Prosecutors will now focus more on bribery involving cartels and transnational criminal organizations (TCOs), especially where there is a link to money laundering or corrupt foreign officials. This focus aligns with the Trump administration’s broader efforts to label cartels as foreign terrorist organizations and dismantle their operations globally. Companies working in areas influenced by cartels—particularly in Latin America—should expect increased scrutiny if their operations intersect with criminal groups or compromised government entities. The DOJ also is prioritizing cases where bribery denies U.S. businesses fair access to global markets, marking a shift toward protecting American commercial interests and away from cases lacking clear indicia of economic harm to U.S. companies. Additionally, minor gifts or customary low-dollar business courtesies will no longer be an enforcement priority. Instead, the DOJ will focus on serious misconduct, such as large bribe payments, sophisticated concealment efforts, fraud tied to bribery schemes, and obstruction of justice. The June 9 guidelines also indicate that DOJ may decline to pursue enforcement if a credible foreign authority is willing and able to prosecute the same conduct. Prosecutorial discretion remains central, and all investigations must align with DOJ policies, including the Principles of Federal Prosecution.

As directed by EO 14209, the DOJ has been undertaking a 180-day review of all active FCPA investigations, which are supervised by DOJ’s Criminal Division. In remarks on June 10, the Head of the Criminal Division, Matthew R. Galeotti, clarified that the DOJ has already been applying the criteria set forth in the new guidelines in deciding whether to close or proceed with active FCPA cases. As the DOJ continues to reassess cases in line with its new guidelines, companies with international operations and interactions with government officials—as broadly defined under the FCPA—should continue to evaluate compliance risks, strengthen internal controls and remediate identified misconduct. While the DOJ’s newly announced FCPA enforcement focus may be narrower than during prior administrations, the Department still retains broad discretion to enforce the FCPA as it is written. As Galeotti underscored in his remarks, “priority connotes precedence, not exclusivity.” Statutes of limitations often extend beyond a presidential term and can be tolled under certain conditions, meaning that today’s misconduct may create a risk of liability that lasts for years. In addition, misconduct that violates the FCPA may breach other U.S. laws, such as those governing fraud, racketeering or money laundering. Both federal and state prosecutors may use such laws to pursue bribery cases. The SEC also is not necessarily tied to the DOJ’s approach when bringing civil FCPA actions against issuers on U.S. exchanges. Meanwhile, foreign regulators like the UK’s Serious Fraud Office have clearly signaled plans to increase their own enforcement efforts. And Galeotti emphasized that the Criminal Division “won’t hesitate to work with our foreign counterparts or domestic regulators to provide assistance and ensure that those countries and regulators can vindicate their interests and pursue their mandates.”

With the DOJ’s newly updated enforcement priorities in hand, companies with potential FCPA exposure should not view any changes as a relaxation of standards. The DOJ retains the authority to pursue serious violations, and overlapping legal regimes—including those enforced by the SEC, state and foreign regulators—ensure that foreign bribery remains a significant legal risk. Companies should remain proactive in monitoring compliance, identifying vulnerabilities and responding decisively to misconduct. For companies involved in global trade, a robust anti-corruption program remains essential to minimizing liability in an evolving enforcement landscape.

The post DOJ Refocuses FCPA Enforcement on National Security, Cartels and U.S. Business Interests appeared first on Compliance in Focus: Readiness, Investigations and Enforcement.

In “New DOJ Initiative Expands FCA Use to Enforce Civil Rights Compliance and Target DEI Initiatives,” colleagues Thomas C. Hill, Jeffrey P. Metzler, Kimberly D. Jaimez, Dylan M. Aste and Jeffrey J. Izant explore the significance of this new Initiative.

The post The DOJ Recasts the False Claims Act as a Civil Rights Enforcement Tool appeared first on Compliance in Focus: Readiness, Investigations and Enforcement.

In “DOJ Announces Shift in Approach to Prosecuting Corporate Crime,” colleagues Jeffrey J. Izant and Dylan M. Aste take a closer look at the newly announced changes to the Criminal Division’s enforcement policies.

The post DOJ Revisions to White-Collar Enforcement Policies Seek a New Balance appeared first on Compliance in Focus: Readiness, Investigations and Enforcement.

In “DOJ Releases Its Data Security Program Compliance Guide,” colleagues Tony Phillips, Shruti Bhutani Arora, Sahar J. Hafeez, Christine Mastromonaco, Leighton Watson and Sheetal Misra discuss the key components of the DSP and offer thoughts about compliance.

The post The Data Security Program Compliance Guide Is Released by the DOJ appeared first on Compliance in Focus: Readiness, Investigations and Enforcement.

In U.S. Department of Justice Curtails “Regulation by Prosecution” in Digital Asset Enforcement, colleagues Jeffrey J. Izant, David Oliwenstein and Alexis N. Wansac put the new policy in context and explain why, while the new policy represents a shift in the agency’s tone, the practical effect on digital asset prosecutions may be limited.

The post New DOJ Policy Signals New Approach to Digital Assets and Criminal Enforcement appeared first on Compliance in Focus: Readiness, Investigations and Enforcement.

President Trump Signs Executive Order Designed to Support U.S. Crypto Industry
On January 23, 2025, President Trump signed an executive order that sets forth the administration’s policy “to support the responsible growth and use of digital assets, blockchain technology, and related technologies across all sectors of the economy.” The Executive Order focuses on several key priorities, including:

• Establishing the President’s Working Group on Digital Asset Markets (the Working Group) within the National Economic Council;
• Restricting agencies from engaging in actions to establish, issue or promote central bank digital currencies;
• Promoting the growth of U.S. dollar-backed stablecoins;
• Protecting and promoting crypto companies’ access to banking services; and
• Providing regulatory clarity and certainty for the crypto industry.

The Working Group will be chaired by venture capitalist David Sacks, whom President Trump previously selected to be the administration’s “Crypto and AI Czar.” It will consist of a dozen official members, including the chairs of the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC), the Secretaries of the Treasury and Commerce Departments, the Attorney General, and several other senior officials from the administration. The Working Group may also solicit input from other relevant federal agencies and stakeholders, including private citizens who are “leaders in digital assets and digital markets.”

The Executive Order directs the Working Group to submit a report to President Trump within 180 days that proposes a comprehensive federal regulatory framework for digital assets, including stablecoins, and that evaluates the potential for a national “stockpile” of digital assets. President Trump signaled an interest in creating a national bitcoin reserve based in part on the federal government’s existing Bitcoin holdings, and the Executive Order appears to be the first official step toward creating that reserve.

The Working Group will also review regulations, guidance documents, orders, and other policy items that impact the crypto industry and, within 60 days, submit recommendations to the chair of the Working Group for whether those items should be rescinded, modified or remain in place. The Executive Order itself directly repeals one aspect of the Biden administration’s crypto policy: Executive Order 14067 of March 9, 2022, which set forth the Biden administration’s policy objectives for the regulation of digital assets. In other words, the Trump administration appears to be moving swiftly to remove perceived obstacles to the widespread use of blockchain technology and development of the crypto asset markets. By assessing the merits of relevant regulation, guidance and policy that impact the crypto industry, the Working Group will act to further the President’s agenda of generating actionable ideas to provide increased regulatory certainty and concrete guidance to market participants regarding the rules of the road.

SEC Forms New Crypto Task Force
On January 21, 2024, Acting SEC Chairman Mark T. Uyeda announced the creation of a new “Crypto 2.0” task force charged with creating a clear crypto regulatory framework. Commissioner Hester Peirce, who has previously supported regulatory clarity for the crypto industry, will lead the task force. The SEC’s press release announcing the task force critiqued the SEC’s previous “novel and untested” legal interpretations and enforcement actions that attempted to regulate crypto “retroactively and reactively.” The Crypto 2.0 task force will instead look to develop “a comprehensive and clear regulatory framework” for crypto. It will also help the SEC “deploy enforcement resources judiciously.” The task force will collaborate with other federal officials and agencies, including the CFTC, and state and international regulators, and will also seek input from stakeholders and the public.

Pro-Crypto Appointments in Key Roles
In Washington, as the saying goes, “personnel is policy.” President Trump’s appointees for key regulatory positions are already beginning to shape the administration’s crypto policy agenda, will continue to further the President’s agenda, and are widely expected to take a more even-handed and industry friendly approach to crypto regulation and enforcement than their predecessors in the Biden administration.

In the newly created role of “Crypto and AI Czar,” David Sacks advises the President and guides the administration’s policy on matters related to crypto. In a social media post announcing the selection, President Trump stated that Sacks “will work on a legal framework so the Crypto industry has the clarity it has been asking for, and can thrive in the U.S.” As the chair of the crypto Working Group, Sacks is now positioned to carry out that directive. Sacks is a longtime supporter of the crypto industry and is expected to push for more permissive crypto policy that supports innovation and the growth of the industry in the United States.

As described above, the SEC has already launched a new task force aimed at providing clear rules of the road for the crypto industry. Trump has also nominated Paul Atkins to chair the SEC. Atkins, a former SEC commissioner, has expressed support for the crypto industry and served on advisory boards and at advocacy groups that promote crypto and blockchain technology. He is expected to take a considerably different approach to crypto than Biden administration SEC Chair Gary Gensler, who brought high-profile enforcement actions against crypto companies and their executives and was criticized for “regulation by enforcement.” We anticipate that Atkins will take a more even-handed approach to regulating the crypto industry, including by reviewing and reconsidering the enforcement positions the SEC took under former Chair Gensler. The SEC under Atkins will also likely attempt to provide clear rules and guidance to the crypto industry, through the work of the new Crypto 2.0 task force and participation in the crypto Working Group.

On January 27, 2025, the Senate confirmed Scott Bessent as secretary of the Treasury Department. Bessent has been similarly celebrated by the crypto community. In contrast to Biden administration Treasury Secretary Janet Yellen, who at times expressed skepticism of the crypto industry, Bessent has been a vocal proponent of blockchain technology and digital assets. Bessent will shape U.S. financial and economic policy and, like other senior Trump appointees, is expected to push for more measured oversight of the crypto industry that promotes growth and innovation.

Federal Banking Regulators Will Likely Revisit Biden Administration Crypto Policy
During the Biden administration, the federal banking regulators closely scrutinized banks’ own crypto activity and banks’ arrangements with crypto companies. Most notably, the Federal Deposit Insurance Corporation (FDIC) recently disclosed that it issued so-called “pause” letters to more than 20 banks requesting that those banks pause crypto-asset-related activity while the FDIC evaluated whether it would require banks to make regulatory filings or provide additional information before engaging in such activity. The Federal Reserve and Office of the Comptroller (OCC) of the Currency similarly suggested that banks obtain prior approval before engaging in or expanding crypto asset-related activities. In many instances, these policies had the effect of making it more challenging for crypto companies to access the banking system and to provide their products and services to the public.

Under President Trump, new senior officials will be in leadership positions at each of the federal banking agencies. On January 20, President Trump appointed Travis Hill as acting chairman of the FDIC, and Hill issued a statement outlining his short-term policy priorities, including adopting “a more transparent approach to fintech partnerships and to digital assets and tokenization.” Hill has also stated that the FDIC should consider issuing additional guidance that lays out clear expectations for how banks may engage in crypto-related activities. In addition, Michelle Bowman, a leading contender to be nominated the vice chair for Supervision of the Federal Reserve, has also expressed support for clarity and transparency in regulators’ supervision of banks’ crypto-related activities.

The Executive Order specifically names “fair and open access to banking services” for the crypto industry a key priority. We expect that Trump administration banking regulators will provide a clearer framework for banks to engage in crypto-related activities (such as providing custodial services) and to partner with crypto companies to facilitate providing crypto products and services. These officials will also play a key role in shaping the administration’s overall crypto policy and in the development of a comprehensive regulatory framework.

Congress Likely to Consider Crypto Legislation
House Financial Services Committee Chair French Hill and Senate Banking Committee Chair Tim Scott have stated their interest in passing the Financial Innovation and Technology for the 21st Century Act (FIT21), which previously made it through the House of Representatives with bipartisan support. This bill would classify cryptocurrency as a commodity, giving the CFTC the  exclusive authority over cash or spot markets for digital commodities, and the SEC authority when a digital asset is associated with a blockchain that is not decentralized. Whether Congress will enact this legislation remains uncertain, but there is clear interest in Congress to take action to provide clarity in the regulation of crypto.

Companies Must Still Contend with State Regulators
Even if the Trump administration provides a clearer regulatory framework for the crypto industry and expands opportunities for companies to provide innovative crypto services, the federal government is likely to continue prosecuting cases of fraud, money laundering, sanctions violations, and similar crimes in the crypto context. In addition, many companies will still need to navigate the complex web of state regulation that applies to crypto and other digital assets. For example, crypto companies operating in New York will remain subject to New York’s “BitLicense” regulatory and licensing regime. California also recently enacted and is now implementing its Digital Financial Assets Law, which will similarly require many crypto companies to obtain a license. Many states’ money transmission licensing laws will also continue to apply to crypto companies.

In addition, state attorneys general and securities regulators may attempt to fill a perceived gap in crypto-related enforcement. New York Attorney General Letitia James has been particularly active in bringing enforcement actions against prominent crypto companies. This state enforcement activity will continue, and is in fact likely to increase, during President Trump’s second term.

Compliance Considerations and Other Action Items
The prospect of decreased regulation and enforcement under the Trump administration does not necessarily decrease overall risk for the crypto industry, and firms should not compromise on compliance. Complying with the existing rules of the road, including anti-money laundering laws and regulations, will continue to be critically important for crypto companies. In addition, regulated entities will need to satisfy their usual compliance obligations, including by implementing and maintaining appropriate policies and procedures, training, and other controls.

There is clear momentum in the executive and legislative branches of the federal government to design and implement a clearer roadmap that allows digital assets and blockchain technology companies to operate and grow with a greater degree of regulatory certainty. However, change takes time, and companies should continue to carefully assess how their products and services fit within the existing, as well as the evolving, regulatory framework.

The post Trump 2.0: A New Era for the Regulation of Cryptocurrency and Digital Assets appeared first on Compliance in Focus: Readiness, Investigations and Enforcement.

The post Preparing for Congressional Oversight and Investigations appeared first on Compliance in Focus: Readiness, Investigations and Enforcement.

Key Takeaways from the Decisions

• Excessive data retention: Both companies stored customer data for six years after the end of the commercial relationship, mainly for marketing purposes. CNIL found this retention period to be excessive, recommending a maximum retention period of three years. Telemaque, in particular, failed to implement any restrictions on access to the data, keeping it in active databases without sorting or limiting access over this six-year period.
• Processing sensitive data without explicit consent: Both companies processed sensitive personal data—such as sexual orientation and health information—during clairvoyance consultations without obtaining explicit consent. CNIL emphasized that merely using the service does not meet the GDPR’s requirement for explicit consent when processing special categories of data.
• Unlawful marketing communications: The companies sent marketing communications via email and SMS without obtaining valid consent. The forms used to collect customer data did not clearly inform users that their data could be shared for marketing purposes by both Cosmospace and Telemaque, resulting in a breach of consent requirements.
• Recording of calls: Cosmospace recorded all customer calls for several purposes: (i) to monitor service quality and for employee training, (ii) to demonstrate that contracts had been concluded and properly executed, (iii) to respond to legal requests, and (iv) for safeguarding purposes. However, the CNIL found that these justifications did not warrant the systematic recording of all calls. Instead, CNIL recommended that a sample of calls could be recorded for quality monitoring and training, and only the portions of calls directly relevant to contract conclusions should be retained. Additionally, recordings could be manually triggered by employees in situations involving distress or safeguarding concerns. CNIL found that recording all calls in this manner breached the GDPR’s data minimization principle.

Next steps for consumer-facing businesses
These decisions are particularly relevant for any consumer-facing businesses operating in the EU or UK, especially those with operations in France. It’s a timely reminder to review current practices regarding:

• Marketing consents: Ensure that proper consent is obtained before sending marketing communications, and that consumers are fully informed about how their data will be used.
• Processing of sensitive data: Review consent mechanisms for any data collection activities involving special categories of personal data, such as health or sexual orientation, to ensure compliance with GDPR.
• Data retention: Assess your data retention policies, particularly for marketing purposes, to ensure personal data is not held longer than necessary and that appropriate restrictions on access and use are in place.

This is an opportunity to reassess compliance frameworks, particularly in light of guidance from EU supervisory authorities.

The post GDPR Enforcement: Lessons from Recent Data Privacy Penalties appeared first on Compliance in Focus: Readiness, Investigations and Enforcement.

In March 2024, Deputy Attorney General Lisa Monaco requested that the DOJ Criminal Division “incorporate assessment of disruptive technology risks, including risks associated with AI” so that prosecutors could “assess a company’s ability to manage AI-related risks as part of its overall compliance efforts.” This guidance is the latest in a variety of executive actions aimed at regulating the use of AI by bolstering the security of the technology and protection of users.

ECCP Guidance on AI
The ECCP guidance incorporates the framework for defining AI outlined in the Office of Budget and Management directive on Advancing Governance, Innovation and Risk Management for Agency Use of Artificial Intelligence. The ECCP guidance specifies that “no system should be considered too simple to qualify as a covered AI system due to a lack of technical complexity” and that AI includes even the use of smaller models that were trained on small subsets of data. Thus, machine learning developed and trained only using a corporation’s own data would likely still qualify as AI for the purpose of this guidance and be scrutinized accordingly.

The guidance instructs prosecutors to consider whether companies have adequately considered the risk that new and emerging technologies may pose to their ability to comply with criminal laws when evaluating a corporation’s risk assessment processes. In particular, regarding the use of AI, the guidance instructs that adequate risk assessments should consider whether the corporation has:

• a mechanism by which it can assess the impact of AI to comply with criminal laws;
• considered the management risk related to the use of AI within the broader context of its enterprise risk management;
• governance and compliance polices related to the responsible use of AI;
• considered the risks that reckless or deliberate misuse of technologies such as AI by insiders could have to their operations and whether they have implemented policies and controls responsive to these risks;
• considered what is the baseline of human decision making used to assess any AI-generated content including, but not limited to, monitoring for bias or inaccuracy; and
• developed and implemented appropriate training to ensure that employees understand the responsible use of AI and other emerging technologies.

In her remarks announcing the guidance, Principal Deputy Assistant Attorney General and head of DOJ Criminal Division Nicole Argentieri stated that prosecutors will use the new guidance to assess how corporations manage risks “related to the use of new technology such as artificial intelligence both in their business and in their compliance programs.” Thus, investigations under the new guidance will appear to be two-fold and assess both how a company is using AI in its own operations and how a company’s interactions with external AI may expose vulnerabilities.

So, for example, a DOJ evaluation under the new ECCP guidance may concern how the use of AI by a company’s employee might make it vulnerable to violating its own internal policies, such as its code of conduct. But an ECCP evaluation may also consider whether a company is vulnerable to criminal schemes that utilize AI generated content or images. Corporate risk assessments and polices are expected to account for vulnerabilities related to its own use of AI within the organization and the use of AI by others outside the organization.

Implications for Compliance Programs
Given the new DOJ guidance, corporations should assess their own compliance programs to ensure that they have adequately considered the risks that AI and similar emerging technologies may pose to their operations, and companies must implement policies and controls to adequately address those risks. Companies should begin by assessing how AI or other emerging technologies do or could affect their operations. Companies should be sure to investigate within their operations teams to determine if and how their employees may be utilizing AI to perform their functions. Companies will also want to consider how their operations may be vulnerable to manipulation by AI tools. If companies utilize AI or other emerging technologies even in minor ways, they should ensure they have considered the risks associated with such use, craft policies to protect against those risks, and develop and implement training to educate their employees regarding both the risks and applicable policy.

The post DOJ Debuts Updates to Its Evaluation of Corporate Compliance Programs Aimed at the Responsible Use of Artificial Intelligence appeared first on Compliance in Focus: Readiness, Investigations and Enforcement.

The post United Kingdom: White Collar Crime appeared first on Compliance in Focus: Readiness, Investigations and Enforcement.