They continued promoting whistleblowing and expanded the potential violations for which whistleblowers could receive awards; they continued to focus on the efficacy of compliance programs when assessing both whether to bring actions and how violations should be punished; they scrutinized how companies used and claimed to use artificial intelligence (AI) and comported with environmental, social, and governance (ESG) claims; they doubled-down on their recent focus on cryptocurrency; and they leveraged ever-increasing data available to them to identify potential misconduct, particularly in the securities markets.
Looking ahead to 2025, the Trump administration may bring some of the most significant shifts in U.S. enforcement priorities we have ever seen. There will almost certainly be a greater focus on domestic issues, a complete shift in the approach toward cryptocurrency, and fewer resources devoted toward business crime generally. And we expect greater priority to be placed on prosecuting violations that caused actual loss to investors and customers, with less emphasis on procedural violations that create perceived risk but no realized harm. However, any changes will likely take time to implement, and even as senior leaderships shift enforcement priorities, line attorneys will continue to be incentivized to bring as many cases as ever, so for anyone caught in the crosshairs of an investigation, it may appear no different in 2025 as compared to 2024.
Major enforcement trends and developments
Continued emphasis on whistleblower programs and protections
Enforcement agencies in the U.S. continued to prioritize whistleblowing to generate tips that they could turn into enforcement actions.
The Department of Justice (DOJ) established its Corporate Whistleblower Awards Pilot Program on August 1, 2024, adding to established programs under the SEC, CFTC, and FinCEN. In remarks introducing the program, Deputy Attorney General Lisa Monaco explained that the program will “fill … gaps” in the “patchwork quilt” of whistleblowing programs by incentivizing reporting on corporate criminal fraud. Companies are now specifically incentivized to report within 120 days of any internal whistleblowing to receive a presumption of declination under the Criminal Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy.
Existing whistleblower programs continued to issue massive awards. For example, the SEC’s whistleblower program gave out its third highest total of awards, including one award for USD98 million (the fifth largest ever by the program).
And the SEC and CFTC brought various enforcement actions designed to ensure that companies did nothing that could be perceived as chilling potential whistleblowers’ ability to submit complaints. Both agencies reached multiple settlements with companies that entered confidentiality agreements with employees and clients in various scenarios that the regulators alleged could be read to preclude parties from raising regulatory concerns to the authorities as whistleblowers, in violation of SEC Rule 21F-17(a) and CFTC Rule 165.19(b) respectively.
Evaluation of procedures and controls as a core component of enforcement resolutions
U.S. authorities continued their focus on the structure and efficacy of companies’ compliance programs and disclosure controls and procedures. They further entrenched the evaluation of compliance programs as a core component in the calculation of punishments levied against corporate actors. They also demonstrated an increased willingness to bring cases for perceived weaknesses in policies and procedures even when compliance gaps did not cause actual loss to customers and investors. For example:
- In one of the largest actions of the year, a major financial institution pleaded guilty to Bank Secrecy Act violations and conspiracy to commit money laundering as part of a USD3 billion resolution with the DOJ, FINCEN, and banking regulators. Attorney General Merrick Garland emphasized that the size of the resolution—the largest ever in a BSA case—was due to the bank having allegedly failed to maintain a sufficient AML program and update that program when known risks were presented to leadership.
- The SEC continued to charge regulated entities with recordkeeping violations for allegedly inadequate preservation of “off channel” communications, announcing an additional USD390 million in settlement agreements with 26 firms, on top of the significant number of resolutions with major financial institutions in 2023.
- The SEC charged four public companies with inadequate cyber disclosures in the aftermath of the SolarWinds data breach, in some ways doubling down on the aggressive disclosure controls theory that it had brought against SolarWinds itself, notwithstanding the courtroom setbacks it suffered in 2024.
Increased attention to artificial intelligence
2024 also saw regulators respond to companies’ promotion of AI by applying traditional enforcement theories to the emerging technology. The primary focus of these efforts was ensuring companies did not misrepresent their reliance on AI by either overstating or failing to disclose the extent to which they had incorporated AI into their operations, much as regulators had been doing in recent years with companies’ claims of ESG achievements. For example:
- The FTC announced a crackdown on “deceptive AI claims and schemes” targeting companies that used AI to “hype” up products and generate false reviews or marketed AI technology that failed to perform as advertised.
- The SEC took aim at “AI washing” e.g., charging multiple investment advisors with making false and misleading statements by allegedly overstating their use of AI and machine learning in their investment strategies.
- The CFTC’s Technology Advisory Committee issued a report calling for the implementation of “guiderails” and a new AI framework for financial institutions to operate under to ensure adequate risk management for AI to protect financial markets.
- DOJ amended the Criminal Division’s Evaluation of Corporate Compliance Programs to include evaluation of a company’s ability to assess “the potential impact of new technologies, such as artificial intelligence” and the governance structures put in place to manage these risks.
Continued focus on cryptocurrency
Despite suffering a key courtroom setback in the SEC’s case against Ripple in 2023, authorities in 2024 continued to aggressively pursue new and existing cases against issuers of tokens and crypto exchanges, often based primarily on the still unsettled claim that secondary trading in tokens requires securities registration and in the absence of any allegation of fraud. In October 2024, the SEC expanded its focus, bringing a case against one of the world’s leading liquidity providers for crypto assets solely on the theory that it needed to register as a market-maker—something that the firm arguably could not do under existing regulations.
Increasing use of data to identify and pursue enforcement actions
Regulators continued to leverage ever-increasing data sources to identify and pursue enforcement actions. For example, regulated entities are now fully subject to the Consolidated Audit Trail (CAT), which has given FINRA and SEC access to more trade data than ever before, granting these regulators unprecedented ability to spot trends and link trading patterns across individuals and products. We expect that regulators will use such data to investigate and bring more trading and manipulation cases, including based on the SEC’s new “shadow trading” theory in which an investment professional was found liable of insider trading by using material non-public information (MNPI) about his own company to profit from investments in similar companies in the same industry. While the viability of CAT has been specifically criticized by certain industry participants (and may be disfavored by the next administration) it will yield substantial opportunities for investigative staff in the meantime.
Predictions for 2025 and beyond
The Trump administration will undoubtedly bring substantial change. For example, the approach to cryptocurrency will surely change, with regulators shifting away from registration-based cases and in support of rulemaking aimed at making the U.S. more attractive for cryptocurrency firms. We think shifts will come in the following areas as well:
- Regulators will focus less attention on bringing actions based solely on corporate control weaknesses and will place greater emphasis on bringing cases where significant financial loss occurred.
- Regulators may open new investigations rooted in domestic political interests e.g., by investigating companies’ approach to environmental issues and diversity initiatives.
- Global geopolitical tensions will continue to put national security interests at the center of the U.S.’s enforcement regime, with the targets of those interests potentially shifting away from Russia and towards China and other jurisdictions.
But change takes time, and we expect many of the 2024 trends to continue through much of 2025 as leadership transitions at major regulators.
Directory quotes
- “The firm has highly effective and talented attorneys capable of handling the most sophisticated and complex matters.” — Chambers USA
- “The team's judgment is excellent and their strategic approach is terrific.” — Chambers USA
- “The team is responsive, commercial, and pragmatic. They always give solid advice that is mindful of the company's commercial needs.” — The Legal 500
- “Katherine is a smart, creative white-collar practitioner with technical knowledge.” — Chambers USA
- “David has terrific credibility with government lawyers, an excellent touch and a very good manner.” —Chambers USA
This article is part of the A&O Shearman Cross-Border White-Collar Crime and Investigations Review. Please click here for our overviews and insights in other jurisdictions.
