Alston & Bird Consumer Finance Blog


Texas Commercial Sales-Based Financing Law Poses Unique Challenges to Financial Services Industry

What Happened?

Following the path of nine other states that have enacted laws to regulate commercial non-real-estate-secured financing, on May 28, 2025, the Texas legislature passed a “commercial sales-based financing” bill, known as House Bill 700[1], and Governor Greg Abbott signed the bill into law on June 20, 2025. Unlike other state laws that have required providers of commercial financing to make Truth-in-Lending-type disclosures to borrowers, and in some instances, register with state authorities, the Texas legislation caps the cost of “sales-based financing,” which is defined as “a transaction that is repaid by the recipient to the provider of the financing as a percentage of sales or revenue, in which the payment amount may increase or decrease according to the volume of sales made or revenue received by the recipient or according to a fixed payment mechanism that provides for a reconciliation process that adjusts the payment to an amount that is a percentage of sales or revenue.” Most provisions of the law become effective on September 1, 2025, except for the provider and broker registration requirement, discussed below, which takes effect on December 31, 2026.

Why It Matters

Notably, the Texas legislation includes a provision that prohibits sales-based financing providers from establishing a “mechanism for automatically debiting a recipient’s deposit account” unless the provider obtains and perfects a security interest in the recipient’s account with “first priority” against the claims of “all other persons.” As a practical matter, no provider is likely to meet this standard. Under the Uniform Commercial Code, a security interest in a deposit account can only be perfected by entering into a deposit account control agreement with the bank at which the account is maintained. These control agreements typically provide a creditor with lien priority against the claims of other secured creditors, but not against the claims of the bank itself. Because the claims of the bank will be superior to the claims of the sales-based financing provider, no provider would be able to satisfy the Texas requirement that the provider’s interest have priority against the claims of “all other persons.” This requirement is significant because most sales-based financing transactions require payment via automated clearing house (ACH) debit entries to the recipient’s deposit account. It is unclear whether providers will be able to devise alternative payment methods or whether such alternative payment methods will negatively impact the performance of sales-based finance transactions.

Further, the legislation amends Texas law to exclude “sales-based financing” from Texas’s usury exemption. Under the new legislation, fees and charges paid or charged under a “sales-based financing” transaction count as interest under state usury law, regardless of the amount financed. However, the legislation does not require disclosure of an APR or interest rate, and it is not clear how the interest rate of a “sales-based financing transaction” would be determined for usury purposes.

The Texas legislation requires providers who extend specific offers of commercial “sales-based financing” of less than $1,000,000 to disclose to Texas-based recipients, among other things, (1) the total amount of the financing; (2) the disbursement amount; (3) the finance charge; (4) the total repayment amount; and (5) the estimated period for the periodic payments to equal the total repayment amount under the terms of the financing.

The legislation requires financers (i.e., “providers”) and brokers of “sales-based financing” transactions to register with the Texas Office of Consumer Credit Commissioner and to renew their registrations annually by January 31. The legislation exempts from its requirements banks (specifically including out-of-state banks) and their subsidiaries and affiliates, certain companies that provide tech services to exempt entities, lenders regulated under the Farm Credit Act, real property secured sales-based financing, true (operating) leases, and certain commercial sales-based financing agreements or commercial open-end credit plans of $50,000 or more.

Again, most provisions of the law become effective on September 1, 2025, except for the provider and broker registration requirement, which takes effect on December 31, 2026.

A person who violates the law would be subject to a civil penalty of $10,000 for each violation, but the legislation does not authorize a private right of action for violations arising under the law.

What To Do Now

The Texas legislation, while part of a growing trend of augmented state regulation of commercial non-real-estate-secured lending, is far more burdensome than other similar state laws enacted to date, and at first blush, absent an exemption, may render it extremely difficult, if not impossible, to conduct sales-based financing in Texas. Only time will tell whether lenders can devise alternative financing methods that are not ensnared by the legislation or whether the legislature amends the law.

[1] https://legiscan.com/TX/text/HB700/2025


President’s Working Group Declares a New Era for Digital Assets

What Happened?

On July 30, 2025, the President’s Working Group on Digital Asset Markets released a comprehensive Digital Assets Report, outlining a national strategy for cryptocurrency and blockchain. Declaring a departure from the prior Administration’s approach, the report recommends that regulators adopt pro-innovation rules toward digital assets and blockchain technology. It addresses market structure, banking, payments, stablecoins, taxation, and anti-money-laundering (AML) measures.

The Working Group was established in the President’s January Executive Order, Strengthening American Leadership in Digital Financial Technology, which declared support for the responsible growth and use of digital assets, blockchain technologies, and related technologies across all sectors of the economy.

Why Is It Important?

The report marks a significant shift in U.S. policy, and it is designed to position the United States as a global leader in digital finance. It outlines lawful digital asset use, including self-custody rights, and promotes U.S. dollar-pegged stablecoins to strengthen dollar dominance globally (while rejecting a U.S. central bank digital currency). The recommended framework includes tools such as safe harbors, innovation exemptions, and updated tax and banking rules.

On July 31, 2025, SEC Chair Paul Atkins amplified the report’s significance in a speech, American Leadership in the Digital Finance Revolution, calling it a “blueprint to make America first in blockchain and crypto technology.” He characterized the potential of digital asset technology as a new era in the history of financial markets and said that regulatory clarity could unleash unprecedented capital formation and consumer choice.

What To Do Now?

The regulatory tide has clearly shifted for companies who wish to explore or engage in the digital asset ecosystem. As always, sound compliance and governance structures will be key as regulatory expectations evolve. Additionally, engaging with regulators and industry groups to craft safe harbors and sandbox programs will be crucial to ensure alignment with evolving regulatory approaches for AML, banking, tax, and digital identity standards.

Privacy, Cyber & Data Strategy / White Collar, Government & Internal Investigations Advisory | GENIUS Act Establishes Federal Regulatory Oversight of Global Stablecoin Industry

Executive Summary

Our Privacy, Cyber & Data Strategy and White Collar, Government & Internal Investigations Teams examine how the GENIUS Act’s framework for stablecoin issuers will impact the cryptocurrency sector.

  • The Act restricts the issuance of payment stablecoins within the United States to “permitted payment stablecoin issuers” (PPSIs)
  • PPSIs must maintain reserves of high-quality, liquid assets that fully back their outstanding stablecoins on at least a one-to-one basis
  • Regulatory oversight is divided between federal and state authorities, with joint oversight applying when state issuers exceed certain thresholds or opt into federal frameworks

___________________________________________________

On July 17, 2025, during “Crypto Week,” the U.S. House of Representatives passed the landmark Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act). Signed into law by President Donald Trump the next day, the GENIUS Act establishes a comprehensive federal framework for the issuance of payment stablecoins, regulation of stablecoin issuers, and both federal and state oversight for stablecoin authorization, audits, and other obligations. Domestic and foreign issuers in the more than $250 billion stablecoin market now have a clear path to securing and maintaining regulatory compliance in the United States.

Demonstrating rare cross-aisle cooperation and a shared interest in modernizing financial regulations to match emerging blockchain and artificial intelligence (AI) technologies, the Act garnered 308 affirmative votes in the House and 68 in the Senate, surpassing the upper chamber’s filibuster threshold. The GENIUS Act addresses Trump’s key campaign and policy promise to bring clarity and control to the digital asset market.

Key Provisions of the GENIUS Act

Effective date

The GENIUS Act takes effect on the earlier of (1) January 18, 2027 (18 months after the date the Act is enacted into law); or (2) 120 days after the primary federal regulators responsible for stablecoins issue their final regulations to implement the Act.

Authorized issuance of stablecoins only

The Act restricts the issuance of payment stablecoins within the United States to only those entities that qualify as “permitted payment stablecoin issuers” (PPSIs). PPSIs must be either U.S.-based issuers authorized under the Act or foreign issuers that are registered and operate under a regulatory framework deemed comparable to the Act by U.S. authorities and are subject to supervision by the Office of the Comptroller of the Currency (OCC).

A domestic PPSI must meet the requirements of one of three main categories: (1) subsidiary of an insured depository institution that has received approval to issue payment stablecoins under Section 5 of the Act; (2) federal qualified payment stablecoin issuers, which encompass nonbank entities (excluding state-qualified issuers) approved by the OCC, uninsured national banks chartered and approved by the OCC, or a foreign bank that does business outside the United States and has opened one or more federally licensed branches or offices in a U.S. state (“federal branch”), approved by the OCC; or (3) state-qualified payment stablecoin issuers, which are entities legally established under state law and approved by a state payment stablecoin regulator, provided they are not an uninsured national bank, federal branch, insured depository institution, or subsidiary of any such entities.

Requirements for issuing stablecoins

PPSIs must maintain reserves that fully back their outstanding stablecoins on at least a one-to-one basis. These reserves must consist of high-quality, liquid assets such as U.S. coins and currency or credit with a Federal Reserve Bank, demand deposits at insured depository institutions, short-term U.S. Treasury securities, and other monetary securities described in Section 4(a)(1) of the GENIUS Act. Any PPSI must publicly disclose its redemption policies and publish monthly reports detailing the composition, average maturity, and custody location of its reserves. A PPSI’s CEO and CFO must certify the accuracy of those monthly reports, and the Act makes knowingly false certifications punishable by up to 10 or 20 years’ imprisonment under 18 U.S.C. § 1350. To ensure reserve quality and transparency, PPSIs are prohibited from pledging, rehypothecating, or reusing reserves except under limited conditions, such as meeting margin obligations for investments in permitted reserves or creating liquidity to redeem payment stablecoins.

Mitigating money laundering and illicit financing risk

The GENIUS Act designates permitted payment stablecoin issuers as “financial institutions” under the Bank Secrecy Act (BSA), requiring them to implement robust compliance programs to prevent money laundering, terrorist financing, sanctions evasion, and other illicit activity. PPSIs must annually certify that they have implemented an effective BSA/AML compliance program. False certifications are punishable by up to five years’ imprisonment. To ensure regulatory parity, the Act’s registration and inspection requirements for foreign issuers effectively subject them to similar compliance standards when accessing the U.S. market. Issuers must also be technologically capable of assisting with asset freezes, seizures, and turnovers pursuant to lawful orders. The Act further strengthens enforcement by requiring both U.S. and foreign issuers to (1) maintain the technical ability to comply with such orders; and (2) comply with them. Foreign issuers that fail to do so may be designated “noncompliant” by the Treasury, triggering a ban on secondary trading of their stablecoins after 30 days. Violations of that ban carry steep penalties—up to $100,000 per day for digital asset service providers and $1 million per day for foreign issuers.

Regulatory oversight

Regulatory oversight is divided between federal and state authorities, with federal regulators overseeing federally chartered or bank-affiliated issuers, state regulators supervising state-chartered issuers, and joint oversight applying when state issuers exceed certain thresholds or opt into federal frameworks. Regulators are responsible for licensing, examining, and supervising PPSIs to ensure compliance with the Act’s requirements, including reserve backing, redemption policies, and risk management standards.

PPSIs with more than $50 billion in consolidated total outstanding issuance that are not subject to the reporting requirements of the Securities Exchange Act of 1934 are required to prepare an annual financial statement in accordance with generally accepted accounting principles (GAAP) and must disclose any “related party transactions,” as defined under GAAP. A registered public accounting firm must audit the annual financial statement, and the audit must comply with all applicable standards set by the Public Company Accounting Oversight Board. These audited financial statements must also be made publicly available on the PPSI’s website and submitted annually to the PPSI’s primary federal payment stablecoin regulator.

Civil and criminal penalties

Additional civil and criminal penalties are set out throughout the Act. Notably, entities other than PPSIs that issue payment stablecoins in the United States without proper approval may face civil penalties of up to $100,000 per day for violations. Individuals who knowingly issue stablecoins in the United States without being a permitted payment stablecoin issuer face up to five years’ imprisonment and fines up to $1 million for each violation. Additionally, individuals with certain felony convictions are prohibited from serving as officers or directors of a PPSI, and violations of that prohibition can result in imprisonment for up to five years. The Act expressly gives regulators discretion to refer violations of the Act to the Attorney General.

Modernizing anti-money laundering and financial crimes compliance

The GENIUS Act places a strong emphasis on leveraging blockchain technology and AI to modernize the detection of illicit financial activity involving digital assets. The Act mandates that the Secretary of the Treasury initiate a public comment period to gather insights on how regulated financial institutions are using or could use innovative tools—particularly blockchain and AI—to detect money laundering and related crimes. Blockchain technology is highlighted for its potential in transaction monitoring and transparency, especially in tracking digital asset flows and identifying suspicious patterns.

Rulemaking timeline

The Act mandates that all primary federal payment stablecoin regulators, the Secretary of the Treasury, and state payment stablecoin regulators must promulgate regulations to implement the Act within one year of its enactment (July 18, 2026). These regulations must be issued through a notice-and-comment process. Additionally, within 180 days of the Act’s effective date, the OCC, Federal Deposit Insurance Corporation, and Board of Governors of the Federal Reserve System shall submit a report to the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services that confirms and describes the regulations necessary to carry out this Act.

Other Impending Crypto Legislation

The GENIUS Act is momentous for stablecoin issuers, but it does not resolve a number of crypto-native issues, which are the subject of a broader market structure bill known as the Digital Asset Market Clarity Act of 2025 (CLARITY Act). The CLARITY Act passed the House with broad bipartisan support, and a version is currently under Senate consideration. While the GENIUS Act focused narrowly on regulating stablecoin issuers, the CLARITY Act seeks to establish a robust regulatory framework for all digital assets and define the roles of the Securities and Exchange Commission and Commodity Futures Trading Commission in policing the digital asset markets. Most notably, for the first time, the CLARITY Act attempts to classify digital assets based on their characteristics, such as decentralization and blockchain maturity, with a goal of reducing regulatory uncertainty and fostering innovation in the cryptocurrency industry. Senator Tim Scott (R-SC), chair of the Senate Banking Committee, has made several public statements on the timeline for consideration of the CLARITY Act, with committee markup expected in September and full Senate action possible by late fall.

Conclusion

The GENIUS Act establishes a robust framework for the issuance and oversight of payment stablecoins in the United States. It sets clear standards to ensure transparency for the backing of permitted payment stablecoins, and it requires issuers, like traditional financial institutions, to quickly establish robust compliance programs to combat illicit uses of their stablecoins. With its strong bipartisan backing and goals of financial stability, consumer protection, and global competitiveness, the Act could lay the groundwork for a more transparent and trustworthy digital asset ecosystem.

Ransomware Fusion Center

Stay ahead of evolving ransomware threats with Alston & Bird’s Ransomware Fusion Center. Our Privacy, Cyber & Data Strategy Team offers comprehensive resources and expert guidance to help your organization prepare for and respond to ransomware incidents. Visit Alston & Bird’s Ransomware Fusion Center to learn more and access our tools.

Originally published July 24, 2025.

If you have any questions, or would like additional information, please contact one of the attorneys on our Privacy, Cyber & Data Strategy team.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

From Uncertainty to Action: DOJ Rolls Out a New White-Collar Enforcement Playbook

On May 12, 2025, the head of the U.S. Department of Justice Criminal Division, Matthew Galeotti, announced a new white-collar enforcement plan rooted in three tenets: “focus, fairness, and efficiency.” The new plan includes updates to the Criminal Division’s Corporate Enforcement Policy (CEP), independent compliance monitor selection policy, and whistleblower programs.

In announcing the new plan, Galeotti explained that the DOJ’s Criminal Division “is turning a new page on white-collar and corporate enforcement,” and despite recent indications of a step back from corporate criminal enforcement by the DOJ, the plan suggests that such enforcement is certain to continue in many ways that are familiar to companies and counsel. The plan designates 10 areas of focus for white-collar enforcement: Some are longstanding enforcement priorities, such as health care fraud, and some are newer initiatives that align with the Trump Administration’s priorities, such as trade and tariff-related enforcement.

Ten Corporate Criminal Enforcement Priorities
The Criminal Division’s plan is directed at “corporate crime in areas that will have the greatest impact in protecting American citizens and companies and promoting U.S. interests,” and prioritizes 10 “high-impact areas” for investigative and prosecutorial focus:
1. Fraud, waste, and abuse, including health care fraud and federal program and procurement fraud.
2. Trade and customs fraud, including tariff evasion.
3. Fraud perpetrated through special purpose vehicles or variable interest entities, including securities fraud and market manipulation.
4. Fraud on U.S. investors, including through Ponzi schemes.
5. National security threats, including threats to the U.S. financial system.
6. Support to terrorist organizations, including designated cartels.
7. Complex money laundering.
8. Violations of the Controlled Substances Act and the Food, Drug, and Cosmetic Act, including illegal distribution of fentanyl and other drugs.
9. Bribery and associated money laundering.
10. Certain crimes involving digital assets.

In investigating and prosecuting these types of conduct, the Criminal Division further commits to prioritize “schemes involving senior-level personnel or other culpable actors, demonstrable loss, and efforts to obstruct justice,” and the identification and seizure of “assets that are the proceeds of, or involved in” such conduct.

Corporate Enforcement Policy Changes
The CEP was introduced in 2016 as a pilot program for the Criminal Division’s Foreign Corrupt Practices Act unit. In 2018, the policy was extended to “all other corporate matters” handled by the Criminal Division. In 2023, the CEP was revised again to further incentivize self-disclosure through greater fine discounts. But at the same time, DOJ leadership announced that non-prosecution agreements (NPAs) and deferred prosecution agreements would be “disfavored” without fast and full cooperation. (Alston & Bird’s analysis of the CEP changes over time appears in advisories, available here, here, and here).

While this latest CEP update provides more certainty for companies who self-report and credit for “near misses,” it may also result in the DOJ wielding a bigger stick against companies deemed to fall outside that scope. The revised CEP offers three categories of potential benefits for companies:

  • To companies that (1) promptly and voluntarily self-disclose potential misconduct; (2) fully cooperate with the DOJ’s investigation; and (3) undertake timely and appropriate remediation, the Criminal Division promises a declination of enforcement action (provided no “aggravating circumstances” are present), rather than (as before) simply offering a presumption of a declination.
  • To companies in the “near miss” category that do not qualify for a declination (due to failure to self-report or the presence of aggravating circumstances), the Criminal Division promises an NPA with a term of three years or less (except in “exceedingly rare cases”), no monitor, and a 75% fine reduction (calculated from the low end of the applicable U.S. Sentencing Guideline range).
  • To companies that fail to satisfy any of the three key criteria – voluntary self-disclosure, full cooperation, and timely and appropriate remediation – the Criminal Division caps the available fine reduction at 50% (typically from the low end of the applicable guideline range) and does not rule out the possibility of imposing an independent compliance monitor.

In an effort to further clarify these policy changes, the Criminal Division has, for the first time, distilled the CEP into a flowchart:

Corporate Enforcement Policy flowchart

Whistleblower Program Changes
To reinforce the changes to the CEP, Galeotti directed that the Criminal Division’s Corporate Whistleblower Awards Pilot Program (covered in an earlier Alston & Bird advisory, available here) be amended to include six additional types of conduct of interest. These new areas are:
1. Violations by corporations related to cartels and transnational criminal organizations, including money laundering.
2. Violations by corporations of federal immigration law.
3. Violations by corporations involving material support of terrorism.
4. Corporate sanctions offenses.
5. Corporate trade, tariff, and customs fraud.
6. Corporate procurement fraud.

Individuals reporting such conduct must still meet the Corporate Whistleblower Awards Pilot Program criteria. But the program’s expansion increases corporate risk as companies continue to grapple with the significant implications of the numerous whistleblower programs launched by the DOJ in 2024 (covered in an Alston & Bird advisory, available here).

Monitor Selection Policy Changes
In his Memorandum on the Selection of Monitors in Criminal Division Matters, Galeotti aims to “clarify[] the factors that prosecutors must consider when determining whether a monitor is appropriate and how those factors should be applied” and also emphasizes the need to “appropriately tailor and scope the monitor’s review and mandate.” To accomplish these goals, the memo lists four criteria prosecutors are to consider when assessing the need for a monitor:
1. The risk of recurrence of criminal conduct that significantly impacts U.S. interests.
2. The availability and efficacy of other independent government oversight.
3. The efficacy of the company’s compliance program and culture of compliance at the time of the resolution.
4. The maturity of the company’s controls and its ability to independently test and update its compliance program.

Based on those criteria, if a prosecutor determines that a monitor is appropriate, then Galeotti’s memo requires prosecutors to take three specific steps “to ensure [the monitorship] is carried out appropriately”:
1. Close scrutiny and management of costs associated with the monitorship, including a cap on hourly rates, a preliminary budget, and periodically updated cost estimates.
2. Biannual (at least) “tri-partite” meetings of the government, the company, and the monitor to ensure alignment.
3. Ongoing collaboration among the government, the company, and the monitor, including “an open dialogue” among all three parties.

This revised and restated DOJ approach to monitors largely mirrors that of the first Trump Administration, during which the DOJ expressed greater hesitation to impose monitors as part of corporate criminal resolutions. In 2018, the DOJ issued a memorandum from then Assistant Attorney General Brian Benczkowski (discussed in a prior Alston & Bird advisory, available here), which instructed that monitors should only be imposed “where there is a demonstrated need for, and clear benefit to be derived from, a monitorship relative to the projected costs and burdens.” Three years later, however, Biden Administration Deputy Attorney General Lisa Monaco reversed course and signaled a greater DOJ appetite for the imposition of monitors (see prior Alston & Bird analysis, available here). It appears the pendulum has now swung back again, with the Criminal Division resuming something like its prior stance on monitorships and having already terminated certain existing monitorships early.

Key Takeaways
White-collar enforcement remains a DOJ priority. Since President Trump’s reelection, speculation has swirled about whether the DOJ would pull back from white-collar criminal enforcement. Various DOJ memoranda and Executive Orders—most notably the President’s February 10, 2025 order purporting to “pause” DOJ enforcement of the Foreign Corrupt Practices Act (discussed in a prior Alston & Bird advisory, available here)—have fueled such speculation and uncertainty. But the Criminal Division’s new plan sends an unmistakable signal: DOJ white-collar enforcement will continue, and may even expand, as clarified expectations and resource alignment take hold in the coming years.

Broad industry impact. The Criminal Division’s plan distills its white-collar enforcement focus into 10 “high-impact areas,” which may at first seem to represent a narrowing of the Criminal Division’s focus. However, those areas span multiple sectors, including health care and life sciences, financial services, investment management, industrials and manufacturing, natural resources, defense, retail, and others.

The DOJ’s Criminal Division intends to flex its new muscles. Public reports indicate that DOJ leadership plans to shift certain criminal enforcement responsibilities previously assigned to the Civil Division’s Consumer Protection Branch to the Criminal Division, and the Criminal Division’s new plan appears to not only reflect that shift—by including as priorities elder fraud, “fraud that threatens the health and safety of consumers,” and violations of the Food, Drug, and Cosmetic Act—but to suggest that Criminal Division prosecutors will quickly put these reassigned authorities to use.

More opportunities for whistleblowers. The Criminal Division’s new plan indicates that any speculation that the DOJ might scale back the Corporate Whistleblower Awards Pilot Program or otherwise express disinterest in whistleblowers is unfounded. The new plan states that Criminal Division leadership has “reviewed the Criminal Division’s existing pilot program” and made just one change: expanding the scope of conduct for which whistleblower reports will be incentivized.

What does the DOJ’s commitment to “efficiency” mean in practice? Galeotti’s remarks in announcing the new Criminal Division plan highlight potential concerns around DOJ white-collar enforcement: It can be costly, “unchecked,” “unfocused,” and can drag on for years, unduly disrupting law-abiding businesses. The new plan commits the Criminal Division to targeted, tailored white-collar enforcement and directs prosecutors to “move expeditiously to investigate cases and make charging decisions.” But how this commitment will play out remains unclear—whether it will primarily shape internal decision-making at the DOJ or lead to perceptible outward-facing changes such as more tailored DOJ expectations and demands of cooperating companies.

A less patient DOJ? As welcome as this increased clarity and focus by the DOJ’s Criminal Division may be, the price of it for companies likely will be some measure of diminished patience on the part of Criminal Division prosecutors and supervisors regarding investigative or other delays by subjects and targets of investigations. This raises the stakes for compliance improvements that will better ensure prompt detection of potentially illegal conduct, skilled and efficient internal investigations of any such conduct, effective assessment of the all-important self-reporting decision, and adroit engagement with the government.

Compliance ROI higher than ever. By returning to a more skeptical posture regarding the imposition of independent compliance monitors, the Criminal Division is offering more of a potential reward than ever to companies that implement robust compliance programs. Beyond preventing and detecting misconduct, such programs will position companies to proactively engage with the DOJ and will better position companies to persuade a far more receptive DOJ that a monitor is unnecessary.

_________________________________________

Originally published May 15, 2025.

Alston & Bird’s White Collar, Government & Internal Investigations team, which is composed of numerous former federal and state prosecutors and agency staff (including several former DOJ Criminal Division prosecutors), will continue to monitor and provide updates on the Criminal Division’s implementation of these new policies.

If you have any questions, or would like additional information, please contact one of the attorneys on our White Collar,
Government & Internal Investigations team.


Wave Goodbye to the Waiver Debate: Court Holds Data Breach Investigation Report Not Work Product from the Start

Litigants in data breach class actions often fight over whether a data breach investigation report prepared in response to the breach is protected by the work-product doctrine. Common areas of dispute include whether the report was prepared in whole or in part for business—not legal—purposes, and whether the report relays facts that are not discernable from other sources. The fight becomes even more complicated, however, when the company that suffered the data breach is required to provide the report to regulators.

For example, in the mortgage industry, mortgagees regulated by the Multistate Mortgage Committee (MMC) are required to provide a “root cause report” following a data breach. Similarly, under Mortgagee Letter 2024-10, FHA-approved mortgagees must notify HUD of a cybersecurity incident and provide the cause of the incident. These reporting obligations involve production of information to regulators that typically overlaps with the content of data breach investigation reports.

Traditionally, one might think that disclosure of an investigation report (or its contents) to a regulator was a question of waiver. But recently, a federal district court in the Southern District of Florida bypassed the waiver analysis entirely by holding that reports provided to regulators weren’t protected by the work-product doctrine because they were primarily created for regulatory compliance rather than in anticipation of litigation, even though, factually, they weren’t originally created for the purpose of regulatory compliance.

What Happened?

In a recent decision in a data breach litigation against a national mortgage loan servicer, the court considered whether investigative reports prepared by cybersecurity firms were protected under the work-product doctrine. These reports were initially withheld from discovery on the familiar grounds that they were prepared in anticipation of litigation following a data breach. But the plaintiffs argued that because the reports were disclosed to mortgage industry regulators, any work-product protections were waived.

Rather than address the waiver issue, the court analyzed whether the documents were privileged in the first place under the dual-purpose doctrine, which assesses whether a document was prepared in anticipation of litigation or for other business purposes. Under this doctrine (adopted by the First, Second, Third, Fourth, Sixth, Seventh, Eighth, Ninth, and D.C. Circuits), a document is protected if it was created “because of” the anticipated litigation, even if it also serves an ordinary business purpose. Notably, the court found that the reports were primarily created to comply with regulatory obligations, specifically those imposed by the MMC, even though they’d initially been prepared in anticipation of litigation. In the court’s view, the unredacted submission of the reports to the MMC, when demanded, evidenced that the predominant purpose for their creation was regulatory compliance.

The court ended with the suggestion that the defendants could have avoided this issue by creating a separate document for regulatory compliance, omitting sensitive findings related to litigation. Aside from this suggestion, there does not appear to be a legal framework under which the disclosed reports would have been protected work product, at least in the court’s view.

Why Does It Matter?

The district court’s decision creates a new challenge for breach victims seeking to protect investigation reports from disclosure under the work-product doctrine. A key purpose of the doctrine is to allow parties to engage in pre-litigation investigations without the fear of disclosure. Data breach victims dealing with regulators have historically had to manage the risk that disclosing investigation reports (in whole or in part) to regulators could result in litigation over whether work-product protections were waived. But the decision appears to raise the stakes. The risk of disclosure is not limited to a waiver analysis, where parties can defend the disclosure based on the circumstances of the compelled disclosure and can rely on law requiring the narrow construction of privilege waivers. Now, parties must also consider whether using a report for a non-litigation purpose after the fact will lead to the conclusion that the report wasn’t prepared for litigation at all and therefore was never privileged in the first place.

What Do I Need to Do?

Because this decision is by a federal district court, this is an area that should be monitored to determine whether a trend develops around the court’s rationale. And in the interim, the best option seems to be to follow the court’s suggestion: create separate documents for regulatory compliance and litigation purposes.

It is, of course, important to maintain a good relationship with regulators to try to circumvent these issues, but the two-report approach is a practical way to preempt the issue entirely. The reality is that many litigation-related items do not need to be submitted in a regulatory report. For example, an emerging issue in the cybersecurity space is whether following a data breach, the company that suffered the breach should bring claims against other related parties. Analyzing the merits of this type of litigation is plainly covered by the work-product doctrine but is not needed for regulatory reports. Thus, by following the two-report approach, sensitive findings related to that potential litigation can be omitted from the regulatory report, preserving the work-product protection for the litigation-related document. This approach could help companies navigate the complexities of dual-purpose documents and maintain the intended protections of the work-product doctrine.