All posts by Paul E. Paray

Behavioral Advertising, Media, Privacy, Risk Management, Social Media

CA Gets the DROP on Data Brokers

Beginning in 2026, California residents can access the Delete Request and Opt-out Platform (DROP) and request data brokers delete their personal information – information collected from third parties or from consumers in a non-“first party” capacity (i.e., through an interaction where the consumer did not intend or expect to interact with the data broker).

Under the California Consumer Privacy Act, such personal information includes any data that identifies, relates to, or could reasonably be linked to a resident or their household, directly or indirectly. For example, it would include name or nickname; email address; purchase history; browsing history; location data: employment data; IP address; profiles businesses create about you, including pseudonymous profiles (“user1234”); and sensitive personal information.

Relying on Civil Code section 1798.99.80 et seq and Civil Code section 1798.140(v), DROP is administered by the California Privacy Protection Agency and is a great step in better consumer control of personal information.

Blockchain, Digital Assets, DLT, Financial Reporting

Banking’s Unwise Genius Act

For years now, stablecoins have quietly led the DeFi assault on the banking industry.  Given standard trading markets dwarf the miniscule numbers thrown by stablecoins, the banking industry never openly feared them.  Indeed, Big Banks chose to spin stablecoin buzz into PR by launching their own projects.  For example, J.P. Morgan launched its inter-bank JPM “stablecoin” in early 2019.  Much has changed since 2019.  The “JPM” is now officially the “JPMD” – admittedly not a stablecoin but rather a “deposit token that’s designed to serve as a digital representation of commercial bank money”, and in so doing J.P. Morgan officially jumped off the stablecoin train.  

Recognizing the dangers to their bottom line, Big Banks lobbied hard to ensure regulated stablecoins could not make interest payments.  To that end, on July 18, 2025, the GENIUS Act – or “Guiding and Establishing National Innovation for U.S. Stablecoins Act of 2025” was signed into law with such a prohibition in place.  Moreover, fully baked with the rigors of regulatory oversight, required identifiable reserves backing the outstanding payment stablecoins, and compliance with the Bank Secrecy Act, bankers were laughing all the way to their banks when it passed, believing they sufficiently quashed the stablecoin threat. 

Despite its girth, the banking lobby misplayed the GENIUS Act’s ability to curtail the stablecoin threat.  According to an August 12, 2025 letter from the Banking Policy Institute (“BPI”) – “a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks”, the GENIUS Act allows stablecoins to “indirectly” provide holders with interest yield on their assets: 

The GENIUS Act contained a prohibition on stablecoin issuers offering interest or yield, as well as other financial and non-financial rewards, to holders of stablecoins. However, without an explicit prohibition applying to exchanges, which act as a distribution channel for stablecoin issuers or business affiliates, the requirements in the GENIUS Act can be easily evaded and undermined by allowing payment of interest indirectly to holders of stablecoins.

These arrangements between stablecoin issuers and affiliates or exchanges, often jointly and explicitly marketed to consumers, will undermine the GENIUS Act’s prohibition regarding payment of interest and yield. The result will be greater deposit flight risk, especially in times of stress, that will undermine credit creation throughout the economy. The corresponding reduction in credit supply means higher interest rates, fewer loans, and increased costs for Main Street businesses and households.

In other words, despite their heavy lobbying, the banking industry now wants another bite at the apple that closes out this “loophole” which potentially allows stablecoin holders to receive interest on their holdings – no different than placing cash in a bank savings account.  Indeed, existing stablecoin issuers are now moving full speed with smaller banks to compete with the Leviathan banks that sought their destruction.

On August 18, 2025, the U.S. Office of the Comptroller of the Currency (“OCC”) released a social media post stating:  “Community banks can partner with companies developing stablecoins to foster innovation and offer new products. The OCC will review and update as necessary its regulatory and supervisory approach to ensure it supports innovations in banking and the vitality of community banks.”

This fundamental shift emanating from the OCC signifies a policy which better aligns crypto payment systems and the banking sector – just not with the Big Bank banking sector.  Recognizing the writing on the wall, even the venerated McKinsey – often relied upon by those very same Big Banks for management consultant gigs, has jumped on the stablecoin bandwagon. 

In a piece released on July 21, 2025, McKinsey recognizes that stablecoin transaction volume has risen sharply over the past two years – exceeding $27 trillion per year.  More to the point, the mega-consulting firm offers the following observation:

If that rate of growth were to continue, stablecoin transactions could surpass legacy payment volumes in less than a decade—and potentially sooner, based on expanding applications. The ability for tokenized cash to operate continuously, satisfy demand for instant settlement, and offer improved operational risk controls solves real-world pain points and offers a compelling value proposition to end users that could accelerate adoption.

Back to the Big Bank problem.  The GENIUS Act prohibits stablecoin issuers from paying “any form of interest or yield (whether in cash, tokens, or other consideration) solely in connection with the holding, use, or retention of such payment stablecoin.”  See 12 U.S.C. § 5903(a)(11) (emphasis added).

This section expressly bans interest-yielding stablecoins, but leaves a gaping hole that allows exchanges and issuers to sidestep such prohibition by creating earned yields on the stablecoin based on factors other than the “holding, use, or retention” of the stablecoin.  Big Banks obviously have some ideas regarding what that will look like – which is why they want a redo on the law and why the Crypto Council for Innovation (“CCI”) and the Blockchain Association (“BA”) jointly urged the Senate Banking Committee to resist efforts by the BPI to revise the GENIUS Act.  Turns out the Big Bank lobby can learn a thing or two from the Crypto lobby, namely when it comes to whether Big Business or Consumers should benefit from new technology, the current Congressional mood swings towards the Consumer. 

The CCI/BA Letter sent to the Senate Banking Committee explains why there should be no redo: 

Allowing responsible, robustly regulated platforms to share benefits with customers is not a loophole—it is a feature that promotes financial inclusion, fosters innovation, and ensures American leadership in the next generation of payments. This balance, between consumer protection and innovation, has been thoughtfully struck by a shrewd and thoughtful bipartisan coalition of legislators in both the House and Senate. Altering the provisions already enshrined in the GENIUS Act would be unwise and would fundamentally weaken a legislative framework designed to encourage competition and democratize the benefits of technological advancement in digital finance.

Pushing aside whether or not Big Banks eventually lose this major battle, the more-interesting question remains whether the GENIUS Act’s allowance for non-financial institutions to offer “regulated” stablecoins manifests into yet another Congressionally-enacted quiver in Big Tech’s quest to conquer the world.   After the implementing regulations arrive on July 18, 2026, we will all learn whether the law’s stringent safeguards – including capital and liquidity requirements, merely switches us from Big Bank mode to Big Tech mode or the law genuinely benefits consumers.

Accounting Firm, Copyright Infringement, Intellectual Property, Network Security, Risk Management, Small Business, Social Media

CHIP Away Risk and Grow Your Business

While many business owners recognize the importance of maintaining their Cybersecurity Hygiene and protecting their Intellectual Property (“IP”), they are often too pressed for time and money to implement any serious plans of action.  There are ways to improve your cybersecurity and IP postures without breaking the bank or ignoring revenue goals.

Be proactive and not take for granted good cybersecurity hygiene exists in your company.  To start this exercise, every business owner should at least have someone review the readily available free resources on the subject. For example, the U.S. Small Business Administration (“SBA”) has online resources dedicated to informing small businesses on how to bolster their cybersecurity. And, the National Institute of Standards and Technology (“NIST”) helps companies who admittedly have modest or no cybersecurity plans in place by offering to “kick-start their cybersecurity risk management strategy” with the NIST Cybersecurity Framework (CSF) 2.0.

Tip #1:  Choose WordPress for your website.   After reviewing free resources, business owners can determine which direction to turn when it comes to preparing for the worst.  For example, you may want to start out by looking at one of your main sources of credibility in the marketplace – your website.  A secure site will always score higher on SEO than an insecure site – which makes it crucial for business to focus on reputational integrity and protection of customer data.  The WordPress platform is extremely popular with small business owners given its content management system allows owners to easily upload and modify content – without the need for a developer charging for every edit. 

Given that a large portion of the Internet is using WordPress, Corporate websites built using WordPress allow for secure custom shops and can securely mesh with your own separate e-commerce shop built using tools such as Shopify

Some WordPress tips include keeping WordPress on auto-update to ensure all security updates are in place as soon as possible; choosing a mature template with many thousands of downloads that has been security tested over a long period and routinely updated; limiting the use of Plugins to those essential for WordPress security, including WordFence (or a similar firewall/scanning plugin) and WPS Hide Login (or similar plugin that hides the default login URL frequented by hackers) because many incidents are directly tied to insecure plugins – those that may have not been updated in years yet are still active on your site; and making sure you install an SSL (Secure Sockets Layer) Certificate allowing for encrypted HTTPS communications between site and browser.

The last tip is especially important given Google’s Chrome browser and Brave’s browser have long warned users when a website does not use this HTTPS protocol – a warning that likely causes potential visitors to not even visit the site.  The Really Simple SSL plugin can help ensure that this is easily done.  Many hosting companies provide a free SSL certificate so getting the plugin will make this an easy fix if needed.

Tip #2:  Practice good security hygiene by using passwords that include upper case letters, numbers, lower case numbers, and symbols that total no less than 10 characters. Keep the password in a safe place if you cannot memorize it and only use it for your website.  As well, deploy two-factor authentication to make it that much more difficult to get in the website using the front door – Authenticator is an excellent app for 2FA purposes but there many to choose from.  When it comes to passwords, the strongest chain of defense can only be as strong as its weakest link.

Tip #3:  Remind all employees never to click on links in emails – even if they seem legitimately from companies you do business with, including lawyers and accountants.  As for the most basic of “basic training”:  Don’t open or click on anything that looks suspicious. Again, it is much more difficult for hackers to launch an exploit without walking in the front door and they can’t come in if you don’t open the door. In other words, never click on a link, file or image from an untested source or unknown URL. The extra seconds it takes to confirm the actual sender of an email message or owner of a website is well worth the time.

Tip #4:  Safeguard against Ransomware attacks.  Given credit card data and account information has long been dirt-cheap to buy on the dark web, hackers now combine social engineering, e.g., well-crafted targeted emails using publicly available information, including emails of licensed professionals, with botnets usually tasked with promulgating spam and searching for vulnerabilities.  The result is a ransomware attack that can cripple a business unless Bitcoin is transferred to a specific account. 

The FBI has long suggested firms focus on a variety of basic prevention efforts – in terms of awareness training for employees and technical prevention controls, as well as the creation of a solid business continuity plan in the event of a ransomware attack.  And, after a ransomware attack is suspected, victims should immediately contact the local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.   

If a firm wants to immediately enact a more proactive approach, however, there are certainly additional very basic policies and procedures that can be put in place right now to help avoid a ransomware exploit:  (i) block executable files (such as “.exe” files) and compressed archives (such as zip files) containing executable files before they reach a user’s inbox; (ii) block the use of thumb drives; (iii) mitigate against social engineering exploits by providing employee online training that is continuous and targeted with services such as KnowBe4; (iv) make sure whoever is providing you with IT support has a software patch management plan in place; (v) regularly back up data with media not connected to the Internet.

Tip #5:  Apply for Cyber Insurance.   Given the recent massive spike in small business insureds being specifically targeted, price hardening and onerous underwriting requirements have been the norm for cyber insurers.  While it is way too soon to turn in the towel on small business cyber insurance, some of those allocated insurance premium dollars might also be spent on bolstering security as well as lower cost/higher deductible coverage. 

One key attribute of any cyber insurance should be the technical vendors and legal counsel associated with these carriers.  Cyber insurance will also always serve a vital role in helping small business owners deal with ransomware attacks by offering the benefit of an underwriting process so that businesses can better understand their vulnerabilities and potential strengths – all without the need of hiring a consultant or paying any fees.   Indeed, an insurer acting as a trusted partner may even assist a potential client obtain compliance with an insurer’s cybersecurity standards before the insurance is even purchased

Protecting your most valuable assets – your intellectual capital, is well worth the effort.   Whether it’s how your employees conduct business, which clients you do the most business with, how you service those clients, or how you communicate with clients and employees, intellectual property is wrapped around all of it. 

Tip #1: Your know how needs confidential treatment.  Your client list and how your clients are serviced constitute your “know how” or more commonly “trade secrets” that must be kept confidential – once they become public any protections you may have had will evaporate.  The use of non-disclosure agreements with third parties is essential – as well as ensuring your employees understand this fundamental concept. Using well-written contracts with clients will also help ensure your know how is protected.

Tip #2: Your brand, sales and marketing brochures, and training materials are trademark and copyright protected.  Even a small company with no employees can have a robust brand built over many years – and found predominantly on the company’s sales and marketing materials.  All that is necessary for local common law protection is that it be in use to identify specific services or products.  To obtain nationwide protection and added damages for infringement, the mark should seek federal registration using the USPTO.Gov website.  Similarly, the product brochures created from scratch are copyright protected as soon as they were created but have enhanced protection when registered at Copyright.Gov.  

As you review the content and systems powering your business — everything from the company names to the use of training materials — you will quickly appreciate how much value goes unguarded. Consulting a legal expert or learning how to protect your trademarks and copyrights may not be quick or glamorous, but it will give you something longstanding: ownership of an intangible asset, leverage, and peace of mind.

Tip #3: Plan for the sale of your business by incorporating these best practices.  According to the SBA, more than half of the nation’s small-business owners are over the age of 50, and approximately 21% of the US population were born before 1964. And, according to one study, baby boomers owned about 51% of the privately held businesses in the United States, which is about 3 million businesses valued at $10 trillion dollars.  Unfortunately, founders typically defer addressing the fact that they will one day be too old and tired to manage a successful business. 

When no one in the family wants to take over your business there are only two options, close shop or sell to a willing buyer.  One metric used in valuing businesses is tied to the company’s ability to scale based on its protected intellectual property assets.  In other words, sustainable growth is not always about making more — it’s also about being able to protect what you’ve already built. After deploying the right practices, support system, and mindset, a successful entrepreneur can go from vulnerable to vigilant — and nurture a business that’s built for selling.

Artificial Intelligence, Blockchain, Digital Assets, Electronic Health Records, Intellectual Property, Privacy, Risk Management, Technology Law

Birthing the Agentic Web

On May 19, 2025, Microsoft blogged the following potentially prophetic words:

We envision a world in which agents operate across individual, organizational, team and end-to-end business contexts. This emerging vision of the internet is an open agentic web, where AI agents make decisions and perform tasks on behalf of users or organizations.

In the current mad rush to advance AI agents – which represent autonomous tools operating in the “real world” picking and choosing what comes after a user’s initial AI prompts, companies are paying little heed to existing guardrails.

Indeed, commerce titans are falling all over themselves to get in front of Agentic AI. MasterCard recently announced its launch of an Agentic Payments Program, Mastercard Agent Pay. According to MasterCard’s April 29, 2025 press release, this “groundbreaking solution integrates with agentic AI to revolutionize commerce.”

A day later Visa released information regarding its own Visa Intelligent Commerce which “enables AI to find and buy.” Not to be left out in the colde, PayPal released its own Agent Toolkit that same day. PayPal’s toolkit enables existing agent frameworks, such as OpenAI’s Agents SDKVercel’s AI SDKModel Context Protocol (MCP)LangChain, and CrewAI, to integrate with PayPal’s APIs. 

An agentic web lacking in “privacy by design”, strong cybersecurity hygiene, and proper adherence to regulatory and common law constraints regarding consent, will not likely mainstream agentic AI no matter how many developers are tasked with moving this infrastructure forward.

To fully grasp what needs to be done in this area, all one needs to do is read a description of Stanford Health Care’s implementation of Microsoft’s healthcare agent orchestrator. According to Microsoft, the healthcare agent orchestrator “has helped the Stanford team build and test autonomous AI agents that consult disparate data sources and collaborate on tasks that might otherwise take hours – building a chronological patient timeline, synthesizing current literature, referencing treatment guidelines, sourcing clinical trials and generating reports – using clinically grounded knowledge to deliver accurate and reliable results.”

The compliance landmines referenced in this short blurb read like they are straight from a law school exam.

Blockchain, Digital Assets, DLT, Technology Law

Crypto 2025 is not Internet 1995

On January 7, 2025, Fidelity Digital Assets rolled out its 2025 Look Ahead report.  The main message of financial behemoth Fidelity Investments is that it is not too late to invest in digital assets because “2025 has the potential to be the year that is looked back on as the pivotal time where the “chasm was crossed” as digital assets begin to take root and embed themselves into multiple fields and industries.”  See Report at 3. 

Fidelity’s failure to attribute its chasm reference to Geoffrey Moore’s 1991 seminal tech marketing book “Crossing the Chasm” seems reflective of this fluff paper’s entire premise, namely that their predictions for a crypto seismic shift are warranted.  Nothing could be further from the truth.   

While it is true Fidelity Digital Assets has been singing a bullish song these past five years, Fidelity only really cares about “digital assets” to the extent they require Fidelity’s custodial or brokerage services or moving new BTC ETFs into a 401(k).  Fidelity Digital Assets does not care whether there is any underlying value in any of those assets – unlike with shares representative of a company that hires workers, builds products, and generates revenue.

Over the past ten years, blockchain technology has simply merged with crypto coins in the public’s mind with regulators aggressively going after those selling such unregulated coins.  Despite Facebook pouring millions into its Libra coin effort – later renamed Diem, it eventually realized there was no future in its privacy-killing product given this regulatory backlash.  Indeed, during the past seven years no blockchain effort has risen to mass appeal other than the greater fool driven meme coins lacking any centralized control and a BTC reaching over $100,000.  While it is true that DeFi platforms saw increasing growth these past several years, most stock investors would be unable to name any such platform or what even is “DeFi”.

Adding to this lack of true product awareness and regulatory backlash, crypto’s current lack of clothing is easy if one looks in the right places.  In an October 2024 scathing diatribe penned by a former SEC lawyer titled “Blockchain Remains, and Will Forever be, a Dire Grift, a Perilous Scam and a Nasty Scourge”, the author does not mince words:  “I can’t say it any plainer: blockchain is bunk. Despite its relentless hype and inexorable bluster, blockchain technology itself has extremely limited utility and is a solution to a problem that nobody has.”   

The author – John Reed Stark, is the former chief of internet enforcement at the SEC, and was on 60 Minutes on December 8, 2024 to further state his case.  He bemoaned on air that “crypto is a scourge. It’s not something that you want in your society. It has no utility. it’s just pure speculation. Remember, there’s no balance sheet to crypto. There’s no financial statements.”

Mr. Stark explains “there’s no audit, inspection, examination, net capital requirements – no licensure of the individuals involved. And there’s no transparency into it. that creates real systemic risk, not just risk for investors. But the other part that people don’t really talk about enough are the dire externalities that are enabled by crypto.” 

When asked to explain those externalities, he places a floodlight on the elephant in the room:  “Every single crime you can conceive of is easier to do now because of crypto, especially ransomware, human sex trafficking – sanctions evasion, money laundering. North Korea is financing their nuclear weapons program using crypto.” While the volume of illicit transactions may remain high, crypto certainly lost its luster among criminals after better armed law enforcement arrived in 2017.

Nevertheless, not only does crypto not really fuel physical transactions like fiat currencies, it does still fuel criminal activity and can lead to investor loss more readily given it lacks the SEC guard rails afforded to public stock investors.  Accordingly, in some ways, Mr. Stark may be right about crypto but wrong about blockchain – or at least the jury remains out on the later.

Not all crypto coins sold to the public are bunk and smart contracts such as those available under Ethereum will very likely eventually allow for the utilization necessary for a blockchain ecosystem to thrive.  The true potential of blockchain technologies will never be realized, however, until blockbuster products reach mass appeal – something that just has not yet happened other than in the case of the speculative asset of Bitcoin. Bitcoin will never be the optimum test case for blockchain technology given it is nothing more than a speculative asset albeit one that has many buyers and a growing pricing model.

One wildcard is how the new administration shapes policies going forward – including the possibility of creating a U.S. Bitcoin strategic reserve. It remains to be seen whether the Trump Administration fulfills all the promises that led to significant campaign funding from crypto PAC Fairshake.  Such regulatory easing may very well lead to greater innovations.  More than likely, however, after Bitcoin is used by the government to pay down some of its debt, it will no longer project that gleam in the incoming President’s eye and regulatory compliance might reenter the picture. Either way, regulators will for the next four years focus primarily on fraud – which can only help legitimate projects going forward.

While it took a two decades for Internet companies to upend the retail establishment, that seismic market penetration was based on millions of consumer transactions . As of today, however, the only deeply penetrated crypto markets are of the asset class type – which is insufficient to create commercialization of an industry. In other words, the only way the 1995 comparisons made by Fidelity Digital Asset in its report come to fruition is by having blockchain begin delivering on its promise of utility on a grand scale. Until the potential of that happening becomes very clear – which was the case for the Internet when broadband began taking over in 2005, crypto 2025 should not be considered Internet 1995.

Despite showing great initial promise in 2018 – what at the time appeared to be the more appropriate year for the 1995 comparison, nothing pre-seismic occurred during these past seven years. In other words, it still remains too early in the game to peg any seismic shift date so Mr. Stark may eventually be proven right.

Behavioral Advertising, Intellectual Property, Media, Privacy, Social Media

The Personal Financial Data Rights Rule

On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB”) finalized the Personal Financial Data Rights rule, which moves the United States closer to “an open banking system in which consumers, not dominant firms, control their data.”  The CFPB is generally tasked with “promoting fair, transparent, and competitive markets for consumer financial products and services.”

On October 23, 2024, CFPB Director Rohit Chopra spoke at Georgetown University’s DC Fintech Week.  As shown below, his prepared remarks do a nice job of describing how the new rule will address data ownership and stewardship problems largely ignored by helpless consumers.

Today, I primarily want to focus on the data protections in the rule, which are essential to ensuring the rule works to advance competition in financial markets. This rule will help to dramatically improve privacy and security, ending the problematic credential sharing and invasive surveillance that we too often see.

First, to obtain data on a consumer’s behalf, a bank, fintech, or other financial company will need to adhere to federal data security requirements. This means they can’t have shoddy security like we saw at companies like Equifax. And if they fail to meet their obligations, they can face enforcement actions and can even get shut down by the licensing or chartering authority.

Second, the rule works towards ending the practice of “screen scraping.” This occurs when a company collects a consumer’s username and password to log in to online banking on the consumer’s behalf to scrape away data. “Screen scraping” is risky, since it can involve unencrypted credential sharing and massive overcollection of data.

Third, the rule requires companies to minimize the data they collect, secure it, and, as a default practice, delete it upon revocation. In addition, the rule forbids companies from seeking to obtain a permanent authorization to continually harvest data. These requirements should lessen the amount of data that would be vulnerable to a data breach.

Fourth, the rule allows banks and fintechs that currently hold the consumer’s data to deny access to companies requesting on the consumer’s behalf when they fail to meet minimum standards. Companies making requests will need to prove they have the authorization from the consumer, disclose their legal entity identifier, and more. The rule allows banks and fintech to engage in legitimate blocking, as long as those practices are applied consistently and fairly.

Fifth, and most importantly, the rule puts into place significant limitations on how companies can use data. Right now, financial companies send consumers an annual privacy notice that tells them any parties they reserve the right to share the data with. In theory, consumers review this and then opt out of sharing they don’t want. In reality, almost no one opts out of anything. Many believe this is just another notice that doesn’t meaningfully limit misuse of personal data.

The rule spells out a simple, but much different approach: you can use a consumer’s data to provide the product or service the consumer asked you for, but you can’t use it for unrelated purposes the consumer doesn’t want. In other words, companies can’t engage in a bait-and-switch, where they lure people in with an offer for a loan or an account, but then sell, exploit, or monetize the data for another purpose.

And there’s a lot more. Taken together, these protections improve the privacy and security of our financial data, compared to the status quo. This will help to stop the lurch toward surveillance pricing.

The CFPB has closely studied how Big Tech companies and other firms can combine your search history, browsing history, geolocation history, your contacts, and more to create a detailed profile about you. We also see how large banks are also seeking to harvest more data from their customers without meaningful limits. When this information includes your sensitive personal financial data, this can create the conditions for surveillance pricing.

For example, if a rideshare giant knows that you worked an extra shift and just got a larger paycheck than usual, it might decide to charge you more for a ride home. If a dominant player in search knows that you just made a payment at a fertility clinic, it might start targeting you with ads for dubious treatments you didn’t ask for.

While the CFPB’s Personal Financial Data Rights that implements new statutory rights will help to jumpstart competition, it is also a major step forward for privacy, security, and data protection.

Director Chopra is correct in his optimistic assessment of the rule given the longtime “data slurping” conducted by so many companies has largely gone unabated and this new rule – which solves some but far from every consumer data transgression, is a great beginning.  It only took the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 to establish the CFPB and it then another fourteen years to get the CFBP to promulgate this new rule.  When dealing with the “data industrial complex”, these things take time. 

Indeed, as shown by this new rule’s compliance schedule, it will be years before the individual parts of the rule take effect with possible judicial and governmental intervention in the interim.  See Personal Financial Data Rights Rule (“Data providers must comply with the requirements in subparts B and C beginning April 1, 2026; April 1, 2027; April 1, 2028; April 1, 2029; or April 1, 2030, depending on the criteria set forth in § 1033.121(c)”). At the very least, the new rule discussed by Director Chopra alerts consumers to the dark “data industrial complex”. Even if the rule eventually gets neutered, its underlying wake up call hopefully doesn’t get unanswered on a state level.

Financial Reporting, FinCEN BOI Reporting, Middle Market Business, Risk Management, Small Business

The Need to Comply With the CTA comes Into Focus

October 8, 2024 was a bellwether date for those waiting on a court to clarify whether the statutory requirement for filing BOI Reports sits on solid ground.  It was on October 8, 2024 when the oral argument in the pending Eleventh Circuit appeal from Small Bus. United d/b/a Nat’l Small Bus. Ass’n v. Janet Yellen, Case No. 5:22-cv-01448, Dkt. No. 52 (N.D. Ala. Mar. 1, 2024) was released to the public.   

Given the tempo and questions raised during this September 27, 2024 hearing, reporting companies can now reasonably assume there is likely no longer any reason to delay filing their BOIR Report based on any perceived lack of judicial clarity.  Before the end of the year – the deadline for over 30 million reporting companies, subject companies should likely file their BOI Report because there is no Judge that will likely remove that obligation. 

While it is never easy to predict which way the judicial winds blow, it seems likely the Eleventh Circuit will at least remand the Alabama decision for further review of the Fourth Amendment argument raised during that hearing – something not touched upon by the court below, if not just rule outright for reversal.  The appellee raised the Fourth Amendment argument because federal, state, local and foreign law enforcement can access BOIR data without the need for a Court Order.  Overall, the Judges – especially the Honorable Andrew L. Brasher who was appointed in 2020, seemed skeptical of this and all other arguments suggesting that Congress passed in 2021 the Corporate Transparency Act (“CTA”) without proper Constitutional footing.

The Eleventh Circuit hearing is on the heels of a District Court Judge in Oregon denying requested injunctive relief, in part, by ruling the CTA was likely constitutional.  See Michael Firestone, et al. v. Janet Yellen, Case No. 3.24-cv-1034, Dkt. No. 18 (D. Or. Sept. 20, 2024).  Indeed, in the second of two supplemental filings with the Eleventh Circuit, the appellee tried to distinguish the Oregon case as well as a recent Supreme Court case that may have shifted the burden in this case slightly in favor of the government – a case the Eleventh Circuit requested supplemental briefing on in its August 14, 2024 Order.  Not surprisingly, the government filed a contrary reply with the Court

As it stands, the Eleventh Circuit and the Court of Appeals of the Ninth Circuit – by way of the likely appeal from the Firestone decision, will squarely rule upon the constitutionality of the CTA – setting up the exact sort of case the Supreme Court likes to hear, namely an appeal where more than one Circuit Court rules on the constitutionality of a far-reaching federal statute. 

Indeed, there are other Courts of Appeal that could also likely chime in on this issue given pending District Court cases, including the First Circuit (William Boyle v. Janet Yellen, Case No. 2:24-cv-00081 (D. Me. filed Mar. 15, 2024) and Black Econ. Council of Mass., Inc. v. Janet Yellen, Case No. 1:24-cv-11411 (D. Mass. filed May 29, 2024)); the Fifth Circuit (Texas Top Cop Shop, Inc. v. Merrick Garland, Case No. 4:24-cv-00478 (E.D. Tex. filed May 28, 2024)), the Sixth Circuit (Small Bus. Ass’n of Mich. v. Janet Yellen, Case No. 1:24-cv-00314 (W.D. Mich. filed Mar. 26, 2024) and Robert J. Gargasz Co. LPA v. Janet Yellen, Case No. 1:23-cv-02468 (N.D. Ohio filed Dec. 29, 2023)); and the Tenth Circuit (Taylor v. Janet Yellen, Case No. 2:24-cv-00527 (D. Utah filed July 29, 2024)).

This mosaic of potentially conflicting upper court decisions leaves little doubt that in the short term FinCEN holds the upper hand and might use such built-up judicial equity to aggressively enforce its BOIR regulations in 2025.  One thing is for sure – the only way this fast-approaching BOIR Train gets derailed is by either the Supreme Court – which is unlikely given the very case the Eleventh Circuit sought briefing on, or by Congress – which is even less likely given the treasure trove of information derived from the CTA may be useful for tracking individuals with large cryptocurrency holdings and eventually bringing in more money into federal coffers as well as potential crime prevention.

Accounting Firm, Financial Reporting, FinCEN BOI Reporting, Middle Market Business, Risk Management, Small Business

Practical Steps for Advising on BOIR Compliance

When advising clients on filing FinCEN’s Beneficial Ownership Information (BOI) reporting obligations, professionals should offer clear, practical guidance to ensure compliance and mitigate potential risks. 

It is obviously helpful to start out by educating small business clients on the fundamentals of BOIR filing:

   – Who needs to file: Explain that most small corporations, LLCs, and similar entities must comply unless specifically exempt.

   – What needs to be reported: Discuss the required information, such as names, dates of birth, addresses, and ID numbers of beneficial owners (anyone with 25% or more ownership or substantial control).

   – Filing deadlines: Highlight the deadlines—new businesses must file upon formation, and existing businesses have until the start of 2025.

Small business ownership structures can be complex.   Professionals should emphasize that beneficial ownership extends to anyone with substantial control, even if their equity stake is less than 25%.  For example, CPAs should direct their clients to experts who can help them identify all individuals who qualify as beneficial owners, ensuring no key person is missed.  Discuss how trusts are to be handled.

The importance of accurate and up-to-date documentation should be stressed:

   – Maintain records: Recommend that clients keep detailed records of beneficial owners and any changes over time. Establishing a system for periodic updates will help ensure compliance in the future.

   – Secure documentation: Encourage clients to securely store identifying information, such as government-issued ID numbers, to ensure data privacy and protection.

Professionals should inform clients of the risks of non-compliance:

   – Fines and penalties: Non-compliance can result in daily fines of $591 per day, potentially leading to substantial financial liability.

   – Business risks: Emphasize that failing to comply could lead to regulatory investigations or civil penalties, which can be costly and damaging to the business’s reputation.

For businesses that may find the filing process challenging, you should either:

   – Assist with filing: Offer to help prepare and file the BOIR on behalf of the client or coordinate with professionals focused on such filings.

   – Refer to a Compliance specialist: CPAs can also recommend working with a compliance expert or other professional specializing in corporate governance and regulatory filings.

Clients should be told to approach BOI filings proactively:

   – Plan for future updates: Encourage clients to set up procedures for regularly reviewing and updating beneficial ownership information to avoid missing future reporting obligations.

   – Consult early: Suggest addressing BOIR filing well in advance of deadlines to prevent rushed submissions that could lead to errors. Professionals who are diligent and invest the time can easily help their clients navigate FinCEN’s BOI reporting obligations effectively, minimizing risk and ensuring ongoing compliance.

Accounting Firm, Financial Reporting, FinCEN BOI Reporting, Middle Market Business, Risk Management, Small Business

Risks of Non-Compliance with FinCEN’s BOI Reporting Rule

Non-compliance with FinCEN’s Beneficial Ownership Information (BOI) reporting requirement could expose your business to significant financial and legal risks. Here’s what you need to know about the potential consequences of failing to comply with this critical regulation.

FinCEN has the authority to impose hefty fines on businesses failing to meet the BOI reporting requirement. Penalties for non-compliance is $591 per day, with no maximum cap. This means even small delays in filing could result in substantial financial costs if FinCEN targets your company.

Non-compliance with BOIR can be seen as an attempt to obscure ownership information, which could trigger further investigation into potential financial crimes.

Businesses found to be in non-compliance with the BOI reporting requirements may also suffer reputational damage. Investors, clients, and partners expect transparency in ownership structures, and failure to comply could result in a loss of trust and business opportunities.

Non-compliant businesses may find it harder to secure loans, attract investors, or engage in mergers and acquisitions. Transparency in beneficial ownership is becoming a key factor in financial and business transactions, and non-compliance could hinder growth opportunities.

As of today, there are no reported instances of fines being assessed against a company for violation of the BOI reporting rule.  Nevertheless, the risks of non-compliance with FinCEN’s BOIR requirement far outweigh the effort of filing. Businesses that take proactive steps to meet the reporting deadlines and maintain accurate information will avoid fines, legal action, and reputational harm. Make compliance a priority to safeguard your business.

Accounting Firm, Financial Reporting, FinCEN BOI Reporting, Middle Market Business, Risk Management, Small Business

Five Common Mistakes to Avoid Before Filing Your BOI Report

Business owners preparing to file their Beneficial Ownership Information (BOI) reports should be aware of common pitfalls that might lead to civil penalties or worse.

The most common mistake is identifying one owner but not identifying every individual qualifying as a beneficial owner. Even if someone owns less than 25% of the business, that person may still be considered a beneficial owner if they hold significant decision-making authority evidencing “substantial control” over the reporting company.

For example, an indirect way to exercise substantial control over a reporting company is by controlling one or more intermediary entities that separately or collectively exercises substantial control over a reporting company. The best way to avoid this mistake is to review your company’s structure carefully and consult an expert if you’re unsure about who is a potential beneficial owner.

Another likely common mistake is submitting incorrect or incomplete details for beneficial owners. Mistakes in names, dates of birth, or identification numbers can lead to rejected filings or regulatory scrutiny – and possibly even fines and jail time if done deliberately. This mistake can easily be avoided by double-checking all information before submission and ensuring you’ve provided accurate and up-to-date details.

A third common mistake is failing to timely file. Businesses underestimate how long the process can take, leading to missed deadlines. For new businesses, filing is required 90 days after formation or registration, while companies formed or registered prior to 2024 have until January 2025 to comply. Companies can avoid this potential problem by marking important dates on your calendar and preparing your filing early to avoid a last-minute rush and a possible $591 a day fine for an untimely filing.

A fourth mistake would be the failure to update information as it changes. As set forth in the applicable regulations, the failure to update beneficial ownership information as changes occur can result in non-compliance. Any changes in ownership or control must be reported within thirty days of the change. This can be avoided by Implementing an internal system to track changes in ownership and file updated reports with FinCEN when necessary.

The fifth common mistake is simply assuming the existence of an exemption without really confirming it applies. Certain businesses, like larger companies already subject to similar rules, are exempt from the BOI reporting requirement. Assuming you are covered by an exemption without having proper confirmation could lead to fines. This can be avoided by double checking your exemption status by consulting the list of exempt entities or seeking expert advice. For example, even if your company has filed for dissolution, that would not automatically exempt you as an inactive company if that dissolution took place in 2024.

Avoiding these five common mistakes will help ensure a smooth BOI reporting process. By simply taking the time to understand key requirements and double-checking your information, you can protect your business from most of these unnecessary risks.