Gibson Dunn

We are pleased to provide you with the March 2026 edition of Gibson Dunn’s monthly European privacy, cybersecurity, and data innovation update. Please feel free to reach out to us to discuss any of the below topics further.

Europe

03/26/2026

EDPB | Report | Legitimate Interest

The European Data Protection Board (EDPB) provides practical enforcement insight into how supervisory authorities assess reliance on legitimate interest under the GDPR.

This thematic digest compiles and analyses one-stop-shop decisions from the EDPB register, showing how supervisory authorities apply the three-step test under Article 6(1)(f) of the GDPR in different factual scenarios. The report includes compliant and non-compliant examples, reflects recent guidance, and refers to relevant EU case law and national decisions. It is intended as a practical tool for authorities and controllers by clarifying how necessity and balancing tests are assessed in enforcement practice.

For more information: EDPB Commissioned Report

03/26/2026

ENISA | Guidance | Cybersecurity Market Analysis Framework

The European Union Agency for Cybersecurity (ENISA) updated its guidance on how to conduct market analysis in the field of cybersecurity.

This new version of the ENISA Cybersecurity Market Analysis Framework incorporates lessons learned from previous applications. It strengthens the framework’s ability to respond to both immediate policy needs and long-term monitoring requirements while aligning with recent EU legislation such as the NIS 2 Directive and the Cyber Resilience Act.

For more information: ENISA Cybersecurity Market Analysis Framework

03/19/2026

EDPB | GDPR | Transparency

The European Data Protection Board (EDPB) launches coordinated enforcement action on transparency and information obligations under the GDPR.

On March 19, the EDPB launched its 2026 Coordinated Enforcement Framework CEF action, shifting focus from the 2025 right-to-erasure work to GDPR transparency and information obligations. In 2026, 25 European data protection authorities will review how organizations inform individuals about data processing, using enforcement and fact-finding across sectors. Findings will be pooled in the second half of the year, culminating in an EDPB report to guide follow-up at both national and EU levels.

For more information: EDPB Website

03/19/2026

CJEU | Judgment | GDPR Access Request

The European Court of Justice (CJEU) clarifies that a GDPR access request may be considered abusive and refused.

In its judgment in Case C-526/24, the EU Court of Justice held that even a first GDPR access request made under Article 15 of the GDPR can be refused as “excessive” or abusive where it’s made solely to manufacture a compensation claim. Controllers may rely on patterns of repeated requests and litigation to demonstrate abusive intent. The Court also confirmed that compensation under the GDPR requires proof of actual material or non-material damage and cannot be granted where the data subject’s own conduct is the determining cause of the harm.

For more information: CJEU Website

03/18/2026

EDPB-EDPS | Joint Opinion | Cybersecurity Act 2 and NIS 2

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopted a joint opinion on proposals for a Cybersecurity Act 2 (CSA2) and amendments to the NIS 2 Directive.

The EDPB and EDPS support the CSA2 and NIS2 proposals to strengthen ENISA’s role, facilitate cybersecurity certification, and address ICT supply chain risks, including the non-technical ones. In addition, the EDPB and EDPS strongly support the establishment of a single-entry point for the notification of personal data breaches.

For more information: EDPB Website

03/12/2026

EDPB-EDPS | Joint Opinion | European Biotech Act and Clinical Trials

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) support the European Commission’s proposal for a European Biotech Act to harmonize clinical trials across the EU, while insisting on robust, purpose-specific safeguards to protect sensitive health and genetic data.

In their Joint Opinion, the EDPB and EDPS welcome the introduction of a single legal basis for the processing of personal data by sponsors and investigators under the Clinical Trials Regulation, as a means to reduce fragmentation and increase legal certainty. At the same time, they stress that simplification must not lower data protection standards and recommend targeted safeguards, including clearer controller roles, limits on data retention, strict conditions for further processing, coherence with the AI Act, and the use of appropriate technical and organizational measures such as pseudonymization.

For more information: EDPB Website

03/04/2026

EDPB | Study | Data Brokers

The EDPB has released a new study mapping the data-broker market and identifying high-risk personal data providers and intermediaries.

The EDPB’s Data Brokers Market Study, completed in November 2025 at the request of the Belgian DPA, provides a methodology for identifying data brokers and assesses their business models and associated risks. Focused on the Belgian market, the study reveals a highly diverse landscape of data brokers and providers with varying levels of risk related to personal data use. Beyond its national scope, the report offers a broader framework to help detect high-risk data brokers across Europe.

For more information: EDPB Website

France

03/20/2026

CNIL | Guidance | Sound Recording

The French Supervisory Authority (CNIL) reiterated that sound recording is generally prohibited in video surveillance systems.

The CNIL confirms that audio capture integrated into video surveillance is banned due to significant risks to privacy and freedom of expression. However, standalone audio recording systems may be permitted in limited cases, provided they are not automatically linked to cameras and are triggered manually (e.g. in case of aggression). Such systems must remain exceptional, necessary, and proportionate, with strict safeguards on activation, retention (only in case of incidents), staff training, and transparency toward individuals.

For more information: CNIL Website [FR]

03/10/2026

CNIL | Guidance | Data Governance Act

The French Supervisory Authority (CNIL) published guidance on Data Altruism Organizations (DAOs) under the EU Data Governance Act.

DAOs enable voluntary data sharing for general interest purposes and must meet specific requirements, including non-profit status, legal independence from for-profit entities, and transparent governance. The CNIL serves as France’s competent authority for DAO registration and clarifies key operational questions, including permissible legal forms, subcontracting rules, and how DAOs may receive fees or provide compensation to data holders.

For more information: CNIL Website [FR]

03/04/2026

French Council of State | Judgment | GDPR

The French Council of State (Conseil d’État) upheld the French supervisory authority (CNIL) €40 million fine against an adtech company for GDPR violations related to its targeted advertising practices.

The court considered that the company failed to demonstrate valid user consent for data processing, provided inadequate transparency about its data use purposes (including algorithm training), and did not properly erase data when users withdrew consent. Notably, the ruling reaffirms that pseudonymized cookie identifiers linked to browsing data, IP addresses, and purchase history constitute personal data under the GDPR, as re-identification remains technically feasible without disproportionate effort.

For more information: Conseil d’État Website [FR]

03/02/2026

CNIL | Caselaw Compilation | 2026 Data Protection Caselaw Table

The French Supervisory Authority (CNIL) has released its 2026 update to the “Tables Informatique et Libertés,” a reference document compiling key case law and regulatory decisions on personal data protection.

Designed for legal professionals and academics, the tables summarize rulings from the CNIL, the CJEU, the ECtHR, French courts, and the EDPB, organized by theme (principles, legal bases, individual rights, security, transfers, and sanctions). The publication aims to promote consistency in the CNIL’s enforcement practices while increasing transparency around its legal reasoning.

For more information: CNIL Website [FR]

Germany

03/26/2026

German Parliament | Legislation | EU Data Act and Data Governance Act

Germany has adopted two laws implementing the Data Act and the Data Governance Act.

The two implementing laws establish national rules on supervision, procedures and sanctions for the enforcement of both EU instruments. The Federal Network Agency (Bundesnetzagentur) has been designated as the competent authority for enforcing both the Data Act and the Data Governance Act, while the Federal Statistical Office will act as the central information point and provide support to public bodies in connection with decisions on the reuse of protected public-sector data under the Data Governance Act. The new national measures also introduce administrative fines of up to €500,000.

For more information: German Parliament Website [DE]

03/25/2026

Hamburg Supervisory Authority | Report | 2025 Data Protection Activity

Hamburg Supervisory Authority (HmbBfDI) has published its 2025 report, highlighting a significant increase in complaints and the role of AI in this development.

The report records over 4,200 complaints, representing an increase of 60% compared to 2024, and observes that this upward trend has continued into 2026. It points to growing public dissatisfaction with digital services, particularly social networks, where complaint volumes have nearly tripled. According to the authority, the increasing use of AI has contributed to this trend in two ways. On the one hand, individuals are making growing use of AI tools to assist them in submitting complaints. On the other hand, the deployment of insufficiently mature AI systems is negatively affecting digital customer service and giving rise to data protection concerns.

For more information: HmbBfDI Website [DE]

03/06/2026

Federal Administrative Court | Judgment | Health Data and Preventive Programs

Germany’s Federal Administrative Court (BVerwG) has held that private health insurers may not, without consent, analyze diagnoses contained in reimbursement invoices to identify potential participants for preventive programs.

The Court held that the insurer’s practice did not breach Article 9(1) GDPR because the health-prevention derogation in Article 9(2)(h) GDPR could in principle apply, and Section 22(1) no. 1(b) BDSG provided the necessary national-law basis. It nevertheless found the processing unlawful because it could not be justified under Article 6(1)(f) GDPR. In the Court’s view, the insured persons’ interests prevailed in the balancing exercise, given the heightened protection of health data under Article 9, the fact that the programs were outside the medical core area, the broad scope of the analysis, and the insurer’s failure to explain its interests clearly enough to data subjects. The Court left open whether the re-use of the data also infringed the purpose-limitation principle.

For more information: Federal Administrative Court Website [DE]

Spain

03/25/2026

Spanish Supervisory Authority | Strategy | 2026 Action Plan and 2025 Implementation Report

The Spanish Supervisory Authority (AEPD) published a near-complete 2025 scorecard and a 2026 action plan with a heavier emphasis on privacy technology and AI.

The AEPD says five of the seven strategic axes from 2025 were completed at 100%, while the other two exceeded 97%, with overall execution above 99%. Its 2026 plan sets 32 operational objectives and 115 actions, including privacy-lab work, technological experimentation, AI tools and automation.

For more information: AEPD Website [ES]

03/24/2026

Spanish Supervisory Authority | Guidance | Personal Data Breaches

The Spanish Supervisory Authority (AEPD) refreshed its operational guidance on how organizations should notify personal data breaches, reinforcing Article 33 compliance expectations.

The AEPD updated its guidance page on notifying personal data breaches to the supervisory authority, reiterating that breach notifications should be submitted electronically via the designated e-filing process and that notifying a breach does not automatically mean an investigation will follow. The page restates core GDPR framing: timely notification is part of accountability, failure to notify where required is an infringement, and controllers must document breaches even where they assess no risk to individuals’ rights and freedoms. This is a practical reference for incident response playbooks, particularly for multinational teams coordinating EU breach notifications.

For more information: AEPD Website [ES]

03/04/2026

National Cryptologic Center | Infographics | NIS2 Compliance

Spain’s National Cryptologic Center (CNN) has published four infographics to help entities navigate NIS2 compliance.

The materials cover the Directive’s key points, core requirements, scope, and a practical compliance guide, and stress that ENS Certificates of Conformity can be used to support demonstration of NIS2 compliance. The initiative builds on the CCN’s wider work aligning ENS tools with NIS2 requirements and gives organizations a short operational reference for scoping obligations and evidencing baseline cybersecurity governance.

For more information: CCN Website [ES]

03/04/2026

Spanish Supervisory Authority | Sanction | Data Protection Impact Assessment

The Spanish Supervisory Authority (AEPD) fined a football club €500,000 for rolling out biometric identity checks for members without a compliant prior DPIA.

The case concerns the club’s 2023 digital census update, which used facial biometrics and optional voice biometrics for member verification. According to the published reporting on the decision, the AEPD found that the scale of the processing, the use of biometrics, the involvement of minors and the potential legal impact for members required a full Article 35 GDPR assessment before deployment, and that the club’s internal risk documentation did not meet that standard.

For more information: AEPD Resolution [ES]

United Kingdom

03/31/2026

ICO | Report | Use of Automated Decision Making in Recruitment

The UK Supervisory Authority (ICO) has published a report highlighting risks and regulatory expectations for the use of automated decision-making (ADM) in recruitment.

The report identifies concerns around lack of transparency, insufficient human involvement, misuse of automated tools, and risks of bias or discrimination in relation to ADM in recruitment. It stresses that employers must assess whether recruitment decisions are solely automated, apply the safeguards required under UK GDPR, provide clear information to candidates, ensure genuine human review where ADM is relied on, and carry out robust DPIAs for high-risk processing.

For more information: ICO Website and Report

03/26/2026

ICO | Sanction | Company Fined £100,000 for Unlawful Direct Marketing Calls

The UK Supervisory Authority (ICO) sanctioned a UK company for large-scale unlawful telemarketing targeting vulnerable individuals.

The ICO issued a fine of £100,000 (€115,447) after a company made over 260,000 unsolicited marketing calls to individuals registered with the Telephone Preference Service, in breach of Privacy and Electronic Communications Regulations (PECR) requirements. Investigations revealed misleading practices, including false caller identities and targeting of older individuals, as well as the use of unlawfully obtained third-party data. The enforcement action, issued under the Data Protection Act 1998 and PECR, underscores the regulator’s continued focus on intrusive direct marketing and the importance of consent, transparency and lawful data sourcing.

For more information: ICO Website

03/25/2026

ICO-Ofcom | Joint Statement | Age Assurance

The UK Supervisory Authority (ICO) and the UK’s regulator for communications services (Ofcom) aligned their age-assurance expectations and reiterated that self-declaration alone is not enough.

The joint statement is aimed at child-accessed services subject to both the Online Safety Act and UK data protection law (UK GDPR and Data Protection Act 2018), and presents a risk-based, tech-neutral approach to age assurance. It states that age assurance must be effective, necessary, and proportionate, notes that self-declaration alone is not an effective means of preventing underage access, and links robust age gates to avoiding unlawful processing of children’s data.

For more information: ICO Website

03/02/2026

UK Government I Public Consultation I Online Child Safety

The UK Government opened a consultation on online child safety and AI chatbots.

The consultation has five chapters covering how children use technology, possible intervention strategies, approaches to enforcement and compliance, preparing children for a digital future and supporting families. The consultation includes several questions on AI chatbots and social media, including whether such offerings should be subject to minimum age restrictions, and whether the digital age of consent should be raised. The consultation is open until 26 May.

For more information: Government Website

The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison, Thomas Baculard, Ioana Burtea, Billur Cinar, Hermine Hubert, Christoph Jacob, Yannick Oberacker and Phoebe Rowson-Stevens.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

Privacy, Cybersecurity, and Data Innovation:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914,fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

From the Derivatives Practice Group: This week, the CFTC approved an order to grant a limited exemption to the Chicago Mercantile Exchange and the Fixed Income Clearing Corporation to make their existing cross-margining arrangement available to certain customers.

New Developments

CFTC and Kansas State University Announce Return of AgCon Conference. On April 17, the CFTC and the Risk Management Center at Kansas State University announced the return of the Agricultural Commodity Futures Conference, known as AgCon. From October 22-23, the CFTC and KSU will jointly host the fourth AgCon, bringing government officials, agribusiness leaders, and academia together to discuss critical issues affecting America’s agricultural futures markets. [NEW]

Chairman Michael Selig Testifies Before the U.S. House Committee on Agriculture. On April 16, CFTC Chairman Selig testified before the House Committee on Agriculture. As part of his prepared remarks, Chairman Selig highlighted recent efforts to reduce regulatory burdens for farmers and small businesses, advance crypto regulation, and oversee emerging prediction markets. He also emphasized the CFTC’s dual commitment to combating fraud and manipulation while updating its regulatory tools to address the challenges of evolving financial markets. [NEW]

CFTC Approves Order to Further Strengthen U.S. Treasury Market Liquidity. On April 15, the CFTC approved an order to grant a limited exemption necessary for the Chicago Mercantile Exchange Inc. (CME) and the Fixed Income Clearing Corporation (FICC) to make their existing cross-margining arrangement available to certain customers with appropriate safeguards. The order permits joint clearing members of CME and FICC that are dually registered as broker-dealers with the Securities and Exchange Commission and futures commission merchants with the Commission to hold futures customer funds in a commingled customer account at FICC. [NEW]

CFTC Announces Innovation Task Force Staff. On April 10, the CFTC announced the members of the Innovation Task Force (ITF). The CFTC said that the ITF will work with the CFTC to develop a clear regulatory framework for innovators focused on crypto assets and blockchain technologies; artificial intelligence and autonomous systems; and prediction markets and event contracts. The complete list of ITF members can be found here.

CFTC Announces Agricultural Advisory Committee Members. On April 10, the CFTC announced the members of the Agricultural Advisory Committee (AAC). Chairman Selig is the sponsor of the AAC and nominated Emma Johnston as the committee’s designated federal officer. The complete list of AAC members can be found here.

CFTC Seeks to Enjoin Arizona Criminal and Civil Enforcement Against Prediction Markets. On April 8, the CFTC filed a motion in the U.S. District Court for the District of Arizona asking the court for a preliminary injunction and temporary restraining order that would halt Arizona’s efforts to apply state criminal and gambling laws against CFTC-regulated prediction markets. According to the CFTC, the motion builds on last week’s filing, with the Department of Justice, of a lawsuit challenging Arizona’s preempted conduct. To date, the CFTC has filed complaints against Arizona, Connecticut, and Illinois, seeking declaratory judgments that federal law grants the CFTC exclusive authority to regulate event contracts and requesting permanent injunctions preventing the states from enforcing preempted state laws against its registrants.

CFTC Chairman Selig Announces Deputy General Counsel Appointments. On April 3, the CFTC announced Stephen D. Andrews and M. Jordan Minot have been named deputy general counsel for regulation and litigation, respectively. Andrews joins the CFTC from the United States Senate, where he served as general counsel to Senator Josh Hawley. Minot comes to the CFTC from the Virginia Attorney General’s Office, where he served as an assistant solicitor general and senior assistant attorney general.

New Developments Outside the U.S.

ESMA Launches Call for Evidence on Restricted Subscription and Private Credit Ratings. On April 16, ESMA launched a call for evidence to gather stakeholder views on the purposes, market practices, needs and risks associated with restricted subscription and private credit ratings. ESMA invites stakeholders to provide evidence‑based responses, including quantitative information where available, as well as concrete examples drawn from market practice. [NEW]

ESMA Releases Reporting Templates and Instructions for the Active Account Requirement. On April 13, ESMA published the reporting templates and instructions for the Active Account Requirement (AAR) reporting under European Market Infrastructure Regulation. The new templates set out in detail how entities subject to the AAR should report the required information to their competent authorities. Through this development, ESMA stated that it aims to ensure a harmonized and efficient approach to AAR reporting across the EU. [NEW]

ESMA Clarifies Expectations in the Run-up to the Launch of EU’s Consolidated Tapes. On April 1, ESMA published Q&As on the onboarding of data contributors to the EU’s Consolidated Tapes (CTs), and on the operational rules for the Consolidated Tape Providers (CTPs). According to ESMA, the goal is to increase certainty for all market participants in anticipation of the go-live of the EU’s CTs for bonds and for equities. In this context, ESMA expects the relevant data contributors to engage with the selected CTPs ahead of their formal authorization, to ensure that the data transmission setup is in place before the CTs’ go‑live.

New Industry-Led Developments

CPMI-IOSCO Assesses that U.K. has Implemented Principles for Financial Market Infrastructures (FMI) for Two FMI Types. On April 16, IOSCO and the Committee on Payments and Market Infrastructures (CPMI) released a report that assesses whether, and to what degree, the content of the legal, regulatory and oversight frameworks–including rules and regulations, any relevant policy statements or other forms of implementation–are complete and consistent with the IOSCO’s principles for financial market infrastructures. [NEW]

ISDA Published Research Note on Global Trading in INR Derivatives and the Indian OTC Derivatives Market. On April 13, ISDA published a research note that provides a global perspective on the Indian rupee (INR) derivatives markets, followed by an analysis of over-the-counter (OTC) derivatives activity reported by sales desks in India. The research note examines market size, growth trends and the composition of trading by geography, currency, product and counterparty. [NEW]

ISDA, CMCE, ETE, and FIA Respond to FCA on Commodity Derivatives Clearing Threshold. On April 9, ISDA, the Commodity Markets Council Europe (CMCE), Energy Traders Europe (ETE), and the Futures Industry Association (FIA) jointly responded to Chapter 7 of the UK Financial Conduct Authority’s (FCA) Quarterly Consultation CP26/8 on increasing the clearing threshold for commodity derivatives under the UK European Market Infrastructure Regulation.

ISDA Responds to EC’s Settlement Finality Regulation Proposal. On April 9, ISDA published technical comments on the European Commission’s (EC) proposed Settlement Finality Regulation as it applies to designated EU systems and registered third-country systems. According to ISDA, one significant concern is that the scope of insolvency protections provided to registered third-country systems by the new framework is unduly restricted. ISDA’s technical comments also cover proposed changes to the Financial Collateral Directive to facilitate the implementation of distributed ledger technology.

ISDA, AFME, ICMA and EBF Publish Paper on Proposals Relating to MiFIR PTT. On April 7, the Association for Financial Markets in Europe (AFME), the International Capital Market Association (ICMA) and the European Banking Federation (EBF) published a paper on proposals relating to post-trade transparency (PTT) under the Markets in Financial Instruments Regulation (MiFIR) contained in the European Commission’s Market Integration and Supervisions Package. ISDA said that the paper supports the EC’s proposal to remove forward rate agreements and basis swaps from the scope of public transparency due to their illiquid nature and also backs the existing proposal to disapply PTT requirements under MiFIR for over-the-counter derivatives concluded on certain third-country trading venues, effectively superseding an existing European Securities and Markets Authority opinion that currently provides for this. However, ISDA also said, the paper urges the EC and co-legislators to be more ambitious by extending the scope of the proposal to cover all asset classes in the scope of PTT and to disapply PTT for transactions executed away from trading venues and made public on suitably qualified third-country approved publication arrangements.

ISDA Publishes Paper on Maintaining Data Integrity for Single-sided Reporting. On April 2, ISDA published a paper that it described as addressing concerns among regulators that moving from dual-sided to single-sided reporting would adversely affect the quality of data they receive. ISDA said that the paper reinforces its longstanding advocacy that true single-sided reporting would reduce reporting costs and administrative workload in alignment with the EU’s simplification and burden reduction agenda and would enhance consistency with other global reporting regimes.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Karin Thrasher, and Alice Wang.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)

Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)

Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)

Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)

Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)

Adam Lapidus, New York (212.351.3869, alapidus@gibsondunn.com )

Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)

William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com )

David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)

Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com )

Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)

Alice Yiqian Wang, Washington, D.C. (202.777.9587, awang@gibsondunn.com)

Gibson Dunn advised Landmark Properties, a fully integrated real estate investment management firm specializing in the development, construction, acquisition, and operation of high-quality residential communities, on the final close of the Landmark Sponsor Fund, LP, at $300 million, exceeding its initial $200 million target.

The firm’s corporate team was led by partner Roger Singer and included of counsel Robert Harrington and associate Maggie Valachovic. Partner Evan Gusler and associate Galya Savir advised on tax aspects.

In an interview with The Banker (“The ‘Uncomfortable Fiction’ of AI Agent Compliance,” April 15, 2026), partner Michelle Kirschner discusses the “uncomfortable fiction” of liability for AI decisions in the U.K., which holds (human) senior managers responsible. “We are holding a person accountable for a decision they did not make, may not have foreseen and potentially could not have prevented,” she says.

The Banker’s in-depth feature looks at how banks using AI agents for operational tasks face risks due to the lack of a compliance framework governing what happens when AI causes a financial loss, as well as how that risk sharpens when it comes to cross-border activity.

Shout-out to a Gibson Dunn team led by Christopher Joralemon and David Kusnetz, who have been representing mining giant Vale S.A. in securities litigation stemming from the 2019 collapse of the tailings dam at the Brumadinho iron mine in southeastern Brazil, which killed hundreds and led to extensive environmental damage. U.S. District Judge Eric Komitee in Brooklyn this week excluded the plaintiffs’ expert report on damages, finding it failed to distinguish the investment losses caused by Vale’s alleged misrepresentations about the risk of a dam collapse from those caused by the collapse itself. The Gibson Dunn team includes Chase Weidner, Andrew Freire, Nicholas Canelos, Jabari Julien, Nathalie Gunasekera, Amanda Bello, Amir Heidari, Simone Rivera and Carolyn Ye.

Shout-out to a team at DLA Piper that represented the firm in a pregnancy discrimination lawsuit filed by a former associate. After a six-day trial, federal jurors in Manhattan this week found that plaintiff Anisha Mehta failed to prove that the firm was liable for discrimination under the New York City Human Rights Law. Jurors further found the firm was not liable for interfering with Mehta’s Family and Medical Leave Act rights and had not committed retaliation in response to her leave request. The trial team was led by DLA Piper partners Brett Ingerman, Jessica Masella and Jon Kinney, with support from Gibson, Dunn & Crutcher partner Molly Senger.

To read the complete article visit Law.com (subscription required)

Reprinted with permission from the April 17, 2026 edition of “The AmLaw Litigation Daily” © 2026 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or asset-and-logo-licensing@alm.com.

Join us for a recorded webcast offering a comprehensive guide to the challenges inherent in data center development and the legal risks that may arise. Gain practical insights into key considerations and emerging patterns in digital infrastructure disputes and learn how to identify and mitigate issues before they become obstacles.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the area of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour in the General category.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

PANELISTS:

Tory Lauterbach is a partner in Gibson Dunn’s Washington, D.C. office and Co-Chair of the Energy Regulation and Litigation Practice Group. She has extensive experience providing transactional and regulatory advice to energy companies, large energy users, and their lenders and investors. Tory is a leader within the firm’s data centers and digital infrastructure practice, where she advises data center developers, investors, and lenders regarding all aspects of delivering electric power to data centers. This work includes negotiating power supply and infrastructure agreements with utilities, power purchase and tolling agreements for both grid-connected and on-site generation, natural gas supply arrangements, and the power and energy portions of customer agreements, such as data center leases and service orders. Tory brings deep knowledge of the electricity and natural gas businesses to bear to take complex data center projects to market, including many of the largest data center campuses announced in North America. As a transactional attorney with regulatory training, Tory’s strong grounding in federal and state energy regulatory issues enhances her ability to advise data center clients who need to interface with public utilities and their regulators.

David Casazza is a partner in the Washington, D.C. office of Gibson Dunn. He practices in the firm’s Appellate and Constitutional Law and Administrative Law and Regulatory Practice Groups. David has represented clients in appellate and regulatory litigation before the Supreme Court of the United States, federal appellate courts, and federal district courts. These cases have involved a wide range of subjects including separation of powers, federal rulemaking challenges, business reorganization, anti-terrorism claims and foreign sovereign immunity, energy infrastructure permitting, and a variety of First Amendment speech and religious liberty claims. He has also represented clients in complex litigation, including large class actions, antitrust, and racketeering cases.

John Craig is of counsel in the Washington, D.C. office of Gibson Dunn where he is a member of the Tax Controversy and Litigation Practice Group. His practice focuses on federal tax controversies. John has assisted clients during the pre-litigation stages of federal tax disputes from examinations to protests before the IRS Independent Office of Appeals, represented clients in docketed cases covering transfer-pricing disputes and a variety of international and employment tax issues, and maintains an active pro bono practice before the U.S. Tax Court. Prior to joining Gibson Dunn, he was an associate in the tax group of another law firm in Washington, D.C. and served as a law clerk to the Honorable Maurice B. Foley of the United States Tax Court.

A Global Investigations Review article describing how the U.S. Bureau of Industry and Security suspended a $1.7 million penalty against a California company for breaching US export controls by cleaning up its compliance program (“BIS Suspends $1.7m Fine on California Semiconductor Tool Company,” April 14, 2026), includes commentary by partner Matt Axelrod.

Matt said that BIS occasionally uses suspended fines to show a violation is serious enough to warrant a high penalty even if the agency knows the company can’t pay. “BIS doesn’t want companies to go out of business, but there is a public education aspect to bringing an enforcement action,” he said.

Matt, who co-chairs Gibson Dunn’s Sanctions and Export Enforcement practice group, is a former Assistant Secretary for Export Enforcement at the Bureau of Industry and Security.

Gibson Dunn is the only firm that placed in the Top 10 in Vault’s Prestige and Best Law Firms to Work For rankings, ranking eighth and fifth, respectively. In addition, the firm ranked first in the following categories: Regional Prestige – Mountain States; Practice Area Prestige – Real Estate; and Quality of Life – Business Outlook.

Vault’s 2026–2027 rankings are derived from Vault’s Annual Associate Survey conducted from October 22, 2025, to January 23, 2026. Associates’ ratings of the prestige of peer firms are reflected in the Prestige rankings, while the Best Law Firms to Work For rankings are based on associates’ ratings of their own firms on a range of workplace issues related to career development, job satisfaction, and quality of life.

Gibson Dunn represented Diginex Limited (Nasdaq: DGNX), a leading provider of Sustainability RegTech solutions, in the signing of a definitive Share Purchase Agreement to acquire Resulticks Global Companies Pte Limited, a globally recognized leader in real‑time, AI‑driven customer intelligence solutions, in an all‑share transaction valued at $1.5 billion.

Led by partners Robert Giannattasio, Christopher Lang, and Fang Xue, the firm’s global team included of counsel Gwenlynne Lee and Marie Kwon and associates Joey Herman and Kai Wen Chua.

Spearheaded by Miguel Estrada, the U.S. Supreme Court Round-Up keeps clients apprised of the Court’s most recent actions. The Round-Up previews cases scheduled for argument, tracks the actions of the Office of the Solicitor General, and recaps recent opinions. The Round-Up provides a concise, substantive analysis of the Court’s actions. Its easy-to-use format allows the reader to identify what is on the Court’s docket at any given time, and to see what issues the Court will be taking up next. The Round-Up is the ideal resource for busy practitioners seeking an in-depth, timely, and objective report on the Court’s actions.

Gibson Dunn’s U.S. Supreme Court Round-Up provides summaries of cases decided during the October 2025 Term and highlights other key developments on the Court’s docket. For the October 2025 Term, the Court has granted 61 petitions and set one application for oral argument, in addition to two cases from last Term set for reargument, for a total of 58 arguments. To date, the Court has heard 49 arguments in 53 cases and has released 18 opinions in 20 cases.

View the Round-Up Here

Gibson Dunn has a longstanding, high-profile presence before the Supreme Court of the United States, appearing numerous times in the past decade in a variety of cases. Twelve current Gibson Dunn lawyers have argued before the Supreme Court, and during the Court’s ten most recent Terms, the firm has argued a total of 28 cases, including closely watched cases with far-reaching significance in the areas of intellectual property, securities, separation of powers, and federalism. Moreover, although the grant rate for petitions for certiorari is below 1%, Gibson Dunn’s petitions have captured the Court’s attention: Gibson Dunn has persuaded the Court to grant over 40 petitions for certiorari since 2006.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the U.S. Supreme Court. Please feel free to contact the following authors in the firm’s Washington, D.C. office, or any member of the Appellate and Constitutional Law Practice Group.

Miguel A. Estrada (+1 202.955.8257, mestrada@gibsondunn.com)

Jessica L. Wagner (+1 202.955.8652, jwagner@gibsondunn.com)

Lavi Ben Dor (+1 202.777.9331, lbendor@gibsondunn.com)

Christian Talley (+1 202.777.9537, ctalley@gibsondunn.com)

Partner Karin Portlock was interviewed by KTUL-TV about an amended complaint filed on April 10 in an ongoing federal lawsuit against Tulsa Public Schools. Gibson Dunn brought the case on behalf of the family of a special needs first-grade student who was assaulted in 2024 by a staff member who later pleaded guilty to felony child abuse. According to the amended complaint, the assault was one of several examples of school employees using improper force and violence against disabled students.

“What we’ve uncovered is that the mistreatment of special needs children in Tulsa Public Schools is endemic,” said Karin.

In an in-depth interview with The AmLaw Litigation Daily [PDF] (“Speed by Itself Is Not Enough: How Gibson Dunn’s Trey Cox Thinks AI Is Reshaping Litigation Strategy,” April 14, 2026), partner Trey Cox asserts that the main value of AI is not speed but rather what he refers to as “strategic compression”—the ability to get “to the point of decision-making faster.”

Trey explains that “In complex litigation, trial teams can spend days and weeks and months gathering documents, organizing facts, mapping the factual terrain, the legal standards and pressure-testing things.” With AI, he says, “we can compress those weeks and months into hours and days.”

Trey adds that this compression isn’t about locking into a theory earlier—it’s about testing it harder, which is what the best trial teams do. “You should use AI … to test the assumptions, to challenge the facts,” he said. “That’s the magic of what AI allows you to do.”

Trey is Co-Chair of the firm’s global Litigation Practice Group and Co-Partner in Charge of the Dallas office.

A Gibson Dunn team has achieved a significant victory on behalf of Vale S.A.—the world’s largest iron mining company—in a long-running multibillion-dollar securities litigation in the U.S. District Court for the Eastern District of New York.

After pending for nearly two years, Vale’s motion to exclude Dr. Steven Feinstein’s expert damages model in its entirety was granted by Judge Eric Komitee—a pathbreaking ruling that will reverberate far beyond this case. The Court’s decision provides robust guidance on the proper damages methodology experts must employ in event-driven securities class actions involving realization of understated risks. For far too long, securities class action plaintiffs in these cases have sought to “supersize” damage amounts by hiring experts who assume maximum artificial inflation from day one of a class period and then label as “damages” every penny of market losses on alleged corrective disclosure dates. This decision should end that practice once and for all.

Led by Christopher Joralemon and David Kusnetz, the firm’s winning team included Chase Weidner, Andrew Freire, Nicholas Canelos, Jabari Julien, Nathalie Gunasekera, Amanda Bello, Amir Heidari, Simone Rivera, and Carolyn Ye.

Gibson Dunn is monitoring regulatory developments closely. Our lawyers are available to assist companies as they navigate the challenges and opportunities posed by the current, evolving legal landscape.

On April 7, 2026 the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (the Proposed Rule) revising regulation of financial institutions’ anti-money laundering and countering the financing of terrorism (AML/CFT) programs under the Bank Secrecy Act (BSA).[1] In support of the Proposed Rule, FinCEN issued a press release (the Press Release),[2] a fact sheet (the Fact Sheet),[3] and a list of “key changes” (the Key Changes Document).[4] FinCEN states that the Proposed Rule will fundamentally reform financial institution programs designed to fight illicit finance. FinCEN also intends for the Proposed Rule to modernize the U.S. AML/CFT regulatory framework by promoting risk-based programs and greater consistency across banks and financial institutions. FinCEN asserts that the Rule intends to ensure that AML/CFT programs better achieve the purposes of the BSA and lead to more effective outcomes for financial institutions and law enforcement.[5] The Proposed Rule has a sixty-day notice-and-comment period, ending on June 9.[6]

FinCEN advised that the Proposed Rule was “prepared in consultation with” the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Board of Governors of the Federal Reserve System (FRB) “in order to collectively issue proposed amendments to their respective BSA compliance program rules for the institutions they supervise.”[7] Concurrently with the Proposed Rule, on April 7, 2026, the OCC, FDIC, and NCUA issued a joint NPRM (Concurrent NPRM) meant to ensure “that their program requirements for banks remain consistent with those imposed by FinCEN” and prevent “any additional burden or confusion from needing to comply with differing standards between FinCEN and the Agencies.”[8] The Concurrent NPRM was also published in the Federal Register on April 10, 2026 and has a comment deadline of June 9, 2026.[9]

The below update summarizes some of the key changes and priorities described in the Proposed Rule, as analyzed by Gibson Dunn’s market-leading Anti-Money Laundering and Administrative Law and Regulatory Practice Groups.

1. The Proposed Rule reframes FinCEN enforcement and introduces a new supervisory role for banks’ AML/CFT programs. The Proposed Rule reforms AML/CFT supervision and enforcement related to banks. Banking regulators—including the OCC, FRB, FDIC, and NCUA—have independent authority under their own statutes to prescribe regulations requiring banks to establish and maintain procedures reasonably designed to assure and monitor compliance with the BSA. Under the Proposed Rule, the banking regulators must provide FinCEN at least 30 days’ advance written notice to review and provide input on any potential “significant supervisory action.”[10] The Proposed Rule defines a significant supervisory action as “any written communication or other formal supervisory determination issued by FinCEN or an Agency, when acting under supervisory authority delegated by FinCEN, that identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement.”[11] This excludes examiner observations, suggestions, or other informal comments,[12] and notably does not impose an affirmative notice obligation to FinCEN when banking regulators decline to bring a supervisory action. The notice to FinCEN should provide the relevant AML/CFT information underlying the proposed significant supervisory action.[13]

Additionally, as described below, the Proposed Rule outlines that FinCEN will generally not bring an enforcement action against a bank that has established an AML/CFT program under the Proposed Rule, unless there is a significant or systemic failure to implement that program.[14]

The Proposed Rule also establishes three factors that the FinCEN Director must weigh when either determining whether to bring an enforcement action or evaluating a proposed significant supervisory action from the federal banking agencies.[15] Those factors are (1) evaluation of the “four pillars” of an AML/CFT program, described further below, (2) whether the institution has advanced any of FinCEN’s AML/CFT Priorities such as providing useful information to law enforcement or effectively utilizing artificial intelligence, and (3) any other factor the Director deems appropriate, including the bank’s size, complexity, and risk profile.[16]

2. The Proposed Rule creates a “two-pronged framework” that deems a financial institution’s AML/CFT program effective if “the financial institution establishes and maintains their program.”[17] According to FinCEN, existing regulations do not provide standards for an AML/CFT program’s effectiveness.[18] While the 2024 NPRM would have required “effective, risk-based, and reasonably designed” AML/CFT programs, commenters complained to FinCEN that the meaning of each of these terms was unclear.[19]

FinCEN is replacing the language in the 2024 NPRM with a two-pronged framework. The Proposed Rule distinguishes between: (1) whether a financial institution has established an AML/CFT program at all; and (2) how the financial institution is maintaining that program, if established. FinCEN seeks through the Proposed Rule to establish standards for each of the two prongs. In the Fact Sheet, FinCEN argues that by so doing, the Proposed Rule will set clearer expectations for program effectiveness and “prevent conflating criticisms of program design with criticisms of day-to-day implementation.”[20]

To establish an AML/CFT program under the Proposed Rule, financial institutions must design a risk-based framework integrating “four core required pillars”[21] and providing for updates to the program as necessary to reflect significant risk changes.[22] The four core pillars, which are discussed in greater detail below, include (1) internal policies, procedures, and controls, (2) independent program testing, (3) a U.S.-based program head, and (4) ongoing employee training.[23]

Once a program is initially established, FinCEN states that a financial institution must continue to take appropriate steps to update the program to reflect current risk profiles.[24] A financial institution’s failure to update the program to reflect significant changes to the institution’s risk profile may result in the program no longer meeting the program establishment requirements.[25] Significant changes in a risk profile might include providing a new product or service or operating existing products or services in a new geographic location.[26]

In addition, the Proposed Rule would require financial institutions to maintain the AML/CFT program, once established, by “implementing it, in all material respects.”[27] FinCEN provides examples of an improperly maintained program, including where the program’s internal processes and policies are irregularly or inconsistently followed, or where deficiencies in risk assessment processes materially impact the mitigation of risk related to money laundering or terrorist financing.[28]

The proposed distinction between establishment and maintenance matters with respect to enforcement or “significant supervisory actions”[29] against banks (as opposed to other financial institutions). “[T]he Proposed Rule would not limit enforcement or supervisory actions [against banks] for failure to establish an AML/CFT program.” However, under the Proposed Rule, enforcement and significant supervisory actions against banks for failure to satisfy the maintenance prong should be limited “to a significant or systemic failure to implement an effective AML/CFT program.”[30] Compared to current regulations, that means the Proposed Rule’s two-pronged framework should result in a higher threshold for enforcement or significant supervisory actions against banks based on program implementation.[31]

3. The Proposed Rule reframes requirements for customer due diligence. Customer due diligence (CDD) has widely been known as the “fifth pillar” of an AML compliance program for those financial institutions required to implement CDD procedures.[32] While the Proposed Rule does not make substantive changes to financial institutions’ CDD requirements, FinCEN proposes to include them as part of the broader requirement that financial institutions “establish a risk-based set of internal policies, procedures, and controls that is reasonably designed.”[33] This, in effect, leaves “four pillars” of an AML compliance program, described above as (1) internal policies, procedures, and controls, (2) independent program testing, (3) a U.S.-based program head, and (4) ongoing employee training.[34]

4. The Proposed Rule requires financial institutions to establish and maintain risk assessment processes as a part of their risk-based internal policies, procedures, and controls.[35] The 2024 NPRM would have required financial institutions to implement risk assessments.[36] Many financial institutions already had engaged in regular risk assessments voluntarily or as required by federal regulators. The Proposed Rule supersedes the 2024 NPRM, and imposes an explicit requirement that banks, casinos, money-service businesses (MSBs), broker-dealers, mutual funds, future commission merchants (FCMs), and introducing brokers in commodities (IBs) must perform risk assessments as part of their AML program obligations.[37] The Proposed Rule does not prescribe “any particular processes or methodologies other than the critical elements described in [the] proposed rule,” but it does standardize the requirement for risk assessment processes across different types of financial institutions.[38]

Among other things, the critical elements include requirements that risk assessment processes (1) evaluate the money laundering and terrorist financing risks of the financial institution’s business activities, (2) review and incorporate FinCEN’s AML/CFT priorities as appropriate, and (3) are updated when the financial institution knows, or should know, there was a significant change to those risks.[39] The relevant business activities a risk assessment process should consider include products, services, distribution channels, customers, and geographic locations.[40]

5. The Proposed Rule instructs financial institutions to allocate more attention and resources toward higher-risk customers and activities rather than toward lower-risk customers and activities. Mirroring the requirement of the Anti-Money Laundering Act of 2020 (AML Act)[41] that AML/CFT programs be risk-based, the Proposed Rule calls for financial institutions to direct more attention and resources toward higher-risk customers and activities.[42] The Proposed Rule expresses FinCEN’s goal as to ensure that financial institutions “spend less time, energy, and resources on lower priority activities that may result in fewer resources devoted to, and potentially distract from, more serious threats.”[43] In line with this goal, FinCEN notes that it believes financial institutions are best positioned to determine their own money laundering and terrorist financing risks, and therefore, FinCEN does not contemplate second-guessing a financial institution’s reasonable determinations.[44] Although FinCEN’s position means examiners of financial institutions should not use “subjective judgment in place of the financial institution,” examiners should still assess whether: (1) a financial institution’s resource allocation decisions are based on reasonably designed risk assessment processes; and (2) the financial institution knows or should know of resource-related issues involving its internal policies, procedures, and controls.[45]

6. The Proposed Rule requires the financial institution’s AML/CFT Officer to be located in the United States.[46] Since the AML Act was enacted, there has been some lack of clarity about FinCEN’s expectations for the onshoring of compliance staff.[47] The Proposed Rule would require a financial institution’s AML/CFT Officer to be located in the United States in order to be accessible to, and subject to oversight and supervision by, FinCEN and any agency to which FinCEN has delegated examination authority.[48] This new requirement reflects similar language in the AML Act providing that “The duty to establish, maintain and enforce an anti-money laundering and countering the financing of terrorism program as required by this subsection shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator.”[49]

The Proposed Rule acknowledges that personnel located outside of the United States may still perform certain AML/CFT functions for cost efficiencies, cross-border operations, and other purposes.[50] Lastly, the Proposed Rule explicitly notes that there is no change to “existing regulations and guidance that generally prohibit the sharing of SARs with personnel located outside of the United States.”[51]

7. The Proposed Rule requires AML/CFT programs to be approved by the financial institution’s Board of Directors, an equivalent governing body, or appropriate senior management.[52] Some financial institutions are already required by the BSA or their functional regulator to have their AML/CTF programs approved by their Boards. The Proposed Rule would extend that requirement to all financial institutions.[53] The Proposed Rule is meant to simultaneously “reflec[t] the importance of a financial institution maintaining a strong culture of compliance,” while also providing flexibility by “allowing financial institutions to determine the appropriate approving authority consistent with their legal structure and other regulatory and legal requirements.”[54] For example, an equivalent governing body could be a sole proprietor, general partner, trustee, or senior officers. For the U.S. branch of a foreign bank, the equivalent governing body could be the foreign banking organization’s Board.[55]

8. The Proposed Rule allows use of technological innovation such as artificial intelligence to serve as evidence of an effective AML/CFT program. Under the Proposed Rule, the FinCEN Director will consider “whether the bank is employing innovative tools such as artificial intelligence that demonstrate the effectiveness of the bank’s AML/CFT program” as a factor in determining whether to pursue an enforcement action or a significant supervisory action.[56] FinCEN notes that this proposal aligns with one of the AML Act’s key purposes, namely to “encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and financing of terrorism.”[57] This does not mean that the Proposed Rule requires the use of any particular technology, but that “proactive analytics” or “other innovative activities producing demonstrable outputs” may serve as evidence of the effectiveness of an AML/CFT program.[58] FinCEN advises that responsible experimentation will not incur additional risk of AML/CFT enforcement or significant supervisory action.[59]

9. The Proposed Rule consolidates bank program requirements into a single standard. Under current regulations, banks with a federal functional regulator and banks without a federal functional regulator are subject to different AML/CFT program rules.[60] Since 2020, these rules have been almost identical, with the most significant difference being that banks lacking a federal functional regulator must (1) have their AML/CFT program approved by the board of directors or its equivalent governing body, and (2) make a copy of their AML program available to FinCEN or its designee upon request.[61]

The Proposed Rule would create one standard for banks regardless of whether they have a federal functional regulator.[62] As discussed above, the Proposed Rule would require that all banks have AML/CFT programs approved by their board, its equivalent governing body, or appropriate senior management.[63] Additionally, all banks must make AML/CFT programs available to FinCEN or its designee upon request.[64]

10. The Proposed Rule extends the implementation timeline. In the Proposed Rule, FinCEN also extends the implementation timeline to twelve months from issuance of the final rule, rather than the six-month compliance period contemplated by the 2024 NPRM.[65] In explaining that change, FinCEN notes that commenters to the 2024 NPRM reacted negatively to the six-month timeline and were “nearly unanimous” in requesting more time; some asked for at least one year, while others requested two years or more.[66] Commenters cited the need for additional time to review the final rule, make technological and process changes, incorporate the AML/CFT Priorities, reallocate resources, and provide training.[67]

If adopted, the Proposed Rule would significantly reform the BSA obligations of regulated entities. The Proposed Rule also provides an important indicator of the Trump Administration’s priorities in the AML/CFT space. Interested parties should provide comments proposing any changes or alternatives to the Proposed Rule by the comment deadline (June 9). We will continue to monitor the Proposed Rule and other developments, and report accordingly on steps individuals and entities should take to navigate the ever-evolving BSA/AML regulatory regime.

[1] https://www.federalregister.gov/documents/2026/04/10/2026-07033/anti-money-laundering-and-countering-the-financing-of-terrorism-programs, 91 Fed. Reg. 18704. The Proposed Rule supersedes and responds to comments made on FinCEN’s July 3, 2024 notice of proposed rulemaking (the 2024 NPRM), which is now withdrawn. The Proposed Rule was published in the Federal Register on April 10, 2026, triggering the 60-day comment period.

[2] FinCEN, FinCEN Proposes Rule to Fundamentally Reform Financial Institution Programs Designed to Fight Illicit Finance (Apr. 7, 2026), https://www.fincen.gov/news/news-releases/fincen-proposes-rule-fundamentally-reform-financial-institution-programs.

[3] FinCEN, Fact Sheet: Proposed Rule to Fundamentally Reform Financial Institution AML/CFT Programs (Apr. 7, 2026), https://www.fincen.gov/system/files/2026-04/Program-NPRM-FactSheet.pdf.

[4] FinCEN, Key Changes in FinCEN’s Proposed Rule to Refocus AML/CFT Programs on Higher-Risk Activity While Reducing Unnecessary Burden (Apr. 7, 2026), https://www.fincen.gov/system/files/2026-04/Key-Changes-Program-NPRM.pdf.

[5] The Press Release.

[6] Id.

[7] The Key Changes Document.

[8] 91 Fed. Reg. 18305 (April 10, 2026), https://www.govinfo.gov/content/pkg/FR-2026-04-10/pdf/2026-06948.pdf; The Office of the Comptroller of the Currency, Agencies Request Comment on Anti-Money Laundering/Countering the Financing of Terrorism Proposed Rule (April 7, 2026), https://www.occ.gov/news-issuances/news-releases/2026/nr-ia-2026-25.html. The Federal Reserve Board did not join the Concurrent NPRM and, as of the publication date, has not yet issued an NPRM related to the Proposed Rule.

[9] 91 Fed. Reg. 18304.

[10] Id. at 18722.

[11] Id. at 18721–22.

[12] Id. at 18722.

[13] Id.

[14] Fact Sheet at 5.

[15] Proposed Rule at 18722

[16] Id.

[17] Proposed Rule at 18713.

[18] The Key Changes Document.

[19] Proposed Rule at 18706.

[20] Fact Sheet at 3.

[21] Id.

[22] Id.

[23] Id.

[24] Proposed Rule at 18714.

[25] Id.

[26] Id.

[27] Id.

[28] Id.

[29] This term is defined further below.

[30] Proposed Rule at 18713.

[31] Id. at 18710.

[32] Id. at 18717. Such financial institutions are banks, broker-dealers, mutual funds, futures commission merchants and introducing brokers in commodities, and operators of credit card machines.

[33] Id.

[34] Fact Sheet at 3.

[35] Proposed Rule at 18715.

[36] Id. at 18706.

[37]Id. at 18715.

[38] Id.

[39] Id.

[40] Id.

[41] William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Public Law 116-283, 134 Stat. 3388 (Jan. 1, 2021).

[42] Proposed Rule at 18717.

[43] Id.

[44] Id.

[45] Id.

[46] Id. at 18720.

[47] The AML Act amended the BSA to state: “[t]he duty to establish, maintain and enforce an anti-money laundering and countering the financing of terrorism program as required by this subsection shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator . . . “ 31 U.S.C. § 5318(h)(5). Through the 2024 NPRM, FinCEN sought to issue a regulation to explicate this duty.

[48] Proposed Rule at 18720.

[49] 31 U.S.C. 5318(h)(5).

[50] Proposed Rule at 18720.

[51] Id.

[52] Id. at 18720–21.

[53] Id. This is consistent with language in the 2024 NPRM.

[54] Id. at 18721.

[55] Id.

[56] Fact Sheet at 5.

[57] Proposed Rule at 18712.

[58] Id. at 18722.

[59] Id. at 18712.

[60] Id. at 18723.

[61] Id.

[62] Id.

[63] Id.

[64] Id.

[65] Id. at 18707, 18724.

[66] Id. at 18707.

[67] Id.

The following Gibson Dunn lawyers prepared this update: Stephanie Brooker, M. Kendall Day, Amy Feagles, Matt Gregory, Ella Alves Capone, Sam Raymond, Akila Bhargava, and Jimmy Scoville.

Gibson Dunn has deep experience with issues relating to the Bank Secrecy Act, other AML and sanctions laws and regulations, and the defense of financial institutions more broadly. For assistance, please contact any of the authors, the Gibson Dunn lawyer with whom you usually work, or any of the leaders and members of the firm’s Anti-Money Laundering / Financial Institutions, Administrative Law & Regulatory, Financial Regulatory, and White Collar Defense & Investigations practice groups:

Anti-Money Laundering / Financial Institutions:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, sbrooker@gibsondunn.com)
Jason J. Cabral – New York (+1 212.351.6267, jcabral@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202.955.8220, kday@gibsondunn.com)
Ro Spaziani – New York (+1 212.351.6255, rspaziani@gibsondunn.com)
Ella Alves Capone – Washington, D.C. (+1 202.887.3511, ecapone@gibsondunn.com)
Sam Raymond – New York (+1 212.351.2499, sraymond@gibsondunn.com)

Administrative Law & Regulatory:
Stuart F. Delery – Washington, D.C. (+1 202.955.8515, sdelery@gibsondunn.com)
Matt Gregory – Washington, D.C. (+1 202.887.3635, mgregory@gibsondunn.com)
Eugene Scalia – Washington, D.C. (+1 202.955.8543, escalia@gibsondunn.com)
Helgi C. Walker – Washington, D.C. (+1 202.887.3599, hwalker@gibsondunn.com)

Financial Regulatory:
William R. Hallatt – Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
Michelle M. Kirschner – London (:+44 20 7071 4212, mkirschner@gibsondunn.com)
Jeffrey L. Steiner – Washington, D.C. (+1 202.887.3632, jsteiner@gibsondunn.com)

White Collar Defense & Investigations:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, sbrooker@gibsondunn.com)
Winston Y. Chan – San Francisco (+1 415.393.8362, wchan@gibsondunn.com)
Amy Feagles – Washington, D.C. (+1 202.887.3699, afeagles@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213.229.7269, nhanna@gibsondunn.com)
F. Joseph Warin – Washington, D.C. (+1 202.887.3609, fwarin@gibsondunn.com)

Gibson Dunn advised Apollo-managed funds on the acquisition of Gatehouse Living Group, a vertically integrated U.K. residential investment and management platform.

The investment will expand upon Apollo’s investment activity in the U.K. housing ecosystem.

Gibson Dunn’s London corporate real estate team was led by partner Patrick Hennessy and included of counsel Sarah Leiper-Jennings and Manjinder Tiwana and associates Bansaree Shah and Carmen Heredia. Partner James Chandler and associate Sarah Johnson advised on tax matters. Associates Georgia Derbyshire and Olivia Sadler advised on employment matters. Partner Alison Beal and associates Libby Pica and Phoebe Rowson-Stevens advised on IP/IT/GDPR matters. Associate Amy Cooke advised on AML/ABC matters.

Gibson Dunn is advising American Ocean Minerals Corporation on its merger with Odyssey Marine Exploration, Inc. creating a $1 billion U.S.-controlled deep-sea critical minerals platform.

The Gibson Dunn corporate team includes partners John Gaffney and Eric Scarazzo and associate Vlad Zinovyev. Partner Matt Donnelly is advising on tax aspects, and partner Michael Collins is advising on benefits. Partner Andy Chen is advising on financing. Partner Bradley Smith is advising on antitrust aspects. Partner Michael Murphy is advising on environmental aspects. Partner Howard Hogan and associate Ellie Schwietering are advising on IP aspects. Associate Audi Syarief is advising on international trade aspects.

A Wall Street Journal article describing how Hong Kong has flourished as China’s hub for helping Iran survive punishing sanctions, much to the frustration of U.S. officials (“How Hong Kong Helps the Flow of Iran’s Hidden Billions,” April 11, 2026), includes commentary by partner Matt Axelrod.

Matt told the publication that, during the Biden administration, Chinese officials were reluctant to act when materials restricted by U.S. law were shipped through China. “There was definitely denial of responsibility to take action because it didn’t violate their laws,” he said. “And there was talk about sovereignty and what they viewed as our attempts to impose some sort of extraterritorial restrictions on U.S. items.”

Matt, who co-chairs Gibson Dunn’s Sanctions and Export Enforcement practice group, is a former Assistant Secretary for Export Enforcement at the Bureau of Industry and Security.

Gibson Dunn’s Geopolitical Strategy and International Law team—together with our International Arbitration, and ESG Risk Advisory teams—can help investors understand and navigate the multi-dimensional legal and regulatory risks of deep-sea mining.

On 19 March 2026, the United States and Japan signed a Memorandum of Cooperation Regarding Deep-Sea Mineral Resource Development (the MOC), formalizing their collaboration on deep-sea mining efforts.[1] Pursuant to the MOC, the countries have agreed to share research and cooperate on the development of deep-sea science and mineral extraction.

This MOC is the latest deep-sea mining sector development in the United States—and in the sector more broadly, which is evolving at pace.[2] The MOC follows a joint statement of cooperation on deep-sea mining between the United States and the Cook Islands, published in August 2025.[3]

The MOC

The three-page MOC was signed following recent talks between President Trump and Prime Minister Sanae Takaichi in Washington D.C. The MOC establishes a framework for bilateral cooperation in deep-sea mining, though it is not legally binding.[4]

After signing, the MOC was presented to the International Seabed Authority (ISA)—the intergovernmental body that regulates the ocean floor in international waters established under the United Nations Convention on the Law of the Sea (UNCLOS).[5]

A central component of the MOC is the creation of a Japan-U.S. Working Group on Deep-Sea Mineral Resource Development (the Working Group), which aims to “facilitate bilateral cooperation in science and technology, and support efforts to accelerate deep-sea mineral resource development”.[6] The MOC tasks the Working Group with various responsibilities, including information sharing on deep-sea science and mining projects as well as related technology.[7] This information sharing includes insights from Japan’s recent rare-earth muds project near Minamitorishima Island, the easternmost territory belonging to Japan, which is believed to have significant potential for the long-term supply of certain critical minerals.[8]

The MOC also encourages engagement with US and Japanese private sector actors to “obtain input, discuss regulatory approaches and best practices, share information, and facilitate partnerships to inform research priorities and support development of new economic opportunities”.[9]

Broader US-Japan Partnership on Critical Minerals

The deep-sea mining partnership between the United States and Japan is not the only area of cooperation between the States in the mining context—they are increasingly working together in the critical-minerals sphere. In October 2025, they announced the United States-Japan Framework For Securing the Supply of Critical Minerals and Rare Earths through Mining and Processing (the Framework), a plan outlining collaborative policies within this sphere. The Framework includes policies that focus on joint investment in mining and processing, permitting, and supply chain coordination.[10]

On the same day the MOC was signed, the United States and Japan also expanded their cooperation on critical minerals and rare earths supply chains with the enactment of the U.S.-Japan Action Plan on Critical Minerals (the Action Plan).[11] Under the Action Plan, both governments have agreed to discuss and develop coordinated trade policies and mechanisms relating to critical minerals, with the end goals of addressing vulnerabilities in global supply chains and protecting downstream industries dependent on critical minerals imports.[12]

Comment

This latest development demonstrates the continued prioritization by the Trump Administration of developing alliances to pursue deep-sea mining, and doing so outside of the UNCLOS framework—frustrated, as we have reported previously, by the pace of progress in the development of an international regulatory framework by the ISA. Aside from governance complexities, there are significant concerns about the potential impact of deep-sea mining on the environment, which has prompted many States to call for a moratorium on deep-sea mining.

We will continue to monitor and report on developments in the deep-sea mining space.

[1] See Memorandum of Cooperation Regarding Deep-Sea Mineral Resource Development Between the Ministry of Economy, Trade, and Industry of Japan and the Department of Commerce of the United States of America, 19 March 2026, available at: https://www.mofa.go.jp/files/100998735.pdf.

[2] See Gibson Dunn, US Moves to Reduce Deep-Sea Mining Permit Times Under New NOAA Rule, 12 February 2026, available at: https://www.gibsondunn.com/us-moves-to-reduce-deep-sea-mining-permit-times-under-new-noaa-rule/; Gibson Dunn, Mining of the Deep-Sea—The Trump Administration’s Executive Order, the International Law Framework and Implications for Investors, 21 July 2025, available at: https://www.gibsondunn.com/mining-of-the-deep-sea-trump-administration-executive-order-international-law-framework-and-implications-for-investors/.

[3] See U.S. Department of State, Joint Statement on U.S.-Cook Islands Cooperation on Seabed Mineral Resources, 5 August 2025, available at: https://www.state.gov/releases/office-of-the-spokesperson/2025/08/joint-statement-on-u-s-cook-islands-cooperation-on-seabed-mineral-resources.

[4] See New York Times, Japan and the U.S. Agree to Team Up on Seabed Mining, 27 March 2028, available at: https://www.nytimes.com/2026/03/27/climate/japan-united-states-seabed-mining.html.

[5] See New York Times, Japan and the U.S. Agree to Team Up on Seabed Mining, 27 March 2028, available at: https://www.state.gov/releases/office-of-the-spokesperson/2025/08/joint-statement-on-u-s-cook-islands-cooperation-on-seabed-mineral-resources.

[6] Memorandum of Cooperation Regarding Deep-Sea Mineral Resource Development Between the Ministry of Economy, Trade, and Industry of Japan and the Department of Commerce of the United States of America, 19 March 2026, available at: https://www.mofa.go.jp/files/100998735.pdf.

[7] See Memorandum of Cooperation Regarding Deep-Sea Mineral Resource Development Between the Ministry of Economy, Trade, and Industry of Japan and the Department of Commerce of the United States of America, 19 March 2026, available at: https://www.mofa.go.jp/files/100998735.pdf.

[8] See Mining Weekly, US-Japan deal targets supply chains, backs deep-sea minerals push, 20 March 2026, available at: https://www.miningweekly.com/article/us-japan-deal-targets-supply-chains-backs-deep-sea-minerals-push-2026-03-20.

[9] Memorandum of Cooperation Regarding Deep-Sea Mineral Resource Development Between the Ministry of Economy, Trade, and Industry of Japan and the Department of Commerce of the United States of America, 19 March 2026, available at: https://www.mofa.go.jp/files/100998735.pdf.

[10] See The White House, United States-Japan Framework For Securing the Supply of Critical Minerals and Rare Earths through Mining and Processing, 27 October 2025, available at: https://www.whitehouse.gov/briefings-statements/2025/10/united-states-japan-framework-for-securing-the-supply-of-critical-minerals-and-rare-earths-through-mining-and-processing/.

[11] See Office of the United States Trade Representative, Ambassador Jamieson Greer Announces U.S.-Japan Action Plan on Critical Minerals, 19 March 2026, available at: https://ustr.gov/about/policy-offices/press-office/press-releases/2026/march/ambassador-jamieson-greer-announces-us-japan-action-plan-critical-minerals.

[12] See Office of the United States Trade Representative, Ambassador Jamieson Greer Announces U.S.-Japan Action Plan on Critical Minerals, 19 March 2026, available at: https://ustr.gov/about/policy-offices/press-office/press-releases/2026/march/ambassador-jamieson-greer-announces-us-japan-action-plan-critical-minerals.

The following Gibson Dunn lawyers prepared this update: Patrick Pearsall, Lindsey Schmidt, Ceyda Knoebel, Stephanie Collins, and Vivian Fernandez.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s International Arbitration or Geopolitical Strategy & International Law practice groups:

Robert Spano – Co-Chair, Geopolitical Strategy & International Law Group,
London/Paris (+33 1 56 43 13 00, rspano@gibsondunn.com)

Rahim Moloo – Co-Chair, Geopolitical Strategy & International Law Group,
New York (+1 212.351.2413, rmoloo@gibsondunn.com)

Patrick W. Pearsall – Co-Chair, Geopolitical Strategy & International Law Group,
Washington, D.C. (+1 202.955.8516, ppearsall@gibsondunn.com)

Lindsey D. Schmidt – New York (+1 212.351.5395, lschmidt@gibsondunn.com)

Ceyda Knoebel – London (+44 20 7071 4243, cknoebel@gibsondunn.com)

Stephanie Collins – London (+44 20 7071 4216, scollins@gibsondunn.com)

Interviewed by Global Investigations Review for its article “BIS on Hiring Spree as Trump Calls for ‘Historic’ Budget Boost” (April 3, 2026), partner Matt Axelrod, former Assistant Secretary for Export Enforcement at the Bureau of Industry and Security, noted that the funding boost and additional hirings will expand the agency’s enforcement capabilities. “The math is pretty simple,” Matt said. “More agents means more investigations, which ultimately means more enforcement actions.”

A quarterly update of high-quality education opportunities for Boards of Directors.

Gibson Dunn’s summary of director education opportunities has been updated as of April 2026. A copy is available at this link. Boards of Directors of public and private companies find this a useful resource as they look for high quality education opportunities.

This quarter’s update to the summary of director education opportunities includes a number of new opportunities as well as updates to the programs offered by organizations that have been included in our prior updates.

The following Gibson Dunn lawyers prepared this update: Hillary Holmes, Lori Zyskowski, Elizabeth Ising, Ronald Mueller, Jason Ferrari, Ashlyne Polynice, and Deborah Gillis-Harry.

Please view this and additional information on Gibson Dunn’s Securities Regulation and Corporate Governance Monitor:

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Securities Regulation and Corporate Governance practice group, or the following:

Hillary H. Holmes – Houston (+1 346.718.6602, hholmes@gibsondunn.com)
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, eising@gibsondunn.com)
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, tkim@gibsondunn.com)
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, rmueller@gibsondunn.com)
Lori Zyskowski – New York (+1 212.351.2309, lzyskowski@gibsondunn.com)