Alston & Bird Consumer Finance Blog

Privacy and Cybersecurity

Privacy, Cyber & Data Strategy / White Collar, Government & Internal Investigations Advisory | GENIUS Act Establishes Federal Regulatory Oversight of Global Stablecoin Industry

Executive Summary

Our Privacy, Cyber & Data Strategy and White Collar, Government & Internal Investigations Teams examine how the GENIUS Act’s framework for stablecoin issuers will impact the cryptocurrency sector.

  • The Act restricts the issuance of payment stablecoins within the United States to “permitted payment stablecoin issuers” (PPSIs)
  • PPSIs must maintain reserves of high-quality, liquid assets that fully back their outstanding stablecoins on at least a one-to-one basis
  • Regulatory oversight is divided between federal and state authorities, with joint oversight applying when state issuers exceed certain thresholds or opt into federal frameworks

___________________________________________________

On July 17, 2025, during “Crypto Week,” the U.S. House of Representatives passed the landmark Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act). Signed into law by President Donald Trump the next day, the GENIUS Act establishes a comprehensive federal framework for the issuance of payment stablecoins, regulation of stablecoin issuers, and both federal and state oversight for stablecoin authorization, audits, and other obligations. Domestic and foreign issuers in the more than $250 billion stablecoin market now have a clear path to securing and maintaining regulatory compliance in the United States.

Demonstrating rare cross-aisle cooperation and a shared interest in modernizing financial regulations to match emerging blockchain and artificial intelligence (AI) technologies, the Act garnered 308 affirmative votes in the House and 68 in the Senate, surpassing the upper chamber’s filibuster threshold. The GENIUS Act addresses Trump’s key campaign and policy promise to bring clarity and control to the digital asset market.

Key Provisions of the GENIUS Act

Effective date

The GENIUS Act takes effect on the earlier of (1) January 18, 2027 (18 months after the date the Act is enacted into law); or (2) 120 days after the primary federal regulators responsible for stablecoins issue their final regulations to implement the Act.

Authorized issuance of stablecoins only

The Act restricts the issuance of payment stablecoins within the United States to only those entities that qualify as “permitted payment stablecoin issuers” (PPSIs). PPSIs must be either U.S.-based issuers authorized under the Act or foreign issuers that are registered and operate under a regulatory framework deemed comparable to the Act by U.S. authorities and are subject to supervision by the Office of the Comptroller of the Currency (OCC).

A domestic PPSI must meet the requirements of one of three main categories: (1) subsidiary of an insured depository institution that has received approval to issue payment stablecoins under Section 5 of the Act; (2) federal qualified payment stablecoin issuers, which encompass nonbank entities (excluding state-qualified issuers) approved by the OCC, uninsured national banks chartered and approved by the OCC, or a foreign bank that does business outside the United States and has opened one or more federally licensed branches or offices in a U.S. state (“federal branch”), approved by the OCC; or (3) state-qualified payment stablecoin issuers, which are entities legally established under state law and approved by a state payment stablecoin regulator, provided they are not an uninsured national bank, federal branch, insured depository institution, or subsidiary of any such entities.

Requirements for issuing stablecoins

PPSIs must maintain reserves that fully back their outstanding stablecoins on at least a one-to-one basis. These reserves must consist of high-quality, liquid assets such as U.S. coins and currency or credit with a Federal Reserve Bank, demand deposits at insured depository institutions, short-term U.S. Treasury securities, and other monetary securities described in Section 4(a)(1) of the GENIUS Act. Any PPSI must publicly disclose its redemption policies and publish monthly reports detailing the composition, average maturity, and custody location of its reserves. A PPSI’s CEO and CFO must certify the accuracy of those monthly reports, and the Act makes knowingly false certifications punishable by up to 10 or 20 years’ imprisonment under 18 U.S.C. § 1350. To ensure reserve quality and transparency, PPSIs are prohibited from pledging, rehypothecating, or reusing reserves except under limited conditions, such as meeting margin obligations for investments in permitted reserves or creating liquidity to redeem payment stablecoins.

Mitigating money laundering and illicit financing risk

The GENIUS Act designates permitted payment stablecoin issuers as “financial institutions” under the Bank Secrecy Act (BSA), requiring them to implement robust compliance programs to prevent money laundering, terrorist financing, sanctions evasion, and other illicit activity. PPSIs must annually certify that they have implemented an effective BSA/AML compliance program. False certifications are punishable by up to five years’ imprisonment. To ensure regulatory parity, the Act’s registration and inspection requirements for foreign issuers effectively subject them to similar compliance standards when accessing the U.S. market. Both U.S. and foreign issuers must also (1) maintain the technical ability to freeze, seize, or turn over payment stablecoins pursuant to lawful orders; and (2) actually comply with such orders when they are received. Foreign issuers that fail to do so may be designated “noncompliant” by the Treasury, triggering a ban on secondary trading of their stablecoins after 30 days. Violations of that ban carry steep penalties—up to $100,000 per day for digital asset service providers and $1 million per day for foreign issuers.

Regulatory oversight

Regulatory oversight is divided between federal and state authorities, with federal regulators overseeing federally chartered or bank-affiliated issuers, state regulators supervising state-chartered issuers, and joint oversight applying when state issuers exceed certain thresholds or opt into federal frameworks. Regulators are responsible for licensing, examining, and supervising PPSIs to ensure compliance with the Act’s requirements, including reserve backing, redemption policies, and risk management standards.

PPSIs with more than $50 billion in consolidated total outstanding issuance that are not subject to the reporting requirements of the Securities Exchange Act of 1934 are required to prepare an annual financial statement in accordance with generally accepted accounting principles (GAAP) and must disclose any “related party transactions,” as defined under GAAP. A registered public accounting firm must audit the annual financial statement, and the audit must comply with all applicable standards set by the Public Company Accounting Oversight Board. These audited financial statements must also be made publicly available on the PPSI’s website and submitted annually to the PPSI’s primary federal payment stablecoin regulator.

Civil and criminal penalties

Additional civil and criminal penalties are set out throughout the Act. Notably, entities other than PPSIs that issue payment stablecoins in the United States without proper approval may face civil penalties of up to $100,000 per day for violations. Individuals who knowingly issue stablecoins in the United States without being a permitted payment stablecoin issuer face up to five years’ imprisonment and fines up to $1 million for each violation. Additionally, individuals with certain felony convictions are prohibited from serving as officers or directors of a PPSI, and violations of that prohibition can result in imprisonment for up to five years. The Act expressly gives regulators discretion to refer violations of the Act to the Attorney General.

Modernizing anti-money laundering and financial crimes compliance

The GENIUS Act places a strong emphasis on leveraging blockchain technology and AI to modernize the detection of illicit financial activity involving digital assets. The Act mandates that the Secretary of the Treasury initiate a public comment period to gather insights on how regulated financial institutions are using or could use innovative tools—particularly blockchain and AI—to detect money laundering and related crimes. Blockchain technology is highlighted for its potential in transaction monitoring and transparency, especially in tracking digital asset flows and identifying suspicious patterns.

Rulemaking timeline

The Act mandates that all primary federal payment stablecoin regulators, the Secretary of the Treasury, and state payment stablecoin regulators must promulgate regulations to implement the Act within one year of its enactment (July 18, 2026). These regulations must be issued through a notice-and-comment process. Additionally, within 180 days of the Act’s effective date, the OCC, Federal Deposit Insurance Corporation, and Board of Governors of the Federal Reserve System shall submit a report to the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services that confirms and describes the regulations necessary to carry out this Act.

Other Impending Crypto Legislation

The GENIUS Act is momentous for stablecoin issuers, but it does not resolve a number of crypto-native issues, which are the subject of a broader market structure bill known as the Digital Asset Market Clarity Act of 2025 (CLARITY Act). The CLARITY Act passed the House with broad bipartisan support, and a version is currently under Senate consideration. While the GENIUS Act focused narrowly on regulating stablecoin issuers, the CLARITY Act seeks to establish a robust regulatory framework for all digital assets and define the roles of the Securities and Exchange Commission and Commodity Futures Trading Commission in policing the digital asset markets. Most notably, for the first time, the CLARITY Act attempts to classify digital assets based on their characteristics, such as decentralization and blockchain maturity, with a goal of reducing regulatory uncertainty and fostering innovation in the cryptocurrency industry. Senator Tim Scott (R-SC), chair of the Senate Banking Committee, has made several public statements on the timeline for consideration of the CLARITY Act, with committee markup expected in September and full Senate action possible by late fall.

Conclusion

The GENIUS Act establishes a robust framework for the issuance and oversight of payment stablecoins in the United States. It sets clear standards to ensure transparency for the backing of permitted payment stablecoins, and it requires issuers, like traditional financial institutions, to quickly establish robust compliance programs to combat illicit uses of their stablecoins. With its strong bipartisan backing and goals of financial stability, consumer protection, and global competitiveness, the Act could lay the groundwork for a more transparent and trustworthy digital asset ecosystem.


Originally published July 24, 2025.


Wave Goodbye to the Waiver Debate: Court Holds Data Breach Investigation Report Not Work Product from the Start

Litigants in data breach class actions often fight over whether a data breach investigation report prepared in response to the breach is protected by the work-product doctrine. Common areas of dispute include whether the report was prepared in whole or in part for business—not legal—purposes, and whether the report relays facts that are not discernable from other sources. The fight becomes even more complicated, however, when the company that suffered the data breach is required to provide the report to regulators.

For example, in the mortgage industry, mortgagees regulated by the Multistate Mortgage Committee (MMC) are required to provide a “root cause report” following a data breach. Similarly, under Mortgagee Letter 2024-10, FHA-approved mortgagees must notify HUD of a cybersecurity incident and provide the cause of the incident. These reporting obligations involve production of information to regulators that typically overlaps with the content of data breach investigation reports.

Traditionally, one might think that disclosure of an investigation report (or its contents) to a regulator was a question of waiver. But recently, a federal district court in the Southern District of Florida bypassed the waiver analysis entirely. It held that reports provided to regulators were never protected by the work-product doctrine in the first place, reasoning that they were primarily created for regulatory compliance rather than in anticipation of litigation, even though, as a factual matter, the reports had not originally been commissioned for regulatory compliance.

What Happened?

In a recent decision in a data breach litigation against a national mortgage loan servicer, the court considered whether investigative reports prepared by cybersecurity firms were protected under the work-product doctrine. These reports were initially withheld from discovery on the familiar grounds that they were prepared in anticipation of litigation following a data breach. But the plaintiffs argued that because the reports were disclosed to mortgage industry regulators, any work-product protections were waived.

Rather than address the waiver issue, the court analyzed whether the documents were privileged in the first place under the dual-purpose doctrine, which assesses whether a document was prepared in anticipation of litigation or for other business purposes. Under this doctrine (adopted by the First, Second, Third, Fourth, Sixth, Seventh, Eighth, Ninth, and D.C. Circuits), a document is protected if it was created “because of” the anticipated litigation, even if it also serves an ordinary business purpose. Notably, the court found that the reports were primarily created to comply with regulatory obligations, specifically those imposed by the MMC, even though they’d initially been prepared in anticipation of litigation. In the court’s view, the unredacted submission of the reports to the MMC, when demanded, evidenced that the predominant purpose for their creation was regulatory compliance.

The court ended with the suggestion that the defendants could have avoided this issue by creating a separate document for regulatory compliance, omitting sensitive findings related to litigation. Aside from this suggestion, there does not appear to be a legal framework under which the disclosed reports would have been protected work product, at least in the court’s view.

Why Does it Matter?

The district court’s decision creates a new challenge for breach victims seeking to protect investigation reports from disclosure under the work-product doctrine. A key purpose of the doctrine is to allow parties to engage in pre-litigation investigations without the fear of disclosure. Data breach victims dealing with regulators have historically had to manage the risk that disclosing investigation reports (in whole or in part) to regulators could result in litigation over whether work-product protections were waived. But the decision appears to raise the stakes. The risk of disclosure is not limited to a waiver analysis, where parties can defend the disclosure based on the circumstances of the compelled disclosure and can rely on law requiring the narrow construction of privilege waivers. Now, parties must also consider whether using a report for a non-litigation purpose after the fact will lead to the conclusion that the report wasn’t prepared for litigation at all and therefore not privileged in the first place.

What Do I Need to Do?

Because this decision is by a federal district court, this is an area that should be monitored to determine whether a trend develops around the court’s rationale. And in the interim, the best option seems to be to follow the court’s suggestion: create separate documents for regulatory compliance and litigation purposes.

It is, of course, important to maintain a good relationship with regulators to try to circumvent these issues, but the two-report approach is a practical way to preempt the issue entirely. The reality is that many litigation-related items do not need to be submitted in a regulatory report. For example, an emerging issue in the cybersecurity space is whether following a data breach, the company that suffered the breach should bring claims against other related parties. Analyzing the merits of this type of litigation is plainly covered by the work-product doctrine but is not needed for regulatory reports. Thus, by following the two-report approach, sensitive findings related to that potential litigation can be omitted from the regulatory report, preserving the work-product protection for the litigation-related document. This approach could help companies navigate the complexities of dual-purpose documents and maintain the intended protections of the work-product doctrine.

California Attorney General Targets Location Data in New Investigative Sweep

This week California Attorney General Rob Bonta announced a new investigative sweep under the California Consumer Privacy Act (CCPA). We have anticipated this sweep for some time based on the focus and the direction of a number of inquiries, investigations, and enforcement proceedings initiated by Attorney General Bonta’s office over the past 12-24 months.

The Notices of Violation issued by the Attorney General’s office will give rise to meaningful risks for many of the receiving businesses. We anticipate the Attorney General’s team will focus on granular technical details of data collection via mobile apps including through the third-party SDKs[1] that are ubiquitous across digital mobile products. How these and other digital analytics tools collect and transfer data, including precise location data, is often not well understood even by the internal digital marketing, data analytics, and product development teams that deploy and use the tools. This blind spot has created a zone of risk for many businesses that would not consider themselves a part of the “location data industry” referenced in the Attorney General’s announcement.

The interactions with the Attorney General’s office in these investigations and in enforcement proceedings can also change focus when the Attorney General’s staff suspects compliance gaps in other sensitive areas, such as use of mobile apps by children or in connection with healthcare or other sensitive activities. Careful and detailed internal legal/technical data flow analyses are therefore critical to quickly identifying the full scope of potential risk and framing the strategy for engaging with the Attorney General. For those businesses that have not received notices, this is another opportunity to close the gap between digital advertising, data analytics, and mobile app development and these emerging and increasingly clear legal privacy standards relating to precise location data and use of third-party SDKs in mobile apps.

Alston & Bird’s Privacy, Cyber & Data Strategy Team has extensive experience advising and defending clients who receive inquiries and violation notices from California’s privacy regulators. We will continue to monitor developments in privacy regulatory enforcement in California and other states.

[1] “SDK” refers to a software development kit. These tools, many of which are free, are commonly used by mobile app teams to shorten app development timelines and quickly add features and functions to mobile apps.

_______________________________
Originally published March 12, 2025 on Alston & Bird’s Privacy, Cyber & Data Strategy Blog.

Trump Administration Rescinds Biden Executive Order on Artificial Intelligence

What Happened?

Last week, President Trump signed an Executive Order that rescinded the Biden Administration’s October 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.

Titled “Removing Barriers to American Leadership in Artificial Intelligence,” the new Executive Order “revokes certain existing AI policies and directives that act as barriers to American AI innovation, [and will] clear a path for the United States to act decisively to retain global leadership in artificial intelligence.” The Trump Administration’s Executive Order directs executive departments and agencies to develop and submit to the President an action plan designed to meet that objective.

Why does it Matter?

AI is expected to be a focus for the new Administration, and policy likely will focus on AI development and innovation as a matter of economic competitiveness and national security. In December, (then President-elect) Trump named David Sacks, a prominent Silicon Valley venture capitalist, as the White House “AI and Crypto Czar.” When announcing this appointment, President Trump characterized AI as “critical to the future of American competitiveness…David will focus on making America the clear global leader…” We expect the Administration to focus on national security issues that include export control issues where the technology could be used in military applications by non-U.S. governments.

What’s Next?

In contrast to the deregulatory approach at the federal level, a number of states already have passed legislation relating to the use of AI, particularly in the consumer space, including laws relating to data use, consent, and disclosures. Additionally, state Attorneys General, particularly in “blue states,” have expressed concern about the risk of “high-risk” AI that can negatively impact consumers’ access to financial goods and services and employment opportunities. With growing use of AI, we expect more activity at the state level.

Ginnie Mae Imposes Cybersecurity Incident Notification Obligation

What Happened?

On March 4, 2024, Ginnie Mae issued All Participant Memorandum (APM) 24-02 to impose a new cybersecurity incident notification requirement. Ginnie Mae has also amended its Mortgage-Backed Securities Guide to reflect this new requirement.

Effective immediately, all Issuers, including subservicers, of Ginnie Mae Mortgage-Backed Securities (Issuers) are required to notify Ginnie Mae within 48 hours of detection that a “Significant Cybersecurity Incident” may have occurred.

Issuers must provide email notification to Ginnie Mae with the following information:

  • the date/time of the incident,
  • a summary of the incident based on what is known at the time of notification, and
  • designated point(s) of contact who will be responsible for coordinating any follow-up activities on behalf of the notifying party.

For purposes of this reporting obligation, a “Significant Cybersecurity Incident” is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies or has the potential to directly or indirectly impact the issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.”

Once Ginnie Mae receives notification, it may contact the designated point of contact to obtain further information and establish the appropriate level of engagement needed, depending on the scope and nature of the incident.

Ginnie Mae also previewed that it is reviewing its information security requirements with the intent of further refining its information security, business continuity and reporting requirements.

Why Is It Important?

Under the Ginnie Mae Guaranty Agreement, Issuers are required to furnish reports or information as requested by Ginnie Mae. Any failure of the Issuer to comply with the terms of the Guaranty Agreement constitutes an event of default if it has not been corrected to Ginnie Mae’s satisfaction within 30 days. Moreover, Ginnie Mae reserves the right to declare immediate default if an Issuer receives three or more notices for failure to comply with the Guaranty Agreement. It is worth noting that an immediate default also occurs if certain acts or conditions occur, including the “submission of false reports, statements or data or any act of dishonesty or breach of fiduciary duty to Ginnie Mae related to the MBS program.”

Ginnie Mae’s notification requirement adds to the list of data breach notification obligations with which mortgage servicers must comply. For example, according to the Federal Trade Commission, all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply. For example, with respect to mortgage servicing, both Fannie Mae and Freddie Mac impose notification obligations similar to that of Ginnie Mae.

What Do I Need to Do?

If you are an Issuer and facing a cybersecurity incident, please take note of this reporting obligation. For Issuers who have not yet faced a cybersecurity incident, now is the time to ensure you are prepared as your company could become the next victim of a cybersecurity incident given the rise in cybersecurity attacks against financial services companies.

As regulated entities, mortgage companies must ensure compliance with all the applicable reporting obligations, and the list is growing. Our Cybersecurity & Risk Management Team can assist.