Archives for June 2026

When Fintech Growth Outpaces Compliance: What the OCC’s Consent Order Against Community Federal Savings Bank Means for Your Institution

Over the past few years, many community banks have pursued fintech partnerships to diversify revenue and expand consumer offerings. These types of partnerships, however, come with enhanced regulatory scrutiny, and it is crucial that community banks evaluate compliance programs as part of any fintech partnership.

On May 21, 2026, the Office of the Comptroller of the Currency (OCC) publicly released a consent order (docketed as AA-ENF-2025-21) against Community Federal Savings Bank (CFSB), a single-branch federal savings association in Woodhaven, New York. The enforcement action targets BSA/AML compliance failures that the OCC tied directly to CFSB’s rapid expansion into payment processing and fintech-adjacent business lines.

For community bank executives and compliance professionals, this action is not just another BSA/AML enforcement headline. It is a case study in what happens when a bank scales its business without proportionally scaling its compliance infrastructure.

What Happened at CFSB

CFSB is a small bank by traditional measures — roughly $866 million in assets as of year-end 2025. But its transaction volumes tell a different story. Since 2020, CFSB significantly grew its payment processing line, resulting in substantial annual wire and ACH activity, including cross-border transactions involving foreign financial institutions. That growth was fueled by CFSB’s role as a sponsor bank for several prominent fintechs, including Wise, Crypto.com, Airwallex, ChipperCash, and LemFi, among others. Crucially, CFSB’s fintech partners offer international payment or multi-currency services.

The OCC found that CFSB failed to develop and maintain controls and risk management processes commensurate with its growth. The consent order identifies violations of four distinct regulatory provisions: 12 CFR 21.21 (BSA/AML program requirements), 12 CFR 163.180(d) (suspicious activity reporting), 31 CFR 1020.210(a) (Anti-money laundering program requirements for federally-regulated banks), and 31 CFR 1010.520(b)(3) (information sharing requirements under Section 314(a) of the USA PATRIOT Act).

Specifically, the OCC found that CFSB’s automated suspicious activity monitoring system’s “filtering criteria and thresholds” were not adequately calibrated to the bank’s “payment processing risk profile, the significant increases in higher risk products and services, and international exposures.” Further, CFSB’s automated alert triage system contained several deficiencies, which resulted in the system auto-closing a “very high percentage” of alerts that should have been escalated for human review.

The OCC also found that CFSB’s customer due diligence program was deficient and that CFSB did not “understand the nature of certain customers’ businesses and the purpose of transactions flowing through its payment processing line, including risks related to foreign financial institutions.” Perhaps most strikingly, CFSB failed to determine whether it held correspondent accounts for foreign financial institutions, a fundamental obligation under the USA PATRIOT Act’s enhanced due diligence requirements. The OCC additionally noted that the bank’s internal auditor failed to identify BSA/AML program weaknesses and failed to test high-risk areas of the bank’s BSA/AML program.

Due to systemic breakdowns in internal controls, weak independent testing, and inadequate staffing, the OCC ultimately concluded that CFSB had not established and maintained a reasonably designed BSA/AML compliance program.

The Fintech Sponsor Bank Angle

This enforcement action did not occur in a vacuum. CFSB’s growth trajectory — from under $140 million in assets in 2017 to nearly $900 million by 2024 — was driven almost entirely by fintech partnerships. The bank served as the underlying banking rails for companies whose business models generate enormous transaction volumes; however, the Bank failed to scale its regulatory compliance programs with its growth.

The consent order makes clear that community banks entering into payment processing partnerships need to install sophisticated monitoring systems and robust customer identification programs, and to modify staffing levels, to ensure regulatory compliance. When your fintech partners are facilitating cross-border remittances, multi-currency accounts, and cryptocurrency-linked products, you inherit the risk profile of those activities — regardless of your asset size — and may need to manage complexities far beyond what a single-branch community bank would ordinarily face.

Notably, the order was signed through the Assistant Deputy Comptroller for Novel Bank Supervision and included an unusual clarification—the regulatory action is “based on concerns largely unrelated to customers involved in digital assets activities.” This suggests the OCC’s concerns centered on BSA/AML-related issues regarding payment processing and cross-border activity rather than digital assets specifically. Thus, banks considering fintech partnerships in the cross-border payment processing space are likely subject to the same regulatory scrutiny.

Given the heightened regulatory scrutiny, community banks seeking to expand their operations to include payment processing and cross-border activity must scale their BSA/AML services accordingly. Financial institutions should thus actively consider how to ensure that their regulatory compliance program is properly designed and implemented—and the costs of those programs—before entering into any fintech partnerships. This includes, among other things, updating your automated monitoring systems, adding additional staff, evaluating the third-party relationships and the geographies served by the partnerships, and understanding the transaction types to ensure the systems can adequately manage the increased risk.

Key Compliance Takeaways

  1. Suspicious Activity Monitoring. The OCC’s Order specifically noted that CFSB’s suspicious activity monitoring system was not calibrated to its payment processing business and CFSB’s automated triage system auto-closed alerts that should have been reviewed. To ensure regulatory compliance, whenever you onboard a new business line or partner that materially changes your transaction profile, you should also review your monitoring thresholds. This includes creating clear definitions of customer risk categories and ensuring an effective methodology is in place to assign a customer’s risk category. Finally, you should also have a system in place to periodically review all customers and accounts that exhibit higher-risk characteristics to ensure that a process is in place if your automated alert system fails to detect high-risk transactions.
  2. Know Your Customer and Their Business. The OCC’s Order specifically noted that CFSB did not “understand the nature of certain customers’ businesses and the purpose of transactions flowing through its payment processing line.” In a banking as a service (BaaS) or sponsor bank model, your regulatory obligations extend to understanding the end users and transaction flows facilitated by your fintech partners. If you cannot articulate the nature of your customers’ businesses and the purpose of transactions flowing through your systems, regulators may find you have a due diligence gap. Regular reviews of customer profiles can also ensure that any missing or inaccurate customer due diligence information is timely identified and remediated.
  3. Cross-Border Activities. The failure to identify correspondent accounts for foreign financial institutions is a fundamental gap with serious regulatory consequences. If your fintech partners facilitate cross-border payments, determine whether any of those relationships constitute correspondent banking under the USA PATRIOT Act and apply appropriate enhanced due diligence.
  4. BSA/AML Testing Program. Whether your BSA/AML audit is conducted internally or by a third party, it must test whether controls are functioning as designed to detect any illicit financial activity risk. An audit that avoids high-risk or non-traditional banking areas provides false comfort and, as CFSB’s experience demonstrates, will be cited as a deficiency in its own right.
  5. BSA/AML Staffing. The OCC’s Order noted that CFSB had “weak BSA staffing.” Compliance cannot be a part-time function when your bank processes volumes that rival institutions many times your size. Budget for the compliance team your risk profile demands, not the one your asset size might suggest, and ensure that management’s and staff’s respective responsibilities for establishing and revising customer risk profiles are clearly defined.
  6. Conduct periodic, proactive reviews of Suspicious Activity Reports (“SAR”). Do not wait for an enforcement action to undertake a lookback. Periodic self-assessments of past alert dispositions and SAR decisions — particularly after system changes or new partner onboarding — can catch gaps before examiners do. If you detect any issues regarding the quality or accuracy of prior SAR filings, promptly remediate and report them. The goal is to comprehensively and accurately report any suspicious activities.

Looking Ahead: OCC Supervisory Priorities

The CFSB consent order arrives in a regulatory environment where the OCC has been far more active in terminating existing enforcement actions than entering new ones. Across April, May, and June 2026, the OCC terminated numerous formal agreements and consent orders while issuing only two new institutional consent orders — both of which targeted specific, identified compliance failures rather than broad safety-and-soundness concerns.

This pattern suggests the OCC is being selective and deliberate about where it deploys new enforcement resources. BSA/AML compliance, particularly at institutions with high transaction volumes driven by fintech partnerships, clearly remains a priority. The OCC has previously signaled — including through a November 2025 bulletin establishing Community Bank Minimum BSA/AML Examination Procedures — that it expects compliance programs to be dynamic and proportionate to institutional risk.

For community banks operating in the fintech partnership ecosystem, the message is clear: the OCC will not excuse compliance shortcomings because your bank is small. If you choose to take on the risk profile of a payments company, you must build the compliance infrastructure of one.

Renewed Vigilance is Required in Wake of Recent Amendments to EU Artificial Intelligence Act

On June 16, 2026, with mounting pressure from member states and industry groups, the European Parliament formally endorsed a provisional agreement delaying a significant enforcement milestone in the European Union’s Regulation (EU) 2024/1689 (the “Artificial Intelligence Act” or “AI Act”), with significant consequences for businesses. Completed just under two months before the new enforcement guidelines were to take effect, the agreement extends various enforcement deadlines, eliminates certain duplicative manufacturer requirements, broadens small business exemptions, and adds new prohibitions on certain AI-generated intimate content.

Though the EU’s delay grants organizations additional time to comply with some obligations under the AI Act, delaying implementation of compliance measures could prove costly. Unlike the prior General Data Protection Regulation’s (“GDPR’s”) early enforcement period, EU regulators have already signaled their intent to enforce the AI Act from day one. Moreover, the EU AI Act has an extraterritorial reach—any AI system influencing decisions affecting EU residents, regardless of where a company is headquartered, may fall within the scope of the AI Act. The AI Act penalties are significant: ranging from €7.5 million or 1% of global annual turnover to €35 million or 7% of global annual turnover. For small companies, even the lower tier penalties represent existential exposure. This is not an abstract compliance exercise—rather, it is a binding legal framework with real penalties, obligations, and exposure that begins the moment enforcement powers fully activate.

Many businesses may unknowingly use, and therefore may be considered deployers of, high-risk AI systems regulated under the AI Act. These systems include:

  • Employment and Workforce Management: AI systems used for recruitment, candidate screening, performance evaluation, work allocation, or monitoring employee behavior.
  • Access to Essential Services: AI systems that evaluate an individual’s eligibility for, or access to, healthcare or wellness services are high-risk. For companies operating employee benefits platforms—including employee assistance programs (“EAPs”)—this category is directly relevant if AI is used to triage, route, or assess employee mental health or wellness needs. The threshold may be lower than you expect.
  • Insurance Risk Assessment: AI systems used in health and life insurance pricing or risk classification. If your platform feeds data into underwriting or coverage determination processes, this category may be implicated.

The delay shifts certain deadlines by creating a rolling deadline format. For example, the compliance deadline for AI systems outlined under Annex III, including High-Risk AI System Requirements (Articles 9–17 and 26), has moved to December 2, 2027—a 17-month extension. The deadline to comply with the rules for AI systems integrated into products subject to product safety regulations (Annex I) would become August 2, 2028—a 12-month extension. Even with the extensions, these deadlines can creep up in a hectic business environment. Here are six steps to take now:

Conduct an AI Inventory

Map every AI tool your company uses in connection with its EU operations or EU employees. Be sure to include vendor-provided SaaS tools with AI features, not just bespoke systems. Many companies are surprised by how many systems qualify.

Classify by Risk

For each AI system you identify, work with legal advisors to assess its risk category: prohibited, high-risk, or limited/minimal risk. This requires knowledge of both what the system does and how the AI Act specifically defines its risk categories.

Audit Your Vendor Contracts

Review any agreements with AI vendors for compliance-relevant provisions, including documentation delivery, log access, incident notification, EU representative obligations, and allocation of deployer vs. provider responsibilities. Most off-the-shelf agreements do not yet reflect the AI Act’s requirements. And for deployers of high-risk AI systems, obligations cannot be outsourced to AI vendors even where the vendor bears primary provider responsibilities.

Implement Deployer-Side Controls

For any high-risk AI system, start human oversight procedures, log retention practices, employee or user notification mechanisms, and any applicable Fundamental Rights Impact Assessment (FRIA). Document these in writing—the AI Act requires documentation, and enforcement will look for it.

Review Your AI Literacy Obligations

An often-overlooked requirement—enforced since February 2025—is that organizations must ensure that staff who work with AI have appropriate AI literacy training. This is a minor obligation that can be addressed with modest internal effort. If you have not already implemented an AI literacy training program, now is the time to do so.

Integrate AI Governance Into Your Broader Compliance Program

AI Act compliance is not a one-time project. Instead, it requires ongoing monitoring as your company’s AI tools evolve, guidance is updated, and enforcement develops. Building AI Act compliance into your company’s broader compliance program, alongside GDPR and sector-specific obligations, will serve to minimize risks and costs in the long term.

Companies should begin completing core steps immediately. Organizations waiting until 2027 will be starting from behind, with enforcement already active. We are available to guide you through this process. Whether you need a full EU AI Act readiness assessment, targeted vendor contract review, or specific guidance on high-risk classification for your product or service, we can provide scoped, efficient support designed for your business needs.

 


This article is intended as general client information and does not constitute legal advice. The EU AI Act is a complex and evolving regulation. Please consult with counsel regarding your specific circumstances.

 

Oklahoma Appeals Court Clarifies Banks’ Fiduciary Duties and Customer Privacy Obligations Under the Oklahoma Financial Privacy Act

In addition to federal privacy laws, numerous states have enacted their own financial privacy statutes that banks and other financial institutions must navigate when responding to requests for customer information.[1] In a recent decision, Oklahoma’s intermediate appellate court seemingly narrowed the scope of claims arising under Oklahoma’s financial privacy law while clarifying the duties of financial institutions within its borders.

In Parker, et al. v. Valliance Bank (“Parker”), the Oklahoma Court of Civil Appeals affirmed a directed verdict in favor of Valliance Bank (the “Bank”). In holding in the Bank’s favor, the Court rejected the consumer-Plaintiffs’ claims that the Bank violated Oklahoma’s Financial Privacy Act (the “Act”) and breached its duty of care and/or fiduciary duties by producing documents in response to a subpoena that did not comply with certain requirements of the Act.[2]

In Parker, the Bank received a subpoena in a foreclosure action — to which it was not a party — seeking financial records of an LLC defendant. The subpoena demanded that a Bank representative appear for deposition and produce essentially all documents related to the LLC’s banking relationship. Critically, the LLC’s loan file contained personal financial documents of its individual members and their other holdings, which had been submitted in connection with the LLC’s loan application. The Bank produced the subpoenaed documents only after motions to quash the subpoena and for a protective order were denied.[3]

The Parker Plaintiffs — the individuals, trusts, and businesses whose financial records were produced as part of the LLC’s loan file — alleged that the production of those documents led to their inclusion in the foreclosure suit and caused damages exceeding $500,000. They asserted claims “as Bank customers,” alleging “the Bank was negligent, violated their rights protected by the Oklahoma Financial Privacy Act, and that the Bank breached a duty of care to protect their private and confidential financial information.”[4]

In addressing these claims, the Parker Court first recognized that the negligence claim was rooted in the production of financial documents and that the Act provides the “exclusive lawful means” of obtaining customer financial records.[5] The Court thus consolidated its analysis of the negligence and statutory claims into a single inquiry: whether the Bank had breached its duties under the Act.[6] The Court ultimately found that the Bank had violated the Act by responding to a subpoena lacking written certification from the issuer of that issuer’s compliance with the Act, a prerequisite to a financial institution’s production of customer financial records under 6 O.S.2021 § 2208(A).

However, the Court held that this duty was owed not to the Plaintiffs, but to the LLC — which was not a party to the lawsuit. The Court explained that the documents produced and now in dispute all came from the LLC’s loan file. It emphasized that the Plaintiffs never argued those documents were improperly in the Bank’s possession. Rather, all the documents at issue were voluntarily provided by the Plaintiffs, who were Bank “customers,” to obtain financing for another “customer,” the LLC. The Court further found that “[t]he only duty that the Bank owed to all of its other customers, including the [Plaintiffs], was to take ‘reasonably prudent’ measures to prevent another customer’s financial records from being inadvertently included in the documents produced in response to that subpoena” — and the Plaintiffs had not asserted such a claim.[7]

Importantly, the Parker Court held that, although the Bank violated the Act by not requiring a certificate of compliance before producing the LLC’s documents, “the Act did not require the Bank to segregate and withhold from production documents lawfully in its possession because they happened to have also related to or been provided by another customer whose records were not the subject of the subpoena.”[8] Simply put, “[t]o the extent [Plaintiffs] proved the Documents were produced in violation of the Act, that claim belongs to [the LLC], or more specifically, pursuit of that claim belongs to the Trustee in [the LLC’s] bankruptcy.”[9]

The Parker Court next addressed the Plaintiffs’ claim that, in addition to the Act, the Bank owed them “special duties,” fiduciary in nature, and that the Bank’s production of the documents constituted a tortious breach of those duties. The Court rejected this argument out of hand, holding that the Plaintiffs’ relationship with the Bank was contractual and that while a failure to keep customer records private might constitute a breach of contract (which was not pled), it did not give rise to a tort claim. The Court then pointed to 6 O.S.2021 § 425, which provides:

Unless a state or national bank shall have expressly agreed in writing to assume special or fiduciary duties or obligations, no such duties or obligations will be imposed on the bank with respect to a depositor of the bank or a borrower, guarantor, or surety, and no special or fiduciary relationship shall be deemed to exist.

Under this 1994 statute, a fiduciary duty between a financial institution and its customers may only be created by express language to that effect in a written agreement. Finding that the Plaintiffs “produced no document by which the Bank agreed ‘in writing to assume special or fiduciary duties or obligations[,]’” the Court held that no special or fiduciary relationship existed, and the Plaintiffs’ breach of fiduciary duty claim failed “as a matter of law.”[10]

In doing so, the Parker Court distinguished Djowharzadeh v. City National Bank and Trust Co. of Norman, 1982 OK CIV APP 3, 646 P.2d 616. Djowharzadeh, decided over four decades ago, had indicated that a “special relationship” existed between a borrower and a bank.[11] In rejecting the application of Djowharzadeh, the Parker Court held that: “to the extent that Djowharzadeh, decided prior to the enactment of 6 O.S.2021 § 425, holds that a bank owes its customers a fiduciary duty in the absence of a written agreement creating that duty, it has been abrogated by that statute.”[12]

The Parker Court further rejected the Plaintiffs’ reliance on Oklahoma Uniform Jury Instructions (OUJI) — Civil No. 26.2, which included among possible fiduciary relations those with a “banker,” holding that: “To the extent this instruction misstates the law applicable to banks and their customers, it is the duty of the court to provide instructions that ‘accurately state the law.’”[13] Emphasizing that the Plaintiffs had asserted only two theories of recovery, neither of which was supported by law, the Parker Court affirmed the trial court’s directed verdict in favor of the Bank.

Although the Bank in Parker ultimately avoided liability, the opinion signals the potential viability of negligence and even breach of contract claims for improper disclosures of customer information, if properly pled. It also underscores the importance of recognizing and complying with the various state financial privacy laws, like Oklahoma’s. Despite moving to quash the offending subpoena, the Bank in Parker was still found to have violated the Act. These statutes impose specific duties that financial institutions must satisfy before responding to any subpoena for customer financial records, and determining the applicable law often requires review of numerous statutory chapters and regulatory codes.

For financial institutions, continued compliance practically demands maintaining state-specific policies and procedures — and, at a minimum, a policy broad enough to address the laws of every state in which the institution does business, paired with attorney oversight to ensure compliance. Regular review and revision of these policies is equally essential. Parker teaches that failing to maintain current, compliant policies could lead not only to statutory violations and regulatory scrutiny, but also to potential tort liability from affected customers — along with the reputational harm that often follows.

 

[1] See, e.g., Tex. Fin. Code 59.006; N.C. Gen. Stat. §§ 53B-1 through 53B-10.

[2] Parker v. Valliance Bank, 2026 OK CIV APP 5, 587 P.3d 907.

[3] The Bank had also moved to quash the subpoena, but counsel for the Bank was apparently not at the hearing and there was no formal disposition of the Bank’s motion. Id. at ¶¶ 7-9. This is likely why the Parker Court limited its consideration of the other motions, including a motion to quash from certain Parker Plaintiffs, to issues of notice and waiver by the LLC, which did not file its own motion despite being the entity whose records were subpoenaed. Id. at ¶ 23. The record reflects the LLC may not have been summoned in the foreclosure action, was possibly an improper party to it based on a pending bankruptcy, and never appeared in that litigation. Id. at n.2, 6. Notably, although the trial court’s denial essentially ordered that the depositions/production go forward, Parker offers no opinion as to whether the Bank’s compliance with that order, on an ultimately defective subpoena, could have immunized the Bank against any violation of the Act.

[4] Parker, 2026 OK CIV APP 5, ¶ 11, 587 P.3d at 911.

[5] Id. at ¶ 19.

[6] See id. at ¶ 18 (“Where a regulatory statute “delineate[s] the defendant’s conduct, courts may adopt the conduct required by the statute[ ] as that which would be expected of a reasonably prudent person—providing courts believe the statutorily required conduct is appropriate for establishing civil liability”).

[7] Id. at ¶ 26.

[8] Parker, 2026 OK CIV APP 5 at ¶ 27, 587 P.3d at 915.

[9] Id. at ¶ 28.

[10] Id. at ¶ 30.

[11] Djowharzadeh involved allegations of a loan officer’s provision of a prospective borrower’s confidential loan information to shareholders in the bank who then usurped the prospective borrower’s opportunity to purchase a duplex at below market value. The Parker Court indicated this was probably more properly framed as a tortious interference with business relations claim, rather than one arising in fiduciary duties. Id. at ¶ 32.

[12] Id. at ¶ 33.

[13] Id. at ¶ 34.

Your AI Conversations May Not Be as Private as You Think: Emerging Case Law on Privilege and Work Product Protections for AI Communications

Businesses, employees, lawyers, and parties to litigation are rapidly incorporating generative artificial intelligence into their daily practice to tackle legal issues and prepare for actual or anticipated litigation. But when a party uses an AI platform like ChatGPT or Claude, are those “communications” protected from discovery? Recent decisions show that lawyers and parties should use generative AI with caution, as at least some information about AI use could be disclosed in discovery. Additionally, sharing confidential information with AI tools could undermine the attorney-client privilege and may violate protective orders.

Warner v. Gilbarco: A Pro Se Litigant’s AI Use Constitutes Protected Work Product

In February 2026, the Eastern District of Michigan held that a pro se plaintiff’s AI communications were protected work product. Warner v. Gilbarco, 820 F. Supp. 3d 629 (E.D. Mich. 2026). The defendants sought disclosure of the plaintiff’s queries to ChatGPT, ChatGPT’s responses, and any documents uploaded to ChatGPT. The Court found that (i) the AI materials were prepared in anticipation of litigation and thus fell within the scope of Rule 26(b)(3)(A); (ii) the plaintiff’s use of AI involved her “internal analysis and mental impressions—i.e., her thought process,” which constituted protected opinion work product; and (iii) using a generative AI tool did not waive work product protection because such platforms “are tools, not persons, even if they may have administrators somewhere in the background,” and using AI programs is not akin to disclosing work product to an adversary. The Court concluded that the defendants’ theory “would nullify work-product protection in nearly every modern drafting environment, a result no court has endorsed.”

United States v. Heppner: No Privilege, No Work Product

Around the same time as the Warner decision, the Southern District of New York issued an opinion in a criminal case that confronted what the Court described as a question of first impression nationwide: whether a user’s communications with a publicly available AI platform in connection with a pending criminal investigation are protected by attorney-client privilege or the work product doctrine. United States v. Heppner, 820 F. Supp. 3d 292 (S.D.N.Y. 2026). The Court answered no on both counts.

The defendant in that case had used Claude to prepare approximately thirty-one documents outlining defense strategy and potential legal arguments. Critically, he did so on his own initiative, without any direction from his counsel.

The Court held that the attorney-client privilege does not protect communications with AI platforms for several reasons. First, Claude is not an attorney, so no attorney-client relationship existed. Second, the communications were not confidential because Anthropic’s (the owner of Claude) privacy policy notified users that the company collects data on user inputs and outputs, uses that data for training, and reserves the right to disclose it to third parties, including governmental regulatory authorities. Third, the defendant did not communicate with Claude for the purpose of obtaining legal advice—Claude itself disclaims providing legal advice.

On work product, the Court was equally firm, stressing that the doctrine “shelters the mental processes of the attorney,” and its purpose is “to preserve a zone of privacy in which a lawyer can prepare and develop legal theories and strategy.” Because the AI documents were not prepared by or at the behest of counsel and did not reflect defense counsel’s strategy when the defendant created them, the documents fell outside the doctrine’s protection.

Morgan v. V2X: Splitting the Difference

On March 30, 2026, a Colorado federal court held that Rule 26(b)(3) applies to protect a pro se litigant’s AI-related materials. Morgan v. V2X, Inc., No. 25–CV–01991–SKC–MDB, 2026 WL 864223 (D. Colo. Mar. 30, 2026). The Court explained that the importance of applying these protections is “magnified in the context of AI—one of the most powerful knowledge tools ever to become available to the masses,” because pro se litigants “are forced to act as both party and advocate, simultaneously.” The Court analogized AI tools to Gmail accounts and found that using AI tools did not waive work product protections because it was reasonable to expect some privacy while using these tools, even if they are technically available to a third party, and it was highly unlikely that an adversary would gain access to the information without some legal process. The Court distinguished Heppner on two grounds: first, Heppner was a criminal matter, whereas civil Rule 26(b)(3) broadly protects the work product of a “party,” not merely counsel; and second, in Heppner there was a “gap between the party and the attorney” that does not exist where a pro se litigant is simultaneously the party and the advocate.

Notably, the Morgan Court did not extend work product protections to the identity of the AI tool used by the defendant—only to the substance of the AI interactions. Although the Court acknowledged that work product protection could protect the identity of the AI tool, the pro se plaintiff in that case had failed to demonstrate how disclosing the name of an AI tool would reveal his mental impressions or case strategy.

The Court also offered some practical insight by crafting an AI-specific provision for a protective order that effectively bars the use of mainstream, low-to-no-cost AI platforms for processing confidential information unless the AI provider is contractually prohibited from storing or using inputs for model training and from disclosing inputs to third parties.

Tate Group Automotive v. Legacy Automotive Capital: State Court Adoption

On June 3, 2026, the Texas Business Court weighed in on the question. In Tate Group Automotive, LLC v. Legacy Automotive Capital, LLC, the Court conducted an in camera review of ChatGPT conversations that the plaintiff had withheld based on attorney work product protection. The Texas Business Court expressly adopted the reasoning of Warner and Morgan and rejected Heppner. On the waiver question, the Court agreed with those cases’ recognition that “work product protections are typically waived by disclosure to an adversary, or in circumstances that substantially increase the likelihood that an adversary will obtain the materials”—and that sharing information with an AI tool does not meet that standard. The Court also emphasized that the Texas Rules of Civil Procedure set forth a different and potentially broader standard for protectable work product than the federal rules.

Following Morgan, the Court also ordered the plaintiff to disclose to defendants all discovery materials or products that it had shared with ChatGPT (by Bates number), including any materials produced pursuant to the protective order. The Court further recommended that the parties confer and negotiate amendments to the protective order that would “make unquestionably clear whether, how, and to what extent if so, Confidential Information may be shared with any AI tool or other Large Language Model system” and expressly directed the parties to the Morgan decision.

Practical Implications

The case law on AI continues to develop, with practical implications for litigants and other parties using AI. The current case law offers the following practical insights:

  • Create guardrails for AI use. Inputting privileged, confidential, sensitive, or investigation-related information into a consumer-grade AI platform risks waiving attorney-client privilege. Clients should be advised of this risk and warned against inputting any attorney-client communications or confidential documents into an AI platform. If AI must be used to process sensitive material, use an enterprise-tier platform with contractual guarantees against data retention and third-party disclosure.
  • Avoid using AI without lawyer direction. Lawyers should warn their clients that using AI on their own initiative is risky. The outputs may still receive work product protection, but the analysis is context-dependent. If a lawyer directs a client to use an AI tool to assist with litigation preparation, that direction may help bring the resulting materials within the umbrella of work product protection.
  • Proactively address AI usage in litigation. Lawyers should consider proactively addressing AI use in protective orders and discovery protocols at the outset of litigation, rather than scrambling to address it after the fact.
  • Proceed with caution and awareness. Litigants should be aware that their choice of AI tools—and the materials they share with them—may themselves become subjects of discovery. While the substance of AI interactions may be protected, courts have ordered disclosure of the identity of the platform used and of materials shared with it, particularly where confidential information is at stake. Treat every AI interaction as if it could one day be scrutinized by opposing counsel—because, under the right circumstances, it very well might be.