The regulation of per- and polyfluoroalkyl substances (PFAS), or “forever chemicals,” was a focal point for the Biden administration. In April 2024, the administration, through the U.S. Environmental Protection Agency (EPA), issued two key PFAS rules. The first set nationwide drinking water standards, or maximum contaminant levels (MCLs), for six types of PFAS, and the second designated PFOA and PFOS, and their salts and structural isomers, as “hazardous substances” under the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA). Both rules are currently being challenged in court, although no judicial stays were requested or are in place.

EPA also proposed other key PFAS regulations in 2024. Under the Resource Conservation and Recovery Act (RCRA), EPA proposed to add nine PFAS, including their salts and structural isomers, to the list of “hazardous constituents” in Appendix VIII of 40 C.F.R. Part 261, requiring their consideration in facility assessments and potential corrective actions. Another proposed rule sought to clarify that emerging contaminants, including PFAS, can be managed under RCRA’s Corrective Action Program. EPA also proposed a Clean Water Act (CWA) rule regulating PFAS discharges from certain facilities. This rule primarily targets industries such as manufacturers and formulators of Organic Chemicals, Plastics, and Synthetic Fibers, which are likely to discharge PFAS into wastewater.

On January 20, 2025, the Trump administration issued a memorandum, as is common for incoming administrations, ordering executive agencies not to “propose or issue any rule in any manner” until the current administration has reviewed and approved the rule. Accordingly, the two pending RCRA PFAS-related proposals and the proposed CWA discharge limits are effectively on ice unless the new administration decides to pursue them.

It is highly unlikely the proposed PFAS regulations under RCRA and the CWA will be finalized as proposed, and at the very least, they will be materially delayed. However, since the PFAS Action Plan was initiated during the first Trump administration, it remains to be seen whether the administration will continue to focus on PFAS in its second term, despite its deregulatory agenda.

As the administration assesses which PFAS regulations align with its goals, it may not only scrutinize pending proposals, but may also reexamine EPA’s final regulations establishing PFAS MCLs and designating PFOA and PFOS as “hazardous substances” under CERCLA. In fact, it remains to be seen whether DOJ will continue to defend the lawsuits challenging these rules or seek to have them delayed/remanded for further administrative reconsideration. Should the administration decide to revise or reverse these regulations, EPA will have to engage in notice and comment rulemaking justifying its change of direction (and EPA should expect that its actions will be immediately challenged). Revisions to the PFAS MCLs would have significant implications for public water supply systems nationwide and the trickle-down effect would be substantial, given state reliance on the MCLs in state level regulations, including those governing wastewater discharges and remediation.

Another final PFAS-related regulation that could be impacted by the change in administration is the October 2023 TSCA PFAS reporting rule, which requires submittal of a one-time report from companies that manufactured or imported certain PFAS between January 1, 2011, and December 31, 2022. The final rule established a six-month reporting period beginning on November 12, 2024, but EPA issued a direct final rule in September 2024 delaying the start of the reporting period to July 11, 2025, explaining that its software was not yet ready to accommodate the expected volume of reporting. The new administration could push this reporting deadline even further out if it wants time to assess possible revisions to the rule, presumably also through a direct final rule based on the same reasons identified by the prior administration.

Up until 2024, states were generally left to regulate PFAS on their own, with little guidance or direction from the federal government. If the new administration decides not to pursue or significantly delays additional PFAS regulation, or even rolls back existing regulations, states could find themselves again left to chart their own paths. States that have been at the forefront of PFAS regulation, including California, Connecticut, Maine, New Hampshire, Michigan, New Jersey, and New York, to name a few, can be expected to continue to push forward with PFAS regulation, but other states that have not been active to date may also move to begin regulating PFAS in the face of growing public concern if faced with a lack of federal direction. At the very least, we may see more states attempting to assess the scope of PFAS contamination in their jurisdictions through the collection of PFAS data via state remediation or wastewater discharge programs. As long as the federal regulatory landscape remains in flux, states will continue advancing their own PFAS regulations, leading to an ever-growing patchwork of standards and requirements across the U.S.

A groundbreaking new regulatory regime, imposing rules unlike any in existing U.S. law, may surprise many companies due to its sudden adoption and complexity. This article tries to simplify the changing regulatory landscape, highlighting key points for any company with a U.S. presence that may be transferring data abroad.

On January 8, the U.S. Department of Justice’s (DOJ) National Security Division (NSD) released its final rule, regulating access to sensitive U.S. data by “countries of concern,” i.e., China (including Hong Kong and Macau), along with Russia, Iran, North Korea, Cuba, and Venezuela, or by “covered persons” anywhere in the world that are linked to those countries. This final rule comes in response to rising concerns over these governments’ exploiting sensitive U.S. personal data and government data for purposes such as espionage. The final rule closely aligns with the DOJ’s earlier proposed rule.

The final rule sets out a sweeping data security regime based on national security policy. It is important to understand that this is not like traditional data privacy regimes; for example, there is no exception to the restrictions based on consent. In many cases, contractual provisions alone will not suffice as a compliance approach. Rather, these are in some respects much more stringent rules that stem from U.S. national security concerns. Therefore, companies should not be comfortable that their activity is compliant with the final rule merely because it satisfies other existing data privacy and security laws. These new regulations are a different ballgame altogether and will often require very challenging steps to be taken, such as changes to existing data security practices and business processes. When applicable, these steps need to be in place by April 8 — a very short timeline.

There are some big carve-outs that will provide relief for many companies. For example, these new regulations do not apply to activity that takes place entirely within the United States among U.S. persons, even if they are owned or controlled by Chinese or other non-U.S. persons (unless they are specifically designated by DOJ). But the rules can cover, for example, U.S. companies that share data with their own affiliates (or third parties) in China or elsewhere, as well as commercial data licensing and other forms of data access across borders. Even for companies that may ultimately fall under one or more carve-outs, it is important to assess and document those positions, and be prepared to answer questions from DOJ.

The core of the final rule is set to take effect on April 8. There is no indication at this point that the Trump administration intends to change course, and, in light of the China and national security focus of the final rule, we expect it to move forward. Given the complexity of the final rule, this is a very short timeline for companies that are not already deep into their preparations for compliance with these regulations. DOJ has provided a delayed implementation timeline, until October 5, for certain requirements under the final rule (i.e., affirmative due diligence, auditing and reporting obligations). Additionally, DOJ has indicated they could potentially provide a degree of flexibility in extenuating circumstances (e.g., by the issuance of authorizations or guidance). Nonetheless, companies that may be impacted by these rules should move urgently to bring themselves into compliance or analyze and document the non-applicability of these rules, in order to be in a strong position with the regulator prior to April 8.

The final rule is similar to — but distinct in important ways from — the 2024 Protecting Americans’ Data from Foreign Adversaries Act (PADFA), administered by the Federal Trade Commission (FTC). PADFA is focused on “data brokers,” whereas the DOJ final rule applies to a much broader array of companies and transactions, including vendor agreements, employment agreements, and investment agreements that do not involve data brokering. Moreover, PADFA includes broad carve-outs that are not present in the final rule, such as for the provision of services where the data transfers are only ancillary to the services provided. On the other hand, the DOJ final rule has a more limited scope when it comes to covered data, which must meet specified “bulk” thresholds. There are other differences between the laws, but both carry consequential compliance obligations. Companies should carefully review (or refresh) their data maps and analyze their data types and flows in light of PADFA and the DOJ final rule to ensure they understand if either or both of these new sets of requirements could impact their compliance approach.

Scope of the Final Rule

The final rule generally applies to U.S. persons that “knowingly” provide “access” (very broadly defined) to listed types of covered data involving a country of concern or covered person.

These restrictions can apply to activity involving the U.S. and a third country (e.g., Singapore, the UK, or any other country that is not a “country of concern”), when there are certain links to a country of concern (e.g., a “covered person” that is owned by a Chinese entity). But these rules generally do not apply to activity that is 100% located in the U.S., even when conducted by persons linked to a country of concern.

The key elements that must be met for the main restrictions under these rules to apply are as follows:

• Covered Data: This includes the types of data listed below where the specified volume thresholds are met (except for U.S. government-related data, any amount of which triggers the rules) at any point in the preceding 12 months, whether through a single transaction or aggregated across several transactions involving the same parties:

  • Human genomic data: more than 100 U.S. persons;

  • Other human `omic data: more than 1,000 U.S. persons;

  • Biometric identifiers: more than 1,000 U.S. persons;

  • Precise geolocation data: more than 1,000 U.S. devices;

  • Personal health data: more than 10,000 U.S. persons;

  • Personal financial data: more than 10,000 U.S. persons; or

  • Covered personal identifiers: more than 100,000 U.S. persons.

For combinations of these types of data, the lowest applicable threshold applies.

Even if data is anonymized, pseudonymized, de-identified, or encrypted, it is still covered (though such measures will be relevant in implementing the Security Requirements, as discussed below).

There can be complexities (including important carve-outs) built into these definitions of covered data. For example, “personal identifiers” are not covered if they are not linked or linkable in specified ways to other covered data. Dissecting these nuances can be hugely important for determining that certain types of data flows are not subject to these rules at all.

• Knowingly: The final rule only applies in the first instance to covered activity that is conducted “knowingly,” which includes situations where a person “reasonably should have known” of the relevant facts. This means, for example, that electronic services or platforms would generally not be responsible for the activities of their customers (e.g., an email provider whose user emails covered data to a covered person). But DOJ will expect risk-based due diligence and controls around this.

• U.S. Person: This includes U.S.-based entities, U.S. citizens or “green card” holders, and any person with asylum or refugee status granted by the U.S. government. (These categories are consistent with U.S. export control rules.) But also (unlike under U.S. export controls), a U.S. person includes “any person in the United States.” For example, Chinese or Russian citizens located in the U.S. would be treated as U.S. persons and would not be covered persons (unless individually designated by DOJ). Those individuals may require U.S. export control licensing if they have access to controlled technology (i.e., “deemed exports”), but they would not trigger the applicability of this DOJ final rule. This is an important limitation to the final rule that will facilitate compliance in some cases.

• Covered Persons: This includes an individual or entity that is not a U.S. person and that is:

  • An individual primarily resident in a country of concern;

  • An employee or contractor of a country of concern or a covered person entity;

  • An entity based in a country of concern; or

  • An entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by countries of concern or covered persons. (This aligns with the U.S. sanctions (OFAC) “50% rule.”)

In addition, DOJ can designate any person as a covered person (e.g., if a person is determined to be acting on behalf of China or another country of concern, or to be violating these rules). So DOJ may in the future develop such a “blacklist.” That list may then need to be incorporated into restricted party screening procedures (e.g., if currently in place for OFAC compliance).

The final rule essentially divides transactions into the following five categories: not covered, prohibited, restricted, exempt, and licensed.

• Non-Covered Transactions: If any of the key elements of the rules are not met (e.g., there’s no U.S. person, no covered person, no covered data, no “access” to covered data, etc.), the final rule is not applicable at all. This goes without saying, but as a practical point it is critical to confirm in the first instance whether each of the elements of a prohibition or restriction is met, as there are significant carve-outs built into these basic elements. For transactions that are not covered, even the final rule’s recordkeeping requirements do not apply. However, if there is any nuance involved in determining that the final rule is inapplicable, a record of that analysis should be kept for at least 10 years as a best practice and protective measure in case DOJ comes knocking.

• Prohibited Transactions: The final rule prohibits covered transactions involving “data brokerage,” which may extend well beyond what many companies would normally think of as data brokerage. DOJ has defined this term as:

the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.

This is quite a broad and vague definition that will leave many situations that are not vendor, employment, or investment agreements in a grey area — DOJ has stated that the transaction must be “commercial” in nature (i.e., must involve some form of compensation or consideration), but that still leaves many types of normal commercial partnerships potentially covered.

• • Critically, the prohibitions on data brokerage include transactions with non-covered foreign persons in third countries (i.e., where there is no specific link at all to China or another country of concern or covered person), unless the U.S. person: (1) contractually requires the foreign person to refrain from engaging in a subsequent covered data brokerage transaction involving the same data with a country of concern or covered person; and (2) reports any known or suspected violations of this contractual requirement within 14 days. This is among the few instances under these regulations when contractual provisions are the focus of the compliance expectation, as compared to implementing security measures or business process changes to satisfy the Security Requirements, which are discussed below. But even here mere contractual provisions are not sufficient, and DOJ expects adherence to those commitments to be monitored and suspected violations to be reported.

  • In addition to data brokerage, the final rule prohibits the following:

    • Covered transactions involving “human `omic data” or human biospecimens from which such data could be derived. Companies with such data are on a very tight leash with DOJ and must take a careful compliance approach under these rules.

    • Evasion, causing violations, and conspiracy (and “knowingly directing” violations): The DOJ personnel who will be enforcing these regulations are part of the same organization — and will share a mindset — with U.S. sanctions and export controls prosecutors. The underlying statutory authority is also the same as that which underlies most U.S. sanctions, which is where most of these particular prohibitions come from. So any efforts to circumvent these rules should be expected to meet with an aggressive enforcement response. A good rule of thumb is to apply these rules based on their letter and spirit, and not to play games or seek “paper compliance” where the reality is the requirements are not being met. Similarly, trying to work around the rules by conducting covered transactions in a non-compliant manner through contractors, business partners, etc., may be high-risk, and concealing activity from partners or other parties can also lead to liability.

• Restricted Transactions: Covered transactions that involve vendor agreements, employment agreements, or investment agreements are “restricted,” meaning that they are prohibited unless the U.S. person complies with the stringent “Security Requirements” established by the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS). The Security Requirements are discussed in more detail below. Where applicable, the Security Requirements will often prove to be hugely challenging to comply with. In addition, when conducting restricted transactions, there are due diligence, audit, reporting, and recordkeeping requirements that apply and that may be quite burdensome.

  • Excluded investment agreements: While the definitions of vendor agreement and employment agreement are fairly straightforward, there are carve-outs built in to the definition of investment agreement that in essence exclude passive investments, as well as investments in certain non-U.S. assets.

• Exempt Transactions: The final rule contains several exemptions, most of which are quite broad. However, in their breadth they leave a lot of gray area, which may create considerable discomfort for many businesses seeking certainty in this high-stakes national security regulatory area. In most (but not all) cases, certain reporting requirements of the final rule still apply to exempt activity. The exemptions cover:

  • Transactions that are “required or authorized by Federal law or pursuant to an international agreement to which the United States is a party,” or by certain global health frameworks, as well as transactions that are “ordinarily incident to and part of ensuring compliance with any Federal laws and regulations.”

  • Another exemption covers transactions that are for official U.S. government business, including government contracting and federally funded research.

  • Corporate group transactions: This exemption is relatively broad, but contains critical limitations. It applies to transactions “[b]etween a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern” that are “[o]rdinarily incident to and part of administrative or ancillary business operations.”

  • Financial services: This exemption is also broad but with important limitations. It applies to transactions that are “ordinarily incident to and part of the provision of financial services.”

  • Telecommunications services: This exemption is similarly broad (though it excludes data brokerage), covering transactions that are “ordinarily incident to and part of the provision of telecommunications services.”

  • There is another exemption for transactions that involve investment agreements that are “subject to a CFIUS action.”

  • Drug, biological product, and medical device authorizations: Certain types of data are exempt if the transaction is “necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device, or a combination product.”

  • Other clinical investigations and post-marketing surveillance data: Transactions are exempt in certain cases if they are “[o]rdinarily incident to and part of” clinical investigations regulated by the FDA or clinical investigations that support applications to the FDA for research or marketing permits for drugs, biological products, devices, combination products, or infant formula, or are “[o]rdinarily incident to and part of the collection or processing of clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), and necessary to support or maintain authorization by the FDA, provided the data is de-identified or pseudonymized.”

  • The final rule also reflects the exemptions in the underlying statutory authority (IEEPA) for (1) “personal communications” that do not “involve the transfer of anything of value,” (2) the international exchange of “information or informational materials,” and (3) transactions that “are ordinarily incident to travel to or from any country.” These are the same statutory exemptions as apply under most U.S. sanctions programs. We would expect these exemptions to be construed narrowly and only to be relevant in limited circumstances.

• Licensed Transactions: In rare instances, U.S. persons may be able to obtain a license to conduct otherwise prohibited activity (including not fully implementing the Security Requirements or other obligations for a restricted transaction). The DOJ has indicated it may consider issuing general licenses in certain instances, e.g., where market participants may require more time to wind down otherwise prohibited activity. Parties may also submit applications to the DOJ for specific licenses that cover particular intended transactions. The DOJ intends to issue separate instructions on how to apply for a specific license and the criteria that will be applied. We would expect that such license applications will be reviewed quite strictly, and it will be important to make the case that the request is consistent with U.S. national security interests.

Security Requirements

For restricted transactions that are not licensed or exempt, companies must comply with the Security Requirements promulgated by CISA. If the Security Requirements are not properly implemented, such transactions are prohibited. Transactions that are generally prohibited (e.g., involving data brokerage or human `omic data or related biospecimens) cannot be authorized by complying with the Security Requirements – those are strict prohibitions that can only be overcome with a license (or an applicable exemption). The Security Requirements only come into play for vendor agreements, employment agreements and investment agreements, and where an exemption does not apply.

The Security Requirements in essence require the data to be “fully and effectively” blocked from access by a country of concern or covered person. This is a highly demanding requirement that will be quite challenging to meet in many cases. In addition, the Security Requirements impose a number of organizational-level and system-level requirements that are broadly consistent with the existing obligations and practices of many types of organizations (e.g., regulated financial institutions), but with a few important nuances that are particular to the DOJ final rule.

The most challenging part of the Security Requirements are generally going to be the data-level requirements, which require the U.S. person to “implement a combination of [specifically listed categories of] mitigations that, taken together, is sufficient to fully and effectively prevent access to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and/or countries of concern.” The types of measures that can be employed to achieve this required end result include data minimization, encryption, access controls, and others, with specified requirements (e.g., with respect to management of encryption keys when relying on encryption). At the end of the day, whichever combination of measures is used, this highly demanding standard must be met, and the burden is on the regulated U.S. person to establish that it is met.

For data that does not meet the data-level security requirements, “logical and physical access controls” must be put in place “to prevent covered persons or countries of concern from gaining access” to such data.

The effectiveness of the data-level measures determines whether they are compliant: CISA says that, if “a combination of security mechanisms proves to be insufficient to prevent such access, that combination of security mechanisms will be considered invalid in protecting future access to covered data by covered persons.” So testing the effectiveness of the measures, and adjusting them as needed (e.g., based on the company’s own risk assessment, technological developments and business process changes) will be important.

Recordkeeping, Reporting, Due Diligence, and Audit Requirements

There is a broad, 10-year recordkeeping requirement under the final rule. This is consistent with the new, 10-year recordkeeping requirement that will soon apply under U.S. economic sanctions regulations, but longer than the five-year recordkeeping requirement that applies under U.S. export controls.

In addition, there are specific requirements regarding due diligence, audits, and reporting (e.g., annually and for rejected prohibited transactions) that must be adhered to. Licenses may include additional requirements and conditions.

Exempt transactions are generally not subject to these requirements, except in certain instances there are limited reporting requirements that apply under the exemptions. 

Even for non-covered or exempt transactions, it is generally a prudent best practice to maintain records for at least 10 years showing the non-applicability of the final rule (or the applicability of the exemption) to those transactions.

Conclusion

The DOJ’s final rule marks a pivotal shift in U.S. data security policy. These rules apply even to activity conducted between the U.S. and third countries, and where all parties are commercial operators. They reflect concerns over foreign adversaries’ access to this sensitive U.S. data through a variety of means, including compulsion and even covert action.

Where applicable, CISA’s Security Requirements will be very challenging for many organizations to meet, and there are serious questions about how these regulations will work in practice for many types of companies that rely on these cross-border data flows.

It is imperative that companies carefully review their data maps and analyze their data types and flows to analyze these new federal requirements that could impact their data governance programs and critical compliance obligations.

If your organization is covered by the final rule, but you believe that full compliance by April 8 may not be possible, it is critical to engage as soon as possible with DOJ. While receiving favorable guidance or licenses will require a thoughtful approach to DOJ, the regulators have indicated that they will be amenable to working with companies that are taking these regulations seriously and implementing them as quickly as they can and to the extent possible.

If you have any questions about the DOJ final rule, PADFA, or the impact of these new data restrictions on your commercial or compliance activities, do not hesitate to contact the authors of this article for guidance.

Enacted in 2022, the Inflation Reduction Act (IRA) allows the transfer of certain tax credits, enabling unrelated parties to purchase them for cash. Lenders who want to use tax credits to secure loans should consider tax credit insurance and consult legal, tax, and insurance professionals to navigate new financing structures.

Click here to read the full article in Secured Lender Magazine.

State attorneys general (AGs) continue to play a pivotal role as innovators, shaping the regulatory environment by leveraging their expertise and resources to influence policy and practice. The public-facing nature of AG offices across the U.S. compels them to respond to constituent concerns on abbreviated timetables. This political sensitivity, combined with the AGs’ authority to address both local and national issues, underscores their significant influence in the current regulatory environment.

Troutman Pepper Locke’s nationally recognized State AG team closely monitors developments in this complex and rapidly evolving regulatory landscape, serving as a trusted partner for clients seeking assistance with state AG enforcement, litigation, and compliance matters. The 2024 State AG Year in Review provides a comprehensive overview of the evolving regulatory landscape, highlighting key events and trends that defined the year. This report underscores the state AGs’ focus on several sectors, themes, and industries, including: (1) antitrust; (2) artificial intelligence; (3) consumer financial services; (4) environmental and energy; (5) marketing and advertising; (6) pharma and health sciences; (7) privacy and cyber; and (8) private equity.

Our team is committed to guiding companies through current challenges and preparing for future obligations, enabling them to concentrate on business growth rather than regulatory concerns. We trust that this report will be a valuable resource in these efforts.

To access the report, please click here.

A Practice Note discussing the Section 45X advanced manufacturing production tax credit available for qualifying energy components including solar energy components, wind energy components, inverters, qualifying battery components, and applicable critical minerals. This Note also discusses the amount of the credit available to taxpayers and the eligibility and substantiation requirements that taxpayers must satisfy to qualify for the credit including production in the U.S. and sales to unrelated parties.

Click here to read the full article in Thomson Reuters.

On January 17, the District of Columbia Circuit issued a pivotal opinion regarding the Fifth Amendment rights of a defendant-appellant compelled by the FBI to unlock his cellphone using his thumbprint. The D.C. Circuit’s decision in United States v. Brown has significant implications for law enforcement practices and the protection of constitutional rights in the digital age.

The appellants in Brown were arrested in connection with the events on the U.S. Capitol grounds on January 6, 2021. On February 4, 2021, an FBI Agent participated in executing a search warrant at one of the appellant’s residences. The appellant was already in custody when the agent discovered a black cellphone in his apartment. The agent attempted to unlock the phone using passwords provided by the appellant, but none were successful. Subsequently, the agent used the appellant’s thumbprint to unlock the phone, although the agent could not recall the specifics of how this was done or his conversation with the appellant. Importantly, the government could not recall whether the request for the thumbprint occurred before or after the appellant had asked for an attorney. The district court found that the appellant was compelled to put his thumb on the phone in response to the agent’s request, thereby unlocking it.

The unlocked phone revealed incriminating text messages, which were photographed by another FBI agent. Seven months later, the FBI obtained a second warrant for a forensic search of the phone, relying on the initial evidence obtained through the compelled thumbprint.

The appellant moved to suppress the evidence obtained from his cellphone, arguing that the compelled use of his thumbprint violated his Fifth Amendment rights. The Fifth Amendment protects persons from being compelled to be a witness against themselves in a criminal case; but for that protection to apply, the communication must be testimonial, incriminating, and compelled. See U.S. Const. Amend. V; Hiibel v. Sixth Jud. Dist. Ct. of Nevada, Humboldt County, 542 U.S. 177, 189 (2004). The district court denied the motion, concluding that no constitutional violation occurred because the act of using a thumbprint, even if compelled, was not testimonial and thus not protected by the Fifth Amendment.

On appeal, the D.C. Circuit considered whether the compelled act of using the thumb to unlock the phone was “testimonial,” as required to fall within the Fifth Amendment’s protection. The court’s analysis focused on two key points:

1. Physical manifestation of testimonial thoughts: The D.C. Circuit concluded that the physical act of unlocking a cellphone was a “manifestation[] of testimonial thoughts.” The court distinguished this from furnishing a blood sample, providing a handwriting or voice exemplar, standing in a police lineup, or donning particular clothing, which courts generally do not consider to be testimonial. In contrast, the court held this was more akin to responding to a lie detector test, where the physical action requires no additional information to communicate an incriminatory message. Unlocking the cellphone represented the appellant’s thoughts of “I know how to open the phone,” “I have control over access to this phone,” and “the print of this specific finger is the password to this phone.”

2. Act of production: The court noted that compelling the appellant to open the phone communicated to the government the appellant’s knowledge of how the phone could be opened, his ownership or control over the phone, and the existence, authenticity, and ownership of documents within it.

Given the testimonial nature of the compelled act, the court ruled that both the direct evidence obtained from the phone and any derivative evidence must be suppressed. The court rejected the government’s arguments for inevitable discovery and good faith exceptions, noting that the government failed to prove that the evidence would have been discovered independently of the Fifth Amendment violation and failed to provide support for extending the Fourth Amendment’s good faith exception to the Fifth Amendment.

While the D.C. Circuit disagrees, the decision seems to be at odds with a recent decision from the Ninth Circuit in United States v. Payne, 99 F. 4th 495 (9th Cir. 2024). In Payne, the Ninth Circuit found that “the compelled use of a biometric to unlock an electronic device was not testimonial because it required no cognitive exertion.” The D.C. Circuit distinguished Payne from the case at hand by noting that in Payne the police “forcibly grabbed Payne’s thumb and used it to unlock the phone.”

Implications for Law Enforcement and Legal Practice

By affirming that compelled biometric unlocking of cellphones is testimonial and protected by the Fifth Amendment, the court has reinforced the importance of safeguarding individual rights in the digital era. It also highlights the inherent tension in balancing investigative needs with constitutional protections.

While the court in Brown distinguished the case from Payne, reconciling both decisions leaves ambiguities as to when Fifth Amendment protections are triggered in the compelled use of a biometric to unlock an electronic device. Therefore, law enforcement agencies must be cautious when compelling individuals to unlock their devices, and attorneys should be vigilant in challenging evidence obtained through potentially unconstitutional means.

For further information or specific legal advice regarding this ruling and its implications, please contact our office.

You Are Invited: SEC Enforcement Priorities Webinar

Thursday, February 6, 2025 | 12:00 – 1:00 pm ET

Please join Troutman Pepper Locke for a discussion hosted by the Atlanta Bar Association with Regional Securities and Exchange Commission Directors Nicholas Grippo (Philadelphia Regional Office) and Nekia Jones (Atlanta Regional Office) on the SEC’s 2025 enforcement and examination priorities.

Invitation and more details to follow.

Click here to register.

---

In the Spotlight

Domenic Cervoni, a partner in Troutman Pepper Locke’s New York office, represents financial institutions, fintech companies, and major corporations in complex, sensitive, and high-profile litigation in federal and state courts. As former associate general counsel for HSBC North America Holdings, Inc., he has driven case strategy for class actions, banking, antitrust, securities, and corporate trustee litigation. Domenic is also a dedicated mentor and frequent speaker on leadership, best practices for outside counsel, and mental health awareness in the legal industry. For more information, see Domenic’s bio.

Jay Dubow was recently recognized by Securities Docket on its “Enforcement Elite” list for 2024, which honors the top securities enforcement defense lawyers.

Jay Dubow was recently quoted in:

• “Trump Nominee for SEC Chair May Slow Rulemaking, Enforcement,” FundFire, December 2024.
• “A Paul Atkins-Led SEC Will Be More Industry Friendly, Accommodating to Crypto, Experts Say,” Pensions & Investments, December 6, 2024.
• “Trump Picks Crypto-Friendly Former Commish to Chair SEC,” FundFire, December 5, 2024.
• “Trump Picks SEC Alum to Chair Regulator,” PlanAdviser, December 4, 2024.
• “Gensler’s Chapter Leading SEC Approaches Close,” FundFire, November 22, 2024.
• “SEC Chair Gensler to Step Down When Trump Takes Office,” Law360, November 21, 2024.

Ghillaine Reid was recently quoted in:

• “Recent Charges Against Financial Firms Show That the SEC’s Texting Probe Is Far From Over,” International Banker, October 14, 2024.

---

Safeguarding Individual Rights in a Digital Era

US v. Brown: District of Columbia Circuit Rules on Compelled Biometric Unlocking of Cellphones

By Jay Dubow, Ghillaine Reid, and Isabela Herlihy

On January 17, the District of Columbia Circuit issued a pivotal opinion regarding the Fifth Amendment rights of a defendant-appellant compelled by the FBI to unlock his cellphone using his thumbprint. The D.C. Circuit’s decision in United States v. Brown has significant implications for law enforcement practices and the protection of constitutional rights in the digital age.

Read More

---

SEC Updates

Regulatory Monitor: SEC Update

This article was originally published in the January 2025 issue of The Investment Lawyer and is republished here with permission.

By Genna Garver and Theodore Edwards

It’s been only two years since the required compliance date for the US Securities and Exchange Commission’s (SEC) amended Rule 206(4)-1 (the Marketing Rule) under the Investment Advisers Act of 1940, as amended (Advisers Act). Since the Marketing Rule’s adoption, the SEC Staff of the Division of Investment Management (IM) has issued four FAQs and the SEC’s Division of Examinations (EXAMS) has issued three risk alerts on the rule. Despite this guidance, advisers are still struggling with implementation and interpretation issues, making the Marketing Rule ripe for further regulation through enforcement.

Read More

SEC 2024 Enforcement Results: A Decline in Total Enforcement, but a Record-Breaking Recovery of Financial Remedies

By Jay Dubow, Ghillaine Reid, Casselle Smith, and Isabela Herlihy

On November 22, the Securities and Exchange Commission (SEC) announced its enforcement results for fiscal year (FY) 2024. As compared to FY 2023, the Division of Enforcement (the division) reported a 26% decline in the total volume of enforcement actions filed, accompanied by a $3.2 billion increase in the orders obtained for financial remedies. Below is a high-level summary of the division’s FY 2024 statistics and key takeaways regarding the division’s substantive focus.

Read More

Evolution of Administrative Adjudication Post-Jarkesy

By Jay Dubow, Ghillaine Reid, and Alyssa Cavanaugh

On June 27, 2024 the US Supreme Court released its 6-3 decision in SEC v. Jarkesy, et al., ending the Securities and Exchange Commission’s (SEC) long-standing use of in-house Administrative Law Judge (ALJ) tribunals in cases involving allegations of fraud in which the SEC seeks civil penalties. The majority held that the Seventh Amendment entitles the defendant to trial by jury when the SEC seeks civil penalties for securities fraud, thus requiring that the action be brought in a court of law. This effectively closes one of the SEC’s key enforcement avenues for seeking financial penalties when it believes investors have been misled and forces the SEC to bring more of its actions in courts of law.

Click here to read the full article in The Investment Lawyer.

The SEC’s Division of Examinations Announces 2025 Priorities

By Jay Dubow, Genna Garver, Ghillaine Reid, and Tim Bado

On October 21, the Securities and Exchange Commission’s (SEC) Division of Examinations announced its 2025 examination priorities (2025 guidance) for registered investment advisers and investment companies, broker-dealers, clearing agencies, self-regulatory organizations, and other registered entities that are subject to inspection by the Division. The annual guidance aims to align with the Division’s four pillars: to promote and improve compliance, prevent fraud, monitor risk, and inform policy. The 2025 guidance lists plenty of familiar topics, but also includes new priorities that reflect the evolution of U.S. and global markets. Next year’s examinations will prioritize areas such as fiduciary duties and standards of conduct for investment advisers, and cybersecurity, artificial intelligence (AI), and anti-money laundering (AML) for various market participants. More generally, the Division’s acting director, Keith Cassidy, stated the 2025 guidance aims to “identify the key areas of potentially increased risks and related harm for investors” In addition to conducting examinations in core areas such as disclosures and governance practices, the Division will also examine compliance with new rules, the use of emerging technologies, and the soundness of controls intended to protect investor information, records, and assets.

Read More

---

Securities Class Action Updates

The Increase in Artificial Intelligence-Related Securities Class Actions

By Jay Dubow, Joanna Cline, and Millie Krnjaja

With the increasing prominence of Artificial Intelligence technology (AI), the potential for legal disputes regarding its use has grown. While the full scope of AI-related legal risks is still developing, both the Securities and Exchange Commission (SEC) and Federal Trade Commission (FTC) have revealed the kinds of AI-related corporate behaviors they consider problematic. The problematic corporate behavior the agencies emphasized the most is “AI Washing”—the practice of making unfounded claims about AI capabilities.

Read More

On January 16, the Treasury Department (Treasury) and the Internal Revenue Service (IRS) issued Notice 2025-08 (Notice), which provides an updated safe harbor (First Updated Elective Safe Harbor) that modifies and otherwise clarifies the safe harbor (New Elective Safe Harbor) provided in Notice 2024-41 (which modified Notice 2023-38) that taxpayers may elect to use to calculate the domestic cost of Manufactured Products (defined below) and Manufactured Product Components (defined below) within a project. Under the Inflation Reduction Act of 2022 (IRA), projects that satisfy applicable “Buy American” requirements (the domestic content requirement) qualify for enhanced credit amounts for several clean energy tax credits, including investment tax credits under Sections 48 and 48E (ITC) and production tax credits under Sections 45 and 45Y (PTC).

Treasury and the IRS intend to include the rules in Notice 2023-38, as modified by Notice 2024-41 and further modified by the Notice, in forthcoming proposed regulations concerning domestic content, which will apply to taxable years ending after May 12, 2023. Taxpayers may rely on the rules set forth in Notice 2023-38 (including Table 2 thereof, as modified by Notice 2024-41), as modified by the Notice, with respect to the domestic content requirements for any qualified facility, energy project, or energy storage technology (each, an Applicable Project) the construction of which begins before the date that is 90 days after the date of publication of the forthcoming proposed regulations in the Federal Register. Taxpayers may rely on the New Elective Safe Harbor (as modified by the Notice to clarify such safe harbor’s availability to Applicable Projects satisfying the 80/20 Rule (described below)) for any Applicable Project the construction of which begins before April 16, 2025 (the date that is 90 days after the effective date of the Notice). Taxpayers may rely on the First Updated Elective Safe Harbor for any Applicable Project the construction of which begins before the date that is 90 days after any future modification, update, or withdrawal of the First Updated Elective Safe Harbor. Where taxpayers may rely on either the New Elective Safe Harbor or the First Updated Elective Safe Harbor, a taxpayer may apply only one of the above-referenced safe harbors and its associated cost percentages and must use it exclusively.

Overview

In general, the domestic content requirement applies to any steel, iron, or item produced as part of a manufacturing process (a Manufactured Product) that is a component of an Applicable Project (an Applicable Project Component).

The domestic content requirement with respect to Manufactured Products (Manufactured Products Requirement) is met if all Applicable Project Components that are Manufactured Products are produced in the U.S. or are deemed to be produced in the U.S. All Applicable Project Components that are Manufactured Products are deemed to be produced in the U.S. if the Adjusted Percentage Rule (described below) is satisfied.

The domestic content requirement with respect to steel or iron (Steel or Iron Requirement) is met if, consistent with 49 CFR § 661.5(b) and (c), all manufacturing processes with respect to any steel or iron items that are Applicable Project Components take place in the U.S., except metallurgical processes involving refinement of steel additives. Notice 2023-38 provided that the Steel or Iron Requirement applies to Applicable Project Components that are construction materials made primarily of steel or iron and are structural in function, but does not apply to steel or iron used in articles, materials, or supplies, whether manufactured or unmanufactured, that are directly incorporated into an Applicable Project Component that is a Manufactured Product (Manufactured Product Components) or subcomponents of Manufactured Product Components.

For purposes of classifying certain Applicable Project Components as steel or iron or as Manufactured Products, and for identifying certain Manufactured Product Components, Table 2 of Notice 2023-38, as modified by Notice 2024-41, provided a safe harbor that categorized certain items with respect to ground-mount and rooftop photovoltaic systems, land-based and offshore wind facilities, battery energy storage facilities, hydropower facilities, and pumped hydropower storage facilities as either subject to the Steel or Iron Requirement or Manufactured Product Requirement (Safe Harbor Classifications). However, Notice 2023-38 provides that the Safe Harbor Classifications may not be an exhaustive set of all components for a Project. Taxpayers that elect to use the New Elective Safe Harbor provided by Notice 2024-41 must use a list included in Table 1 of Notice 2024-41 (Table 1) as the exclusive and exhaustive set of all Applicable Project Components and Manufactured Product Components for an Applicable Project.

• By treating Table 1 as the exclusive set of Applicable Project Components, taxpayers can rule out the possibility that any items not included in Table 1 could be subject to the Steel or Iron Requirement, which is critical given that the Steel or Iron Requirement is absolute.

The First Updated Elective Safe Harbor, which applies to both the Steel or Iron Requirement and Manufactured Products Requirement, provides for the classification of identified Applicable Project Components (as steel or iron or Manufactured Products), and taxpayers that elect to use the First Updated Elective Safe Harbor must use the lists provided in the updated tables set forth in the Notice as the exclusive and exhaustive set of all Applicable Project Components and Manufactured Product Components. Taxpayers must affirmatively elect to rely on the First Updated Elective Safe Harbor by providing notice to the IRS on the Domestic Content Certification Statement required by Notice 2023-38.

Adjusted Percentage Rule

The Domestic Cost Percentage for an Applicable Project is equal to the percentage produced by dividing the Domestic Manufactured Products and Components Cost by the Total Manufactured Products Cost. If the Domestic Cost Percentage for an Applicable Project equals or exceeds the adjusted percentage that applies to the Applicable Project, then the Applicable Project satisfies the Adjusted Percentage Rule. For most projects under the rules now in effect, the adjusted percentage is either 40% or 45%.

Under Notice 2023-38, the Domestic Manufactured Products and Components Cost is based on the sum of (1) the direct materials and direct labor costs incurred by U.S. Manufactured Product manufacturers to produce each U.S. Manufactured Product (products that are manufactured in the U.S. using only U.S. Components) and (2) the direct materials and direct labor costs incurred by non-U.S. Manufactured Product manufacturers to produce or acquire U.S. Components. The relevant direct costs are determined by reference to Treasury Regulation Section 263A-1(e)(2)(i). The Total Manufactured Products Cost for an Applicable Project is the sum of the costs of each Applicable Project Component that is a Manufactured Product.

Notice 2024-41 established the New Elective Safe Harbor, which allows taxpayers to satisfy the Adjusted Percentage Rule without obtaining manufacturer direct cost data. Specifically, in Table 1, the New Elective Safe Harbor provided for the associated cost percentages for each of the identified Manufactured Products and Manufactured Product Components, consistent with those identified in the Safe Harbor Classifications. To apply the New Elective Safe Harbor, a taxpayer adds up the assigned cost percentages from Table 1 for each U.S. Component and U.S. Manufactured Product of the Applicable Project, which equals the Domestic Cost Percentage.

Like the New Elective Safe Harbor, the First Updated Elective Safe Harbor in the Notice provides for the associated cost percentages for each of the identified Manufactured Products and Manufactured Product Components. The Notice clarifies that the assigned cost percentages apply regardless of whether property listed in such updated tables is fully or fractionally owned or shared.

First Updated Elective Safe Harbor Modifications

The First Updated Elective Safe Harbor modifies or otherwise clarifies the New Elective Safe Harbor in several ways, as further discussed below.

1. Clarification of Application to Projects Satisfying the 80/20 Rule

The so-called “80/20 Rule” applies to determine whether a retrofitted Applicable Project qualifies as originally placed in service even if it contains some used components. Under the 80/20 Rule, an Applicable Project may be considered originally placed in service only if the fair market value of the used components is not more than 20% of the total value of the Applicable Project, taking into account the cost of the new components and the value of the used components. The Notice clarifies that a taxpayer may elect to use the New Elective Safe Harbor or the First Updated Elective Safe Harbor, as applicable, to qualify for the domestic content bonus credit amount for Applicable Projects that are eligible for a credit by virtue of the 80/20 Rule.

The Notice further clarifies that only new U.S. Manufactured Products and U.S. Components of the Applicable Project that are listed in Table 1, as modified by the Notice, would be considered in the calculation of the Domestic Cost Percentage (with no changes to the percentages therein). All other Manufactured Products or Manufactured Product Components, including the used property in an Applicable Project that qualifies as originally placed in service by virtue of the 80/20 Rule, will be treated as foreign-sourced Manufactured Products or Manufactured Product Components (solely for purposes of calculating the Domestic Cost Percentage when applying the New Elective Safe Harbor or the First Updated Elective Safe Harbor) and must be assigned a zero value. Retrofitted Applicable Projects must also satisfy the Steel or Iron Requirement only with respect to new Applicable Project Components that are specified in Table 1, as modified by the Notice, as subject to the Steel or Iron Requirement.

2. Modifications to Table 1 for Solar PV

The First Updated Elective Safe Harbor modifies the Solar PV Table of Table 1 by expanding it into two distinct tables, one for photovoltaic (PV) ground-mount (tracking and fixed) Applicable Projects and one for PV rooftop (MLPE and string) Applicable Projects, and by providing updated associated cost percentages for each table (Updated Assigned Cost Percentages for PV Solar). Additionally, the Notice clarifies that in instances in which a U.S. Component meets the criteria of more than one listed Manufactured Product Component, the taxpayer may claim all relevant Updated Assigned Cost Percentages for purposes of calculating the Domestic Cost Percentage.

• The Notice indicates that the Department of Energy (DOE) calculated the Updated Assigned Cost Percentages for PV Solar using its new ground-mount and rooftop PV component costs for 2024, which the DOE derived from cost data from a variety of sources, including datasets of system characteristics, price indices, U.S. survey data from the government (for example, the U.S. Bureau of Labor Statistics and the Department of Labor) and private sector, public filings from corporations, and comprehensive interviews of manufacturers, installers, developers, and owners of the representative technologies. In addition, the DOE used data collected from three different national laboratories to generate the Updated Assigned Cost Percentages for PV Solar, rather than the single national laboratory survey that the DOE relied upon for the methodology used to generate the original assigned cost percentages in Notice 2024-41.

The First Updated Elective Safe Harbor also modifies the Table 1 for Solar PV by adding a new column with a second set of Updated Assigned Cost Percentages for each type of ground-mount PV system and each type of rooftop PV system. This alternative set of Updated Assigned Cost Percentages can be used if a PV system has PV modules that incorporate crystalline silicon photovoltaic (c-Si PV) cells and wafers manufactured within the U.S.

• These alternative Updated Assigned Cost Percentages for PV Solar were incorporated to reflect the significant cost premium this type of cell would carry relative to other types of domestic cells, such as those with foreign wafers or domestic thin-film cells. The Notice reflects that Treasury and the IRS, in consultation with the DOE, implemented these additional columns after review of comments received in response to Notice 2024-41, concluding that Table 1 as originally published therein could misrepresent the expected costs of domestically produced c-Si PV cells made with domestically produced silicon wafers. Because this inaccuracy could risk under-crediting a component whose value is, to a significant extent, created domestically, while over-crediting other components within the table, Treasury and the IRS, in consultation with the DOE, determined that it was appropriate to provide taxpayers the option of using a cost safe harbor that more specifically reflects the cost of c-Si PV cells produced with domestically produced wafers.

  • For Ground-mount (Tracking) Projects with domestically sourced c-SI PV Cells & domestic wafers, the cells contribute 51.6 Updated Assigned Cost Percentage points. Accordingly, a Project that includes such cells could satisfy the Adjusted Percentage Rule Requirement without incorporating any other U.S. Manufactured Product Components.

• The Notice clarifies that taxpayers with ground-mount (tracking or fixed) or rooftop (MLPE or string) solar PV systems may elect to use these alternative Updated Assigned Cost Percentages for PV Solar if all, or a portion of, the PV modules in the Applicable Project use domestically manufactured c-Si PV cells that exclusively use domestically manufactured wafers. However, the Notice further clarifies that taxpayers that elect to use these alternative associated cost percentages where only a portion of the Applicable Project’s PV cells are domestic c-Si PV cells that exclusively use domestically manufactured wafers must treat any domestically manufactured PV cells that do not exclusively use domestic wafers as though such PV cells are foreign sourced for purposes of using the associated cost percentages in the Notice, and may not include the “Production” cost percentage for PV modules containing such cells that otherwise meet the definition of a U.S. Manufactured Product. Additionally, taxpayers that use these alternative associated cost percentages must use the corresponding Updated Assigned Cost Percentages for PV Solar for all the Manufactured Products and Manufactured Product Components in the Applicable Project for purposes of determining the Domestic Cost Percentage.

  • Treating domestically manufactured PV cells that do not exclusively use domestic wafers as foreign sourced seems harsh given that the Notice could have attributed a lesser Updated Assigned Cost Percentage value to the cells for purposes of the mixed source item calculation.

Additionally, the First Updated Elective Safe Harbor modifies Table 1 for Solar PV by renaming certain Applicable Project Components and Manufactured Product Components. Most notably, the First Updated Elective Safe Harbor renames “Steel or iron rebar in foundation” to “Steel or iron reinforcing products in foundation” to better reflect its function and to clarify that non-rebar steel or iron reinforcement is also covered.

• The change to reference “reinforcing products” rather than rebar adds some incremental risk that an item not identified by a taxpayer as a reinforcing product could be treated as subject to the Steel or Iron Requirement.

Further, the First Updated Elective Safe Harbor modifies Table 1 for Solar PV to redefine, recategorize, and reclassify certain components.

• First, the First Updated Elective Safe Harbor revises the definition of (i) “Ground-mounted PV (fixed-tilt)” to clarify that it includes canopy steel racking structures and structures floating on a body of water, (ii) “Ground-mounted PV (tracker)” to clarify that it includes structures floating on a body of water, and (iii) “Rooftop PV ((MLPE)” to clarify that it refers to a system where the microinverters or DC-optimizers regulate the DC electricity from each of its solar PV modules independently before the electricity is converted into alternating current electricity.

• Second, with respect to “Solar PV Ground-Mount,” the First Updated Elective Safe Harbor clarifies that the Manufactured Product Component “Electrical Parts” includes the following components that are not on printed board assemblies: control transformers, capacitors, inductors, bus/cables, and circuit protection.

• Third, with respect to “Solar PV Rooftop,” the First Updated Elective Safe Harbor categorizes DC to DC and DC to AC “Printed Circuit Board Assemblies” as separate Manufactured Products Components and clarifies that domestic Printed Circuit Board Assemblies that perform both functions (that is, convert both DC to DC and DC to AC) can receive credit for each associated cost percentage. Additionally, the First Updated Elective Safe Harbor removes “Electrical Parts for rooftop PV systems” and adds their costs to “Printed Circuit Board Assemblies (DC-DC)” and “Printed Circuit Board Assemblies (DC-AC)”.

• Fourth, the First Updated Elective Safe Harbor removes “Adhesives” from the original list of Manufactured Product Components for Solar PV in Table 1 to avoid redundancy and confusion because “Pottants” and “Edge Seals,” which are listed as Manufactured Product Components within the First Updated Elected Safe Harbor, are also adhesives. To account for such removal, Treasury and the IRS increased the associated cost percentage for both “Pottants” and “Edge Seals.”

3. Modifications to Table 1 for Land-Based Wind.

The First Updated Elective Safe Harbor modifies Table 1 for Land-based Wind by renaming “Steel or iron rebar in foundation,” the Applicable Project Component for wind turbine foundation steel, to “Steel or iron reinforcing products in foundation.”

• As with the same modification for Solar PV, this change adds some incremental risk that an item not identified by a taxpayer as a reinforcing product could be treated as subject to the Steel or Iron Requirement.

The First Updated Elective Safe Harbor also modifies Table 1 for Land-Based Wind by renaming “Material,” the Manufactured Product Component for wind tower flanges, to “Preform.” The Notice further clarifies that flanges are typically made from single pieces of steel bar or pre-formed steel ingot; therefore, the only component of a flange would be the preform.

• We note the First Updated Elective Safe Harbor’s values (Updated Assigned Cost Percentages for Land-Based Wind) are the same values as the original assigned cost percentages for land-based wind set forth in Notice 2024-41. The Notice indicates that the same values were used because the DOE found only minor changes in the component cost data underlying the original Assigned Cost Percentages for the Land-Based Wind Table, and thus did not independently publish updates to this data.

4. Modifications to Table 1 for Battery Energy Storage Systems (BESS).

The First Updated Elective Safe Harbor modifies the BESS table of Table 1 by providing updated associated cost percentages (Updated Assigned Cost Percentages for BESS), which the DOE sourced from its new BESS component costs for 2024. The Notice indicates that the Updated Assigned Cost Percentages for BESS more closely reflect the direct cost methodology outlined in Notice 2023-38.

• The DOE derived the Updated Assigned Cost Percentages for BESS in a similar manner to that discussed above in relation to the Updated Assigned Cost Percentages for PV Solar.

Additionally, the First Updated Elective Safe Harbor modifies the BESS table of Table 1 by renaming certain Applicable Project Components and Manufactured Product Components, recategorizing certain Manufactured Product Components, and removing the cost values for the “Electrical Parts and Thermal Management System for Inverter” Manufactured Product Component (within the “Inverter/Converter” Applicable Project Component) from the Distributed BESS column and adding such cost values to the “Printed Circuit Board Assemblies” Manufactured Product Component within the same column. The Notice indicates that these modifications were made to better represent the variety of the Manufactured Product Components that are used for particular functions within Applicable Project Components.

• The First Updated Elective Safe Harbor renames certain Applicable Project Components and Manufactured Product Components. Like the modifications to Table 1 for Solar PV and Land Based Wind, the First Updated Elective Safe Harbor also renames the “Steel or iron rebar in foundation” Applicable Project Component to “Steel or iron reinforcing products in foundation”.

• The First Updated Safe Harbor additionally recategorizes the following Manufactured Product Components: (i) “Thermal Management System” and “Battery Management System” are recategorized from the Applicable Project Component row of “Battery Pack,” to the Applicable Project Component row of “Battery Container/Housing,” and (ii) “Battery Racks and Metal Enclosures” are recategorized as “Enclosures” within the Applicable Project Component row of “Battery Container/Housing.” With respect to “Thermal Management Systems” and “Battery Management Systems,” the DOE advised that most of these systems are located in the container outside of the battery pack/module. For this reason, the Notice indicates that the reclassification described above more accurately represents the Manufactured Product Components for “Battery Packs/Modules” and for “Battery Container/Housing.”

Conclusion

Unlike Notice 2024-41, the Notice does not provide a novel alternative path to meeting the domestic content requirements. However, the Notice should be welcome to any taxpayers utilizing PV modules that incorporate crystalline silicon photovoltaic (c-Si PV) cells and wafers in Solar PV Projects and could eliminate the need to source other domestic Manufactured Products or Manufactured Product Components in order for certain Projects to satisfy the requirements.

We note that the Notice continues to leave some notable gaps, once again not addressing Safe Harbor Classifications for renewable natural gas projects or the application of the Adjusted Percentage Rule (and the calculation of assigned cost percentages) to integral parts used by more than one qualified facility for purposes of 45Y and 48E.

Many of the developments from increased restructuring activity in 2024 will shape the trends we expect to see in 2025, including increased use of liability management transactions, increased distressed M&A activity, a surge in private equity and private credit and increasingly active lenders. This article explores these trends and their implications for the middle-market ecosystem in the coming year.

Click here to read the full article on Middle Market Growth.

On January 16, the Internal Revenue Service (IRS) published proposed regulations (90 FR 4691) under Section 162(m) of the Internal Revenue Code. Section 162(m) generally limits the deductibility of compensation paid in any tax year to covered employees of a publicly held corporation to $1 million.

The purpose of the proposed regulations is to clarify certain ambiguities created by the Section 162(m) amendments in the American Rescue Plan Act of 2021 (ARPA), which expanded the definition of a “covered employee” for taxable years beginning after December 31, 2026.

Background

Prior to the passage of the ARPA, Code Section 162(m) provided that a “covered employee” included the principal executive officer (PEO), principal financial officer (PFO), and the three highest compensated officers, other than the PEO and PFO, at any time during the taxable year, as determined by the Securities Exchange Act of 1934. For tax years beginning after December 31, 2016, such a covered employee remains a covered employee for future years, even if such individual no longer serves in the covered position or is among the three highest compensated officers (the “once in, always in” concept). The ARPA expanded the definition of “covered employee” to also include, beginning after December 31, 2026, the next five highest compensated employees of the publicly held corporation for the taxable year (other than its PEO, PFO, and three highest compensated officers), but only for the taxable year in which they are part of the next five group.

Proposed Regulations

The proposed regulations clarify that “employee” includes not only the executive officers, but also (i) common law employees of the publicly held corporation and its affiliated group, and (ii) individuals who are employed by a separate employer (such as a related but unaffiliated organization or a certified professional employer organization) but nevertheless function as employees of the publicly held corporation by providing substantially all of their services during the taxable year for the publicly held corporation or its affiliated group. For this purpose, the affiliated group includes foreign corporations. Further, the proposed regulations provide that an individual is considered an employee if such individual is an employee on any day in the year, regardless of whether the employee is employed on the last day of the year.

For purposes of determining whether a common law employee (including an executive officer) of the publicly held corporation is one of the next five most highly compensated employees, the proposed regulations define “compensation” as compensation that would otherwise be deductible for the taxable year but for Section 162(m). The IRS commented that this approach should be easily administrable because companies currently track compensation to determine their tax liability for the tax year. However, the proposed regulations do not address how to treat compensation that is not deductible at all by the corporation (such as incentive stock options) or compensation that is not deductible by the corporation in the current taxable year.

To address the IRS’s concern that a publicly held corporation may attempt to alter the composition of its next five highest compensated employees by transferring highly compensated employees to a subsidiary or adopting a holding company structure, the proposed regulations confirm that any employee of any member of the affiliated group that includes the publicly held corporation may be among the next five highest compensated employees, regardless of whether the employee is an employee or performs services for the publicly held corporation. The proposed regulations also include specific rules for addressing situations where an affiliated group includes a foreign corporation and where more than one publicly held corporation is a member of the affiliated group.

Practical Takeaways

Companies should keep in mind that an individual can simultaneously qualify as a covered employee by being one of the five most highly compensated employees for the tax year and a covered executive officer from a preceding tax year. Also, the “once in always in” rule that applies to the PEO, PFO, and three highest compensated officers is not applicable to individuals who are covered employees by virtue of being among the next five highest compensated employees. Such individuals will be covered employees only for the current taxable year. Companies should carefully track the basis for including an individual in their covered employee population to ensure they know which covered employees must remain covered or fall out of coverage year-to-year.

Further, the proposed regulations require that a different definition of “compensation” be used when determining whether an employee is one of the three most highly compensated executive officers of the taxpayer (other than the PEO or PFO), which is determined by Regulation S-K Item 402 under the Security and Exchange Commission’s proxy disclosure rules, or one of the next five most highly compensated employees for the tax year, which is determined by an employee’s tax-deductible compensation but for Section 162(m), as discussed above. The applicable definition of “compensation” should therefore be carefully reviewed when making these determinations each year.

Although the new rules will not apply until taxable years beginning after December 31, 2026, publicly held corporations should begin to gather information on their employee population and who may qualify as a “covered employee” as part of the next five group.