Regulatory Oversight Blog

Make sure to visit Troutman Pepper Locke’s Regulatory Oversight blog to receive the most up-to-date information on regulatory actions and subscribe to our mailing list to receive a monthly digest.

Regulatory Oversight will provide in-depth analysis into regulatory actions by various state and federal authorities, including state attorneys general and other state administrative agencies, the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC). Contributors to the blog will include attorneys with multiple specialties, including regulatory enforcement, litigation, and compliance.


New Team Member 

Troutman Pepper Locke Bolsters Regulatory Investigations, Strategy and Enforcement Practice Group With Highly Accredited Regulatory Partner Luis A. Reyes

AUSTIN – Luis A. Reyes, a regulatory attorney and former high-ranking government official, has joined Troutman Pepper Locke as a partner in its nationally recognized Regulatory Investigations, Strategy and Enforcement (RISE) Practice Group. With more than two decades of experience providing counsel to clients and public service at the White House, Department of Justice, and other federal and state agencies, Reyes bolsters the firm’s service offerings in Texas and nationally.


Troutman Pepper Locke Spotlight

2024 State AG Year in Review

State attorneys general (AGs) continue to play a pivotal role as innovators, shaping the regulatory environment by leveraging their expertise and resources to influence policy and practice. The public-facing nature of AG offices across the U.S. compels them to respond to constituent concerns on abbreviated timetables. This political sensitivity, combined with the AGs’ authority to address both local and national issues, underscores their significant influence in the current regulatory environment.

Troutman Pepper Locke Partner Ashley Taylor Co-Edits ABA Book on Consumer Protection and the Rise of State Attorney General Enforcement

Ashley L. Taylor, Jr., co-leader of Troutman Pepper Locke’s nationally ranked State Attorneys General Practice, co-edited a new book published by the American Bar Association titled Consumer Protection: Understanding Enforcement Actions Brought by State Attorneys General. Given the growing regulatory power of state attorneys general in highly regulated industries, companies are at risk of bet-the-company government investigations, enforcement actions, and high-stakes litigation.


Podcast Updates

Behind the Scenes: The Role of Senior Staff in AG Offices

In this episode of Regulatory Oversight, Chuck Slemp welcomes Lacey Mase, the chief deputy attorney general (AG) of Tennessee, to explore the inner workings of an AG’s office and the pivotal role of its senior staff in driving legal and policy outcomes.

The Growing Role of State AGs in AI Regulatory & Enforcement Issues

Join Troutman Pepper Locke Partner Brett Mason for a podcast series analyzing the intersection of artificial intelligence (AI), health care, and the law.

Understanding Georgia’s Civil Justice Climate With Commissioner John King

In this episode of Regulatory Oversight, David B. Dove, leader of our firm’s Regulatory and Economic Investment Practice in Georgia, is joined by Georgia Insurance Commissioner John King to discuss his office’s recent report analyzing Georgia’s civil justice climate.


State AG Regulatory Landscape

Predicting Where State AGs Will Direct Their Attention in 2025

Published in Law360 on January 22, 2025. © Copyright 2025, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.

In the first installment of this two-part article, state attorneys general across the U.S. took bold action in 2024 to address what they perceived as unlawful activities by corporations in several areas, including privacy and data security, financial transparency, children’s internet safety, and other overall consumer protection claims.

Looking Back at 2024’s Noteworthy State AG Litigation

Published in Law360 on January 15, 2025. © Copyright 2025, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.

State attorneys general across the U.S. took bold steps in 2024 to address unlawful activities by corporations in several areas, including privacy and data security, financial transparency, children’s internet safety, and other overall consumer protection claims.


Technology Updates

The AGA: Bipartisan Collaboration and Tackling AI Challenges

In a recent interview, Karen White, the executive director of the Attorney General Alliance (AGA), discussed the organization’s impactful partnership with PBS, its involvement in the Bipartisan Leadership Project, and its proactive stance on artificial intelligence (AI). Originally a regional group, the AGA has grown into a significant force addressing complex issues through bipartisan collaboration and innovative partnerships.

Inside New Commerce Tech Restrictions: Key Risk Takeaways

This article was originally published on January 23, 2025 on Law360 and is republished here with permission.

The U.S. Department of Commerce’s Bureau of Industry and Security has issued the final rule that will determine how its Information and Communications Technology and Services regulations will work going forward.

Inside New Commerce Tech Restrictions: Mitigation Strategies

This article was originally published on January 24, 2025 on Law360 and is republished here with permission.

The U.S. Department of Commerce’s Bureau of Industry and Security has issued the final rule that will determine how its Information and Communications Technology and Services regulations will work going forward.

Missouri AG Announces New Rule for Big Tech

Missouri’s attorney general (AG) announced on X.com (formerly Twitter) that he is “issuing a rule requiring Big Tech to guarantee algorithmic choice for social media users.” [X.com post (January 17, 2025, roughly 3:35 p.m. EST)] He intends to use his authority “under consumer protection law,” known as the Missouri Merchandising Practices Act in that state, “to ensure Big Tech companies are transparent about the algorithms they use and offer consumers the option to select alternatives.” [x.com post] The Missouri AG touts this rule as the “first of its kind” in an “effort to protect free speech and safeguard consumers from censorship.” [Press release]

New Jersey AG Platkin Announces New Guidance on AI Use

On January 9, New Jersey Attorney General (AG) Matthew J. Platkin and the Division on Civil Rights (DCR) launched a new Civil Rights and Technology Initiative aimed at addressing the potential for discrimination and bias associated with artificial intelligence (AI) and other decision-making technologies. The announcement is one of many recent examples of AGs leading the development of AI regulation. The New Jersey initiative is informed by recommendations from Governor Phil Murphy’s Artificial Intelligence Task Force, which emphasized the need for public education on bias and discrimination related to AI deployment.

Oregon Issues AI Guidance for Businesses

As one of her last acts in office, on December 24, 2024, Oregon Attorney General (AG) Ellen Rosenblum issued guidance for businesses deploying artificial intelligence (AI) technologies. The guidance highlights the risks associated with the commercial use of AI, and underscores that, despite the absence of a specific AI law in Oregon, a company’s use of AI must still comply with existing laws.


Advertising and Marketing Updates

Washington AG Brown Leashes $3.75M Settlement With Puppyland Over Deceptive Advertising and Sales Practices

Washington Attorney General (AG) Nick Brown secured a $3.75 million settlement with Puppyland, known for selling purebred and mixed breed puppies, over unlawful advertising and sales practices. The settlement resolves a lawsuit filed by former AG Bob Ferguson, addressing multiple violations under the state’s Consumer Protection Act. The complaint alleged that Puppyland misrepresented the breeding standard of puppies sold; failed to honor advertised health guarantees; channeled customers into loans with interest rates approaching 200% “without adequate time to review and understand the terms;” and used nondisparagement provisions in their purchase agreements that restricted truthful online reviews.

FTC and Illinois AG Settle Matter Against Grubhub for $140M

On December 17, 2024, the Federal Trade Commission (FTC) and Illinois Attorney General (AG) Kwame Raoul settled their lawsuit against Grubhub for $140 million (Grubhub will only have to pay $25 million, with the balance suspended due to Grubhub’s inability to pay).


Health Sciences Updates

West Virginia AG Reaches $17M Settlement With Pfizer and Ranbaxy Over Antitrust and Consumer Protection Violation Claims

West Virginia Attorney General (AG) Patrick Morrisey announced a total $17 million settlement agreement with pharmaceutical companies Pfizer and Ranbaxy after more than a decade of litigation regarding the companies’ alleged “pay-for-delay” antitrust violations related to the cholesterol drug Lipitor.

HIPAA Security Rule Revamp Is on the Horizon

On January 6, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published significant proposed amendments (proposed rule) to the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Key drivers for the proposed rule include the dramatic increase in cyberattacks, including ransomware, the rapid adoption of cloud computing, mobile devices, and other technologies, and inconsistent compliance with the existing Security Rule identified by the OCR’s investigations.

New Year, New Liability for Private Equity

Newly Signed Massachusetts Law Ramps up Regulation and AG Liability for Private Equity Investments in Health Care

Private equity firms and health care companies operating in Massachusetts will now face enhanced liability risks following the recent passage and enactment of legislation regulating private equity investment in Massachusetts health care. This new law greatly expands the authority of the Massachusetts attorney general (AG) and other state health care regulators to examine the involvement of private equity funds and other “significant investors” in the state’s health care sector. Here’s what you need to know:


Telecommunications Updates

U.S. Supreme Court Declines to Overturn New York’s Affordable Broadband Act

The U.S. Supreme Court closed out 2024 by confirming states’ authority to regulate internet service providers. On December 16, 2024, the Court denied certiorari in New York State Telecommunications Association, Inc., et al. v. Attorney General Letitia James, Case No. 21-1975, allowing New York’s Affordable Broadband Act (ABA) to stand.


Tobacco Updates

Federal Appellate Court Agrees that FDA Cannot Regulate “Premium Cigars”

Yet again, the premium cigar industry has prevailed in federal court against the U.S. Food and Drug Administration (FDA). As we have previously discussed here and here, FDA appealed a federal district court decision vacating its rule (the Deeming Rule) subjecting premium cigars to the Federal Food, Drug, and Cosmetic Act, as amended by the Tobacco Control Act (TCA). On January 24, the U.S. Court of Appeals for the District of Columbia Circuit (the D.C. Circuit) issued an opinion agreeing[1] with (i) the district court’s ruling that FDA acted arbitrarily and capriciously when it sought to include premium cigars in its Deeming Rule and (ii) the district court’s vacatur of the Deeming Rule as applied to premium cigars, but it remanded the case to the district court to determine the appropriate definition of “premium cigar.” Now, the district court will reconsider the appropriate definition of “premium cigar,” which will ultimately determine the types of cigars that are not subject to the TCA and FDA’s Deeming Rule. In one potential setback for industry, the D.C. Circuit also stated that it understood the district court’s order as granting relief from user fees prospectively but that it does not read it as permitting the refunding of past user fee payments.

FDA Proposes Limiting Nicotine Levels in Cigarettes and Certain Other Combusted Tobacco Products

On January 15, the U.S. Food and Drug Administration (FDA) issued a proposed rule that would set a maximum nicotine level in combusted cigarettes and certain other combusted tobacco products.

Vape Companies Challenge Iowa’s New Vape Directory Law

On December 17, 2024, Iowans for Alternatives to Smoking & Tobacco, Inc., Global Source Distribution, LLC, and others filed a complaint[1] and motion for a preliminary injunction[2] in federal district court against the Iowa Department of Revenue (the Department) challenging Iowa House File 2677 (HF 2677), a law imposing certification and directory requirements on vapor products sold in Iowa. A hearing on the plaintiffs’ motion for a preliminary injunction is scheduled for March 5. If the court rules in the plaintiffs’ favor, it could stay enforcement of the new law until the case is ultimately resolved. While the Department was previously scheduled to publish the vapor products directory on January 2 and begin enforcement on February 3, the Department has not published the directory, and its website indicates that it will not be enforcing the directory. The Department’s website states: “Publication and enforcement of Iowa’s vapor products directory is delayed until further notice. The Department will make an additional announcement before publication and enforcement of the vapor products directory begins. During the delay, manufacturers should continue to submit certification applications.”


Cannabis Regulatory Updates

The Current Landscape of Texas Cannabis Policy and Laws: A 2025 Overview

The Texas legislative session kicked off on January 14, and cannabis policy is set to be a major topic of debate. The state, known for its conservative stance on many issues, is at a crossroads with its cannabis laws, facing both calls for stricter regulations and pushes for legalization.

Weed-ing Through the Laws: A Snapshot of US Cannabis Legislation

Marijuana legislation is continuing to evolve in the new year across jurisdictions throughout the U.S. Below, we dive into a brief survey of notable changes to marijuana legislation across the U.S. during the first three weeks of 2025.

Cannabis Rescheduling: ALJ Cancels Upcoming Hearings on Proposed Rulemaking

Hearings on the merits of the Drug Enforcement Agency’s (DEA) proposed cannabis rescheduling, initially set to begin this month, have been cancelled. The preliminary hearing period has been littered with accusations that the DEA improperly excluded certain parties from participating, that the DEA itself does not adequately support rescheduling, and that the DEA engaged in improper ex parte communications with anti-rescheduling parties.

Federal Appeals Court Deals Another Blow to Intoxicating Hemp Products in Virginia

On January 7, the U.S. Court of Appeals for the Fourth Circuit found that Virginia’s hemp product restrictions do not violate federal law. The ruling is the latest defeat for the Virginia hemp industry’s efforts to overturn Virginia S.B. 903, a law intended to prohibit the sale of intoxicating hemp products like delta-8 and delta-10 tetrahydrocannabinol (THC) gummies and beverages in the Commonwealth.


Stephanie Kozol, Senior Government Relations Manager – State Attorneys General, also contributed to this newsletter.

Our Cannabis Practice provides advice on issues related to applicable federal and state law. Marijuana remains an illegal controlled substance under federal law.

The result of the 2024 U.S. presidential election means uncertainty about future prospects for the renewable energy sector. President Donald Trump has been hostile in the past toward parts of the renewables industry – particularly wind energy – but has also indicated he views solar energy more favorably, for example.

Though Trump has been highly critical of wind turbines, he acknowledged during a speech in 2023 that he did “like the concept of solar.” Given these mixed messages about different types of renewable energy, there is considerable doubt about how the sector will be impacted by the new administration. However, despite widespread doom-mongering, the energy storage sector remains optimistic that its current growth trajectory will be largely unimpeded by the change in government.

Given the prevailing uncertainty, and in an effort to address the concerns of energy storage investors and developers, Tamarindo, in partnership with Troutman Pepper Locke, convened a panel of energy storage industry experts to discuss the following topic: ‘Post-US election, how can you maximise global energy storage investment in 2025?’ Panelists acknowledged concerns that – given Trump’s scepticism about some forms of renewable energy – there may be a roll back of the Inflation Reduction Act (IRA), including its standalone storage investment tax credit [ITC]. However, the counterargument is that Trump’s supporter base – specifically, states that voted for him in the U.S. election – has benefitted most from the IRA’s provisions and therefore the IRA will remain relatively unscathed.

Participants also heard that the storage industry is concerned about potential tariff increases on imports from China, which is the overwhelmingly dominant player in the energy storage component manufacturing sector. Tariff uncertainty has had a particularly damaging impact on the solar industry in the past and there are fears that it could have a similarly destabilising effect on energy storage.

Read the full report here.

We find ourselves in the midst of a raucous debate among sanctions practitioners about the impact of the Fifth Circuit’s recent decision upholding a challenge against the sanctions the Office of Foreign Assets Control (OFAC) imposed on Tornado Cash, a cryptocurrency “mixer.” Does this case presage a sea change in how OFAC’s sanctions will apply to new technologies that may not clearly fall within the bounds of the agency’s 1970s-era statutory authority? Or is the Fifth Circuit’s ruling likely to be overturned, merely a statement of the obvious, so unclear as to have minimal real world impacts, or otherwise just a blip in the decades-long trend of judicial deference to OFAC?

This article unpacks the Tornado Cash decision, puts it in context with other similar cases that are also working their way through the courts, and tries to predict what the future may hold for challenging OFAC sanctions that target new types of technology.

But first, by way of brief background in a complicated saga, Tornado Cash is a software program that mixes cryptocurrency in various ways to help promote the anonymity of its users. It was initially created and managed by a “decentralized autonomous organization” (DAO), which later released it into the wild to operate independently in the form of an “immutable smart contract,” which now performs the crypto mixing in an automated manner, without any human involvement or control.

Epitomizing the Wild West of the digital world, Tornado Cash was sanctioned by OFAC in 2022 for facilitating money laundering by North Korean hackers among others. The Fifth Circuit decision stems from a challenge against the sanctions brought by a group of Tornado Cash users. The district court in Texas had initially thrown out their case against OFAC, which sought to kill the sanctions. That trial court showed traditional deference to OFAC’s broad interpretation of IEEPA, the statute authorizing the agency to impose these sanctions, thereby finding that OFAC did have the power to sanction Tornado Cash.

This is a case about statutory interpretation and the scope of OFAC’s authority under IEEPA. In targeting Tornado Cash, OFAC had already indicated that they were not sanctioning mere code or limiting anyone’s First Amendment rights to code the day away. Rather, the sanctions applied to what OFAC found to be a thing that exists and that they called “the entity Tornado Cash,” i.e., the DAO, as well as associated virtual currency wallet addresses and a website (which is no longer on the Internet, but is apparently still accessible for those with useful skills). The district court agreed with OFAC that there is an “entity” that is associated with the Tornado Cash smart contracts and so upheld the sanctions.

But on appeal the Fifth Circuit right off the bat made clear its discomfort with the “sweeping delegated power” that OFAC has long enjoyed under IEEPA. Rather than focusing on whether Tornado Cash can be considered an “entity” that can be sanctioned, the appeals court cut right to the heart of OFAC’s authority under IEEPA, questioning whether this mixer, and in particular its “open-source computer code in the form of ‘immutable smart contracts,'” can be considered “property” under IEEPA that can be subject to OFAC’s “blocking” sanctions. The upshot of this analysis is that, even if an “entity” called Tornado Cash can be sanctioned in name, if it has no “property” that can be “blocked,” the sanctions would have no effect.

After trudging through a morass of technical detail about how Tornado Cash’s “immutable smart contracts” work, the Fifth Circuit found that OFAC had colored outside the lines set by IEEPA and granted the challengers’ motion for summary judgment. Specifically, the court found that this code can no longer be considered “property” since it has been unleashed into the wilds by the DAO and made “immutable,” as from that time on the Tornado Cash smart contract has been “unownable, uncontrollable, and unchangeable — even by its creators.”

This was a bold 180-degree turn by the appeals court. Many observers have since expressed alarm that the Fifth Circuit focused on such a technical analysis in seemingly brushing aside many decades of near-total judicial deference to OFAC, shackling this small but mighty agency in its critical national security mission. Viewed from this perspective, some have predicted that the case will trigger a tsunami of successful sanctions challenges in the future whenever a new technology does not clearly fit within OFAC’s IEEPA authorities, whereas courts traditionally have only been willing to dip their toes ever so gingerly into this highly sensitive world of national security targeting.

Those who believe the Fifth Circuit’s ruling has set the high-water mark for the almost complete deference that the federal courts have long shown to OFAC point to the court’s invocation of “the L word” (earmuffs for the DOJ readers: Loper Bright), a recent Supreme Court case overturning the longstanding Chevron doctrine of judicial deference to agency rulemakings when the underlying statute is ambiguous. To be sure, there are aspects of this decision that would have sent chills down the spines of the typically fearless attorneys in the Justice Department’s Federal Programs Branch. This is perhaps the first time that a federal court has used “the L word” in a national security case, as judges approximately 99.9% of the time in such cases allow the government to tell the court what the law is rather than doing their Marbury v. Madison duty. But the Fifth Circuit has gone back to that 1803 Supreme Court classic, and on its venerable foundation declared that definitions are to be found in dictionaries, and not in the minds of OFAC’s attorneys.

With that bold principle, they scoured the pages of not one, not two, but SIX dictionaries to arrive at the remarkable conclusion that “property has a plain meaning: It is capable of being owned.” In essence, the court came to the realization that, “because the software continues to operate regardless of the sanctions,” ipso facto and res ipsa loquitur it cannot be sanctioned. (While the court did not adorn this conclusion with such magic words, it may have been well-advised to do so, lest its authority be questioned by future generations of litigants.) Because a “trusted setup ceremony” was held in which these contracts were made immutable by “irrevocably remov[ing] the option for anyone to update, remove, or otherwise control those lines of code,” the contracts were deemed not to be “property” and thus beyond the reach of OFAC. (Scholars will continue to debate to what extent the nature of the “ceremony” motivated this finding, but a strong recommendation may be that if ever one is considering creating an immutable smart contract that may attract the ire of OFAC to do so as ceremoniously as one can bear.)

Despite the court’s huffing and puffing and blowing down OFAC’s lovingly stacked house of cards, another perspective is that this ruling may have little or no effect in the real world. One may even say this could all end up being nothing more than shadow boxing in response to a sanctions action that was doomed to be ineffective from the outset, after OFAC fired its biggest bazooka into the void of the digital world.

Since this code beast called Tornado Cash has been roaming the digital wilds with its leash cut, after having been freed by the DAO and made “immutable,” it effectively cannot be stopped. It has continued to mix crypto since OFAC hit it with the U.S. government’s largest sanctions sledgehammer — being listed as a Specially Designated National (SDN). An SDN designation is often a death sentence for international operators, particularly in the financial sector, but not so much in the libertarian paradise of crypto. Just look at how Garantex, the Russian crypto exchange that OFAC put on the SDN list more than two years ago, continues to make waves in the sanctions and money laundering world. They are surely entertained at Federation Tower in Moscow, where apparently many such organizations have been based.

So the skeptics say that the Fifth Circuit’s decision is a meaningless aberration, not a paradigm shift, and simply states the obvious: that these sanctions cannot be allowed to take effect because they cannot practically speaking have any effect over software code that nobody controls.

Moreover, it is not immediately clear what OFAC is supposed to do now that this ruling has come down. OFAC may not actually need to remove Tornado Cash from the SDN list, because all the court held was that Tornado Cash’s immutable smart contracts are not “property” and therefore that particular code cannot be regulated by OFAC. That does not necessarily mean that “the entity Tornado Cash,” if that is even a thing, or its wallets or URLs, need to be delisted. Indeed, if “the entity Tornado Cash” were ever in the future to have any “interest” in any “property” of “any nature whatsoever,” that “property” would then be subject to these sanctions if the entity remains on the list. Most things have property of some nature at some point, so OFAC may not want to take down this sword of Damocles just yet. For example, “the entity Tornado Cash” has crypto wallets, which OFAC, having laid claim to, surely will not want to relinquish. Perhaps most importantly, if “the entity Tornado Cash” determined, in its robot wisdom, that the current mixer is not mixing just right and needs to be tweaked, the wizards behind the curtain would need to run the OFAC gauntlet in order to do so — if they were to change the code, i.e., create a new “mutable smart contract,” this Fifth Circuit decision may not apply and the OFAC prohibitions may kick in.

So what does this ruling do? It says that OFAC cannot sanction the current immutable smart contracts, which were not much impacted by these sanctions in the first place. But it is certainly far from clear that U.S. persons are free to use Tornado Cash now that the Fifth Circuit has sent OFAC home with its tail between its legs. The mixer fans who brought this case may ultimately not have much to show for it beyond the headlines. For instance, a user would be well advised to consider if their own coins that they may throw into the mixer would become “blocked” under OFAC’s regulations based on Tornado Cash possibly having an “interest” in that “property” after it mixes the coins and sends them back out in altered form. Oh, and by the way, non-U.S. persons could face the risk of “secondary sanctions” should they provide “support” for the Tornado Cash “entity,” in which case they too may find themselves on the SDN list. It is also worth noting that if anyone anywhere were to act “willfully” (careful with those emails and texts!) and with a U.S. nexus in supporting a sanctioned crypto mixer that the government would prefer not exist, they may get an unpleasant 5 a.m. rousing by windbreaker-wearing, gun-toting U.S. federal agents (or any number of their global network of friends and collaborators). IEEPA carries stiff criminal penalties.

There is no question in the mind of any reasonable observer that the Fifth Circuit’s decision was a major generator of high fives, bead throwing, and the like for the court clerks in New Orleans — it’s not every day after all that attorneys get to give such a smackdown to the U.S. government in enforcing its core national security authorities by citing “Geeks for Geeks” and Satoshi Nakamoto. But it is quite possible that its impact ultimately may not be felt much beyond Bourbon Street. Of course, this remains to be seen.

The biggest question mark still lurking is how other similar court cases will go, as this Fifth Circuit decision will not be the federal courts’ last word on whether this digital beast has once and for all escaped OFAC’s clutches. In addition to the criminal cases being heard in Manhattan against “the Romans” (Storm and Semenov), who are alleged to have entered into a money laundering and sanctions evasion conspiracy by developing Tornado Cash, the Eleventh Circuit is hearing arguments that closely resemble the Fifth Circuit case, similarly brought to them by another set of Tornado Cash users.

The defendants in Manhattan have already filed new briefs arguing that the Fifth Circuit decision is sufficient for the charges to be dropped that they conspired to violate IEEPA by creating Tornado Cash. However, different standards will apply in that criminal case, which is also distinguishable in that it focuses on the initial development of these smart contracts and whether that was done knowing that it would lead to sanctions circumvention, rather than whether OFAC currently has the authority to add Tornado Cash to the SDN list and block its “property.” So the key case to watch at this point is in the Eleventh Circuit.

Just as the Texas district court and the Fifth Circuit approached the Tornado Cash case from rather different angles, the very similar Eleventh Circuit case challenging these sanctions also appears to have a distinct focus. The government filed a brief to the Eleventh Circuit on December 13, 2024, which contends that the Fifth Circuit case is not directly relevant, because the Eleventh Circuit proceedings have focused on whether Tornado Cash has any “interest” in these smart contracts, rather than whether they meet the definition of “property.” But the government also addressed the Fifth Circuit ruling head-on, asserting that the Eleventh Circuit should defer to OFAC’s view that the Tornado Cash smart contracts are “property” that can be sanctioned under IEEPA. Seeking to demonstrate the high stakes involved, the government’s brief points out that, if OFAC cannot sanction Tornado Cash, it may not be able to sanction any automated software or related services. This could call into question OFAC’s authority to regulate much of the financial activity in the modern world that occurs in an automated manner. The government argues that the highly technical “property” debate that was central to the Fifth Circuit’s decision is a red herring, and that the Eleventh Circuit should instead focus on the broader view that this mixer provides a “service” that can be regulated by OFAC, even if no “human effort” powers it.

It is anyone’s guess which way the Eleventh Circuit case may go. One thing that is clear, though, is that if a circuit split were to emerge, the government will contend that such a split is untenable for a federal regulatory program in so sensitive a national security area. In that case, we can expect the Supreme Court to step in and lay down the law, whatever that may be. Given the controversy that the Loper Bright decision itself has already stirred up, the Supreme Court may be cautious about throwing a similar bomb into the typically far more judicially stable national security arena.

Even the Fifth Circuit judges drew a distinction between Tornado Cash, on the one hand, and “the rogue persons and entities who abuse it,” on the other. The court also acknowledged OFAC’s “undeniably legitimate” concerns with the “illicit foreign actors laundering funds” by using this mixer.

The Eleventh Circuit — and perhaps ultimately the Supreme Court — will need to decide whether upholding the application of Loper Bright in national security cases is a viable approach. It may be much easier for a court to countenance opening its doors to more challenges against environmental, consumer protection, and similar rules, than it would be to welcome into U.S. court a new brand of litigants that the federal government has sanctioned for national security reasons. Courts for many decades have been hesitant to become too deeply involved in the government’s national security decisions, for understandable reasons.

So, while many have predicted the end of sanctions as we know them following the Tornado Cash decision, for others the smart money is on the government’s ability to prevail and convince the courts that Congress cannot be relied upon to legislate bespoke sanctions on every new type of technology as it emerges. The question for the courts in the coming months will be whether judicial deference to the government’s national security determinations is the only path forward in an increasingly insecure and technology-driven world.

Richard Reibstein, a partner with Troutman Pepper Locke, was quoted in the February 3, 2025 FreightWaves article, “Trucking-Backed Suit May Be Arena for Dumping Biden Independent Contractor Rule.”

Richard Reibstein is an attorney with Troutman Pepper Locke who specializes in independent contractor law. He writes a blog on the subject for his law firm.

When the Biden administration rule was announced, Reibstein was skeptical that the massive impact feared by its opponents would actually develop. “The legal impact of the final rule, however, will hardly ripple the waters,” he wrote at the time. “After all, it is the courts that create law on this subject, not regulatory agencies.”

In a November blog post, he returned to that theme. He said at the time that neither the Biden nor Trump rule had been cited by a “single federal court in determining IC status.”

“Only one court – a federal district court in Nevada – cited to the current regulation, and it essentially disregarded the regulation, concluding that the regulation was nothing more than ‘interpretative rules as a guide as opposed to a mandate.'”

However, since Reibstein wrote that, there has been a decision in a federal court in New Mexico with a carrier as the plaintiff. The decision by Judge Kea Riggs in that case discussed the Biden IC rule extensively.

Our team published new content and podcasts to the Consumer Financial Services Law Monitor throughout the month of January. To catch up on posts and podcasts you may have missed, click on the links below:


Auto Finance

CFPB Releases Report Highlighting Auto Lending Challenges for Servicemembers

Fifth Circuit Vacates FTC’s CARS Rule


Banking

NCUA’s New Board Chairman Hauptman Outlines His Priorities for Agency

NCUA Releases its 2025 Supervisory Priorities

New York Federal Court Grants Bank’s Motion to Dismiss in Wire Fraud Case Involving Elderly Customer


Consumer Financial Services

Fourth Circuit Holds SCRA Does Not Bar Mandatory Arbitration in Consumer Agreements, Forcing Portion of Class Action Into Arbitration

Florida Court of Appeals Holds Personal Claims Under the FCCPA are Not Assignable


Consumer Financial Protection Bureau

CFPB Releases Report on Auto Repossessions

CFPB Issues Compliance Aid on Electronic Fund Transfers

The CFPB Issues Revised Sandbox and No-Action Letter Policies

CFPB Rescinds 2020 Advisory Opinion on Earned Wage Access Product

CFPB Highlights Fair Lending Risks in Advanced Credit Scoring Models

CFPB Blog Post Encourages Industry to Do More to Serve LEP Consumers

CFPB Issues a Roadmap for States Days Before Trump Takes Office

CFPB Renews Attempt to Regulate Crypto by Applying Reg E to Stablecoins and Other Digital Payment Mechanisms

CFPB Releases Report Highlighting Consumer Use of Buy Now, Pay Later Products

CFPB Introduces New Rule Banning Certain Contractual Provisions in Consumer Financial Agreements

CFPB Approves Financial Data Exchange as Open Banking Standard Setter

Trade Associations File Challenge to CFPB’s Rule on Medical Debt in Consumer Reports

CFPB Finalizes Rule to Remove Medical Bills from Consumer Reports


Credit Reporting + Data Brokers

Seventh Circuit Reverses Summary Judgment in FDCPA Debt Dispute Case

Federal Court Allows FCRA Claim to Proceed Over Alleged Unauthorized Credit Pulls


Debt Buyers + Collectors 

NYC DCWP Further Delays Effective Date of Amended Debt Collection Rules


Regulatory Enforcement + Compliance

Alaska Proposes Amendments to Small Loan Act Targeting Banking-as-a-Service Programs

New Year = New Earned Wage Access Legislation in New York

Misleading Artificial Intelligence Claims by Marketer of Website Accessibility Widget Lead to $1 Million FTC Settlement

IRS Finalizes New Rules for DeFi Brokers: Challenge Immediately Filed in Texas Federal Court


Telephone Consumer Protection Act (TCPA)

Third Circuit Denies Class Certification But Upholds TCPA’s Restrictions on Unsolicited Fax Advertisements

Eleventh Circuit Vacates FCC’s One-to-One Consent Rule; FCC Issues Stay

Supreme Court Hears Oral Arguments on the Scope of Judicial Review Under the Hobbs Act


Podcasts

The Consumer Finance Podcast – The Evolving Landscape of Earned Wage Access Regulation

The Consumer Finance Podcast – Introducing the Consumer Financial Services Year in Review Series: A Look at What’s to Come

The Consumer Finance Podcast – TCPA Trends: 2024 Year-in-Review and 2025 Predictions

The Consumer Finance Podcast – Launching a Product Too Soon? Lessons From Recent CFPB Orders

The Consumer Finance Podcast – Troutman Pepper Locke – The Powerhouse Merger

The Crypto Exchange – Unpacking the Fifth Circuit’s Landmark Tornado Cash Decision

FCRA Focus Podcast – Recent Developments in California’s Arbitration Landscape

Moving the Metal: The Auto Finance Podcast – Auto Finance Under the Microscope: Unpacking Landmark FTC and AG Settlements

Payments Pros Podcast – 2024 Payments Year in Review: CFPB and FTC Regulatory Trends – Part One

Payments Pros Podcast – Navigating Consumer Protection: The CFPB’s Expanding Reach


Newsletters

Weekly Consumer Financial Services Newsletter – Week of January 27, 2025

Weekly Consumer Financial Services Newsletter – Week of January 20, 2025

Weekly Consumer Financial Services Newsletter – Week of January 13, 2025

Weekly Consumer Financial Services Newsletter – Week of January 6, 2025

The regulation of per- and polyfluoroalkyl substances (PFAS), or “forever chemicals,” was a focal point for the Biden administration. In April 2024, the administration, through the U.S. Environmental Protection Agency (EPA), issued two key PFAS rules. The first set nationwide drinking water standards, or maximum contaminant levels (MCLs), for six types of PFAS, and the second designated PFOA and PFOS, and their salts and structural isomers, as “hazardous substances” under the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA). Both rules are currently being challenged in court, although no judicial stays were requested or are in place.

EPA also proposed other key PFAS regulations in 2024. Under the Resource Conservation and Recovery Act (RCRA), EPA proposed to add nine PFAS, including their salts and structural isomers, to the list of “hazardous constituents” in Appendix VIII of 40 C.F.R. Part 261, requiring their consideration in facility assessments and potential corrective actions. Another proposed rule sought to clarify that emerging contaminants, including PFAS, can be managed under RCRA’s Corrective Action Program. EPA also proposed a Clean Water Act (CWA) rule regulating PFAS discharges from certain facilities. This rule primarily targets industries such as manufacturers and formulators of Organic Chemicals, Plastics, and Synthetic Fibers, which are likely to discharge PFAS into wastewater.

On January 20, 2025, the Trump administration issued a memorandum, as is common for incoming administrations, ordering executive agencies not to “propose or issue any rule in any manner” until the current administration has reviewed and approved the rule. Accordingly, the two pending RCRA PFAS-related proposals and the proposed CWA discharge limits are effectively on ice unless the new administration decides to pursue them.

It is highly unlikely the proposed PFAS regulations under RCRA and the CWA will be finalized as proposed, and at the very least, they will be materially delayed. However, since the PFAS Action Plan was initiated during the first Trump administration, it remains to be seen whether the administration will continue to focus on PFAS in its second term, despite its deregulatory agenda.

As the administration assesses which PFAS regulations align with its goals, it may not only scrutinize pending proposals, but may also reexamine EPA’s final regulations establishing PFAS MCLs and designating PFOA and PFOS as “hazardous substances” under CERCLA. In fact, it remains to be seen whether DOJ will continue to defend the lawsuits challenging these rules or seek to have them delayed/remanded for further administrative reconsideration. Should the administration decide to revise or reverse these regulations, EPA will have to engage in notice and comment rulemaking justifying its change of direction (and EPA should expect that its actions will be immediately challenged). Revisions to the PFAS MCLs would have significant implications for public water supply systems nationwide and the trickle-down effect would be substantial, given state reliance on the MCLs in state level regulations, including those governing wastewater discharges and remediation.

Another final PFAS-related regulation that could be impacted by the change in administration is the October 2023 TSCA PFAS reporting rule, which requires submittal of a one-time report from companies that manufactured or imported certain PFAS between January 1, 2011, and December 31, 2022. The final rule established a six-month reporting period beginning on November 12, 2024, but EPA issued a direct final rule in September 2024 delaying the start of the reporting period to July 11, 2025, explaining that its software was not yet ready to accommodate the expected volume of reporting. The new administration could push this reporting deadline even further out if it wants time to assess possible revisions to the rule, presumably also through a direct final rule based on the same reasons identified by the prior administration.

Up until 2024, states were generally left to regulate PFAS on their own, with little guidance or direction from the federal government. If the new administration decides not to pursue or significantly delays additional PFAS regulation, or even rolls back existing regulations, states could find themselves again left to chart their own paths. States that have been at the forefront of PFAS regulation, including California, Connecticut, Maine, New Hampshire, Michigan, New Jersey, and New York, to name a few, can be expected to continue to push forward with PFAS regulation, but other states that have not been active to date may also move to begin regulating PFAS in the face of growing public concern if faced with a lack of federal direction. At the very least, we may see more states attempting to assess the scope of PFAS contamination in their jurisdictions through the collection of PFAS data via state remediation or wastewater discharge programs. As long as the federal regulatory landscape remains in flux, states will continue advancing their own PFAS regulations, leading to an ever-growing patchwork of standards and requirements across the U.S.

A groundbreaking new regulatory regime, imposing rules unlike any in existing U.S. law, may surprise many companies due to its sudden adoption and complexity. This article tries to simplify the changing regulatory landscape, highlighting key points for any company with a U.S. presence that may be transferring data abroad.

On January 8, the U.S. Department of Justice’s (DOJ) National Security Division (NSD) released its final rule, regulating access to sensitive U.S. data by “countries of concern,” i.e., China (including Hong Kong and Macau), along with Russia, Iran, North Korea, Cuba, and Venezuela, or by “covered persons” anywhere in the world that are linked to those countries. This final rule comes in response to rising concerns over these governments’ exploiting sensitive U.S. personal data and government data for purposes such as espionage. The final rule closely aligns with the DOJ’s earlier proposed rule.

The final rule sets out a sweeping data security regime based on national security policy. It is important to understand that this is not like traditional data privacy regimes; for example, there is no exception to the restrictions based on consent. In many cases, contractual provisions alone will not suffice as a compliance approach. Rather, these are in some respects much more stringent rules that stem from U.S. national security concerns. Therefore, companies should not be comfortable that their activity is compliant with the final rule merely because it satisfies other existing data privacy and security laws. These new regulations are a different ballgame altogether and will often require very challenging steps to be taken, such as changes to existing data security practices and business processes. When applicable, these steps need to be in place by April 8 — a very short timeline.

There are some big carve-outs that will provide relief for many companies. For example, these new regulations do not apply to activity that takes place entirely within the United States among U.S. persons, even if they are owned or controlled by Chinese or other non-U.S. persons (unless they are specifically designated by DOJ). But the rules can cover, for example, U.S. companies that share data with their own affiliates (or third parties) in China or elsewhere, as well as commercial data licensing and other forms of data access across borders. Even for companies that may ultimately fall under one or more carve-outs, it is important to assess and document those positions, and be prepared to answer questions from DOJ.

The core of the final rule is set to take effect on April 8. There is no indication at this point that the Trump administration intends to change course, and, in light of the China and national security focus of the final rule, we expect it to move forward. Given the complexity of the final rule, this is a very short timeline for companies that are not already deep into their preparations for compliance with these regulations. DOJ has provided a delayed implementation timeline, until October 5, for certain requirements under the final rule (i.e., affirmative due diligence, auditing and reporting obligations). Additionally, DOJ has indicated they could potentially provide a degree of flexibility in extenuating circumstances (e.g., by the issuance of authorizations or guidance). Nonetheless, companies that may be impacted by these rules should move urgently to bring themselves into compliance or analyze and document the non-applicability of these rules, in order to be in a strong position with the regulator prior to April 8.

The final rule is similar to — but distinct in important ways from — the 2024 Protecting Americans’ Data from Foreign Adversaries Act (PADFA), administered by the Federal Trade Commission (FTC). PADFA is focused on “data brokers,” whereas the DOJ final rule applies to a much broader array of companies and transactions, including vendor agreements, employment agreements, and investment agreements that do not involve data brokering. Moreover, PADFA includes broad carve-outs that are not present in the final rule, such as for the provision of services where the data transfers are only ancillary to the services provided. On the other hand, the DOJ final rule has a more limited scope when it comes to covered data, which must meet specified “bulk” thresholds. There are other differences between the laws, but both carry consequential compliance obligations. Companies should carefully review (or refresh) their data maps and analyze their data types and flows in light of PADFA and the DOJ final rule to ensure they understand if either or both of these new sets of requirements could impact their compliance approach.

Scope of the Final Rule

The final rule generally applies to U.S. persons that “knowingly” provide “access” (very broadly defined) to listed types of covered data involving a country of concern or covered person.

These restrictions can apply to activity involving the U.S. and a third country (e.g., Singapore, the UK, or any other country that is not a “country of concern”), when there are certain links to a country of concern (e.g., a “covered person” that is owned by a Chinese entity). But these rules generally do not apply to activity that is 100% located in the U.S., even when conducted by persons linked to a country of concern.

The key elements that must be met for the main restrictions under these rules to apply are as follows:

  • Covered Data: This includes the types of data listed below where the specified volume thresholds are met (except for U.S. government-related data, any amount of which triggers the rules) at any point in the preceding 12 months, whether through a single transaction or aggregated across several transactions involving the same parties:

    • Human genomic data: more than 100 U.S. persons;

    • Other human ’omic data: more than 1,000 U.S. persons;

    • Biometric identifiers: more than 1,000 U.S. persons;

    • Precise geolocation data: more than 1,000 U.S. devices;

    • Personal health data: more than 10,000 U.S. persons;

    • Personal financial data: more than 10,000 U.S. persons; or

    • Covered personal identifiers: more than 100,000 U.S. persons.

For combinations of these types of data, the lowest applicable threshold applies.

Even if data is anonymized, pseudonymized, de-identified, or encrypted, it is still covered (though such measures will be relevant in implementing the Security Requirements, as discussed below).

There can be complexities (including important carve-outs) built into these definitions of covered data. For example, “personal identifiers” are not covered if they are not linked or linkable in specified ways to other covered data. Dissecting these nuances can be hugely important for determining that certain types of data flows are not subject to these rules at all.

  • Knowingly: The final rule only applies in the first instance to covered activity that is conducted “knowingly,” which includes situations where a person “reasonably should have known” of the relevant facts. This means, for example, that electronic services or platforms would generally not be responsible for the activities of their customers (e.g., an email provider whose user emails covered data to a covered person). But DOJ will expect risk-based due diligence and controls around this.

  • U.S. Person: This includes U.S.-based entities, U.S. citizens or “green card” holders, and any person with asylum or refugee status granted by the U.S. government. (These categories are consistent with U.S. export control rules.) But also (unlike under U.S. export controls), a U.S. person includes “any person in the United States.” For example, Chinese or Russian citizens located in the U.S. would be treated as U.S. persons and would not be covered persons (unless individually designated by DOJ). Those individuals may require U.S. export control licensing if they have access to controlled technology (i.e., “deemed exports”), but they would not trigger the applicability of this DOJ final rule. This is an important limitation to the final rule that will facilitate compliance in some cases.

  • Covered Persons: This includes an individual or entity that is not a U.S. person and that is:

    • An individual primarily resident in a country of concern;

    • An employee or contractor of a country of concern or a covered person entity;

    • An entity based in a country of concern; or

    • An entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by countries of concern or covered persons. (This aligns with the U.S. sanctions (OFAC) “50% rule.”)

In addition, DOJ can designate any person as a covered person (e.g., if a person is determined to be acting on behalf of China or another country of concern, or to be violating these rules). So DOJ may in the future develop such a “blacklist.” That list may then need to be incorporated into restricted party screening procedures (e.g., if currently in place for OFAC compliance).

The final rule essentially divides transactions into the following five categories: not covered, prohibited, restricted, exempt, and licensed.

  • Non-Covered Transactions: If any of the key elements of the rules are not met (e.g., there’s no U.S. person, no covered person, no covered data, no “access” to covered data, etc.), the final rule is not applicable at all. This goes without saying, but as a practical point it is critical to confirm in the first instance whether each of the elements of a prohibition or restriction is met, as there are significant carve-outs built into these basic elements. For transactions that are not covered, even the final rule’s recordkeeping requirements do not apply. However, if there is any nuance involved in determining that the final rule is inapplicable, a record of that analysis should be kept for at least 10 years as a best practice and protective measure in case DOJ comes knocking.

  • Prohibited Transactions: The final rule prohibits covered transactions involving “data brokerage,” which may extend well beyond what many companies would normally think of as data brokerage. DOJ has defined this term as:

the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.

This is quite a broad and vague definition that will leave many situations that are not vendor, employment, or investment agreements in a grey area — DOJ has stated that the transaction must be “commercial” in nature (i.e., must involve some form of compensation or consideration), but that still leaves many types of normal commercial partnerships potentially covered.

    • Critically, the prohibitions on data brokerage include transactions with non-covered foreign persons in third countries (i.e., where there is no specific link at all to China or another country of concern or covered person), unless the U.S. person: (1) contractually requires the foreign person to refrain from engaging in a subsequent covered data brokerage transaction involving the same data with a country of concern or covered person; and (2) reports any known or suspected violations of this contractual requirement within 14 days. This is among the few instances under these regulations when contractual provisions are the focus of the compliance expectation, as compared to implementing security measures or business process changes to satisfy the Security Requirements, which are discussed below. But even here mere contractual provisions are not sufficient, and DOJ expects adherence to those commitments to be monitored and suspected violations to be reported.

    • In addition to data brokerage, the final rule prohibits the following:

      • Covered transactions involving “human ’omic data” or human biospecimens from which such data could be derived. Companies with such data are on a very tight leash with DOJ and must take a careful compliance approach under these rules.

      • Evasion, causing violations, and conspiracy (and “knowingly directing” violations): The DOJ personnel who will be enforcing these regulations are part of the same organization — and will share a mindset — with U.S. sanctions and export controls prosecutors. The underlying statutory authority is also the same as that which underlies most U.S. sanctions, which is where most of these particular prohibitions come from. So any efforts to circumvent these rules should be expected to meet with an aggressive enforcement response. A good rule of thumb is to apply these rules based on their letter and spirit, and not to play games or seek “paper compliance” where the reality is the requirements are not being met. Similarly, trying to work around the rules by conducting covered transactions in a non-compliant manner through contractors, business partners, etc., may be high-risk, and concealing activity from partners or other parties can also lead to liability.

  • Restricted Transactions: Covered transactions that involve vendor agreements, employment agreements, or investment agreements are “restricted,” meaning that they are prohibited unless the U.S. person complies with the stringent “Security Requirements” established by the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS). The Security Requirements are discussed in more detail below. Where applicable, the Security Requirements will often prove to be hugely challenging to comply with. In addition, when conducting restricted transactions, there are due diligence, audit, reporting, and recordkeeping requirements that apply and that may be quite burdensome.

    • Excluded investment agreements: While the definitions of vendor agreement and employment agreement are fairly straightforward, there are carve-outs built in to the definition of investment agreement that in essence exclude passive investments, as well as investments in certain non-U.S. assets.

  • Exempt Transactions: The final rule contains several exemptions, most of which are quite broad. However, in their breadth they leave a lot of gray area, which may create considerable discomfort for many businesses seeking certainty in this high-stakes national security regulatory area. In most (but not all) cases, certain reporting requirements of the final rule still apply to exempt activity. The exemptions cover:

    • Transactions that are “required or authorized by Federal law or pursuant to an international agreement to which the United States is a party,” or by certain global health frameworks, as well as transactions that are “ordinarily incident to and part of ensuring compliance with any Federal laws and regulations.”

    • Another exemption covers transactions that are for official U.S. government business, including government contracting and federally funded research.

    • Corporate group transactions: This exemption is relatively broad, but contains critical limitations. It applies to transactions “[b]etween a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern” that are “[o]rdinarily incident to and part of administrative or ancillary business operations.”

    • Financial services: This exemption is also broad but with important limitations. It applies to transactions that are “ordinarily incident to and part of the provision of financial services.”

    • Telecommunications services: This exemption is similarly broad (though it excludes data brokerage), covering transactions that are “ordinarily incident to and part of the provision of telecommunications services.”

    • There is another exemption for transactions that involve investment agreements that are “subject to a CFIUS action.”

    • Drug, biological product, and medical device authorizations: Certain types of data are exempt if the transaction is “necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device, or a combination product.”

    • Other clinical investigations and post-marketing surveillance data: Transactions are exempt in certain cases if they are “[o]rdinarily incident to and part of” clinical investigations regulated by the FDA or clinical investigations that support applications to the FDA for research or marketing permits for drugs, biological products, devices, combination products, or infant formula, or are “[o]rdinarily incident to and part of the collection or processing of clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), and necessary to support or maintain authorization by the FDA, provided the data is de-identified or pseudonymized.”

    • The final rule also reflects the exemptions in the underlying statutory authority (IEEPA) for (1) “personal communications” that do not “involve the transfer of anything of value,” (2) the international exchange of “information or informational materials,” and (3) transactions that “are ordinarily incident to travel to or from any country.” These are the same statutory exemptions as apply under most U.S. sanctions programs. We would expect these exemptions to be construed narrowly and only to be relevant in limited circumstances.

  • Licensed Transactions: In rare instances, U.S. persons may be able to obtain a license to conduct otherwise prohibited activity (including not fully implementing the Security Requirements or other obligations for a restricted transaction). The DOJ has indicated it may consider issuing general licenses in certain instances, e.g., where market participants may require more time to wind down otherwise prohibited activity. Parties may also submit applications to the DOJ for specific licenses that cover particular intended transactions. The DOJ intends to issue separate instructions on how to apply for a specific license and the criteria that will be applied. We would expect that such license applications will be reviewed quite strictly, and it will be important to make the case that the request is consistent with U.S. national security interests.

Security Requirements

For restricted transactions that are not licensed or exempt, companies must comply with the Security Requirements promulgated by CISA. If the Security Requirements are not properly implemented, such transactions are prohibited. Transactions that are generally prohibited (e.g., involving data brokerage or human ’omic data or related biospecimens) cannot be authorized by complying with the Security Requirements – those are strict prohibitions that can only be overcome with a license (or an applicable exemption). The Security Requirements only come into play for vendor agreements, employment agreements and investment agreements, and where an exemption does not apply.

The Security Requirements in essence require the data to be “fully and effectively” blocked from access by a country of concern or covered person. This is a highly demanding requirement that will be quite challenging to meet in many cases. In addition, the Security Requirements impose a number of organizational-level and system-level requirements that are broadly consistent with the existing obligations and practices of many types of organizations (e.g., regulated financial institutions), but with a few important nuances that are particular to the DOJ final rule.

The most challenging part of the Security Requirements is generally going to be the data-level requirements, which require the U.S. person to “implement a combination of [specifically listed categories of] mitigations that, taken together, is sufficient to fully and effectively prevent access to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and/or countries of concern.” The types of measures that can be employed to achieve this required end result include data minimization, encryption, access controls, and others, with specified requirements (e.g., with respect to management of encryption keys when relying on encryption). At the end of the day, whichever combination of measures is used, this highly demanding standard must be met, and the burden is on the regulated U.S. person to establish that it is met.

For data that does not meet the data-level security requirements, “logical and physical access controls” must be put in place “to prevent covered persons or countries of concern from gaining access” to such data.

The effectiveness of the data-level measures determines whether they are compliant: CISA says that, if “a combination of security mechanisms proves to be insufficient to prevent such access, that combination of security mechanisms will be considered invalid in protecting future access to covered data by covered persons.” So testing the effectiveness of the measures, and adjusting them as needed (e.g., based on the company’s own risk assessment, technological developments and business process changes) will be important.

Recordkeeping, Reporting, Due Diligence, and Audit Requirements

There is a broad, 10-year recordkeeping requirement under the final rule. This is consistent with the new, 10-year recordkeeping requirement that will soon apply under U.S. economic sanctions regulations, but longer than the five-year recordkeeping requirement that applies under U.S. export controls.

In addition, there are specific requirements regarding due diligence, audits, and reporting (e.g., annually and for rejected prohibited transactions) that must be adhered to. Licenses may include additional requirements and conditions.

Exempt transactions are generally not subject to these requirements, although in certain instances limited reporting requirements apply under the exemptions.

Even for non-covered or exempt transactions, it is generally a prudent best practice to maintain records for at least 10 years showing the non-applicability of the final rule (or the applicability of the exemption) to those transactions.

Conclusion

The DOJ’s final rule marks a pivotal shift in U.S. data security policy. These rules apply even to activity conducted between the U.S. and third countries, and where all parties are commercial operators. They reflect concerns over foreign adversaries’ access to this sensitive U.S. data through a variety of means, including compulsion and even covert action.

Where applicable, CISA’s Security Requirements will be very challenging for many organizations to meet, and there are serious questions about how these regulations will work in practice for many types of companies that rely on these cross-border data flows.

It is imperative that companies carefully review their data maps and analyze their data types and flows to assess these new federal requirements, which could impact their data governance programs and critical compliance obligations.

If your organization is covered by the final rule, but you believe that full compliance by April 8 may not be possible, it is critical to engage as soon as possible with DOJ. While receiving favorable guidance or licenses will require a thoughtful approach to DOJ, the regulators have indicated that they will be amenable to working with companies that are taking these regulations seriously and implementing them as quickly as they can and to the extent possible.

If you have any questions about the DOJ final rule, PADFA, or the impact of these new data restrictions on your commercial or compliance activities, do not hesitate to contact the authors of this article for guidance.

Enacted in 2022, the Inflation Reduction Act (IRA) allows the transfer of certain tax credits, enabling unrelated parties to purchase them for cash. Lenders who want to use tax credits to secure loans should consider tax credit insurance and consult legal, tax, and insurance professionals to navigate new financing structures.

Click here to read the full article in Secured Lender Magazine.

State attorneys general (AGs) continue to play a pivotal role as innovators, shaping the regulatory environment by leveraging their expertise and resources to influence policy and practice. The public-facing nature of AG offices across the U.S. compels them to respond to constituent concerns on abbreviated timetables. This political sensitivity, combined with the AGs’ authority to address both local and national issues, underscores their significant influence in the current regulatory environment.

Troutman Pepper Locke’s nationally recognized State AG team closely monitors developments in this complex and rapidly evolving regulatory landscape, serving as a trusted partner for clients seeking assistance with state AG enforcement, litigation, and compliance matters. The 2024 State AG Year in Review provides a comprehensive overview of the evolving regulatory landscape, highlighting key events and trends that defined the year. This report underscores the state AGs’ focus on several sectors, themes, and industries, including: (1) antitrust; (2) artificial intelligence; (3) consumer financial services; (4) environmental and energy; (5) marketing and advertising; (6) pharma and health sciences; (7) privacy and cyber; and (8) private equity.

Our team is committed to guiding companies through current challenges and preparing for future obligations, enabling them to concentrate on business growth rather than regulatory concerns. We trust that this report will be a valuable resource in these efforts.

To access the report, please click here.

A Practice Note discussing the Section 45X advanced manufacturing production tax credit available for qualifying energy components including solar energy components, wind energy components, inverters, qualifying battery components, and applicable critical minerals. This Note also discusses the amount of the credit available to taxpayers and the eligibility and substantiation requirements that taxpayers must satisfy to qualify for the credit including production in the U.S. and sales to unrelated parties.

Click here to read the full article in Thomson Reuters.