Publications Archives

From the Derivatives Practice Group: This week, the CFTC issued a staff advisory that provides additional guidance on the criteria used to determine whether to refer self-reported violations or supervision or non-compliance issues to the Division of Enforcement.

New Developments

CFTC Staff Issues Advisory on Referrals to the Division of Enforcement. On April 17, the CFTC’s Market Participants Division, the Division of Clearing and Risk, and the Division of Market Oversight (“Operating Divisions”) and the Division of Enforcement (“DOE”) issued a staff advisory providing guidance on the materiality or other criteria that the Operating Divisions will use to determine whether to make a referral to DOE for self-reported violations, or supervision or non-compliance issues. According to the CFTC, this advisory furthers the implementation of DOE’s recent advisory, issued February 25, 2025, addressing its updated policy on self-reporting, cooperation, and remediation. [NEW]
CFTC Staff Issues No-Action Letter Regarding the Merger of UBS Group and Credit Suisse Group. On April 15, the CFTC’s Market Participants Division (“MPD”) and Division of Clearing and Risk (“DCR”) issued a no-action letter in response to a request from UBS AG regarding the CFTC’s swap clearing and uncleared swap margin requirements. The CFTC said that the letter is in connection with a court-supervised transfer, consistent with United Kingdom laws, of certain swaps from Credit Suisse International to UBS AG London Branch following the merger of UBS Group AG and Credit Suisse Group AG. The no-action letter states, in connection with such transfer and subject to certain specified conditions: (1) MPD will not recommend the Commission take an enforcement action against certain of UBS AG London Branch’s swap dealer counterparties for their failure to comply with the CFTC’s uncleared swap margin requirements for such transferred swaps; and (2) DCR will not recommend the Commission take an enforcement action against UBS AG or certain of its counterparties for their failure to comply with the CFTC’s swap clearing requirement for such transferred swaps. [NEW]
CFTC Staff Issues Interpretation Regarding U.S. Treasury Exchange-Traded Funds as Eligible Margin Collateral for Uncleared Swaps. On April 14, MPD issued an interpretation intended to clarify the types of assets that qualify as eligible margin collateral for certain uncleared swap transactions under CFTC regulations. CFTC Regulation 23.156 lists the types of collateral that covered swaps entities can post or collect as initial margin (“IM”) and variation margin (“VM”) for uncleared swap transactions. The CFTC indicated that the regulation, which includes “redeemable securities in a pooled investment fund” as eligible IM collateral, aims to identify assets that are liquid and will hold their value in times of financial stress. Additionally, MPD noted that the interpretation clarifies its view that shares of certain U.S. Treasury exchange-traded funds may be considered redeemable securities in a pooled investment fund and may qualify as eligible IM and VM collateral subject to the conditions in CFTC Regulation 23.156. According to MPD, swap dealers, therefore, (1) may post and collect shares of certain UST ETFs as IM collateral for uncleared swap transactions with any covered counterparty and (2) may also post and collect such UST ETF shares as VM for uncleared swap transactions with financial end users. [NEW]
Senate confirms Atkins as SEC chair. On April 9, the Senate voted 52-44 to confirm Paul Atkins as the next chair of the SEC. Atkins, a former SEC commissioner and a longtime financial industry consultant, was tapped in December by Donald Trump for the position. In his March 27 confirmation hearing before the Senate Banking Committee, Atkins indicated he would streamline the agency’s regulatory activity. Atkins is expected to be friendlier toward the financial industry than the previous SEC chair, Gary Gensler.
CFTC Releases Staff Letter Relating to Certain Foreign Exchange Transactions. On April 9, MPD and DMO issued an interpretative letter providing the divisions’ views on the characterization of certain foreign exchange (“FX”) transactions as being “swaps,” “foreign exchange forwards,” or “foreign exchange swaps,” in each case, as defined in the Commodity Exchange Act. Specifically, the interpretative letter states: Window FX Forwards, as described in the letter, should be considered to be “foreign exchange forwards;” and Package FX Spot Transactions, as described in the letter, should not be considered to be “foreign exchange swaps” or “swaps.”
Acting Chairman Pham Lauds DOJ Policy Ending Regulation by Prosecution of Digital Assets Industry and Directs CFTC Staff to Comply with Executive Orders. On April 8, CFTC Acting Chairman Caroline D. Pham praised a recently-announced Justice Department policy ending the practice of regulation by prosecution that has targeted the digital asset industry in recent years, and directed CFTC staff to comply with the President’s executive orders and Administration policy, consistent with DOJ’s digital assets enforcement priorities and charging considerations. The DOJ policy comes as Acting Chairman Pham has similarly refocused the CFTC’s enforcement resources on cases involving fraud and manipulation.
CFTC Staff Issues No-Action Letter Regarding Pre-Trade Mid-Market Mark. On April 4, MPD issued a no-action letter in relation to the Pre-Trade Mid-Market Mark (“PTMMM”) requirement in Regulation 23.431 for swap dealers and major swap participants. The CFTC first issued a no-action letter regarding the PTMMM requirement in 2012, shortly after the PTMMM compliance date, because it did not provide significant informational value and created costly operational challenges. Unlike prior no-action letters which provided relief nofor certain specified types of swaps, this relief under this no-action letter applies to all swaps and does not require advanced counterparty consent.
Rahul Varma Named Acting Director of CFTC Division of Market Oversight. On April 2, CFTC Acting Chairman Caroline D. Pham announced Rahul Varma will serve as the Acting Director of DMO. Varma joined the CFTC in 2013 as an Associate Director for Market Surveillance in DMO, with responsibility for energy, metals, agricultural, and softs markets. In 2017, he helped start the Market Intelligence Branch in DMO and served as its Acting Deputy Director. In 2024, he took on the role of Deputy Director for the combined Market Intelligence and Product Review branches.

New Developments Outside the U.S.

EC Publishes Consultation on the Integration of EU Capital Markets. On April 15, the European Commission (“EC”) published a targeted consultation on the integration of EU capital markets. This forms part of the EC’s plan to progress the Savings and Investment Union (“SIU”) strategy, published in March. According to the EC, the objective of the consultation is to identify legal, regulatory, technological and operational barriers hindering the development of integrated capital markets. Its focus includes barriers related to trading, post-trading infrastructures and the cross-border distribution of funds, as well as barriers specifically linked to supervision. The deadline for responses is June 10, 2025. [NEW]
JFSA Publishes Explanatory Document on Counterparty Credit Risk Management. On April 14, Japan’s Financial Services Agency published an explanatory document on the Basel Committee on Banking Supervision’s Guidelines for Counterparty Credit Risk Management. The document, co-authored with the Bank of Japan, indicates that it was published to facilitate better understanding of the Basel Committee’s guidelines and is available in Japanese only. [NEW]
ESMA Publishes Consultation on Clearing Thresholds. On April 8, ESMA published a consultation on a revised approach to clearing thresholds under the European Market Infrastructure Regulation (“EMIR”) 3. The consultation covers the following topics: proposals for a revised set of clearing thresholds; considerations for hedging exemptions for non-financial counterparties; and a trigger mechanism for reviewing the clearing thresholds.
FCA Publishes Policy Statement on the Derivatives Trading Obligation and Post-trade Risk Reduction Services. On April 3, the UK Financial Conduct Authority (“FCA”) published policy statement PS25/2 on changes to the scope of the UK derivatives trading obligation (“DTO”) and an extension of exemptions from certain obligations under the UK Markets in Financial Instruments Directive (“MIFID”) and MIFIR.
ESMA Consults on Transparency Requirements for Derivatives Under MiFIR Review. On April 3, ESMA asked for input on proposals for Regulatory Technical Standards (“RTS”) on transparency requirements for derivatives, amendments to RTS on package orders, and RTS on input/output data for the over-the-counter (“OTC”) derivatives consolidated tape. ESMA said that it is developing various technical standards further specifying certain provisions set out in the Market in Financial Instruments Regulation Review. The consultation paper covers the following three areas: transparency requirements for derivatives, RTS on package orders, and RTS on input/output data for the OTC derivatives consolidated tape. The consultation will remain open until 3 July 2025.
ESMA Publishes Annual Peer Review of EU CCP Supervision CCP Supervisory Convergence. On April 2, ESMA published its annual peer review report on the supervision of European Union (“EU”) Central Counterparties (“CCPs”) by National Competent Authorities (“NCAs”). The peer review measures the effectiveness of NCA supervisory practices in assessing CCP compliance with the European Market Infrastructure Regulation (“EMIR”) requirements on outsourcing and intragroup governance arrangements. ESMA indicated, for this exercise, the review of the functioning of CCP colleges remains overall positive. ESMA also said that the peer review identified the need to promote further supervisory convergence in respect of the definition of major activities linked to risk management.
The European Supervisory Authorities Publish Evaluation Report on the Securitization Regulation. On March 31, the Joint Committee of the European Supervisory Authorities published its evaluation report on the functioning of the EU Securitization Regulation. The report purports to put forward recommendations to strengthen the overall effectiveness of Europe’s securitization framework through simplification, while ensuring a high level of protection for investors and safeguarding financial stability. This report identifies areas where the regulatory and supervisory framework can be enhanced, supporting the growth of robust and sound securitization markets in Europe.

New Industry-Led Developments

ISDA Submits Letter on Environmental Credits. On April 15, ISDA submitted a response to the Financial Accounting Standards Board’s (FASB) consultation on environmental credits and environmental credit obligations. ISDA said that the response supports the FASB’s overall proposals to establish clear and consistent accounting guidance for environmental credits, but highlights that clarification is needed in certain areas, including those related to recognition, derecognition, impairment and hedge accounting impacts. [NEW]
ISDA CEO Testifies Before House Financial Services Committee Task Force. On April 8, ISDA CEO Scott O’Malia testified on the implementation of mandatory US Treasury clearing before the House Committee on Financial Services Task Force on Monetary Policy, Treasury Market Resilience, and Economic Prosperity. The testimony highlighted several key issues that need to be resolved before the clearing mandate comes into effect, including recalibration of the supplementary leverage ratio to ensure banks have the balance sheet capacity to provide intermediation and client clearing services in the US Treasury market, making changes to the proposed Basel III endgame and surcharge for global systemically important banks to avoid a disproportionate capital charge for client clearing businesses, and ensuring the margining and capital treatment of client exposures reflects the actual risk of a client’s overall portfolio.
ISDA Responds to ESMA Consultation on CCP Model Validation. On April 7, ISDA responded to ESMA’s consultation on the draft RTS under article 49(5) of the EMIR, on the conditions for an application for validation of model changes and parameters under Articles 49 and 49a of EMIR, which have been revised as part of EMIR 3. In the consultation paper, ESMA sets out proposed quantitative thresholds and qualitative elements to be considered when determining whether a model change is significant. In the response, ISDA noted that more information would be necessary to understand the rationale behind the thresholds that are proposed. ISDA provided comments on ESMA’s interpretation of ‘concentration risk’ and on the proposed lookback period for assessing whether a change in significant.
Cross-product Netting Under the US Regulatory Capital Framework. On April 4, ISDA, the Futures Industry Association (“FIA”) and the Securities Industry and Financial Markets Association (“SIFMA”) developed a discussion paper to: (i) provide an overview of cross-margining programs developed by clearing organizations and their importance in the context of implementing recent market reforms with respect to US Treasury securities clearing; (ii) describe cross-product netting arrangements with customers as a means to effectively reduce risk and their relation to cross-margining programs; (iii) describe the treatment of cross-product netting arrangements under the current US regulatory capital framework; and (iv) propose potential targeted changes to US regulatory capital rules to more appropriately reflect the economics of, and facilitate firms’ use of, cross-product netting arrangements with customers, particularly with respect to transactions based on US Treasury securities.
ISDA/IIB/SIFMA Request to Extend 22-14. On April 3, a joint ISDA/IIB/SIFMA letter requested reporting relief for certain non-US swap dealers in Australia, Canada, the European Union, Japan, Switzerland or the United Kingdom with respect to their swaps with non-US persons. The joint trade association letter, submitted to CFTC on 26 March 2025, requests an extension of the no-action relief in Letter 22-14 until the adoption and effectiveness of final rules addressing the cross-border application of Part 45/46.
IOSCO Issues Final Report on Standards Implementation Monitoring for Regulator Principle. On April 2, IOSCO published a Final Report following its review of IOSCO Standards Implementation Monitoring (ISIM) for Regulator Principles 6 and 7, which address systemic risk and perimeter of regulation. IOSCO’s Objectives and Principles of Securities Regulation 6 and 7 stipulate that regulators should have or contribute to processes to identify, monitor, mitigate and manage systemic risk, as well as have or contribute to a process to review the perimeter of regulation regularly. This ISIM Review by IOSCO’s Assessment Committee found a high level of implementation across the 55 jurisdictions from both emerging and advanced markets. According to IOSCO, the report highlights some good practices and also identifies a few areas where there is room for improvement, observed primarily in some emerging markets. For example, the Report notes that some jurisdictions do not have clear responsibilities, definitions and regulatory processes with respect to systemic risk.
ISDA Sends Letter on Changes to the French General Tax Code. On March 31, ISDA, the Association for Financial Markets in Europe and the International Securities Lending Association sent a letter to the French tax authority about changes being made to Articles 119 bis A and 119 bis 2 of the general French tax code in the Loi des Finances pour 2025. In February, the French parliament passed budget legislation that broadened the application of withholding tax for both cleared and non-cleared derivatives involving payments related to manufactured dividends. In the letter, the associations request that detailed administrative guidelines are issued as soon as possible. The lack of guidelines makes it more difficult for the associations’ member firms to accurately determine the scope of the new legislation and calculation of the withholding tax when due.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus, New York (212.351.3869, [email protected] )

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

William R. Hallatt, Hong Kong (+852 2214 3836, [email protected] )

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki, New York (212.351.4028, [email protected] )

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

This update provides a brief overview of ERISA pension risk transfer litigation, a summary of the recent Camire and Konya decisions, and an update on what may be next for ERISA plan sponsors and fiduciaries in light of these court orders.

On March 28, 2025, two federal district courts issued divergent decisions on whether plaintiffs had Article III standing to bring class action lawsuits challenging pension risk transfer transactions under the Employee Retirement Income Security Act (ERISA). The cases—Camire v. Alcoa USA Corp. and Konya v. Lockheed Martin Corp.—are two of ten class action lawsuits filed over the past 12 months targeting employers with substantial pension plans that have executed pension risk transactions with Athene Annuity & Life Assurance Company.[1] Plaintiffs rely for standing not on any reduction in their current benefits, but on allegations of an increased risk that, if Athene fails, they will not receive the benefits their pension plans guarantee them. These two decisions provide the earliest indications of how courts might rule on plaintiffs’ standing to bring this new wave of ERISA litigation. The court in Camire granted defendants’ motion to dismiss, holding that plaintiffs lacked standing because they had received all benefits owed to them and were not at substantial risk of failing to receive future benefits. In contrast, the Konya court denied a similar motion to dismiss, finding that it was a “close call” but plaintiffs had stated sufficient facts to nudge that case into discovery.

Background on Pension Risk Transfers

Pension risk transfers, also known as de-risking transactions, are a mechanism used by employers to help reduce pension liabilities.[2] In a pension risk transfer, an employer causes its defined benefit pension plan to transfer some or all of its pension benefit obligations to an insurance company that in turn assumes responsibility for making payments to impacted pensioners.[3] The transfer reduces the plan’s liabilities to the pensioners (and thus the employer’s future funding risks), and the pensioners continue to receive benefits pursuant to the terms of their benefit plans (albeit from a different source).[4] These transfer transactions can be very large, extending into the hundreds of millions—or even billions—of dollars.[5]

Recent Litigation

Beginning in March 2024, pension recipients have brought a series of class action lawsuits against employers that engaged in pension risk transfers.[6] Many of the cases involve a private equity-backed insurance provider (Athene), which is not named as a defendant.[7] The plaintiffs in the cases argue that Athene is a particularly high risk annuity provider, and that plaintiffs’ employers, motivated by a desire for cost savings that was not in pensioners’ best interests, breached their fiduciary duties by failing to choose the safest annuity provider available.[8] The plaintiffs argue that the transfer puts their savings at risk by stripping them of federal protection available to them under ERISA and by instead placing them in the state-regulated insurance market, which, according to the plaintiffs, provides inferior protections in the case of insolvency compared to those available to them from the federal Pension Benefit Guaranty Corporation.[9]

These pension risk transfer lawsuits recount the 1991 bankruptcy of California-based Executive Life Insurance Company, which resulted in financial losses to pension annuitants.[10] As a result of the incident, Congress passed the Pension Annuitants Protection Act of 1994, which created a right of action to obtain appropriate relief for ERISA violations involving the “purchase of an insurance contract or insurance annuity.”[11]

The plaintiffs also argue that the U.S. Department of Labor’s Interpretive Bulletin 95-1 requires employers to find the “safest annuity available” in the case of a de-risking transaction, unless doing otherwise would be in the interest of participants and the plan.[12] The complaints involving Athene allege that Athene’s private equity backing and structure demonstrate that the employer’s choice is out of alignment with this DOL guidance and ERISA.[13]

This new wave of lawsuits is not the first time that employers have been sued over pension de-risking. In 2012, a group of Verizon retirees sued Verizon in an attempt to prevent it from transferring $7.4 billion in pension obligations in exchange for a group annuity contract from Prudential.[14] After the pensioners lost their bid to enjoin the transfer, the Fifth Circuit Court of Appeals ultimately dismissed the case because the plaintiffs lacked Article III standing and the transfer did not breach Verizon’s ERISA obligations.[15]

In the present cases, the employers’ motions to dismiss argue that plaintiffs lack standing because, as in the 2012 Verizon case, plaintiffs cannot point to any concrete, imminent injury that they have suffered as a result of the pension risk transfers.[16] In other words, there is no evidence that any plaintiff is in imminent risk of not receiving a pension payment. And even if the plaintiffs did have standing, the motions argue, the decision whether to terminate an ERISA plan is a settlor function exempt from ERISA’s fiduciary obligations.[17]

The Recent Decisions

On March 28, 2025, two federal district courts ruled on employers’ motions to dismiss two of the pending pension risk transfer cases. Despite substantially similar allegations, the courts reached divergent conclusions, with one court granting a motion to dismiss on standing grounds and the other denying it (including a standing argument).

Camire v. Alcoa USA Corp.

On March 28, 2025, the U.S. District Court for the District of Columbia granted Alcoa’s motion to dismiss on standing grounds.[18] The court held that the plaintiffs had not established Article III standing because they had suffered neither actual harm nor was there a risk of future harm.[19] The plaintiffs had not suffered actual harm from the pension risk transfer to Athene because they continued to receive their benefit payments.[20] And the plaintiffs had not established future harm because they had not shown a sufficiently substantial risk of Athene being unable to fulfill its obligations under the annuity contract; instead, they merely alleged that Athene was “at a greater risk of failure than its competitors.”[21] The court relied heavily on the constitutional requirement that an injury be “imminent” for standing to exist.[22] A risk is not sufficiently “imminent” unless there is a “substantial probability of harm” to the plaintiff.[23] Because the court dismissed the lawsuit on standing grounds, it did not reach Alcoa’s arguments that the plaintiffs had failed to state a claim.[24]

Konya v. Lockheed Martin Corp.

Conversely, on March 28, 2025, the U.S. District Court for the District of Maryland denied Lockheed Martin Corp.’s motion to dismiss.[25] The court held that the plaintiffs had standing and had stated a plausible claim that Lockheed Martin had violated ERISA by selecting Athene as its annuity provider.[26] The court explained that the plaintiffs had established Article III standing (albeit “barely”) because they “provided plausible allegations that the transfer to Athene put their pensions at serious risk” and that the Pension Benefit Guaranty Corporation would not “provide a requisite backstop to protect their retirement,” thus potentially causing the plaintiffs harm.[27] The court added that the plaintiffs’ requested remedy, the posting of security and disgorgement, “would serve to protect their ability to receive their vested retirement benefits.”[28] The court went on to reject Lockheed Martin’s argument that the plaintiffs’ claims were unripe, explaining that, because the pension risk transfers had already occurred, the evidence needed to adjudicate the decision already existed and was not contingent on future events.[29] The court also explained that the plaintiffs had statutory standing because, although they were no longer participants in the plans at the time of the lawsuit (by virtue of being part of the pension risk transfer to Athene), they were participants at the time of the alleged breach of fiduciary duty.[30]

Because the court denied the motion to dismiss for lack of standing, it proceeded to address the merits of the ERISA claim. The court rejected Lockheed Martin’s arguments that the plaintiffs had failed to state an ERISA claim. With regard to the plaintiffs’ claims for breach of fiduciary duties and failure to monitor fiduciaries (which are not identified in the Complaint), the court held that the plaintiffs had plausibly alleged that Lockheed Martin was acting as a fiduciary and had “breached its fiduciary duty when it transacted with Athene to increase its own profits,” explaining that the plaintiffs need not show harm to state a claim for breach of fiduciary duty.[31] The court also declined to dismiss the plaintiffs’ claim that Lockheed Martin had engaged in a prohibited transaction with Athene because “it is plausible enough that Lockheed acted for its own benefit in selecting Athene if, in fact, it proves true that the decision to choose Athene placed Lockheed’s interests, even if only in the short run, over those of participants in the Plans.”[32]

What’s Next for Plan Sponsors and Fiduciaries

It remains to be seen whether other courts will follow the lead of the courts in Camire or Konya or will forge a new path. The plaintiffs’ mixed record in these early cases may well be enough to suggest that plan sponsors and fiduciaries can expect to see more suits alleging claims related to pension risk transfers. Over the next year, the prognosis for these cases will no doubt become clearer as motions to dismiss that are currently pending in the remaining cases are decided. Additionally, the Supreme Court’s recent decision in Loper Bright Enterprises v. Raimondo, which overruled Chevron deference to administrative agencies’ interpretations of statutes, may impact whether and how much courts weigh the Department of Labor’s Interpretive Bulletin 95-1 when evaluating the merits of plaintiffs’ claims.[33] But for now, and absent further guidance from the courts or the Department of Labor, Interpretive Bulletin 95-1 remains in place and provides guidance to plan sponsors and fiduciaries when selecting an annuity provider as part of a de-risking transaction for an ERISA-governed pension plan.[34] Plan sponsors and fiduciaries evaluating de-risking transactions should review this guidance in connection with implementing any pension de-risking transaction.

[1] See Camire v. Alcoa USA Corp., No. 1:24-cv-01062, 2025 WL 947526 (D.D.C. Mar. 28, 2025); Konya v. Lockheed Martin Corp., No. 8:24-cv-00750, 2025 WL 962066 (D. Md. Mar. 28, 2025).

[2] See Dept. of Labor Rpt. to Congress on Employee Benefits Security Administration’s Interpretive Bulletin 95-1 2–3, 5 (June 2024), available at https://www.dol.gov/sites/dolgov/files/EBSA/laws-and-regulations/laws/secure-2.0/report-to-congress-on-interpretive-bulletin-95-1.pdf (last accessed Apr. 11, 2025).

[3] See id. at 3.

[4] See id.

[5] See id. at 5.

[6] See, e.g., Konya, No. 8:24-cv-00750 (D. Md. 2024); Camire, No. 1:24-cv-01062 (D.D.C. 2024); Doherty v. Bristol-Myers Squibb Co., No. 1:24-cv-06628 (S.D.N.Y. 2024).

[7] See, e.g., Complaint, Konya, No. 8:24-cv-00750, at ¶ 3 (D. Md. Mar. 13, 2024), ECF 1; Amended Complaint, Camire, No. 1:24-cv-01062, at ¶ 3 (D.D.C. July 2, 2024), ECF 28; Consolidated Class Action Complaint, Doherty, No. 1:24-cv-06628, at ¶ 3 (S.D.N.Y. Nov. 4, 2024), ECF 45.

[8] See Complaint, Konya, No. 8:24-cv-00750, at ¶¶ 3–4; Consolidated Class Action Complaint, Doherty, No. 1:24-cv-06628, at ¶¶ 29–30.

[9] See Complaint, Konya, No. 8:24-cv-00750, at ¶¶ 30–32; Consolidated Class Action Complaint, Doherty, No. 1:24-cv-06628, at ¶¶ 68–69.

[10] See Complaint, Konya, No. 8:24-cv-00750, at ¶ 33; Consolidated Class Action Complaint, Doherty, No. 1:24-cv-06628, at ¶¶ 75–76.

[11] See 29 U.S.C. § 1132(a)(9); see also Complaint, Konya, No. 8:24-cv-00750, at ¶ 39; Consolidated Class Action Complaint, Doherty, No. 1:24-cv-06628, at ¶¶ 80–82.

[12] See 29 C.F.R. § 2509.95-1(d); see also Complaint, Konya, No. 8:24-cv-00750, at ¶ 21; Consolidated Class Action Complaint, Doherty, No. 1:24-cv-06628, at ¶ 86.

[13] See Complaint, Konya, No. 8:24-cv-00750, at ¶ 60; Consolidated Class Action Complaint, Doherty, No. 1:24-cv-06628, at ¶ 149.

[14] See Lee v. Verizon Commc’ns, Inc., 837 F.3d 523, 532 (5th Cir. 2016).

[15] Id. at 529–31.

[16] See, e.g., Memorandum of Law in Support of Defendant’s Motion to Dismiss, Konya, No. 8:24-cv-00750, at 2 (D. Md. May 3, 2024), ECF 26-1; Memorandum of Law in Support of the Bristol-Myers Squibb Defendants’ Motion to Dismiss Plaintiffs’ Consolidated Complaint, Doherty, No. 1:24-cv-06628, at 2 (S.D.N.Y. Jan. 15, 2025), ECF 51.

[17] See, e.g., Memorandum of Law in Support of Defendant’s Motion to Dismiss, Konya, No. 8:24-cv-00750, at 2; Memorandum of Law in Support of the Bristol-Myers Squibb Defendants’ Motion to Dismiss Plaintiffs’ Consolidated Complaint, Doherty, No. 1:24-cv-06628, at 2.

[18] See Camire v. Alcoa USA Corp., No. 1:24-cv-01062, 2025 WL 947526 (D.D.C. Mar. 28, 2025).

[19] Id. at *4, *7.

[20] Id. at *4.

[21] Id. at *7.

[22] Id.

[23] Id.

[24] See id. at *8.

[25] See Konya v. Lockheed Martin Corp., No. 8:24-cv-00750, 2025 WL 962066 (D. Md. Mar. 28, 2025).

[26] Id. at *13, *17–18.

[27] Id. at *10.

[28] Id. at *9.

[29] Id. at *15.

[30] Id. at *14.

[31] Id. at *16–17.

[32] Id. at *18.

[33] See Loper Bright Enters. v. Raimondo, 603 U.S. 369 (2024).

[34] Dept. of Labor, News Release, UPDATED: US Department of Labor issues report to Congress on considerations for defined benefit pension plan fiduciaries choosing an annuity provider, available at https://www.dol.gov/newsroom/releases/ebsa/ebsa20240624 (last accessed Apr. 11, 2025); see also Dept. of Labor Rpt. to Congress on Employee Benefits Security Administration’s Interpretive Bulletin 95-1 (June 2024), available at https://www.dol.gov/sites/dolgov/files/EBSA/laws-and-regulations/laws/secure-2.0/report-to-congress-on-interpretive-bulletin-95-1.pdf (last accessed Apr. 11, 2025).

The following Gibson Dunn lawyers prepared this update: Michael Collins, Ashley Johnson, Jennafer Tryck, and Rachel K. Nardone.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Labor & Employment or Executive Compensation & Employee Benefits practice groups, or the authors:

Labor & Employment:

Karl G. Nelson – Dallas (+1 214.698.3203, [email protected])
Geoffrey Sigler – Washington, D.C. (+1 202.887.3752, [email protected])
Katherine V.A. Smith – Los Angeles (+1 213.229.7107, [email protected])
Heather L. Richardson – Los Angeles (+1 213.229.7409,[email protected])
Ashley E. Johnson – Dallas (+1 214.698.3111, [email protected])
Jennafer M. Tryck – Orange County (+1 949.451.4089, [email protected])

Executive Compensation & Employee Benefits:

Michael J. Collins – Washington, D.C. (+1 202-887-3551, [email protected])
Sean C. Feller – Los Angeles (+1 310.551.8746, [email protected])
Krista Hanvey – Dallas (+1 214.698.3425, [email protected])

Cunningham v. Cornell University, No. 23-1007 – Decided April 17, 2025

Today, the Supreme Court unanimously held that plaintiffs bringing a prohibited-transaction claim under ERISA Section 406(a)(1)(C) need only allege, in their complaints, the elements set forth in that provision—they need not negate the affirmative defenses set forth in ERISA Section 408. The Court also emphasized that district courts have a variety of other means to screen out insubstantial claims at the pleading stage.

“[P]laintiffs seeking to state a [Section 406(a)(1)(C)] claim must plausibly allege that a plan fiduciary engaged in a transaction proscribed therein, no more, no less. … To the extent future plaintiffs do bring barebones [Section 406] suits, district courts can use existing tools at their disposal to screen out meritless claims before discovery.”

Justice SOTOMAYOR, writing for the Court

Background:

Health and retirement plans governed by the Employee Retirement Income Security Act (ERISA) commonly transact with third-party entities for various services that benefit plan participants, such as recordkeeping and investment advising. But Section 406(a)(1)(C) of ERISA prohibits a plan fiduciary from “caus[ing] the plan to engage in a transaction” that the fiduciary “knows or should know … constitutes a direct or indirect … furnishing of goods, services, or facilities between the plan and” a service provider for the plan, 29 U.S.C. § 1106(a)(1)(C); see id. § 1002(a)(14)(B), subject to exemptions listed in Section 408 (29 U.S.C. § 1108). Among other things, Section 408 exempts “reasonable arrangements with” a plan service provider “for office space, or legal, accounting, or other services necessary for the establishment or operation of the plan, if no more than reasonable compensation is paid therefor.” Id. § 1108(b)(2)(A).

The Eighth and Ninth Circuits held that merely alleging the elements set forth in Section 406(a)(1)(C)—that a plan fiduciary caused a plan to enter into a service transaction with a third-party service provider—is sufficient to plead a prohibited-transaction claim and proceed to discovery. But the Second Circuit held that a plaintiff also must plausibly allege that the Section 408(b)(2)(A) exemption does not apply—i.e., that the services were unnecessary or the compensation was unreasonable. The Supreme Court granted review to resolve the conflict.

Issue:

Whether a plaintiff can state a prohibited-transaction claim under Section 406(a)(1)(C) of ERISA solely by alleging that a plan fiduciary engaged in a service transaction with a plan service provider.

Court’s Holding:

Yes. The only elements of a prohibited-transaction claim under Section 406(a)(1)(C) are the elements set forth in that provision. To state a claim, the plaintiff need not allege facts negating Section 408’s exemptions, such as the exemption for necessary service transactions that are compensated reasonably. But district courts have several other tools at their disposal to weed out unmeritorious claims at the pleading stage.

What It Means:

The Court’s decision clarifies that, under ERISA’s text and structure, Section 408’s exemptions are affirmative defenses that defendants must plead—not elements of a prohibited-transaction claim under Section 406. So ERISA plaintiffs need not allege, in their complaints, facts that negate the necessity or reasonableness of a service transaction with a plan service provider.
The Court acknowledged, however, that this scheme raises “serious concerns” for ERISA plans and fiduciaries given the ubiquity of service transactions in the plan-administration context. The Court thus highlighted several tools that district courts can deploy to prevent meritless prohibited-transaction claims from reaching full-blown discovery. For example, the Court suggested that, once a defendant pleads a Section 408 exemption as an affirmative defense in its answer, the district court could order the plaintiff to file a reply setting forth “specific, nonconclusory factual allegations” showing that the exemption does not apply. The plaintiff’s inability to do so could result in dismissal.
The Court also highlighted four other mechanisms of protecting ERISA plans and fiduciaries from onerous and costly discovery: (1) Article III standing principles require dismissal of suits that fail to allege a concrete injury; (2) district courts retain discretion to expedite or limit discovery; (3) district courts can impose Rule 11 sanctions if a Section 408 exemption “obviously applies,” and “a plaintiff and his counsel lack a good-faith basis to believe otherwise”; and (4) ERISA authorizes district courts to shift attorneys’ fees and costs to plaintiffs.
In a concurring opinion, Justice Alito, joined by Justices Thomas and Kavanaugh, likewise acknowledged that the Court’s decision could cause “untoward practical results.” They urged district courts to “strongly consider” using the various mechanisms outlined by the majority opinion—especially the option of requiring plaintiffs to file post-answer replies—to ensure “the prompt disposition of insubstantial claims.”

The Court’s opinion is available HERE.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the U.S. Supreme Court. Please feel free to contact the following practice group leaders:

Appellate and Constitutional Law

Thomas H. Dupree Jr. +1 202.955.8547 [email protected]	Allyson N. Ho +1 214.698.3233 [email protected]	Julian W. Poon +1 213.229.7758 [email protected]
Lucas C. Townsend +1 202.887.3731 [email protected]	Bradley J. Hamburger +1 213.229.7658 [email protected]	Brad G. Hubbard +1 214.698.3326 [email protected]
Ashley E. Johnson +1 214.698.3111 [email protected]

Related Practice: Insurance and Reinsurance

Geoffrey M. Sigler
+1 202.887.3752
[email protected]

Heather L. Richardson
+1 213.229.7409
[email protected]

Related Practice: Labor and Employment

Jason C. Schwartz
+1 202.955.8242
[email protected]

Katherine V.A. Smith
+1 213.229.7107
[email protected]

This alert was prepared by associates Robert Batista and Maya Jeyendran.

This edition of Gibson Dunn’s Federal Circuit Update for March summarizes the current status of petitions pending before the Supreme Court and recent Federal Circuit decisions concerning forfeiture, obviousness, patent term extensions, whether separately recited components in a claim must refer to distinct components in the patented invention, and 35 U.S.C. § 102(e).

Federal Circuit News

Noteworthy Petitions for a Writ of Certiorari:

There were no new potentially impactful petitions filed before the Supreme Court in March 2025. We provide an update below of the petitions pending before the Supreme Court, which were summarized in our February 2025 update:

In Converter Manufacturing, LLC v. Tekni-Plex, Inc. (US No. 24-866), a response was filed April 16, 2025.

The Court will consider the petitions filed in Brumfield v. IBG LLC, et al. (US No. 24-764) and Celanese International Corp. v. International Trade Commission (US No. 24-635) at its April 17, 2025 and April 25, 2025 conferences, respectively.

The Court denied the petitions in Koss Corp. v. Bose Corp. (US No. 24-916), Lighting Defense Group LLC v. SnapRays, LLC (US No. 24-524), and Parker Vision, Inc. v. TCL Industries Holdings Co., et al. (US No. 24-518).

Upcoming Oral Argument Calendar

The list of upcoming arguments at the Federal Circuit is available on the court’s website. .

Key Case Summaries (March 2025)

Odyssey Logistics & Technology Corp. v. Stewart, No. 23-2077 (Fed. Cir. Mar. 6, 2025): Odyssey appealed an examiner’s rejection of its patent application, which was affirmed by the Federal Circuit in 2020. Over a year later, the Supreme Court issued its decision in United States v. Arthrex, Inc., 594 U.S. 1 (2021), which held that administrative patent judges’ unreviewable authority in inter partes review proceedings violated the Appointments Clause. Odyssey petitioned for review by the Director of the United States Patent and Trademark Office (USPTO) based on that decision. The Director denied the request. Odyssey then filed a complaint in district court to compel Director review, but the district court dismissed Odyssey’s complaint for lack of subject matter jurisdiction, reasoning that whether the Director decides to review Odyssey’s request was committed to the agency’s discretion and judicial review of that decision is improper.

The Federal Circuit (Dyk, J., joined by Reyna and Stoll, JJ.) affirmed. The Court held that Odyssey had forfeited its Appointments Clause challenge by not raising it in its first appeal despite its knowledge of the Appointments Clause challenge addressed by the Federal Circuit in Arthrex in 2019. Considering the standard set forth in Fed. R. Civ. P. 60(b), the Federal Circuit found no extraordinary circumstances existed that would excuse Odyssey’s failure to raise its stated ground for relief earlier and decided that the USPTO did not abuse its discretion in denying Odyssey’s request for review. Therefore, the Court concluded that Odyssey’s complaint failed to state a claim for relief and affirmed the district court’s decision on that basis, rather than for lack of subject matter jurisdiction.

ImmunoGen, Inc. v. Stewart, No. 23-1762 (Fed. Cir. March 6, 2025): ImmunoGen’s patent application is directed to a dosing regimen for administering IMGN853, an antibody drug conjugate (ADC) for treating certain ovarian and peritoneal cancers. While a promising cancer therapy, the drug was known to cause ocular toxicity, including keratitis and blurred vision. ImmunoGen developed an effective dosing regimen that resulted in minimal adverse effects and sought to patent its solution, which included limitations reciting the administration of IMGN853 at a dose of 6 mg/kg based on an adjusted ideal body weight (AIBW) of the patient (the “dosing limitation”). The examiner rejected the claims as obvious primarily relying on ImmunoGen’s own prior patent publication related to IMGN853, which disclosed the 6mg/kg AIBW dosage. ImmunoGen brought an action under 35 U.S.C. § 145, and the district court determined that the claims are unpatentable as obvious.

The Federal Circuit (Lourie, J., joined by Dyk and Prost, JJ.) affirmed. ImmunoGen argued that the prior art did not disclose that IMGN853 caused ocular toxicity in humans and therefore did not render the dosing limitation obvious. However, the Federal Circuit held that a solution to “an unknown problem is not necessarily non-obvious.” Instead, “any need or problem known in the field of endeavor at the time of invention can provide a reason for combining the elements in the manner claimed.” Accordingly, the Court determined that it would have been obvious to a skilled artisan to experiment with changing the dosage to reduce toxicity, and AIBW was a known dosing methodology for anticancer drugs. Furthermore, the Court found that ImmunoGen’s own prior patent publication disclosed the 6mg/kg AIBW dosing regimen for ADCs. Thus, the Court concluded that a person of ordinary skill in the art would have been motivated to try an AIBW dosing methodology with IMGN853 at the 6 mg/kg AIBW dosage.

Merck Sharp & Dohme B.V. et al v. Aurobindo Pharma USA, Inc., No. 23-2254 (Fed. Cir. Mar. 13, 2025): Merck owns a patent directed to sugammadex, which is the active ingredient in BRIDION®, a drug that reverses neuromuscular blockade, which is a certain form of paralysis induced by certain types of surgery. While regulatory review for sugammadex was pending, Merck filed an application to reissue the patent. After both the patent reissued and the regulatory process concluded, Merck sought and received a five-year patent term extension (PTE) under 35 U.S.C. § 156(c), which provides limited extensions of patent terms due to regulatory review delay. Merck sued Aurobindo for infringement of its reissued patent based on Aurobindo’s filing of an abbreviated new drug application (ANDA) for approval to sell generic versions of BRIDION®. Aurobindo challenged the length of the reissued patent’s PTE and argued that 35 U.S.C. § 156(c) requires calculating the extension for “the patent,” as recited in the statute, from the date of issuance of the reissued patent, not the original patent. The district court disagreed, concluding that the amount of delay should be calculated from the date of issuance of the original patent.

The Federal Circuit (Dyk, J., joined by Mayer and Reyna, JJ.) affirmed. The Court held that, when calculating a patent term extension for reissued patents that include “the same claims directed to a drug product subject to FDA review” as the original patent, the statutory language of “the patent” in 35 U.S.C. § 156(c) refers to the original patent. The Court reasoned that the purpose of the Hatch-Waxman Act, in providing patent term extensions to recover a portion of market exclusivity lost during regulatory review, required interpreting “the patent” as the original patent in the context of reissued patents to fully compensate patent owners for the period of exclusivity lost due to regulatory delay.

Regeneron Pharmaceuticals, Inc. v. Mylan Pharmaceuticals Inc., No. 24-2351 (Fed. Cir. March 14, 2025): Regeneron owns a patent directed to pharmaceutical formulations for a fusion protein known as aflibercept, claiming “a vascular endothelial growth factor (VEGF) antagonist” and “a buffer,” among other limitations. The patent covers Regeneron’s biologic product EYLEA® (“Eylea”) and is listed in FDA’s Purple Book, which is a searchable online database that lists all FDA-approved biological products. Eylea is used to treat angiogenic eye disorders associated with uncontrolled blood vessel growth in the retina, which can cause vision loss or blindness. Amgen filed an abbreviated Biologics License Application (aBLA) at the FDA, which stated that its formulation differs from Regeneron’s formulation because it does not contain a separate buffer protein. Regeneron sued Amgen alleging infringement of its patent and filed a motion for preliminary injunction. Amgen opposed the preliminary injection arguing that the claims separately require a VEGF antagonist and a buffer, so Amgen’s formulation did not infringe. The district court determined that the claims required that the claimed VEGF antagonist be a separate component from the claimed buffer, concluded that Regeneron had not demonstrated a likelihood of success on the merits, and denied the preliminary injunction.

The Federal Circuit (Lourie, J., joined by Moore, C.J. and Stark, J.) affirmed. The Court held that “where a claim lists elements separately, the clear implication of the claim language is that those elements are distinct components of the patented invention,” citing Becton, Dickinson & Co. v. Tyco Healthcare Grp., LP, 616 F.3d 1249 (Fed. Cir. 2010). The Court further determined that the claims and specification only reinforced the interpretation that the claimed components are distinct, and therefore, the implication of separateness had not been overcome.

In re Riggs et al., No. 22-1945 (Fed. Cir. March 24, 2025): The named inventors (collectively, “Riggs”) filed a patent application directed to an integrated logistics system, which an examiner rejected in part as anticipated by prior art reference, Lettich, under 35 U.S.C. § 102(e). Riggs appealed to the Patent Trial and Appeal Board (Board), and the Board sustained the examiner’s rejections. Applying Dynamic Drinkware, LLC v. National Graphics, Inc., 800 F.3d 1375 (Fed. Cir. 2015), the Board determined that Lettich was entitled to the priority date of its provisional application as at least one claim in the Lettich non-provisional application was supported by the Lettich provisional application, and thus, qualified as prior art.

The Federal Circuit (Stoll, J., joined by Moore, C.J., and Cunningham, J.) vacated and remanded. The Court explained that while Dynamic Drinkware held that a patent “cannot be accorded the benefit of its provisional application’s filing date absent a showing that the provisional application provides support for the claims of the patent or published application,” it did not stand for the conclusion that support for only one claim from the provisional would be sufficient for the other portions of the specification to be afforded the provisional’s filing date. Instead, the Board needed to analyze whether Lettich’s provisional application provided “written description support for the specific disclosures in Lettich that the Examiner identified and relied on in the prior art rejections.”

The following Gibson Dunn lawyers assisted in preparing this update: Blaine Evanson, Audrey Yang, Al Suarez, Hannah Bedard, and Michelle Zhu.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups, or the following authors:

Blaine H. Evanson – Orange County (+1 949.451.3805, [email protected])
Audrey Yang – Dallas (+1 214.698.3215, [email protected])

Appellate and Constitutional Law:
Thomas H. Dupree Jr. – Washington, D.C. (+1 202.955.8547, [email protected])
Allyson N. Ho – Dallas (+1 214.698.3233, [email protected])
Julian W. Poon – Los Angeles (+ 213.229.7758, [email protected])

Intellectual Property:
Kate Dominguez – New York (+1 212.351.2338, [email protected])
Josh Krevitt – New York (+1 212.351.4000, [email protected])
Jane M. Love, Ph.D. – New York (+1 212.351.3922, [email protected])

New U.S. Department of Justice regulations are now in effect, imposing significant restrictions on the flow of bulk sensitive personal data and government-related data from the United States to China and other “countries of concern.”

On April 8, 2025, new regulations [1] came into effect to address broad national security risks related to sensitive personal data and U.S. government-related data (the “Rule”). The Rule is the cornerstone of the U.S. Department of Justice’s (DOJ’s) new Data Security Program (DSP). The Rule, in concert with a Compliance Guide,[2] more than 100 Frequently Asked Questions (FAQs),[3] and an Implementation and Enforcement Policy [4] released in connection with a press release [5] on April 11, 2025, launch DOJ into a new role as data regulator—and impose broad-reaching obligations for U.S. and multinational organizations to comply with new restrictions on cross-border transfers of Americans’ sensitive personal data. The DSP marks a significant shift in U.S. policy towards the free cross-border flow of data.

The Rule, implemented by DOJ’s National Security Division pursuant to President Biden’s 2024 Executive Order 14117,[6] addresses national security threats relating to the “weaponization” of sensitive personal data that have been a consistent focus across both the first Trump administration and the recent Biden administration. Indeed, the Rule was finalized in the waning days of the Biden administration but was subject to a 90-day period before becoming effective.[7] In DOJ’s announcement, Deputy Attorney General Todd Blanche made DOJ’s policy goals clear, stating, “If you’re a foreign adversary, why would you go through the trouble of complicated cyber intrusions and theft to get Americans’ data when you can just buy it on the open market or force a company under your jurisdiction to give you access? … The Data Security Program makes getting that data a lot harder.[8]

The Rule will meaningfully alter international data flows—including intracompany transfers—involving Americans’ sensitive personal data and U.S. government-related data. Specifically, it will prohibit or restrict “covered data transactions” that involve the sharing of or access to such data by “covered persons” or a “country of concern” (most importantly, the People’s Republic of China, inclusive of Hong Kong and Macau).

The DSP Compliance Guide and Implementation and Enforcement Policy signal this will be an area of focus for DOJ. These documents outline robust steps that entities must promptly undertake to ensure compliance under the Rule. Notably, the Compliance Guide contains prescriptive requirements that highlight the expectation that entities handling U.S. sensitive personal data and/or U.S. government-related data will have a keen understanding of their data, who has access to such data, whether they engage in covered data transactions, and will develop and implement a tailored compliance program to ensure regulatory requirements are met.

DOJ has noted in the Implementation and Enforcement Policy that it will not prioritize civil enforcement actions for violations occurring between April 8 and July 8, 2025 as long as companies make “good faith efforts to comply with or come into compliance with” the Rule, though DOJ “will pursue penalties and other enforcement actions as appropriate for egregious, willful violations.”[9]

While the Rule is complex and requires careful analysis to assess compliance requirements, below are high-level areas of impact on which companies should focus to assess their obligations under the Rule and to ensure compliance:

Review your data and data flows. Know your data. Understand (i) the nature, volume, geographic location and cybersecurity measures pertaining to covered data and (ii) where you are sending your data – and who has access. This should include review of intracompany transfers and access, as well as access by counterparties and vendors. The Compliance Guide highlights the importance of ascertaining the identity of parties to a covered data transaction and the end-use of the data, as well as the method of transfer.
Assess impact of the regulatory prohibitions and restrictions. Conduct legal analysis of covered data transactions to assess whether such transactions are prohibited or restricted under the Rule, and whether any potential exemptions may apply. While the Rule includes exemptions to facilitate the continued cross-border flow of data, these exemptions are narrow and often complex to apply in practice.
Develop and implement a tailored compliance program. A comprehensive risk assessment may facilitate the development of a compliance approach tailored to the nature and scope of covered data transactions. The compliance program should also address the various auditing, reporting, and recordkeeping requirements required under the Rule. The Compliance Guide and FAQs provide detailed guidance on DOJ’s expectations for compliance programs, including written policies and procedures, due diligence protocols, senior leader and board review of annual attestations, training, and testing of internal controls.
Establish the tone from the top—and resource the compliance team. DOJ is clear that a strong program will have senior management support and buy-in and set forth specific responsibilities for senior leadership. Notably, the CEO and board of directors are expected to review annual attestations and compliance reports—which must include whether the CEO has met with compliance personnel to discuss the DSP implementation, as well as engaged appropriate outside experts to verify the statements made in the annual certification. Companies are also expected to designate an individual with sufficient authority, technical expertise, and resourcing to lead the development and implementation of the data compliance program.
Expect this landscape to evolve. Many open questions remain concerning the implementation of the Rule. DOJ has invited companies to submit informal inquiries about the Rule and related guidance and noted that companies can request new FAQ answers by email, though it recommended companies wait to submit requests for formal licenses or advisory opinions until after July 8, 2025.

Overview of the Rule

At the core, the Rule applies to transactions fulfilling the following three elements:

The transaction must constitute a “covered data transaction”;
The “covered data transaction” must involve (i) “bulk” “U.S. sensitive personal data” or (ii) “government-related data”; and
The transaction must involve providing a “country of concern” or “covered person” with “access” to such controlled data.

Below, we present a high-level overview of the Rule and related guidance and highlight that given the complexities therein and the overall policy objectives the Rule seeks to address, it is important to also consult DOJ’s commentary throughout the rule-making process—and particularly in its final rule notice—and potentially outside counsel.

A. What types of transactions are “covered data transactions”?

“Covered data transactions” are those that involve “any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involve[]” one of the following:[10]

Data brokerage: “the sale of data, licensing of access to data, or similar commercial transactions … where the recipient did not collect or process the data directly from the individuals” linkable to the data;[11]
A Vendor Agreement: “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person” for consideration;[12]
An Employment Agreement: “any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person” for consideration;[13] or
An Investment Agreement: an “arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to” U.S. real estate or a U.S. legal entity.[14] There is an exception for certain passive investments.[15]

B. What types of data are covered?

The Rule covers two types of data: (1) “government-related data” and (2) “bulk U.S. sensitive personal data” involved in covered data transactions.

“Government-related data” includes the following types of data regardless of volume:
1. “Any precise geolocation data”[16] for any location on an enumerated list (e.g., military bases and other sensitive government sites)[17]; and
2. “Any sensitive personal data” marketed as linked or linkable to U.S. government employees, contractors, and officials.[18]
“Bulk U.S. sensitive personal data” includes a set of “sensitive personal data relating to U.S. persons,” even if de-identified or encrypted,”[19] exceeding specified thresholds in the preceding 12 months (beginning on April 8, 2025), whether through a single or multiple covered data transactions:[20]

Data Type	Threshold
“Human ’omic data” (i.e., genomic data and similar[21])	1,000 U.S. persons, or 100 persons for genomic data
Biometric identifiers[22]	1,000 U.S. persons
Precise geolocation data[23]	1,000 U.S. devices
Personal health data[24]	10,000 U.S. persons
Personal financial data[25]	10,000 U.S. persons
“Covered personal identifiers” (see below)	100,000 U.S. persons
Combined data	Lowest applicable threshold of U.S. persons or U.S. devices for any controlled data in the data set

“[C]overed personal identifiers” is a broad category that covers many types of commonly circulated personal data. To define this category, the Rule first enumerates a set of “listed identifiers” (discussed below). “Covered personal identifiers” means data containing either (1) any listed identifier combined with another listed identifier; or (2) any listed identifier combined with other data enabling it to be linked to other identifiers or other sensitive personal data.[26]

The “listed identifiers” defined by the Rule include any piece of data in these categories:

Government identification or account numbers (e.g., Social Security numbers);
Full financial account numbers or personal identification numbers;
Device-based or hardware-based identifiers (e.g., “SIM” numbers);
Demographic or contact data (e.g., name, birth date, or mailing address);
Advertising identifiers (e.g., Google Advertising ID, Apple ID for Advertisers);
Account-authentication data (e.g., username or password);
Network-based identifier (e.g., IP address); or
Call-detail data (e.g., Customer Proprietary Network Information).[27]

Thus, for example, the Rule would cover a dataset of first and last names linked to Social Security numbers or mobile advertising IDs linked to email addresses.

The Rule does exclude two categories of common data:

Demographic or contact data that is linked only to other demographic or contact data (such as first and last name linked to an email address); and
A network-based identifier, account-authentication data, or call-detail data linked only to other such data, when necessary to provide telecommunications, networking, or similar services.[28]

Finally, the Rule also covers combinations of multiple covered data types, or data that contains any listed identifier linked to any of the above, if any individual data-type threshold is met.

C. To whom does the Rule apply?

The Rule applies directly to “U.S. persons,” defined to include U.S. citizens, nationals, lawful permanent residents, refugees, and asylees; entities organized solely under the laws of the United States (including foreign branches of U.S. persons); and any persons within the United States.[29]

D. What recipients of information are covered?

The prohibitions and restrictions apply when U.S. persons provide “access”[30] to covered data to a “country of concern” or “covered person.”

“Countries of Concern” currently include China (including Hong Kong and Macau),[31] Cuba, Iran, North Korea, Russia, and Venezuela.[32]

“Covered Persons” include the following:[33]

Non-U.S. entities headquartered in or organized under the laws of a country of concern;
Non-U.S. entities 50% or more owned by a country of concern or covered person;
Non-U.S. individuals primarily resident in a country of concern;
Non-U.S. individuals who are employees or contractors of a covered person entity or a country-of-concern government; and
Any person—including a U.S. person—designated to DOJ’s Covered Persons List[34] (which has not yet been publicly released).

E. What types of transactions are prohibited?

Absent a license granted by DOJ, U.S. persons are prohibited from knowingly engaging in the following types of data brokerage transactions:[35]

Data brokerage transactions involving covered data with a country of concern or covered person;[36]
Covered data transactions with a country of concern or covered person that involves access to bulk human ’omic data or to biospecimens from which such data could be derived;[37]
Any transaction with the purpose of evading the regulations, or that would cause or attempt to cause a violation of the regulations;[38] and
Any transaction in which a U.S. person knowingly directs a transaction by a non-U.S. person that would be prohibited if engaged in by a U.S. person (or that would be restricted, when the requirements for a restricted transaction are not satisfied).[39]

In addition, the Rule affects data brokerage transactions with any foreign persons, even if they are not “covered persons.” A U.S. person may not knowingly engage in any data brokerage transaction involving access to the covered data types unless the U.S. person “[c]ontractually requires that the foreign person refrain from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person”; and “[r]eports any known or suspected violations of this contractual requirement.”[40] Reports are due to DOJ within 14 days of the U.S. person becoming aware of an actual or potential violation.[41]

Finally, under the data security requirements developed by the Cybersecurity and Infrastructure Agency (CISA) described below, even when a data transaction does not fall within the prohibitions described above, covered persons are functionally prohibited from accessing covered data “that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and countries of concern.”[42]

F. What types of transactions are restricted?

The Rule also creates a second category of “restricted transactions”: covered data transactions with a country of concern or covered person involving a (1) vendor agreement, (2) employment agreement, or (3) investment agreement.[43] U.S. persons are prohibited from engaging in such transactions unless they meet specified data security requirements developed by CISA.[44] Yet, even if the CISA security requirements are fulfilled, some covered data transactions that involve a vendor, employment, or investment agreement remain de facto prohibited by the security requirements, namely those which “involve access by countries of concern or covered persons to bulk human genomic data or human biospecimens from which such data can be derived.”[45] The CISA security requirements applicable to restricted transactions include organizational- and system-level requirements (such as cybersecurity policies, access controls, and internal risk assessments) as well as data-level requirements (such as data minimization, data masking, and encryption).[46]

As of October 6, 2025, U.S. persons must also fulfill specific due diligence and audit requirements before engaging in restricted transactions.[47] The Compliance Guide issued by DOJ on April 11, 2025, outlines a framework for compliance.[48] Due diligence programs should include, among other things, procedures for identifying the identity of vendors and written data compliance and cybersecurity policies.[49] The Rule also requires a yearly independent audit to verify compliance with the requirements.[50]

U.S. persons engaged in restricted transactions involving cloud-computing services must file annual reports to DOJ if twenty-five percent or more of the U.S. person’s equity interests are owned, directly or indirectly, by a country of concern or covered person.[51] These annual reports must contain specific components outlined in the Rule.[52]

G. What if it is unclear whether a transaction is prohibited or restricted?

If a party is unsure whether a contemplated transaction is prohibited or restricted, it may request an advisory opinion from DOJ. The agency will attempt to respond within 30 days, and the requestor may rely on the written response,[53] provided its disclosures were accurate and complete and the opinion remains in force.[54]

H. What exemptions exist?

The Rule contains a variety of exemptions, though many are narrow and require careful review to confirm that they apply. At a high level, there are exemptions for:

Transactions involving personal communications (e.g., by telephone) that do not involve the transfer of anything of value[55] or information or informational materials;[56]
Transactions ordinarily incident to international travel;[57]
Official business transactions of the U.S. government;[58]
Transactions ordinarily incident to and part of financial services, including payment processing and regulatory compliance;[59]
Transactions within corporate entities ordinarily incident to and part of administrative or ancillary business operations such as human resources, payroll, business travel, or customer support;[60]
Transactions required or authorized by federal law or international agreements, or necessary for compliance with federal law;[61]
Investment agreements subject to action by the Committee on Foreign Investment in the United States;[62]
Transactions ordinarily incident to and part of the provision of telecommunications services;[63]
Transactions related to drug, biological product, and medical device authorizations and data necessary to obtain those authorizations;[64] and
Transactions ordinarily incident to and part of clinical investigations and post-marketing surveillance data.[65]

The application of the Rule is likely to be especially complex when a U.S. business wishes to share information with a foreign subsidiary, which in turn may wish to share data with its own employees. U.S. businesses in this situation may wish to seek the advice of counsel.

I. Are any licenses available?

The Rule adopts a licensing structure reminiscent of sanctions and export controls. These licenses would permit otherwise prohibited or restricted transactions.[66] However, the Federal Register notice accompanying the final rule notes that DOJ anticipates that “licenses will be issued only in rare circumstances” and that their issuance may be contingent on any requirements that DOJ deems appropriate.[67] When issued, general licenses will apply to all U.S. persons unless otherwise specified, while specific licenses will apply only to the parties seeking the license for a particular transaction.[68] To date, no licenses have been released publicly.

J. Are completed transactions affected?

No, the Rule does not apply to transactions completed prior to April 8, 2025.[69] However, DOJ may request information about transactions completed before the effective date.[70]

K. What other recordkeeping requirements exist?

The Rule requires U.S. persons to generate (and save for ten years) a complete record of each non-exempt covered data transaction.[71] For restricted transactions, the Rule prescribes a specific list of documentation that must be maintained, such as annual audit results.[72] The Rule also permits DOJ to request, at any time, reports on any act, transaction, or covered data transaction subject to the Rule.[73]

Additionally, and as noted above, beginning on October 6, 2025, U.S. persons that have received and affirmatively rejected an offer from another person to engage in a prohibited data brokerage transaction must file a report within 14 days.[74]

L. What are the penalties for noncompliance?

Violations of the Rule can result in civil monetary fines of up to $374,474 per violation (an amount adjusted annually for inflation) or twice the value of the transaction, whichever is greater.[75] Criminal penalties of up to US $1,000,000 or 20 years’ imprisonment are available for willful violations.[76] As opposed to most violations under U.S. export controls and economic sanctions, which are subject to a strict liability standard, penalties under the Rule operate under a “knowledge” standard, meaning “with respect to conduct, a circumstance, or a result, that the U.S. person had actual knowledge of, or reasonably should have known about, the conduct, circumstance, or result.”[77] In determining whether an entity knew or had reason to know of the violation, DOJ has stated that it will “take into account the relevant facts and circumstances, including the relative sophistication of the individual or entity at issue, the scale and sensitivity of data involved, and the extent to which the parties to the transaction . . . appear to have been aware of and sought to evade the application of” the Rule.[78] DOJ also noted that it will take into account companies’ voluntary self-disclosures (VSDs) in assessing violations and that failure to implement data compliance programs could be an “aggravating factor in any enforcement action.”[79]

Gibson Dunn lawyers are actively advising in this space and are available to assist in addressing any questions you may have regarding these issues.

[1] See 28 C.F.R. Part 202.

[2] See Dep’t of Just., Nat’l Sec. Div., Data Security Program: Compliance Guide (Apr. 11, 2025) [hereinafter DOJ Compliance Guide], https://www.justice.gov/opa/media/1396356/dl.

[3] See U.S. Dep’t of Just., Nat’l Sec. Div., Data Security Program: Frequently Asked Questions (Apr. 11, 2025) [hereinafter DSP FAQs], https://www.justice.gov/opa/media/1396351/dl.

[4] See U.S. Dep’t of Just., Nat’l Sec. Div., Data Security Program: Implementation and Enforcement Policy Through July 8, 2025 (Apr. 11, 2025) [hereinafter DOJ Enforcement Policy], https://www.justice.gov/opa/media/1396346/dl?inline.

[5] See Press Release, U.S. Dep’t of Just., Nat’l Sec. Div., Justice Department Implements Critical National Security Program to Protect Americans’ Sensitive Data from Foreign Adversaries (Apr. 11, 2025) [hereinafter DOJ Press Release], https://www.justice.gov/opa/pr/justice-department-implements-critical-national-security-program-protect-americans-sensitive.

[6] Exec. Order 14117, 89 Fed. Reg. 15,421 (Mar. 1, 2024).

[7] See Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, 90 Fed. Reg. 1636 (Jan. 8, 2025) [hereinafter DSP Final Rule].

[8] DOJ Press Release, supra note 5.

[9] DOJ Enforcement Policy, supra note at 2.

[10] 28 C.F.R. § 202.210.

[11] Id. § 202.214. The regulations on brokerage transactions overlap significantly with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA), 15 U.S.C. § 9901. Although DOJ has acknowledged that the Final Rule and PADFAA are likely to place overlapping and conflicting obligations on businesses, DOJ declined to modify the rule to harmonize it to the law. It has promised to coordinate closely with the Federal Trade Commission (FTC) to harmonize enforcement. See DSP FAQs, supra note 3, at FAQ 12.

[12] 28 C.F.R. § 202.258.

[13] Id. § 202.217.

[14] Id. § 202.228(a).

[15] See id. § 202.228(b).

[16] See id. § 202.242.

[17] See id. § 202.1401.

[18] See id. § 202.222.

[19] Id. § 202.206.

[20] DSP FAQs, supra note 3, at FAQ 38.

[21] Human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data but excludes pathogen-specific data embedded in human ‘omic data sets. See 28 C.F.R. § 202.224.

[22] “[M]easurable physical characteristics or behaviors used to recognize or verify the identity of an individual.” Id. § 202.204.

[23] “[D]ata, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters.” Id. § 202.242.

[24] “[H]ealth information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.” Id. § 202.241.

[25] “[D]ata about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a ‘consumer report’ (as defined in 15 U.S.C. 1681a(d)).” Id. § 202.240.

[26] See id. § 202.212.

[27] Id. § 202.234.

[28] Id. § 202.212(b).

[29] See id. § 202.256.

[30] “Access” is a defined term that includes among other things “the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive” the information.” Id. § 202.201.

[31] See id. § 202.208.

[32] See id. § 202.601; see also id. § 202.209.

[33] See DSP FAQs, supra note 3, at FAQ 14; see also 28 C.F.R. § 202.211.

[34] See DSP FAQs, supra note 3, FAQs 42, 43, & 52.

[35] See id., supra note 3, at FAQ 16.

[36] 28 C.F.R. § 202.301.

[37] Id. § 202.303.

[38] Id. § 202.304.

[39] Id. § 202.305. DOJ has noted, however, that although U.S. persons must conduct “know your customer” and “know your data” due diligence on foreign persons involved in data transactions, it does not expect or require “second-level due diligence on the employment practices of those foreign persons to determine whether their employees qualify as covered persons.” DSP FAQs, supra note 3, at FAQ 58; see id. at FAQ 79.

[40] 28 C.F.R. § 202.302 (emphasis added); see DSP FAQs, supra note 3, at FAQ 62. For sample contractual language, see DOJ Compliance Guide, supra note 2, at 5–6.

[41] See 28 C.F.R. § 202.302(b).

[42] See DSP FAQs, supra note 3, at FAQ 67.

[43] See 28 C.F.R. § 202.401; see also DSP FAQs, supra note 3, at FAQ 17.

[44] See Cybersecurity & Infrastructure Sec. Agency, Security Requirements for Restricted Transactions (Jan. 3, 2025) [hereinafter CISA Security Requirements], https://www.cisa.gov/sites/default/files/2025-01/Security_Requirements_for_Restricted_Transaction-EO_14117_Implementation508.pdf.

[45] See DSP FAQs, supra note 3, at FAQ 67.

[46] See CISA Security Requirements, supra note 45; see also DSP FAQs, supra note 3, at FAQs 66, 67, & 69.

[47] 28 C.F.R. §§ 202.1001–02.

[48] See DOJ Compliance Guide, supra note 2, at 11–16.

[49] See 28 C.F.R. § 202.1001.

[50] See id. § 202.1002.

[51] See id. § 202.1103.

[52] See id.; see also DSP FAQs, supra note 3, at FAQs 87–88.

[53] See DSP FAQs, supra note 3, at FAQs 98–99.

[54] 28 C.F.R. § 202.901(i).

[55] See id. § 202.501.

[56] See id. § 202.502.

[57] See id. § 202.503.

[58] See id. § 202.504.

[59] See id. § 202.505.

[60] See id. § 202.506.

[61] See id. § 202.507.

[62] See id. § 202.508.

[63] See id. § 202.509.

[64] See id. § 202.510.

[65] See id. § 202.511.

[66] See id. §§ 202.801–202.803; see also DSP FAQs, supra note 3, at FAQs 40–41.

[67] DSP Final Rule, 90 Fed. Reg. at 1,693.

[68] 28 C.F.R. §§ 202.801–02.

[69] DSP Final Rule, 90 Fed. Reg. at 1,645.

[70] See DSP FAQs, supra note 3, at FAQ 104.

[71] See 28 C.F.R. § 202.1101(a); see also DOJ Compliance Guide, supra note 2, at 9.

[72] See 28 C.F.R. § 202.1101(b); see also DSP FAQs, supra note 3, at FAQ 92.

[73] See 28 C.F.R. § 202.1102; see also DOJ Compliance Guide, supra note 2, at 9–10.

[74] See 28 C.F.R. § 202.1104; see also DSP FAQs, supra note 3, at FAQ 64.

[75] See 28 C.F.R. § 202.1301.

[76] See id.

[77] DSP FAQs, supra note 3, at FAQ 107.

[78] Id.

[79] Id.; see DOJ Compliance Guide, supra note 2, at 11. DOJ will also accept tips concerning non-compliance from third parties and notes that individual whistleblowers “may be eligible for substantial financial awards” to incentivize compliance monitoring. DSP FAQs, supra note 3, at FAQ 106.

The following Gibson Dunn lawyers prepared this update: Stephenie Gosnell Handler, Vivek Mohan, Chris Mullen, Eric Brooks, Karsten Ball, Hugh Danilack, and Roxana Akbari.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s Privacy, Cybersecurity & Data Innovation / Artificial Intelligence, and International Trade Advisory & Enforcement, practice groups:

Privacy, Cybersecurity & Data Innovation / Artificial Intelligence:

United States:
Ashlie Beringer – Palo Alto (+1 650.849.5327, [email protected])
Keith Enright – Palo Alto (+1 650.849.5386, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Hugh N. Danilack – Washington, D.C. (+1 202.777.9536, [email protected])

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])

International Trade Advisory & Enforcement:

United States:
David P. Burns – Washington, D.C. (+1 202.887.3786, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Michelle A. Weinbaum – Washington, D.C. (+1 202.955.8274, [email protected])
Roxana Akbari – Orange County (+1 949.475.4650, [email protected])
Karsten Ball – Washington, D.C. (+1 202.777.9341, [email protected])
Mason Gauch – Houston (+1 346.718.6723, [email protected])
Chris R. Mullen – Washington, D.C. (+1 202.955.8250, [email protected])
Sarah L. Pongrace – New York (+1 212.351.3972, [email protected])
Anna Searcey – Washington, D.C. (+1 202.887.3655, [email protected])

An overview of environmental, health, and safety (EH&S) considerations in M&A transactions, which can impact risk allocation, valuation and the ability to operate after closing.

EH&S considerations can pose material issues and risks in M&A transactions, and early identification of these critical issues can assist buyers in evaluating problems and structuring solutions. It is therefore important to engage environmental subject matter experts early in the deal process, so they can effectively evaluate compliance with applicable EH&S laws and assess liability risks. Often, if a transaction deals with manufacturing, chemicals, or owned real estate, consultants will be used to visit sites or perform a Phase I Environmental Site Assessment (ESA) or “Phase I-lite” ESA. We are also seeing increased seller-led due diligence, which often includes presentations by consultants or pre-prepared Phase Is upon which buyers can rely. The purpose of seller diligence is to identify issues early so they can be presented in a favorable manner, guide valuations, and avoid surprises which could delay a transaction.

Environmental diligence may include: reviewing a target’s environmental operations, permit obligations and compliance, and permit transfer obligations that may be triggered in a transaction; evaluating non-compliances and remedial measures (including capital expenditures); and reviewing potential litigation risks, including from the current or past use of hazardous materials such as asbestos, solvents, per- and polyfluoroalkyl substances (PFAS), polychlorinated biphenyls (PCBs), or other emerging environmental issues. For both identified and unidentifiable risks, it may be necessary to develop strategies to mitigate future responsibility through indemnities, escrows, or insurance products. For transactions involving non-U.S. target companies, businesses, or assets, local environmental laws and obligations should also be assessed.

Discovery of environmental issues during the due diligence process may lead the parties to modify the agreement to re-allocate costs and/or potential liabilities, including a reduction in the purchase price, contamination indemnities benefiting the buyer, adding escrow to secure the completion of any required environmental cleanup after closing, and/or purchasing a pollution legal liability insurance policy to protect the buyer.

1. Impact of Transaction Structure

Understanding the transaction type and scope, and the associated assets and liabilities, should be a primary EH&S concern for a prospective buyer. The transaction structure will impact the scope of environmental diligence and can affect the range of potential liabilities to be assessed. For example, the type of transaction may impact some state filing requirements, determine permit transfer obligations, and limit the utility of obtaining insurance. A targeted asset purchase which carves out certain high environmental exposure assets may better insulate a buyer from environmental liabilities or obligations. In addition, some environmental permitting or property transfer obligations are not triggered in transactions occurring several corporate levels above the permitted entity. However, permit and/or property transfer obligations may be triggered regardless of the corporate organizational structure in an asset purchase, and will need to be accounted for as part of the transaction.

After evaluating the type and scope of the transaction, the next step is often deciding whether to hire environmental consultants to perform diligence, complete environmental assessment reports (typically a Phase I or Phase II ESA), and assess other technical issues. Understanding the target’s operations, real estate portfolio, and potential intersection with environmental laws is critical to making this determination. Some transactions—for example, those involving software companies that only lease commercial office space—are typically not environmentally intensive, and may not require EH&S consultants or more technical diligence. However, if real estate is owned and/or if a target’s operations are environmentally intensive (such as chemical manufacturing), then more extensive diligence by EH&S consultants may be appropriate.

2. Understanding and Managing Pre-Existing Contamination Liability

While transaction parties often seek to limit future liabilities post-closing, many environmental laws fundamentally attach liability from “cradle-to-grave,” even when an entity is no longer associated with a property. Therefore, understanding and managing potential environmental liabilities is crucial in any contemplated transaction.

a. CERCLA Liability

The federal Comprehensive Environmental Response, Compensation, and Liability Act of 1980 (CERCLA), 42 U.S.C. § 9601 et seq., as amended, generally determines liability for addressing the cleanup of hazardous materials released into the environment. Notably, liability under CERCLA can be imposed for the presence of hazardous substances at a site even in the absence of fault or knowledge, and any one potentially responsible party can be held jointly and severally liable for the entire cost of the cleanup. As a result, current owners and operators of a site can be held liable for releases occurring at any time in the past—including before the owner or operator was present at the site. Relatedly, former owners and operators remain liable for releases that occurred during their ownership/occupancy.

Liable parties can include (1) current owners and operators of a facility from which there has been a “release or threatened release” of hazardous substances; (2) past owners and operators of a facility at the time hazardous substances were disposed; (3) generators and parties that arranged for the disposal or transport of the hazardous substances to or from the site; and (4) transporters of hazardous waste that selected the site to which the hazardous substances were brought.

With this backdrop, it is essential to understand how transaction structure can impact environmental liability under CERCLA and state equivalents.

In an asset acquisition, a buyer can avoid or limit environmental real estate exposure by qualifying for certain defenses to liability under CERCLA (and often state equivalents), including the Innocent Landowner and Bona Fide Prospective Purchaser defenses. These defenses have various elements that must be satisfied both before and after the purchase of real property, including that the buyer has conducted “all appropriate inquiries” (AAI) into the history and condition of the property before acquisition. The AAI standard requires obtaining an up-to-date Phase I ESA that meets the current ASTM standard.

In an equity purchase, prospective purchasers cannot avail themselves of the same defenses to liability, even with the completion of a Phase I ESA. Instead, a purchaser in an acquisition of equity interests indirectly inherits the liability of the acquisition target by purchasing its equity interests, standing in place of the former owner. In this situation, because the AAI standard does not apply, the parties have broader latitude to structure diligence, and a formal Phase I ESA is not required. Therefore, a mix of site visits, desktop reviews, or management calls may be sufficient to provide a buyer with an adequate sense of environmental risk or liability. Representations and Warranties Insurers and lenders also are becoming more flexible and accepting of “Phase I-lite” diligence approaches in the context of an equity purchase.

In either case, completing a Phase I ESA and other typical environmental diligence (including standard review of materials, and more limited environmental surveys or reports such as a desktop review and searches of public records) is common and a best practice, as this diligence may provide a prospective purchaser with valuable information that can inform key deal terms even if it does not provide a defense to liability. Additionally, a third-party lender may condition the funding arrangement on the borrower obtaining and providing Phase I ESAs for any property.

b. State Environmental Protection Act Liabilities

Beyond CERCLA, states may have analogous or unique statutory schemes for the assignment of historic environmental liabilities. For example, in Michigan, the Michigan Natural Resources and Environmental Protection Act (NREPA) impacts transactions involving assets and operations in the state. Under this scheme, a buyer can purchase contaminated property and be shielded from liability for remediation of known, existing contamination caused by others, but only for certain contamination under specific programs regulated by Michigan’s NREPA. To qualify, the buyer must (1) perform a baseline environmental assessment (BEA) and (2) disclose the BEA to the Michigan Department of Environment, Great Lakes, and Energy (EGLE), as well as to subsequent buyers and transferees. A BEA assesses the environmental condition of the property to determine if it is contaminated above Michigan’s unrestricted residential criteria and includes the results of an AAI and sampling analysis of the property. To provide a liability defense, the BEA must be conducted within 45 days of the buyer becoming the owner/operator of a property.

A BEA does not automatically protect the new owner/operator from other state or federal laws. However, EGLE and U.S. EPA have entered into an agreement that EPA will not act against a property owner who has disclosed a BEA, except under certain circumstances.

3. Managing Compliance Obligations Triggered by the Transaction

Because the federal government and state governments concurrently regulate air and water contamination and discharges of pollutants, state and local governments often regulate or require recordkeeping and filings related to transactions involving property transfers and contamination. For example, for the transfer of certain types of industrial properties and/or properties which are known or suspected to have contamination, several states have laws that require pre-closing evaluations and filings that can affect deal timelines. Below, we discuss two examples: Connecticut and New Jersey.

a. Connecticut Transfer Act

The Connecticut Transfer Act (CTA), CGS §§ 22a-134 to 22a-134e (1985), regulates the “transfer” of certain “establishments” in Connecticut. The CTA term “transfer” refers to a change in ownership of the real property or business, and “establishments” are a defined subset of real properties and businesses. Certain transactions are exempted, including transfers of ownership interests of 50 percent or less. In addition, the CTA may not be triggered in a transaction which occurs several levels above the direct ownership level of the property where the direct property owner remains unchanged. Such a transaction would qualify as an exempt “corporate reorganization not substantially affecting the ownership of the establishment.” See Conn. Gen. Stat. §§ 22a-134(1)(H), (22).

Once triggered, the CTA requires disclosure of environmental conditions, investigation, remediation, and liability for transferors and transferees of establishments. The CTA also allows property transferees to recover damages from a transferor who fails to comply with the CTA. Unlike most states, investigation and remediation liabilities under the CTA depend not on whether there has been a documented release of hazardous substances but rather on the volume of hazardous waste generated at the site and whether certain enumerated activities (including dry cleaning operations, furniture stripping, or vehicle body repair) have occurred onsite. As a threshold issue, then, transaction parties need to evaluate the historical and present operations at the site, including any hazardous waste generation.

Next, the parties must decide which entity will be responsible for CTA compliance and to perform a site investigation to determine if prior releases have occurred. Then, the responsible party must enlist a licensed environmental professional to file specific form notices with the Connecticut Department of Energy & Environmental Protection (DEEP) prior to the transfer, informing DEEP either that no action is required, or that some additional investigation/remediation is needed. No approval is necessary.

The CTA regulatory scheme is evolving. In February 2025, DEEP submitted its “Release Based Cleanup Regulations” (RBCRs) to the Connecticut General Assembly for review and approval. The RBCRs are intended to better align Connecticut with other states’ approaches to releases on real property by applying a uniform regulatory scheme to all properties, without requiring different properties and cleanups be approached in different ways. In March 2025, the Connecticut General Assembly’s Legislative Regulation Review Committee rejected the RBCRs without prejudice, and directed DEEP to make certain changes to the proposed regulation.[1] Until the RBCRs are approved and take effect, the CTA will continue to apply.

b. New Jersey Industrial Site Recovery Act

New Jersey’s Industrial Site Recovery Act (ISRA), N.J. Stat. §§ 13:1K-6 to 13:1K-14 (1983), is triggered by the transfer of a qualifying “industrial establishment,” and requires the completion of certain reporting, site evaluation, and potential remediation efforts before the transfer or closure of certain industrial properties that may have been contaminated by hazardous substances. This includes transfers of operations, not just ownership. ISRA only applies to industrial establishments meeting three conditions: (1) the business has a North American Industry Classification System (NAICS) number listed in ISRA’s Appendix C,[2] (2) the business operated in New Jersey on or after December 31, 1983, and (3) the business uses or stores hazardous substances as defined by the New Jersey Spill Compensation and Control Act.

Establishments may be able to qualify for an exemption, obtain a waiver, or meet alternate compliance conditions with the New Jersey Department of Environmental Protection (NJDEP).

The De Minimis Quantity Exemption exempts small quantity generators of hazardous materials, so long as the business/property has not exceeded certain gallon/weight thresholds for use, storage, or disposal of hazardous substances at any one time during the owner or operator’s tenure.
The Remediation in Progress Waiver allows for the transfer of sites already undergoing remediation with oversight by NJDEP or a Licensed Site Remediation Professional (LSRP).
The Regulated Underground Storage Tank Only Waiver allows for the transfer of sites without conducting remediation where the only potential Area of Concern (AOC) or hazardous substance discharge is in connection with a regulated underground storage tank.

If a property or business in a transaction is subject to ISRA and does not qualify for any waivers, exemptions, or alternate compliance processes, then all necessary remediation must be performed pursuant to ISRA. ISRA compliance will result in one of three outcomes: (1) a LSRP issues an Unrestricted Use Response Action Outcome (RAO), (2) a LSRP certifies a Remedial Action Workplan (RAW) prior to the transfer, or (3) the parties execute a Remediation Certificate to allow the transaction to be consummated prior to full ISRA compliance.

ISRA compliance starts with filing a General Information Notice (GIN) with NJDEP within five days of any triggering event, including transaction signing. An environmental investigation follows, and any required remediation must be completed by a LSRP. This includes a Preliminary Assessment (PA) to identify potential AOCs and, if necessary, a Site Investigation (SI) Report to check for contaminants above remediation standards. If the PA identifies no issues, an SI is not needed, and a RAO will be recommended, ending the investigation. If contamination is found, a Remedial Investigation will determine its nature and extent, and a proposed RAW will outline the remediation plan to meet regulatory standards.

As outlined above, compliance with ISRA is a multi-step process that can be costly and time consuming. Determining ISRA’s applicability, and whether any waivers, exemptions, or alternate compliance are feasible, are important steps early in a transaction.

4. Permit Transfer Obligations (Change in Control States v. Change in Ownership)

As with the transfer of real property, some transactions may require filings to transfer an environmental permit. Typically, when there is only a change in control several levels above the permit-holder, it is rare that a permit needs to be transferred. For example, it is common that air permits need not be transferred when the direct entity owning a permitted facility does not change. There are, however, certain state regimes that require an air permit transfer application in the event of a change in control of the permitted facility itself. The same typically applies to wastewater discharge or use permits.

5. Evolving Regulations, Areas of Focus, and Technical Understanding Impacting Risk

Environmental laws, regulations, guidance, and areas of regulatory focus—and thus the resulting liabilities—are ever-changing as a result of scientific advancements, changes in political leadership and policy goals, and public interest. For example, regulation of emerging or newly identified contaminants often changes quickly and requires an up-to-date understanding of technical advancements in both testing and remediation technology. These issues can quickly make “stock”/template environmental deal terms outdated—particularly representations regarding compliance with environmental laws and regulations, and regarding use, storage, and disposal of hazardous substances. As a result of the changing environmental status quo, buyers should consider close engagement with specialists and consultants to understand the current status and potential future risks implicated by a transaction.

One such contaminant of increasing scrutiny is per- and polyfluoroalkyl substances (PFAS), a ubiquitous category of chemicals subject to expanding federal and state regulation. PFAS are of particular concern for manufacturers, waste treatment and/or disposal sites, and sites with a history of fires, but may present a risk in other types of transactions, as well. Other examples of chemicals that have become the focus of recent regulatory scrutiny include 1, 4-dioxane, a chemical used in various industrial processes; glyphosate, a broad-spectrum systemic herbicide that can be of concern for companies involved in landscaping and agricultural operations; and ethylene oxide, a gas often used in chemical manufacturing facilities producing a range of products such as antifreeze, textiles, plastics, detergents, and adhesives. Understanding a target company’s operations and the potential presence of emerging contaminants at the target facilities should be an early focus of any buyer.

6. The Role of Insurance in Managing Unknown Liabilities

During due diligence, a Phase I or Phase II ESA may identify potential environmental liabilities and concerns; or, a lack of deep knowledge on the part of a seller may cause a buyer to worry about the “unknown unknowns.” In such cases, environmental insurance may provide protection from both identified and unexpected pollution not typically covered by standard casualty and property policies. Environmental insurance can also help cover compliance costs which otherwise could lead to significant fines and issues.

Representations and Warranties Insurance (RWI) deals are prevalent, particularly because sellers desire a “clean break” post-closing. Adding environmental provisions to RWI coverage may be more efficient than obtaining a separate policy and can be a useful tool to reduce or eliminate unknown risks. In addition to RWI, there are several potentially useful insurance products available depending on the deal structure and nature of the target business.

Pollution Legal Liability Insurance (PLLI) generally covers third-party claims for property damage, personal injury, and cleanup costs related to environmental contamination.
Contractor’s Pollution Liability Insurance (CPLI) generally covers pollution incidents caused by contractors during their work.
Environmental Site Liability Insurance (ESLI) generally covers environmental risks stemming from owned real estate or operating facilities, whether the source is traceable to conditions on the insured property or a neighboring property.

PLLI can help manage and allocate environmental risks associated with a transaction. In addition to protection for known and unknown historic pollution risks, it can also cover pollution that arises between signing and closing, or post-closing. Unknown site contamination can lead to significant financial losses, and insurance can smooth out such unpredictable costs.

In a deal environment where sellers wish for a clean break, environmental insurance can bridge the gap and help make an offer more attractive. Post-closing, environmental insurance continues to provide protection against covered environmental liabilities that may arise. This can be particularly valuable for competitive bid transactions where the diligence period is truncated and can provide buyers with some comfort that any inherited environmental liabilities will be covered by the known cost of insurance.

[1] https://eregulations.ct.gov/eRegsPortal/Search/RMRView/PR2024-025; https://eregulations.ct.gov/eRegsPortal/Search/getDocument?guid={D071CE95-0000-CA19-89A4-CFC56373AF95}.

[2] https://www.nj.gov/dep/srp/isra/isra_c.htm.

The following Gibson Dunn lawyers prepared this update: Michael Murphy, Rachel Levick, Rob Little, Saee Muzumdar, George Sampas, Taylor Amato, and Phil Washburn.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. For further information, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Mergers & Acquisitions, Private Equity, or Environmental Litigation & Transactions practice groups:

Environmental Litigation & Transactions:
Rachel Levick – Washington, D.C. (+1 202.887.3574, [email protected])
Michael K. Murphy – Washington, D.C. (+1 202.955.8238, [email protected])

Mergers & Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, [email protected])
Saee Muzumdar – New York (+1 212.351.3966, [email protected])
George Sampas – New York (+1 212.351.6300, [email protected])

Private Equity:
Richard J. Birns – New York (+1 212.351.4032, [email protected])
Ari Lanin – Los Angeles (+1 310.552.8581, [email protected])
Michael Piazza – Houston (+1 346.718.6670, [email protected])
John M. Pollack – New York (+1 212.351.3903, [email protected])

An article in The New York Times describes the findings of a report filed in federal court in Manhattan by partner Mylan Denerstein in her role as court-appointed NYPD Monitor. The report found that NYPD anti-crime units continued to make unlawful stops, frisks, and searches in 2023, and that supervisors failed to rein in the unlawful activity.

Mylan was appointed in 2022 to serve as the independent NYPD Monitor to oversee a court-ordered reform process. She is Co-Chair of the Gibson Dunn Public Policy Practice Group and Co-Partner in Charge of the firm’s New York office.

https://www.nytimes.com/2025/02/04/nyregion/the-persistent-problem-of-stop-and-frisk.html

A report filed in federal court in Manhattan by partner Mylan Denerstein in her capacity as NYPD Monitor is the subject of a New York Times article. The report found that the NYPD made unlawful stop-and-frisk stops at least a quarter of the time in 2023 and that command-level supervisors had regularly failed to address them.

Mylan is Co-Chair of our Public Policy Practice Group and Co-Partner in Charge of the firm’s New York office. She was appointed in 2022 to serve as the independent NYPD Monitor to oversee a court-ordered reform process.

https://www.nytimes.com/2025/02/03/nyregion/nypd-stop-and-frisk-monitor.html

A quarterly update of high-quality education opportunities for Boards of Directors.

Gibson Dunn’s summary of director education opportunities has been updated as of April 2025. A copy is available at this link. Boards of Directors of public and private companies find this a useful resource as they look for high quality education opportunities.

This quarter’s update to the summary of director education opportunities includes a number of new opportunities as well as updates to the programs offered by organizations that have been included in our prior updates. Some of the new opportunities are available for both public and private companies’ boards.

Read More

The following Gibson Dunn attorneys assisted in preparing this update: Hillary Holmes, Lori Zyskowski, Elizabeth Ising, Ronald Mueller, Jason Ferrari, and To Nhu Huynh.

Please view this and additional information on Gibson Dunn’s Securities Regulation and Corporate Governance Monitor Blog.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Securities Regulation and Corporate Governance practice group, or the following authors:

Hillary H. Holmes – Houston (+1 346.718.6602, [email protected])
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, [email protected])
Lori Zyskowski – New York (+1 212.351.2309, [email protected])

Gibson Dunn partners Winston Chan (San Francisco), Patrick Stokes (Washington, D.C.), and Oleh Vretsona (Washington, D.C.) discuss California Attorney General Rob Bonta’s recent reminder to businesses operating in California that, despite President Trump pausing enforcement of the Foreign Corrupt Practices Act, making payments to foreign officials to obtain or retain business remains illegal. The Attorney General added that California may step up corruption-related enforcement if federal authorities’ priorities shift to other areas.

In view of these and other developments, the authors conclude that “companies would be well served by reviewing their compliance programs and calibrating their compliance-related risk assessments to mitigate against changing risk calculi and enforcement realities.”

Read their discussion in Law360 [PDF].

Partner Stephen Glover (Washington, D.C.) spoke extensively with Financier Worldwide Magazine about the challenges and opportunities presented by joint venture governance, including the link to performance. “There is a very strong correlation between JV governance and JV performance,” Stephen told the magazine. “Governance systems should be designed to ensure that the partners have a voice in the decisions that they view as most important, that they are incentivised to resolve disputes, and that JV management has sufficient flexibility to respond to changing business conditions.”

Read the full interview.

Elizabeth Penava is the author of “AI Art Is in Legal Greyscale” [PDF] published by The Regulatory Review.

Reprinted with permission from The Regulatory Review. Originally published on January 24, 2023

We are pleased to provide you with Gibson Dunn’s ESG update covering the following key developments during March 2025. Please click on the links below for further details.

I. GLOBAL

Fidelity updates voting guidelines regarding director diversity

As discussed in our February 2025 ESG Update, Institutional Shareholder Services, Glass Lewis, and institutional investors State Street, BlackRock, and Vanguard released updates to their proxy voting policies for 2025 with implications for how they intend to analyze director diversity. In March, Fidelity also published updated proxy voting guidelines that no longer set numeric expectations for director diversity but instead reflect Fidelity’s policy to “consider factors that [it] believe[s] are relevant to achieving effective governance practices, which may include the range of experience, perspectives, skills, and personal characteristics represented on the board.”

II. UNITED KINGDOM

Loan Market Association (LMA) publishes its revised Green, Social, and Sustainability-Linked Loan Principles

On March 26, 2025, the LMA published its revised Green, Social, and Sustainability-Linked Loan Principles and related guidance. The principles provide a recommended framework of market standards and guidelines, while also promoting the development of each of the three different types of loans (i.e., green, social, and sustainability-linked). The principles and related guidance are voluntary recommended guidelines to be applied on a deal-by-deal basis, depending on the nature of the transaction. These are mostly clarifying revisions, but there are also more detailed revisions relating to distinctions between what the principles consider to be mandatory requirements to comply with the principles compared to recommendations and optional courses of action. We previously reported on these principles here and here.

UK Home Office publishes updated supply chain guidance

On March 24, 2025, the UK Home Office published updated statutory guidance on transparency in supply chains. This guidance follows the December 2024 Policy Paper in which the Government stated that it was reviewing how it can strengthen penalties for non-compliance with its supply chain requirement. The updated guidance is intended to assist in-scope commercial organizations with preparing their mandatory modern slavery statements. The guidance sets out the Government’s expectations and provides practical advice based on learnings from the last ten years since the Modern Slavery Act 2015 came into force.

The Financial Conduct Authority (FCA) issues survey to Environmental, Social, and Governance (ESG) rating providers 2025

On March 21, 2025, the FCA distributed a voluntary survey to ESG rating providers to gather information the FCA hopes will help inform the future regulatory regime for ESG rating providers and sustainability disclosures. The survey aims to facilitate the FCA’s understanding of the ESG rating market, including the business models and methodologies of ESG rating providers, and the policies and processes of ESG rating providers. The FCA also expects the survey to help inform its approach to climate-related disclosure rules for listed companies, including possible incorporation of International Sustainability Standards Board (ISSB) standards and the Transition Plan Taskforce Disclosure Framework. Responses to the survey are due by May 16, 2025.

UK Government consults on mandatory ethnicity and disability pay gap reporting

On March 18, 2025, the UK Government published a consultation paper on its proposal to introduce mandatory ethnicity and disability pay gap reporting for large employers (defined as those with at least 250 employees). The proposed reporting obligation will be included in the upcoming Equality (Race and Disability) Bill and is expected to create a similar reporting framework to existing gender pay gap reporting (including the same “snapshot dates” and pay gap measures) in order to enhance transparency for both employers and employees. The consultation, which remains open until June 10, 2025, seeks views on several items, including how data should be collected and calculated taking into account the data privacy of individual employees.

Prudential Regulation Authority (PRA) and FCA will not pursue proposals relating to diversity and inclusion at financial services firms

On March 12, 2025, the FCA and the PRA announced that they will not proceed with their proposals to improve diversity and inclusion in financial services firms, which they consulted on in September 2023. The regulators cited feedback, expected legislation, duplication and regulatory burden as reasons for their decision and noted they will continue to support voluntary industry initiatives. The FCA also confirmed that it will continue to prioritize its work on non-financial misconduct in firms and will set out next steps by the end of June 2025. The regulators also referred to their review of the impact of removing the bonus cap on gender pay and inequality, which is likely to take place in 2026/27.

FCA clarifies sustainability rules and UK defense

On March 11, 2025, the FCA issued a statement explaining that its sustainability rules do not prevent investment in or financing for defense companies. The FCA said that its rules apply to financial products and services and some listed companies, but do not require them to treat defense companies differently. The FCA also noted that financial institutions can decide their own policies and risk appetites regarding support for the defense sector.

FCA publishes findings from review of firms’ treatment of vulnerable customers

On March 7, 2025, the FCA published its findings from its multi-firm review of firms’ treatment of customers in vulnerable circumstances. The review assessed how firms have implemented the FCA’s guidance on the fair treatment of vulnerable customers (FG21/1) and the consumer duty. The FCA found that many firms had taken positive action and made good progress, but also identified areas for improvement, such as outcomes monitoring, staff support, communications, and product and service design. The FCA decided not to update FG21/1 and encouraged firms to use the examples of good practice it published.

III. EUROPE

Germany plans to drop German Supply Chain Due Diligence Act (SCDDA)

On April 9, 2025, Germany’s new two-party coalition government presented its coalition agreement, including plans to suspend the SCDDA, which came into effect in 2023. The government announced that the SCDDA will be replaced by the Corporate Sustainability Due Diligence Directive (CSDDD), once it comes into effect (i.e., July 2028). Until then, due diligence obligations in the supply chain will not be sanctioned, except for severe human rights violations. Reporting obligations under the SCDDA for companies will be revoked immediately.

Green light for “Stop-the-Clock” EU proposal

On April 3, 2025, the European Parliament approved the so-called “Stop-the-Clock” proposal (the Postponement Directive), following the EU Council’s endorsement on March 26, 2025. As anticipated in our previous client alert, the proposal has progressed swiftly and is now expected to move toward formal adoption without further legislative negotiations. The Postponement Directive is likely to be formally adopted by the EU Council soon and to be transposed into national law by member states by December 31, 2025. While broad support for the Postponement Directive was expected, the forthcoming debate on the separate Amendment Directive addressing substantive changes to existing requirements—also outlined in our earlier coverage—is expected to be significantly more contentious.

A first draft of the Amendment Directive is currently expected in early June 2025. As with the Postponement Directive, the EU Parliament intends to apply a fast-track procedure. The aim is to resolve on the Amendment Directive as soon as October 2025, if possible.

Commission letter tasks the European Financial Reporting Advisory Group (EFRAG) to review European Sustainability Reporting Standards (ESRS) and reduce its datapoints

In a letter, the Commission has tasked EFRAG with reviewing the ESRS by October 31, 2025, suggesting that technical refinements to the sustainability framework will proceed regardless of the legislative timeline. The letter asks EFRAG to initiate the process to develop technical advice for the modification of the ESRS, with a particular focus on substantially reducing the number of mandatory datapoints. Proposed revisions include the removal of less relevant datapoints for general-purpose sustainability reporting, prioritization of quantitative over narrative disclosures, and ensuring continued interoperability with global standards without undermining the materiality assessment.

Several cases targeting greenwashing and climate change in Germany

Litigation: Greenwashing claims continue to significantly impact companies and courts in Germany. Environmental Action Germany (Deutsche Umwelthilfe e.V. – DUH) has brought five new claims against major companies in Germany (e.g., Tchibo and Toom) challenging slogans such as “ocean-friendly,” “sustainable,” and “sustainable commitment.” Since the end of 2024, the DUH has taken action against approximately 20 companies’ ESG claims. Additionally, three German courts have ruled in favor of claimants in greenwashing cases tackling companies’ claims regarding net-zero aims, carbon offsetting, and recyclability (e.g., Adidas).

Public prosecution: German public prosecutors have fined asset management company DWS EUR 25 million (USD 27 million) for greenwashing. Claims such as “ESG is an integral part of our DNA” or about being a leader in the ESG context were considered misleading, as they could not be proven to be accurate. The company had already been fined USD 25 million in the United States for greenwashing at the end of 2023.

CSRD Transposition: French Senate votes on delay of implementation for four years

No countries transposed the CSRD in March. In France, the Senate voted in favor of a proposal to delay the implementation of CSRD requirements by four years, citing major operational challenges for companies, but the measure still needs approval from the National Assembly to take effect. If adopted, the delay could put France in potential conflict with EU obligations, as companies may still be required to comply with CSRD under EU law. An overview of the current transposition status of CSRD into national laws can be found here.

IV. NORTH AMERICA

Securities and Exchange Commission (SEC) ends its defense of climate disclosure rules

On March 27, 2025, the SEC announced that it had voted to end its defense of the climate disclosure rules it adopted in March 2024 that would have required public companies to disclose certain climate risk-related information in their SEC filings. As discussed in our April 2024 ESG Update, the SEC had stayed effectiveness of the new disclosure rules pending legal challenges brought by states and private parties, which had been consolidated for review by the Eighth Circuit. Following the vote, the SEC sent a letter to the court withdrawing its defense of the rules.

On April 3, 2025, 18 states filed a motion to intervene in the cases, and on April 4, 2025 the same states filed a motion to hold the cases in abeyance until the SEC takes action to amend or rescind the rules.

New York Department of Environmental Conservation (DEC) releases draft regulations establishing greenhouse gas (GHG) emissions reporting program

On March 26, 2025, the DEC announced the release of draft regulations that would establish a mandatory reporting program requiring certain entities to annually report GHG emissions data to DEC, starting with reporting calendar year 2026 emissions data by June 1, 2027. Entities that meet “large emission source” thresholds will be required to verify their emissions data by DEC-accredited third-party verifiers and submit verification reports by August 10, 2027. Covered entities would generally include the following, subject to certain reporting thresholds: (i) owners and operators of electricity generation, stationary combustion, landfill, waste-to-energy, natural gas compressor station, and other facilities in New York; (ii) fuel suppliers, including natural gas, liquid fuels, petroleum, and coal; (iii) waste haulers and transporters; (iv) electric power entities; (v) suppliers of agricultural lime and fertilizer; and (vi) owners and operators of anaerobic digestion and liquid waste storage facilities. The public comment period on the draft regulations is open from April 2 to July 1, 2025, and final regulations are anticipated by the end of the year.

Sustainalytics publishes diversity, equity, and inclusion (DEI) rollback metrics and investor implications

On March 19, 2025, Sustainalytics published a report highlighting the potential impacts of the recent rollback of corporate DEI initiatives. In its report, Sustainalytics noted that not all rollbacks will have the same impact, and differences may depend on which of three categories the rollbacks fall into: (i) substantive changes to corporate policies, initiatives, or programs, (ii) reframing of existing policies, programs, or teams, and (iii) discontinuation of DEI-adjacent initiatives.

Sustainalytics’s ESG Risk Rating framework considers diversity programs, discrimination policies, gender pay equality programs, and gender pay disclosure, with the heaviest weight being placed on diversity programs. However, Sustainalytics notes that because human capital is only a portion of its ESG Risk Rating, the weight of human capital (and thus of DEI programs) on a company’s ESG Risk Rating can vary depending on the materiality of the workforce to the company’s business. This means that, in practice, DEI rollbacks are likely to have a greater impact on ESG Risk Ratings in more labor-intensive or knowledge-intensive industries that are more exposed to human capital-related risks, such as information technology, real estate, and healthcare, than in more capital-intensive industries, such as energy and utilities.

Environmental Protection Agency (EPA) initiated funding freeze blocked

On March 18, 2025, a federal judge issued an order granting a temporary restraining order blocking the EPA’s efforts to cancel $20 billion in grants issued under the Greenhouse Gas Reduction Fund. The funds were initially frozen prior to the cancellation of the grant. In the memorandum opinion, federal judge Tanya Chutkan stated that the EPA had failed to follow proper procedures related to the grant cancellations and that “based on the record before the court, and under the relevant statutes and various agreements, it does not appear that EPA Defendants took the legally required steps necessary to terminate these grants, such that its actions were arbitrary and capricious.” The ruling ordered Citibank, which held the funds for grant recipients, to process and disburse all funds requested under the Account Control Agreement and prohibited the funds from being moved to other accounts without further court order. The suit is ongoing.

Canada eliminates consumer carbon tax

On March 15, 2025, Canadian Prime Minister Mark Carney signed an order eliminating the country’s consumer carbon tax. This was Carney’s first act as Prime Minister (as the Liberal Party’s successor to Prime Minister Justin Trudeau). The new policy goes into effect on April 1, 2025.

Previously, under the Greenhouse Gas Pollution Pricing Act (GGPPA), Canadian citizens paid a charge for using or consuming any of 21 greenhouse gas-producing fuels. The charges varied by fuel type and were offset by a refundable tax credit provided to eligible individuals and small and medium-sized businesses. While this change in carbon tax policy affects the majority of Canadian provinces, British Columbia and the Northwest Territories impose their own provincial carbon tax regulations and will not be directly affected by the new policy.

U.S. Minister Counselor to United Nations (UN) Criticizes Sustainable Development Goals (SDGs)

On March 4, 2025, Edward Heartney, U.S. Minister Counselor to the UN Economic and Social Council, delivered remarks at the UN’s 58th Plenary Meeting of the General Assembly regarding the UN 2030 Agenda and Sustainable Development Goals, stating that “Agenda 2030 and the SDGs advance a program of soft global governance that is inconsistent with U.S. sovereignty and adverse to the rights and interests of Americans.” Heartney’s remarks made clear that the “United States rejects and denounces the 2030 Agenda for Sustainable Development and the Sustainable Development Goals, and it will no longer reaffirm them as a matter of course.”

In case you missed it…

The Gibson Dunn Workplace DEI Task Force has published its updates for March summarizing the latest key developments, media coverage, case updates, and legislation related to diversity, equity, and inclusion, including a dedicated alert describing the Equal Employment Opportunity Commission and Department of Justice guidance regarding discrimination related to DEI at work.

A collection of our analyses of the legal and industry impacts from the presidential transition is available here.

V. APAC

Sustainability Standards Board of Japan (SSBJ) finalizes sustainability disclosure standards

On March 5, 2025, the SSBJ issued three sustainability disclosure standards (SSBJ Standards), which align with the ISSB’s International Financial Reporting Standards Sustainability Disclosure Standards. The SSBJ Standards are composed of a universal sustainability disclosure standard and two theme-based standards on general and climate-related disclosures. The SSBJ anticipates that Tokyo Stock Exchange Prime Market-listed companies will eventually be required to adhere to the SSBJ Standards, with specific timelines to be set through a future amendment to the Japanese Disclosure Ordinance.

New Australian Environmental Claims Code took effect March 1, 2025

On March 1, 2025, the new Australian Environmental Claims Code, which is aimed at combating greenwashing, became effective. This code establishes standards for businesses making environmental and sustainability claims in advertisements. The implementation of the code reflects a broader effort to enhance transparency and accountability in environmental advertising.

The following Gibson Dunn lawyers prepared this update: Lauren Assaf-Holmes, Carla Baum, Susy Bullock, Mitasha Chandok, Becky Chung, Martin Coombes, Georgia Derbyshire, Mellissa Duru, Sam Fernandez*, Ferdinand Fromholzer, Muriel Hague, Saad Khan*, Michelle Kirschner, Julia Lapitskaya, Vanessa Ludwig, Babette Milz, Johannes Reul, Meghan Sherley, and Nicholas Tok.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s ESG: Risk, Litigation, and Reporting practice group:

ESG: Risk, Litigation, and Reporting Leaders and Members:
Susy Bullock – London (+44 20 7071 4283, [email protected])
Perlette M. Jura – Los Angeles (+1 213.229.7121, [email protected])
Ronald Kirk – Dallas (+1 214.698.3295, [email protected])
Julia Lapitskaya – New York (+1 212.351.2354, [email protected])
Michael K. Murphy – Washington, D.C. (+1 202.955.8238, [email protected])
Robert Spano – London/Paris (+33 1 56 43 13 00, [email protected])

*Sam Fernandez and Saad Khan are trainee solicitors in London and not admitted to practice law.

Tariffs and customs compliance is an area of rapidly increasing risk for companies under the federal False Claims Act given the steep tariffs imposed on key U.S. trading partners by the Trump Administration that affects a broad swath of industries.

Introduction

The U.S. Department of Justice (DOJ) has signaled its intent to ramp up use of the FCA—DOJ’s primary tool for redressing fraud against government agencies—to police customs and tariff compliance.[1] Regardless of the particulars of country-specific tariff levels, the effect is likely to be a redoubling of the government’s already aggressive application of the FCA to trade matters, fueled by tariffs’ status as a top policy and political priority. The risks for businesses are significant and likely will affect a broader range of industries than DOJ has historically targeted with trade-related FCA investigations and litigation.

Tariff Developments Under President Trump

President Trump has imposed unprecedented and far-reaching tariffs on imports from some of the United States’ largest trading partners. The president imposed a 10% tariff on all Chinese imports on February 4.[2] He did so again on March 4, also assessing a 25% tariff on most imports from Canada and Mexico.[3] On a broader scale, President Trump levied a 25% tariff on all aluminum and steel imports beginning on March 12.[4] And on April 2, the president announced the most sweeping tariffs yet: a universal baseline tariff of 10% on all countries and reciprocal tariffs “on the countries with which the United States has the largest trade deficits.”[5] Although Canada and Mexico will be exempt from the new measures, they will remain subject to the 25% tariff on products that do not qualify for preferential treatment that was imposed on March 4.[6] On April 9, President Trump announced a 90-day freeze on tariffs for goods from some countries—leaving reinstatement of some or all of those tariffs a distinct possibility.[7] The same day, the president increased duties on goods from China, further advancing an escalating trade war between the world’s two largest economies. You can find additional analysis of the president’s tariffs in this recent client alert.

While the tariffs have implications for international politics and the global economy, their economic impact is being felt most immediately by companies that import goods from other countries. Under the new tariff regime, any company importing virtually any item from anywhere now owes at least 10% of the value of that item to the U.S. government—and up to 145%, or more, for goods from China.[8] Particularly for companies that import expensive products and materials in large volumes, this can mean massive sums in financial obligations to the U.S. government. All told, tariffs owed on goods imported into the United States could surpass $1 trillion—a nearly 13-fold increase compared to last year’s $78 billion figure.[9]

FCA Enforcement Against Alleged Customs Fraud

The FCA prohibits, among other things, the fraudulent retention of monies that a person or company is obligated to pay to the United States.[10] DOJ and qui tam relators have brought such allegations based on alleged avoidance of tariffs, customs duties, and similar “obligations” in a wide variety of contexts. For example, DOJ has frequently deployed this “reverse” FCA theory against companies that receive payments from the government in the ordinary course of business that the government then seeks to recoup. The thrust of DOJ’s allegations in those scenarios is typically that the company was required to return the money and knowingly or recklessly failed to satisfy that obligation. The reverse FCA often features in cases against health care companies and government contractors, which regularly receive payments from the U.S. government.[11] Courts have acknowledged the viability of reverse FCA theories premised on allegations of customs avoidance.[12]

Consistent with the nature of tariffs as money owed to the U.S. government in the first instance, use of the reverse FCA across industries and with significant financial consequences has been a hallmark of the statute’s enforcement in the trade arena. Since 2011, there have been over 40 resolutions of FCA matters involving alleged customs violations, with nearly half of those resolutions occurring since 2023. The resolutions since 2011 have netted the government nearly $250 million in recoveries, with larger settlements reaching into the tens of millions of dollars. In a trend generally consistent with the relative numbers of FCA matters brought by qui tam relators versus by DOJ without relator involvement, 35 of the resolutions involved relators, the majority of whom were former employees of the defendant companies.

DOJ’s use of the FCA against alleged customs fraud has historically targeted three main areas of conduct, the consequence of which is typically an alleged underpayment of tariffs to the government: (1) misclassification of imported products; (2) undervaluation of imported products; and (3) misrepresentation of imported products’ countries of origin. The following are representative examples of FCA resolutions that DOJ has reached with companies based on these theories. They provide a window into the kinds of cases DOJ is likely to pursue in higher volumes, and with greater potential financial consequences, in the future.

Misclassification. In March 2024, DOJ reached a $3.1 million settlement with a U.S. chemical products company which allegedly imported hazardous chemicals into the United States and misclassified them as non-hazardous goods.[13]
Undervaluation. On consecutive days on August 2024, DOJ settled for over $10 million with wiring and power products companies and almost $7.7 million with a clothing manufacturer, each of whom allegedly altered the prices on the invoices they submitted to the government.[14]
Country of origin. In November 2023, a German cutting tools manufacturer paid $1.9 million to settle allegations that it manufactured tools in a Chinese factory, shipped them to Germany to perform additional processing on some (not all) of the products, and then shipped them to the United States as “German” products to avoid certain tariffs on Chinese goods.[15] Several years earlier, a printing inks manufacturer reached a $45 million settlement with DOJ for allegedly misrepresenting its imports’ countries of origin as Japan and Mexico, rather than China and India, to avoid paying antidumping and countervailing duties.[16]

The FCA also imposes liability on companies that cause fraudulent underpayments to the government or conspire with others to fraudulently underpay.[17] Consistent with these provisions, DOJ also has sought recoveries from businesses elsewhere in the import chain, including upstream foreign exporters and suppliers as well as downstream U.S.-based companies. The upstream and downstream entities in these cases did not themselves owe customs duties, but they faced similar enforcement consequences under a conspiracy theory.

For example:

In 2016, both the importer and manufacturer of clothing goods agreed to pay $13.375 million to settle claims that they conspired to underpay customs duties using invoices that misrepresented the value of the goods at issue.[18]
The same year, a U.S. defense contractor paid $6 million for allegedly using ultrafine magnesium imported from China in flares it manufactured and sold to the U.S. Army in violation of its contract with the military.[19] While it was the importer who allegedly misrepresented the magnesium’s country of origin, DOJ alleged that the contractor conspired with the importer to sell the government the nonconforming goods.

At least one customs case under the FCA has gone to trial—resulting in a more than $8 million jury verdict.[20] In that case, Island Industries, Inc. accused its competitor Sigma Corporation of avoiding antidumping duties on “carbon steel butt-weld pipe fittings,” by falsely certifying to customs agents that the pipe fittings were “steel couplings.”[21] Island Industries pursued the FCA litigation notwithstanding the government’s decision not to intervene in the matter, and a vigorous dispute is still ongoing in the Ninth Circuit over whether the Court of International Trade has exclusive jurisdiction over the FCA claims in the suit.[22]

Implications for Industry

The Trump Administration’s new tariffs mean that the frequency and financial stakes of customs-related FCA cases are likely to increase. By the same token, DOJ’s past experience with similar cases means that this shift will be building on a foundation of existing enforcement activity, with little of the learning curve that the government often experiences in pursuing brand-new FCA theories. Prior cases have already given DOJ and relators the ability to test the factual and legal theories discussed above. Those theories will continue to feature in the government’s investigations, with both DOJ and relators likely to be emboldened by the potential for significantly higher monetary recoveries and by the perceived enforcement flexibility afforded by the application of the new tariff regime to all companies and all imports. We expect DOJ and relators will seek the same nine- and ten-figure monetary recoveries in customs-related cases that they have long sought—and frequently obtained—in cases in the health care and government contracting spaces.

Companies across the industry spectrum will face these enforcement risks, and we anticipate importers and manufacturers in the following industries will face particularly close scrutiny:

Automobile and automobile parts;
Medical devices;
Pharmaceuticals and dietary supplements;
Furniture, textiles, and other retail products;
Steel, aluminum, and other metals or metal alloys; and
Technology hardware.

While it is difficult to predict where these cases will arise, we can expect to see at least some cases being pursued by U.S. Attorneys’ Offices in the jurisdictions that are home to the country’s largest ports. Of the ten largest U.S. ports by annual container volume, seven are in jurisdictions where there has been at least one FCA customs enforcement case since 2011.[23] Accordingly, U.S. Attorneys’ Offices in the Southern and Eastern Districts of New York, the District of New Jersey, the Central District of California, the Eastern District of Virginia, the Southern District of Texas, the District of South Carolina, and the Southern District of Georgia may prove to be sites of particularly rapid expansion in this area. As in other areas of FCA enforcement, significant risks and costs are likely to be felt by companies given the relator and DOJ scrutiny that invariably accompanies the long investigative period preceding active litigation and dispositive briefing on legal issues.

To mitigate risk, companies should ensure that they have robust mechanisms in place to detect, report, and remedy instances of noncompliance with customs requirements. Such mechanisms should include comprehensive training on relevant legal requirements and the consequences of noncompliance. Companies should also review their compensation practices to ensure that any incentive compensation tied to cost reduction and process optimization is not incentivizing inappropriate attempts to reduce customs duty obligations. It will also be critical for companies to review the terms of their contractual relationships with upstream and downstream business partners, to ensure that the risk of government scrutiny is appropriately allocated and, where appropriate, to require contractual counterparties to comply with company policies and procedures.

[1] For example, at the February 2025 qui tam conference of the Federal Bar Association, DOJ Commercial Litigation Branch director Jamie Ann Yavelberg characterized customs fraud as a “key area” FCA enforcement.

[2] See Executive Order No. 14195 of Feb. 1, 2025, Imposing Duties To Address the Synthetic Opioid Supply Chain in the People’s Republic of China, 90 Fed. Reg. 9121 (Feb. 7, 2025).

[3] See Executive Order No. 14228 of March 3, 2025, Further Amendment to Duties Addressing the Synthetic Opioid Supply Chain in the People’s Republic of China, 90 Fed. Reg. 11463 (Mar. 7, 2025); Executive Order No. 14193 of Feb. 1 2025, Imposing Duties To Address the Flow of Illicit Drugs Across Our Northern Border, 90 Fed. Reg. 9113 (Feb. 7, 2025); Executive Order No. 14194 of Feb. 1, 2025, Imposing Duties To Address the Situation at Our Southern Border, 90 Fed. Reg. 9117 (Feb. 7, 2025).

[4] Proclamation No. 10896, Adjusting Imports of Steel into the United States, 90 Fed. Reg. 9817 (Feb. 10, 2025); Proclamation No. 10895, Adjusting Imports of Aluminum into the United States, 90 Fed. Reg. 9807 (Feb. 11, 2025).

[5] Fact Sheet, The White House, President Donald J. Trump Declares National Emergency to Increase our Competitive Edge, Protect our Sovereignty, and Strengthen our National and Economic Security (Apr. 2, 2025), https://www.whitehouse.gov/fact-sheets/2025/04/fact-sheet-president-donald-j-trump-declares-national-emergency-to-increase-our-competitive-edge-protect-our-sovereignty-and-strengthen-our-national-and-economic-security/.

[6] Id.

[7] See Stocks surge after 90-day pause announced for most countries, NBC News, Apr. 10, 2025, https://www.nbcnews.com/politics/trump-administration/live-blog/trump-administration-live-updates-global-tariffs-china-rcna200346.

[8] See Sean Conlon, Trump’s triple-digit tariff essentially cuts off most trade with China, says economist, CNBC, Apr. 10, 2025, https://www.cnbc.com/2025/04/10/trumps-triple-digit-tariff-essentially-cuts-off-most-trade-with-china-says-economist.html.

[9] Ana Swanson and Tony Romm, Trump Unveils Expansive Global Tariffs, N.Y. Times, Apr. 2, 2025, https://www.nytimes.com/2025/04/02/business/economy/trump-tariffs.html.

[10] See 31 U.S.C. § 3729(a)(1)(G).

[11] See, e.g., Press Release, U.S. Dep’t of Justice, Mallinckrodt Agrees to Pay $260 Million to Settle Lawsuits Alleging Underpayments of Medicaid Drug Rebates and Payment of Illegal Kickbacks (Mar. 7, 2022), https://www.justice.gov/archives/opa/pr/mallinckrodt-agrees-pay-260-million-settle-lawsuits-alleging-underpayments-medicaid-drug; .

[12] See, e.g., United States ex rel. Customs Fraud Investigations, LLC v. Victaulic Co., 839 F.3d 242 (3d Cir. 2016).

[13] Press Release, U.S. Dep’t of Justice, Owner of New Jersey Company Admits to Evading U.S. Customs Duties and His Company Agrees to $3.1 Million Settlement Agreement (Mar. 21, 2024), https://www.justice.gov/usao-nj/pr/owner-new-jersey-company-admits-evading-us-customs-duties-and-his-company-agrees-31.

[14] Press Release, U.S. Dep’t of Justice, Two Brookfield, Wisconsin-Based Companies and Their Owners Pay Over $10 Million to Resolve Allegations that They Evaded Customs Duties (Aug. 8, 2024), https://www.justice.gov/usao-edwi/pr/two-brookfield-wisconsin-based-companies-and-their-owners-pay-over-10-million-resolve; Press Release, U.S. Dep’t of Justice, U.S. Attorney Lapointe Announces $7.6 Million Settlement of Civil False Claims Act Lawsuit Against Womenswear Company for Underpaying Customs Duties on Imported Women’s Apparel (Aug. 9, 2024), https://www.justice.gov/usao-sdfl/pr/us-attorney-lapointe-announces-76-million-settlement-civil-false-claims-act-lawsuit.

[15] Id.

[16] Press Release, U.S. Dep’t of Justice, Japanese-Based Toyo Ink and Affiliates in New Jersey and Illinois Settle False Claims Allegation for $45 Million (Dec. 17, 2012), here.

[17] See 31 U.S.C. § 3729(a)(1)(C), (G).

[18] Press Release, U.S. Dep’t of Justice, Manhattan U.S. Attorney Settles Civil Fraud Lawsuit Against Clothing Importer And Manufacturers For Evading Customs Duties (July 13, 2016), https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-settles-civil-fraud-lawsuit-against-clothing-importer-and.

[19] Press Release, U.S. Dep’t of Justice, Tennessee and New York-Based Defense Contractors Agree to Pay $8 Million to Settle False Claims Act Allegations Involving Defective Countermeasure Flares Sold to the U.S. Army (Mar. 28, 2016), https://www.justice.gov/archives/opa/pr/tennessee-and-new-york-based-defense-contractors-agree-pay-8-million-settle-false-claims-act.

[20] See United States ex rel. Island Indus. B. Vandewater Int’l Inc., 2021 WL 6104402 (C.D. Cal. 2021); Island Indus., Inc. v. Sigma Corp., No. 22-55063 (9th Cir.).

[21] 2021 WL 6104402, at *1.

[22] See, e.g., Island Indus., Inc. v. Sigma Corp., No. 22-55063 (9th Cir.).

[23] 2024 Port Performance Freight Statistics Program: Annual Report to Congress, U.S. Dep’t of Transportation, Bureau of Transportation Statistics (Jan. 2024), https://www.bts.gov/sites/bts.dot.gov/files/2024-01/2024_Port_Performance_Report_0.pdf.

The following Gibson Dunn lawyers prepared this update: Jake Shields, Winston Chan, Jonathan Phillips, Lindsay Paulin, Michael Dziuban, and Andrew Becker.

Gibson Dunn lawyers regularly counsel clients on the False Claims Act issues and are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s False Claims Act/Qui Tam Defense or International Trade Advisory & Enforcement practice groups:

False Claims Act/Qui Tam Defense:

Washington, D.C.
Jonathan M. Phillips – Co-Chair (+1 202.887.3546, [email protected])
Stuart F. Delery (+1 202.955.8515,[email protected])
F. Joseph Warin (+1 202.887.3609, [email protected])
Jake M. Shields (+1 202.955.8201, [email protected])
Gustav W. Eyler (+1 202.955.8610, [email protected])
Lindsay M. Paulin (+1 202.887.3701, [email protected])
Geoffrey M. Sigler (+1 202.887.3752, [email protected])
Joseph D. West (+1 202.955.8658, [email protected])

San Francisco
Winston Y. Chan – Co-Chair (+1 415.393.8362, [email protected])
Charles J. Stevens (+1 415.393.8391, [email protected])

New York
Reed Brodsky (+1 212.351.5334, [email protected])
Mylan Denerstein (+1 212.351.3850, [email protected])

Denver
John D.W. Partridge (+1 303.298.5931, [email protected])
Ryan T. Bergsieker (+1 303.298.5774, [email protected])
Monica K. Loseman (+1 303.298.5784, [email protected])

Dallas
Andrew LeGrand (+1 214.698.3405, [email protected])

Los Angeles
James L. Zelenay Jr. (+1 213.229.7449, [email protected])
Nicola T. Hanna (+1 213.229.7269, [email protected])
Jeremy S. Smith (+1 213.229.7973, [email protected])
Deborah L. Stein (+1 213.229.7164, [email protected])
Dhananjay S. Manthripragada (+1 213.229.7366, [email protected])

Palo Alto
Benjamin Wagner (+1 650.849.5395, [email protected])

International Trade Advisory & Enforcement:

United States:
Ronald Kirk – Co-Chair, Dallas (+1 214.698.3295, [email protected])
Adam M. Smith – Co-Chair, Washington, D.C. (+1 202.887.3547, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Donald Harrison – Washington, D.C. (+1 202.955.8560, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202.887.3690, [email protected])
Matthew S. Axelrod – Washington, D.C. (+1 202.955.8517, [email protected])
David P. Burns – Washington, D.C. (+1 202.887.3786, [email protected])
Nicola T. Hanna – Los Angeles (+1 213.229.7269, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202.955.8685, [email protected])
Amanda H. Neely – Washington, D.C. (+1 202.777.9566, [email protected])
Samantha Sewall – Washington, D.C. (+1 202.887.3509, [email protected])
Michelle A. Weinbaum – Washington, D.C. (+1 202.955.8274, [email protected])

Asia:
Kelly Austin – Denver/Hong Kong (+1 303.298.5980, [email protected])
David A. Wolber – Hong Kong (+852 2214 3764, [email protected])
Fang Xue – Beijing (+86 10 6502 8687, [email protected])
Qi Yue – Beijing (+86 10 6502 8534, [email protected])

Europe:
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Patrick Doris – London (+44 207 071 4276, [email protected])
Michelle M. Kirschner – London (+44 20 7071 4212, [email protected])
Penny Madden KC – London (+44 20 7071 4226, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])

From the Derivatives Practice Group: This week, the SEC has a new Chairman, and the CFTC issued an important interpretative letter on certain FX products.

New Developments

Senate confirms Atkins as SEC chair. On April 9, the Senate voted 52-44 to confirm Paul Atkins as the next chair of the SEC. Atkins, a former SEC commissioner and a longtime financial industry consultant, was tapped in December by Donald Trump for the position. In his March 27 confirmation hearing before the Senate Banking Committee, Atkins indicated he would streamline the agency’s regulatory activity. Atkins is expected to be friendlier toward the financial industry than the previous SEC chair, Gary Gensler.
CFTC Releases Staff Letter Relating to Certain Foreign Exchange Transactions. On April 9, the CFTC’s Market Participants Division and Division of Market Oversight (“DMO”) issued an interpretative letter providing the Divisions’ views on the characterization of certain foreign exchange (“FX”) transactions as being “swaps,” “foreign exchange forwards,” or “foreign exchange swaps,” in each case, as defined in the Commodity Exchange Act. Specifically, the interpretative letter states: Window FX Forwards, as described in the letter, should be considered to be “foreign exchange forwards;” and Package FX Spot Transactions, as described in the letter, should not be considered to be “foreign exchange swaps” or “swaps.” [NEW]
Acting Chairman Pham Lauds DOJ Policy Ending Regulation by Prosecution of Digital Assets Industry and Directs CFTC Staff to Comply with Executive Orders. On April 8, CFTC Acting Chairman Caroline D. Pham praised a recently-announced Justice Department policy ending the practice of regulation by prosecution that has targeted the digital asset industry in recent years, and directed CFTC staff to comply with the President’s executive orders and Administration policy, consistent with DOJ’s digital assets enforcement priorities and charging considerations. The DOJ policy comes as Acting Chairman Pham has similarly refocused the CFTC’s enforcement resources on cases involving fraud and manipulation. [NEW]
CFTC Staff Issues No-Action Letter Regarding Pre-Trade Mid-Market Mark. On April 4, the CFTC’s Market Participants Division issued a no-action letter in relation to the Pre-Trade Mid-Market Mark (“PTMMM”) requirement in Regulation 23.431 for swap dealers and major swap participants. The CFTC first issued a no-action letter regarding the PTMMM requirement in 2012, shortly after the PTMMM compliance date, because it did not provide significant informational value and created costly operational challenges. Unlike prior no-action letters which provided relief nofor certain specified types of swaps, this relief under this no-action letter applies to all swaps and does not require advanced counterparty consent. [NEW]
Rahul Varma Named Acting Director of CFTC Division of Market Oversight. On April 2, CFTC Acting Chairman Caroline D. Pham announced Rahul Varma will serve as the Acting Director of the DMO. Varma joined the CFTC in 2013 as an Associate Director for Market Surveillance in DMO, with responsibility for energy, metals, agricultural, and softs markets. In 2017, he helped start the Market Intelligence Branch in DMO and served as its Acting Deputy Director. In 2024, he took on the role of Deputy Director for the combined Market Intelligence and Product Review branches.
CFTC Staff Withdraws Advisory on Review of Risks Related to Clearing Digital Assets. On March 28, the CFTC’s Division of Clearing and Risk (“DCR”) announced it is withdrawing CFTC Staff Advisory No. 23-07, Review of Risks Associated with Expansion of DCO Clearing of Digital Assets, effective immediately. As stated in the withdrawal letter, DCR determined to withdraw the advisory to ensure that it does not suggest that its regulatory treatment of digital asset derivatives will vary from its treatment of other products.
CFTC Staff Withdraws Advisory on Virtual Currency Derivative Product Listings. On March 28, DMO and DCR announced they are withdrawing CFTC Staff Advisory No. 18-14, Advisory with Respect to Virtual Currency Derivative Product Listings, effective immediately. As stated in the withdrawal letter, DMO and DCR determined that the advisory is no longer needed given additional staff experience with virtual currency derivative product listings and increasing market growth and maturity.
ICE and Circle Sign MOU to Explore Product Innovation Based on Circle’s USDC and USYC Digital Assets. On March 27, Intercontinental Exchange Inc. (“ICE”), a leading global provider of technology and data, and Circle Internet Group, Inc. (“Circle”), a global financial technology company and stablecoin market leader, today announced an agreement whereby ICE plans to explore using Circle’s stablecoin USDC, as well as tokenized money market offering US Yield Coin (“USYC”), to develop new products and solutions for its customers. Under the MoU, Circle and ICE plan to collaborate to explore applications for using Circle’s stablecoins and other product offerings within ICE’s derivatives exchanges, clearinghouses, data services, and other markets, to deliver innovation and build new markets and product offerings based on Circle’s products.
Updated FIA Disclosures For New CFTC Rules. On March 24, the FIA announced that is has published updated versions of the FIA Uniform Futures and Options on Futures Risk Disclosures Booklet and FIA Template Disclosures Regarding Separate Accounts for new CFTC rules. Both documents are available in the “Regulatory Disclosures” section of FIA’s US Documentation Library. The CFTC approved new rules in December revising the list of permitted investments for Futures Commissions Merchants (“FCMs”) and DCOs in CFTC Regulation 1.25 (“1.25 Rule”) and codifying no-action relief governing treatment of separate accounts (“Separate Accounts Rule”). The 1.25 Rule requires FCMs and Introducing Brokers to use a revised form of the 1.55 risk disclosure statement for customers onboarded on or after March 31, 2025. The revised disclosure statement reflects the scope of permissible investments, as modified by the 1.25 Rule. The FIA Uniform Futures and Options on Futures Risk Disclosures Booklet is intended to assist FCMs in delivering mandatory customer disclosures under CFTC, exchange and Self-Regulatory Organization rules. Among the disclosures contained in the booklet is the FIA Combined Risk Disclosure Statement. That document has been updated in accordance with the 1.25 Rule to reflect the modified list of permissible investments.

New Developments Outside the U.S.

ESMA Publishes Consultation on Clearing Thresholds. On April 8, ESMA published a consultation on a revised approach to clearing thresholds under the European Market Infrastructure Regulation (“EMIR”) 3. The consultation covers the following topics: proposals for a revised set of clearing thresholds; considerations for hedging exemptions for non-financial counterparties; and a trigger mechanism for reviewing the clearing thresholds. [NEW]
FCA Publishes Policy Statement on the Derivatives Trading Obligation and Post-trade Risk Reduction Services. On April 3, the UK Financial Conduct Authority (“FCA”) published policy statement PS25/2 on changes to the scope of the UK derivatives trading obligation (“DTO”) and an extension of exemptions from certain obligations under the UK Markets in Financial Instruments Directive (“MIFID”) and MIFIR. [NEW]
ESMA Consults on Transparency Requirements for Derivatives Under MiFIR Review. On April 3, ESMA asked for input on proposals for Regulatory Technical Standards (“RTS”) on transparency requirements for derivatives, amendments to RTS on package orders, and RTS on input/output data for the over-the-counter (“OTC”) derivatives consolidated tape. ESMA said that it is developing various technical standards further specifying certain provisions set out in the Market in Financial Instruments Regulation Review. The consultation paper covers the following three areas: transparency requirements for derivatives, RTS on package orders, and RTS on input/output data for the OTC derivatives consolidated tape. The consultation will remain open until 3 July 2025.
ESMA Publishes Annual Peer Review of EU CCP Supervision CCP Supervisory Convergence. On April 2, ESMA published its annual peer review report on the supervision of European Union (“EU”) Central Counterparties (“CCPs”) by National Competent Authorities (“NCAs”). The peer review measures the effectiveness of NCA supervisory practices in assessing CCP compliance with the European Market Infrastructure Regulation (“EMIR”) requirements on outsourcing and intragroup governance arrangements. ESMA indicated, for this exercise, the review of the functioning of CCP colleges remains overall positive. ESMA also said that the peer review identified the need to promote further supervisory convergence in respect of the definition of major activities linked to risk management.
The European Supervisory Authorities Publish Evaluation Report on the Securitization Regulation. On March 31, the Joint Committee of the European Supervisory Authorities published its evaluation report on the functioning of the EU Securitization Regulation. The report purports to put forward recommendations to strengthen the overall effectiveness of Europe’s securitization framework through simplification, while ensuring a high level of protection for investors and safeguarding financial stability. This report identifies areas where the regulatory and supervisory framework can be enhanced, supporting the growth of robust and sound securitization markets in Europe.
PRA, FCA Consult on Margin Requirements for Non-centrally Cleared Derivatives. On March 27, the UK Prudential Regulation Authority (“PRA”) and the Financial Conduct Authority published CP5/25 – Margin requirements for non-centrally cleared derivatives: Amendments to BTS 2016/2251. The consultation paper proposes to indefinitely exempt single-stock equity and index options from the bilateral margining requirements in the UK. In addition, it proposes to remove the requirement to exchange initial margin (“IM”) for legacy contracts once a counterparty falls out of scope of the margin requirements. It also proposes to permit UK firms, when transacting with a counterparty subject to the margin requirements in another jurisdiction, to use that jurisdiction’s threshold assessment calculation periods and dates of entry into the scope of IM requirements to determine whether those transactions are subject to IM requirements.
MAS Responds to Feedback on Proposed Changes to Capital Framework. On March 27, the Monetary Authority of Singapore (“MAS”) published its response to feedback received to the consultation paper on proposed amendments to the capital framework for approved exchanges and approved clearing houses. The consultation was later extended to licensed trade repositories. MAS’s response addresses liquidity requirements, eligible capital, and total risk requirements.
ESMA Makes Recommendations for the Supervision of STS Securitizations. On March 27, ESMA published its Peer Review Report on NCAs supervision of Simple, Transparent and Standardized (“STS”) securitizations. The Report looks into and provides recommendations on the supervisory approaches adopted by selected NCAs when supervising STS securitization transactions and the activities of their originators, sponsors and securitization special purpose entities. The Peer Review focused on the NCAs of France, Germany, Portugal, and the Netherlands.

New Industry-Led Developments

ISDA CEO Testifies Before House Financial Services Committee Task Force. On April 8, ISDA CEO Scott O’Malia testified on the implementation of mandatory US Treasury clearing before the House Committee on Financial Services Task Force on Monetary Policy, Treasury Market Resilience, and Economic Prosperity. The testimony highlighted several key issues that need to be resolved before the clearing mandate comes into effect, including recalibration of the supplementary leverage ratio to ensure banks have the balance sheet capacity to provide intermediation and client clearing services in the US Treasury market, making changes to the proposed Basel III endgame and surcharge for global systemically important banks to avoid a disproportionate capital charge for client clearing businesses, and ensuring the margining and capital treatment of client exposures reflects the actual risk of a client’s overall portfolio. [NEW]
ISDA Responds to ESMA Consultation on CCP Model Validation. On April 7, ISDA responded to ESMA’s consultation on the draft RTS under article 49(5) of the EMIR, on the conditions for an application for validation of model changes and parameters under Articles 49 and 49a of EMIR, which have been revised as part of EMIR 3. In the consultation paper, ESMA sets out proposed quantitative thresholds and qualitative elements to be considered when determining whether a model change is significant. In the response, ISDA noted that more information would be necessary to understand the rationale behind the thresholds that are proposed. ISDA provided comments on ESMA’s interpretation of ‘concentration risk’ and on the proposed lookback period for assessing whether a change in significant. [NEW]
Cross-product Netting Under the US Regulatory Capital Framework. On April 4, ISDA, the Futures Industry Association (“FIA”) and the Securities Industry and Financial Markets Association (“SIFMA”) developed a discussion paper to: (i) provide an overview of cross-margining programs developed by clearing organizations and their importance in the context of implementing recent market reforms with respect to US Treasury securities clearing; (ii) describe cross-product netting arrangements with customers as a means to effectively reduce risk and their relation to cross-margining programs; (iii) describe the treatment of cross-product netting arrangements under the current US regulatory capital framework; and (iv) propose potential targeted changes to US regulatory capital rules to more appropriately reflect the economics of, and facilitate firms’ use of, cross-product netting arrangements with customers, particularly with respect to transactions based on US Treasury securities. [NEW]
ISDA/IIB/SIFMA Request to Extend 22-14. On April 3, a joint ISDA/IIB/SIFMA letter requested reporting relief for certain non-US swap dealers in Australia, Canada, the European Union, Japan, Switzerland or the United Kingdom with respect to their swaps with non-US persons. The joint trade association letter, submitted to CFTC on 26 March 2025, requests an extension of the no-action relief in Letter 22-14 until the adoption and effectiveness of final rules addressing the cross-border application of Part 45/46. [NEW]
IOSCO Issues Final Report on Standards Implementation Monitoring for Regulator Principle. On April 2, IOSCO published a Final Report following its review of IOSCO Standards Implementation Monitoring (ISIM) for Regulator Principles 6 and 7, which address systemic risk and perimeter of regulation. IOSCO’s Objectives and Principles of Securities Regulation 6 and 7 stipulate that regulators should have or contribute to processes to identify, monitor, mitigate and manage systemic risk, as well as have or contribute to a process to review the perimeter of regulation regularly. This ISIM Review by IOSCO’s Assessment Committee found a high level of implementation across the 55 jurisdictions from both emerging and advanced markets. According to IOSCO, the report highlights some good practices and also identifies a few areas where there is room for improvement, observed primarily in some emerging markets. For example, the Report notes that some jurisdictions do not have clear responsibilities, definitions and regulatory processes with respect to systemic risk.
ISDA Sends Letter on Changes to the French General Tax Code. On March 31, ISDA, the Association for Financial Markets in Europe and the International Securities Lending Association sent a letter to the French tax authority about changes being made to Articles 119 bis A and 119 bis 2 of the general French tax code in the Loi des Finances pour 2025. In February, the French parliament passed budget legislation that broadened the application of withholding tax for both cleared and non-cleared derivatives involving payments related to manufactured dividends. In the letter, the associations request that detailed administrative guidelines are issued as soon as possible. The lack of guidelines makes it more difficult for the associations’ member firms to accurately determine the scope of the new legislation and calculation of the withholding tax when due. [NEW]
ISDA Responds to EC on Amendments to Taxonomy Regulation Delegated Act. On March 26, ISDA and the Association for Financial Markets in Europe submitted a joint response to the EC’s proposed changes to EU Taxonomy Regulation reporting. The associations indicated that they welcome the EC’s commitment in the context of the Omnibus sustainability package to reduce Taxonomy reporting burdens and provide swift relief to reporters. However, they also noted concerns over whether the proposals go far enough to achieve these objectives, opining that they would not provide sufficient reduction in reporting burdens for banks and their clients and they would not achieve meaningful disclosures. The responses sets our specific priority measures for consideration.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus, New York (212.351.3869, [email protected] )

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

William R. Hallatt, Hong Kong (+852 2214 3836, [email protected] )

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki, New York (212.351.4028, [email protected] )

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

Ronald Mueller, James Moloney, Aaron Briggs, Elizabeth Ising, Thomas Kim, Brian Lane, Lori Zyskowski, Mickal Haile, and Matt Staugaard are the authors of “The Passive/Aggressive Investor: Significant New SEC StaffInterpretive Guidance on Schedule 13G Eligibility” [PDF] published by The Corporate Governance Advisor in its May/June 2025 issue.

In 2015, partners Theane Evangelis and Michele Maryott began their successful representation of Grubhub in a case where the plaintiff alleged that he was misclassified as an independent contractor instead of an employee, which would have entitled him to minimum wage and benefits. In 2018, a California federal court ruled in Grubhub’s favor, for which Theane and Michele were named Litigation Daily’s Litigators of the Week.

An article in The AmLaw Litigation Daily [PDF] marking the tenth anniversary of this bellwether case, examines how the “critical precedent” it set has forged a roadmap for litigating the status of app-based gig workers in the U.S. and launched a decade of gig economy litigation in California and beyond.

The Monetary Authority of Singapore (MAS) has issued a consultation paper setting out proposed amendments to its anti-money laundering and countering the financing of terrorism (AML/CFT) Notices and Guidelines applicable to financial institutions and variable capital companies (VCCs).

The amendments aim to enhance AML/CFT measures, align with international standards and clarify existing supervisory expectations. The consultation period ends on 8 May 2025, with the amendments expected to take effect from 30 June 2025.

Proposed amendments

The proposed amendments—which apply across the financial sector to banks, merchant banks, finance companies, payment service providers, direct life insurers, capital markets intermediaries, financial advisers, the central depository, approved exchanges and recognised market operators, approved trustees, trust companies, non-bank credit and charge card licensees, digital token service providers (FIs) and VCCs—broadly cover the following areas:

Clarification of timelines for filing of suspicious transaction reports (STRs)

MAS proposes to amend the AML/CFT Guidelines to state that the filing of an STR should not exceed five business days after suspicion was first established, unless the circumstances are exceptional or extraordinary. In cases involving sanctioned parties and parties acting on behalf of or under the direction of sanctioned parties, FIs and VCCs should file the STRs as soon as possible and no later than one business day after suspicion was first established.

MAS also proposes to set out its supervisory expectations with respect to the controls and processes for timely review of suspicious transactions and mitigation of ML/TF concerns identified, such as the need for FIs and VCCs to identify, prioritise and promptly review concerns of higher ML/TF risks and escalate any such concerns to senior management where necessary.

MAS further intends to remove the requirement for FIs and VCCs to extend a copy of STRs filed to MAS for information and to replace it with a requirement for FIs and VCCs to extend a copy of STRs to MAS upon request.

Expanding the definition of money laundering (ML) to include proliferation financing (PF) and incorporating PF risk assessments in ML/TF risk assessments

MAS proposes to clarify that ML includes PF and that FIs and VCCs must include PF risk assessments in their ML/TF risk evaluations. This aligns with the latest Financial Action Task Force (FATF) Standards, which require FIs and designated non-financial businesses and professions to identify, assess, understand and mitigate PF risks. MAS further acknowledges that most FIs would likely already consider PF risks within their existing AML/CFT and sanctions compliance frameworks, in line with guidance issued by MAS over the years.

Updates to MAS Notice TCA-N03 for trust companies

MAS proposes to amend the wording of MAS Notice TCA-N03 to align with the Trustees Act 1967 and anticipated legislative changes, flowing from the revised FATF Recommendation 25. The amendments will broaden the definition of a trust relevant party and clarify the requirements for identifying all related parties to a legal arrangement and to collecting relevant information. Additionally, the amendments will mandate the collection of certain information about the legal arrangement, such as the full name, unique identifier, trust deed and the purpose for which the legal arrangement was established, in line with the FATF’s recommendations.

Other amendments to the AML/CFT Guidelines

MAS is also proposing further changes to clarify and reflect MAS’ supervisory expectations and guidance over the years. These amendments cover the areas of screening, source of wealth (SoW) and source of funds (SoF) establishment, as well as the characteristics of a higher-risk shell company. Key proposed amendments include:

Clarifying that ML/TF information sources for screening should include relevant search engines used in countries or jurisdictions closely associated with the person screened, and that screening should be conducted in the native language(s) of the person screened.
Ensuring processes are in place to share customer and related account information across business units, including customer due diligence and SoW information.
Providing staff with adequate guidance on identifying indicators of fraudulent or tampered data, documents, or information and ensuring timely application of appropriate ML/TF risk mitigation measures.
Various SoW and SoF-related clarifications, including the need for corroboration of SoW and SoF that are more material and/or present a higher risk for ML/TF and the assessment of the plausibility and legitimacy of SoW and SoF.
Clarifying the need to assess whether a further or supplementary STR is warranted when further suspicion is raised.
Including characteristics of a higher-risk shell company as examples of potentially higher-risk categories.
Including participation in a tax amnesty programme under examples of suspicious transactions related to tax crimes.
Replacing references to ‘settlors’ and ‘protectors’ with ‘trust relevant parties’ to reflect the expanded definition and replacing the term ‘trust’ with ‘legal arrangement’ in the Guidelines.

Concluding observations

The consultation paper underscores MAS’ ongoing efforts to maintain a robust and clear AML/CFT framework that meets international standards. The proposed amendments are also a significant step towards enhancing the effectiveness of AML/CFT measures across the financial sector. FIs and VCCs should thoroughly review these proposed amendments, evaluate their implications on current practices and provide feedback (if any) by 8 May 2025.

The following Gibson Dunn lawyers prepared this update: Hagen Rooke, Jun Qi Chin, QX Toh, and Nicholas Tok.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Financial Regulatory team, including the following:

Hagen H. Rooke – Singapore (+65 6507 3620, [email protected])
William R. Hallatt – Hong Kong (+852 2214 3836, [email protected])
Jeffrey L. Steiner – Washington, D.C. (+1 202.887.3632, [email protected])
Michelle M. Kirschner – London (+44 20 7071 4212, [email protected])
Emily Rumble – Hong Kong (+852 2214 3839, [email protected])
Becky Chung – Hong Kong (+852 2214 3837, [email protected])
Jun Qi Chin – Singapore (+65 6507 3622, j[email protected])
QX Toh – Singapore (+65 6507 3610, [email protected])
Nicholas Tok – Singapore (+65 6507 3621, n[email protected])
Arnold Pun – Hong Kong (+852 2214 3838, [email protected])
Jane Lu – Hong Kong (+852 2214 3735, [email protected])

Securities fraud trials are high-stakes proceedings that require careful navigation of complex legal, factual, and procedural challenges. From indictment to verdict, prosecutors and defense counsel deploy distinct strategies to shape the narrative, present evidence, and persuade the jury. This webcast breaks down the key phases of a federal criminal securities fraud trial, including pretrial motions, Rule 17 subpoenas, witness preparation, jury selection, expert testimony, cross-examinations, and jury addresses. Our panel also discusses recent trial trends, prosecutorial tactics, and defense strategies that can influence case outcomes.

MCLE CREDIT INFORMATION:

This program has been approved for credit by the New York State Continuing Legal Education Board for a maximum of 1.5 credit hour in the professional practice category. This course is approved for transitional and non-transitional credit.

Gibson, Dunn & Crutcher LLP certifies this activity is approved for 1.5 hour of MCLE credit by the State Bar of California in the General Category.

California attorneys may claim self-study credit for viewing the archived webcast. No certificate of attendance is required for self-study credit.

PANELISTS:

George J. Hazel is a partner in the Washington office and a member of the firm’s Litigation and White Collar Defense and Investigations Practice Groups. A former federal trial judge and criminal prosecutor, George brings a broad range of trial experience, having presided over approximately 50 jury trials in federal court and handled 20 jury trials and 30 bench trials as an attorney in federal and state court.

Barry Berke is renowned nationwide as a leading trial lawyer and white-collar criminal defense attorney. He is Co-Chair of the firm’s Litigation Practice Group and a member of the Trials and White Collar Defense and Investigations Practice Groups. Barry represents individuals and corporations in high-stakes trials, investigations, and complex litigation. He is a fellow of the American College of Trial Lawyers. Barry served as chief impeachment counsel to the U.S. House of Representatives during the Senate impeachment trial of the former President of the United States. As lead counsel, Barry was instrumental in preparing and presenting a case that garnered widespread recognition for its precise choreography and compelling presentation of factual evidence and constitutional arguments.

Jordan Estes is a partner in the New York office. A trial attorney and former federal prosecutor, she has been lead or co-lead counsel in 14 federal jury trials. She represents individuals and corporations in sensitive, complicated and often high-profile criminal and regulatory trials, hearings, investigations and other proceedings conducted by federal and state agencies, as well as in internal investigations. Jordan brings over a decade of experience in white-collar criminal law to her practice, including more than eight years with the U.S. Attorney’s Office for the Southern District of New York. Her extensive experience and proven track record make her a formidable advocate for her clients in the most challenging legal environments.

Dani R. James is a partner in the New York office. A former federal prosecutor, Dani defends clients in a broad range of white collar criminal and regulatory matters, including allegations of insider trading, market manipulation, public corruption, bid-rigging, tax fraud and violations of the Foreign Corrupt Practices Act. She represents executives, directors and officers, and other individuals, as well as companies, in sensitive, complicated and often high-profile criminal and regulatory trials, hearings, investigations and other proceedings conducted by federal and state agencies, including the U.S. Department of Justice, the Securities and Exchange Commission, the U.S. Attorney’s Office, the New York State Attorney General’s Office and the Manhattan District Attorney’s Office, among other agencies.

Europe

03/19/2025

European Data Protection Board | Approval Procedure | Binding Corporate Rules

The European Data Protection Board (“EDPB”) published a document outlining the cooperation procedure for approving Binding Corporate Rules (“BCRs”) for both controllers and processors.

Drawing from practical experience of the previous version of the Guidelines on BCR approval, the procedure presented aims to streamline the approval of BCRs, promoting consistent data protection practices across organizations operating within the EU.

For more information: EDPB Website

03/05/2025

European Commission | Publication | European Health Data Space Regulation

On March 5, 2025, the European Health Data Space Regulation was published in the Official Journal of the European Union.

The regulation aims to establish a common framework for the use and exchange of electronic health data across the EU. It will also enhance individuals’ access to and control over their personal electronic health data, for instance, patients will have the right to restrict the access for health professionals to all or parts of their personal electronic health data exchanged though EHDS infrastructures. The regulation will enter into force on March 26, 2025, and will become applicable two years later.

For further information: European Commission Website and Official Journal of the EU

03/05/2025

European Data Protection Board | Coordinated Enforcement | Right to Erasure

On March 5, 2025, the European Data Protection Board (EDPB) published that they are launching a Europe-wide review of the right to erasure.

This initiative involves 32 data protection authorities across Europe. The aim is to evaluate how well the right to erasure, which allows individuals to request the deletion of their personal data, is being implemented in practice. The assessment will be conducted using a standardized questionnaire to analyze and compare procedures established by various data controllers. The results will be published in a report by the EDPB, highlighting best practices and areas for improvement.

For further information: EDPB Website

03/04/2025

European Commission | EU Adequacy Decision | Article 45 GDPR

On March 4, 2025, the European Commission proposed the first EU adequacy decision under Article 45 GDPR for an international organization.

The European Commission proposed an EU adequacy decision for the European Patent Organisation (EPO). The decision, based on Article 45 GDPR, finds EPO’s data protection rules comparable to the EU’s. The EPO is an international organization comprising the member states of the EU and various other European states to grant patents. The adequacy decision will enable safe data flow between the EU and EPO. Once adopted, companies in the EU can transfer data such as for patent applications to EPO without extra safeguards. The draft will be reviewed by the European Data Protection Board (EDPB) and other EU bodies before final adoption.

For further information: European Commission Website

France

03/27/2025

French Supervisory Authority | Work Program | 2025 Priorities

As part of its mission to guide professionals towards compliance, the French Data Protection Authority (“CNIL”) issued the main guidance materials it will issue in 2025.

The CNIL regularly issues soft law guidance (e.g., recommendations, guidelines, code of practice) to clarify the applicable law and provide best practices. In 2025, the CNIL will issue fact sheets on artificial intelligence (help professionals balance innovation and data subject rights), recommendations on the use of pixels in emails, and continue clarifying the use of dashcams.

For more information: CNIL Website [FR]

03/25/2025

French Supervisory Authority | Public Consultation | Connected Vehicles and Location Data

The French Supervisory Authority (“CNIL”) is submitting for public consultation a draft recommendation on the use of location data of connected vehicles.

The CNIL indicated that location data is considered as highly personal data as it can reveal individuals’ frequently visited places, habits, or areas of interest. The draft focuses on the use of connected vehicles by private individuals and aims at helping main actors to ensure compliance with GDPR principles. The public consultation will end on 20 May 2025. Any public or private actor can participate in the consultation.

For more information: CNIL Website [FR]

03/21/2025

French Supervisory Authority | Investigation | 2025 Priorities

The French Supervisory Authority (“CNIL”) announced its 2025 data protection priorities.

This year, the CNIL announced that it will focus on enforcing rules with respect to mobile app data collection, local government cybersecurity, penitentiary data management, and the enforcement of the right to erasure.

For more information: CNIL Website [FR]

03/05/2025

French Supervisory Authority | Guidelines | Case Law and Doctrine

The French Supervisory Authority (“CNIL”) published its “Tables Informatiques et Libertés” and its recap books (“Cahiers récapitulatifs”) for the year 2024.

The Tables are designed to give access to data professionals and academics to the CNIL’s doctrinal positions as well as case law from national and European courts. This tool allows practitioners to easily find precedents based on thematic classification.

For more information: CNIL Website [FR]

03/06/2025

French National Cybersecurity Authority | Strategic Plan | 2025-2027

The French National Cybersecurity Authority (“ANSSI”) published its strategic plan for 2025-2027.

The plan developed by ANSSI focuses on four key areas: (i) amplifying and coordinating the cyber response to the growing threat, (ii) developing the expertise needed to counter cyber threats, (iii) promoting effective European and international cyber action, and (iv) reinforcing the consideration of societal issues in ANSSI’s actions.

For further information: ANSSI Website [FR]

Germany

03/27/2025

German Federal Court of Justice | Judgement | GDPR and Competition Law

On March 27, 2025, the German Federal Court of Justice (BGH) ruled (I ZR 186/17) that a breach of information obligations by the controller may give rise to claims for injunctive relief under the German Act Against Unfair Competition (UWG). These can be pursued by consumer protection associations by way of an action before the civil courts.

According to the BGH, the Unfair Competition Act (UWG) and the Injunctions Act (UKlaG) provide for a legal basis under Article 80 Abs. 2 DSGVO for consumer protection associations to pursue violations of the GDPR. Consumer associations can take legal action against breaches of information obligations under Art. 12(1) and Art. 13(1)(c) and (e) GDPR, even without specific authorization from affected individuals. Breaches of data protection information obligations may constitute unfair competition if material information is withheld.

For further information: BGH Website [DE]

03/27/2025

German Federal Court of Justice | Judgement | GDPR and Competition Law

On March 27, 2025, the German Federal Court of Justice (BGH) ruled in two cases (I ZR 222/19, I ZR 223/19) that a breach of GDPR regulations regarding special categories of data by the controller may give rise to claims for injunctive relief under the German Act Against Unfair Competition (UWG). These can be pursued by competitors by way of an action before the civil courts.

According to the BGH, the Unfair Competition Act (UWG) provides a legal basis for competitors to pursue violations of the GDPR. In the decisions, the BGH ruled that a violation of Article 9(1) GDPR can be pursued by a competitor by way of a competition law action before the civil courts under Article 8(3)(1) UWG.

For further information: BGH Website (I ZR 222/19 [DE], I ZR 223/19 [DE])

03/20/2025

German Federal Office for Information Security | Certification | Cybersecurity Act

The German Federal Office for Information Security (“BSI”) was designated by the European Commission as the German certification body under the Cybersecurity Act.

The BSI is now the body in charge of the approval of applications from manufacturers seeking to obtain a European cybersecurity certificate for products with a high assurance level under the Implementing Regulation on the adoption of European Common Criteria-based cybersecurity certification scheme (EUCC).

For more information: BSI Website [DE]

03/19/2025

Hamburg Supervisory Authority | Recommendations | Data Retention

The Hamburg Supervisory Authority (“HmbBfDI”) recommends organizations to review and delete outdated data as part of a “digital spring cleaning”.

The HmbBfDI particularly recalls that, with the Fourth Bureaucracy Relief Act (BEG IV) , the federal legislator has reduced some retention periods defined under the German Fiscal and Commercial Codes, requiring businesses to adjust their data retention policies accordingly. In particular, the data retention period for accounting documents under tax law is reduced from ten to eight years which also affects the right to erasure under the GDPR.

For more information: HmbBfDI Website [DE]

03/13/2025

German Data Protection Conference | Statement | Data Act

On March 13, 2025, the German Data Protection Conference (DSK) published a statement on the implementation legislation for the EU Data Act.

The DSK, the conference of the independent data protection supervisory authorities of the German federal states, has published a position paper on the German legislation for the implementation of the EU Data Act, emphasizing the need for harmonized regulations across member states to be implemented effectively and in harmony with the legal requirements from the European legislation. The DSK criticizes the current German draft legislation in various aspects and emphasizes the interplay of EU regulations and their implementation in each member state, even in the case of regulation with direct application.

For further information: DSK Website [DE]

03/12/2025

Hamburg Supervisory Authority | Guest Orders | Online Retail

The Hamburg Supervisory Authority (“HmbBfDI”) announced having ordered a Hamburg-based online retailer to allow guest orders, without requiring users to create a customer account.

The HmbBfDI notes that in a resolution dated March 24, 2022, the German Data Protection Conference (DSK) stated that requiring users to create a customer account to place orders is incompatible with the principle of data minimization. As part of its enforcement actions, the HmbBfDI examined multiple online shops in January 2025 and will continue to monitor their practices. Online shops which are considered a marketplace do not have to allow guest orders.

For more information: HmbBfDI Website [DE]

03/06/2025

Bavarian Supervisory Authority | Guidance | Article 28 GDPR

On March 6, 2025, the Bavarian Supervisory Authority (“BayLDA”) published an updated version of their guidance on the correct classification of data controllers and data processors.

The new guidance focusses on explaining the different legal criteria for proper classification of controllers and processors by providing detailed elaborations on the exact wording of the GDPR to facilitate case by case decisions.

For further information: BayLDA Website [DE]

03/2025

German Supervisory Authorities | Activity Reports

In March 2025, several Supervisory Authorities published their annual Activity Reports.

In addition to the increasingly important interplay between AI regulations and the GDPR, the reports also focus on data protection in employment contexts. By way of example, the Supervisory Authority of Bremen (LfDI Bremen) highlighted that video surveillance of areas frequented by employees is only permissible in non-sensitive areas and always demands an assessment of interests. The Bavarian Supervisory Authority (LDA Bayern) recommends that the publishing of images of employees after their employment ends should be contractually agreed upon in advance to ensure GDPR compliance.

For further information: LfDI Baden-Württemberg Website [DE], LfDI Bremen Website [DE], LfDI Sachsen Website [DE] and LDA Bayern Website [DE]

02/25/2025

Higher Regional Court of Stuttgart | Judgement | Data Processing and Employment

In a recent decision (2 ORbs 16 Ss 336/24), the Higher Regional Court of Stuttgart (OLG Stuttgart) dealt with the so-called employee excess in data protection law. Of practical relevance is the OLG’s classification of when employees, who process personal data for non-work purposes, become data controllers themselves.Thus replacing the employer as addressee of potential GDPR fines.

If the data protection breach is committed deliberately and intentionally for reasons unrelated to work, the employee may be considered as an independent controller not solely acting contrary to employer instructions.

For further information: Official Court Website [DE]

02/21/2025

Higher Administrative Court of Bavaria | Judgement | Access to Controller Agreements

On February 21, 2025, the Higher Administrative Court of Bavaria (VGH Bayern) ruled (7 ZB 24.651) that data subjects cannot demand access to data processing agreements as part of their information rights under Art. 15 GDPR.

Art. 15 GDPR only grants data subjects a right to access their own personal data. The court argues that the supervisory authorities and not the data subjects are responsible for monitoring the application of the GDPR, including the data processing agreements and its requirements between a controller and the processor.

For further information: Official Court Website [DE]

Ireland

03/07/2025

Irish Supervisory Authority | Complaints | Data Access Requests

The Irish Supervisory Authority (“DPC”) has published a blog post on how it handles complaints related to data subjects’ access requests.

The DPC states that it regularly deals with complaints from data subjects concerned that their access requests have not been fulfilled. The authority details how it determines the validity of the restrictions that organizations use to refuse access requests, emphasizing that each restriction must be justified on an evidential basis.

For more information: DPC Website

03/05/2025

Irish Government | AI Act | Designation of Competent Authorities

The Irish Government approved the designation of eight public authorities as competent authorities, responsible for implementing and enforcing the AI Act.

These authorities are the Central Bank of Ireland, the Commission for Communications Regulation, the Commission for Railway Regulation, the Competition and Consumer Protection Commission, the Data Protection Commission, the Health and Safety Authority, the Health Products Regulatory Authority, the Marine Survey Office of the Department of Transport. Additional authorities, as well as a lead regulator, will be designated through a forthcoming decision.

For further information: Irish Government Website

Netherlands

03/06/2025

Dutch Supervisory Authority | Public Consultation | Human Intervention in Algorithmic Decision-making

The Dutch Supervisory Authority (“AP”) launched a public consultation on the tools it has developed to enable meaningful human intervention in algorithmic decision-making.

The AP recalls that organizations using algorithmic decision-making must comply with the obligation to ensure human intervention. Such intervention must be meaningful — not merely symbolic — and designed to guarantee that decisions are made carefully, without discrimination. Organizations must also ensure that human intervention is not undermined by factors such as time pressure or lack of knowledge about the system.

For further information: AP Website [NL]

United Kingdom

03/28/2025

Information Commissioner’s Office | Guidance | Data Anonymisation

The Information Commissioner’s Office (“ICO”) has published new guidance on data anonymisation.

This guidance explains the distinction between anonymisation and pseudonymisation, discusses what should be considered when anonymizing personal data, provides good practice advice and case studies, and discusses technical and organisational measures to mitigate the risks to people. It applies to all mediums, including tabular data, free text, video, images, and audio.

For more information: ICO Website

03/27/2025

Information Commissioner’s Office | Fine | Hacker Attack

The Information Commissioner’s Office (“ICO”) imposed a fine of £3.07 million (approx. €3.67 million) on a computer software company for security failures that compromised the personal data of 79,404 individuals.

In 2022, the company suffered a ransomware attack that was initiated through a customer account. The attack affected personal data processed on behalf of multiple organizations, including the National Health Service and healthcare providers. The ICO found that the software provider failed to implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR (e.g., lack of multi-factor authentication, insufficient vulnerability scanning, and inadequate patch management).

For more information: ICO Website

03/24/2025

Information Commissioner’s Office | Notice of Intent | Data Breach

The Information Commissioner’s Office (“ICO”) issued a notice of intent to fine a DNA testing company £4.59 million (EUR 5.5 million).

The ICO had launched a joint investigation with the Office of the Privacy Commissioner of Canada (“OPC”) after the company reported a data breach in October 2023. The breach concerned genetic information which the ICO considers is “among the most sensitive personal data that a person can entrust to a company”.

For more information: ICO Website

03/01/2025

Information Commissioner’s Office | Code of Practice | Children’s Data Protection

The Information Commissioner’s Office (“ICO”) has updated its Children’s Code of Practice to enhance the protection of children’s data in the digital world.

The revised code includes stronger guidelines for businesses regarding age-appropriate design and data minimization principles, aiming to ensure children’s privacy online. The code highlights the importance of high privacy by default settings, limitation of the processing of geolocation data, and switching off by default targeted advertisement for children.

For further information: ICO Code of practice and Press release

The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison; Thomas Baculard, Billur Cinar, Hermine Hubert, Christoph Jacob, and Yannick Oberacker.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

Privacy, Cybersecurity, and Data Innovation:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, [email protected])
Ashlie Beringer – Palo Alto (+1 650.849.5327, [email protected])
Ryan T. Bergsieker – Denver (+1 303.298.5774, [email protected])
Keith Enright – Palo Alto (+1 650.849.5386, [email protected])
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, [email protected])
Lauren R. Goldman – New York (+1 212.351.2375, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Natalie J. Hausknecht – Denver (+1 303.298.5783, [email protected])
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, [email protected])
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, [email protected])
Kristin A. Linsley – San Francisco (+1 415.393.8395, [email protected])
Timothy W. Loose – Los Angeles (+1 213.229.7746, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Rosemarie T. Ring – San Francisco (+1 415.393.8247, [email protected])
Ashley Rogers – Dallas (+1 214.698.3316, [email protected])
Sophie C. Rohnke – Dallas (+1 214.698.3344, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, [email protected])
Frances A. Waldmann – Los Angeles (+1 213.229.7914,[email protected])
Debra Wong Yang – Los Angeles (+1 213.229.7472, [email protected])

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, [email protected])
Patrick Doris – London (+44 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Joel Harrison – London (+44 20 7071 4289, [email protected])
Lore Leitner – London (+44 20 7071 4987, [email protected])
Vera Lukic – Paris (+33 1 56 43 13 00, [email protected])
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, [email protected])
Christian Riis-Madsen – Brussels (+32 2 554 72 05, [email protected])
Robert Spano – London/Paris (+44 20 7071 4000, [email protected])

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])