether the CFPB’s headquarters are being permanently shuttered, whether the closure is somehow related to the ongoing review of the CFPB that is being conducted by the Department of Government Efficiency (DOGE) or whether there is some other reason to justify a temporary closure. After a hectic weekend filled with CFPB-related developments, the future of the agency is uncertain at best. We will continue to monitor for future developments that impact our clients and report on them here.
Listen to this post