When Fintech Growth Outpaces Compliance: What the OCC’s Consent Order Against Community Federal Savings Bank Means for Your Institution

Over the past few years, many community banks have pursued fintech partnerships to diversify revenue and expand consumer offerings.  These types of partnerships, however, come with enhanced regulatory scrutiny, and it is crucial that community banks evaluate compliance programs as part of any fintech partnership.

On May 21, 2026, the Office of the Comptroller of the Currency (OCC) publicly released a consent order (docketed as AA-ENF-2025-21) against Community Federal Savings Bank (CFSB), a single-branch federal savings association in Woodhaven, New York. The enforcement action targets BSA/AML compliance failures that the OCC tied directly to CFSB’s rapid expansion into payment processing and fintech-adjacent business lines.

For community bank executives and compliance professionals, this action is not just another BSA/AML enforcement headline. It is a case study in what happens when a bank scales its business without proportionally scaling its compliance infrastructure.

What Happened at CFSB

CFSB is a small bank by traditional measures — roughly $866 million in assets as of year-end 2025. But its transaction volumes tell a different story. Since 2020, CFSB significantly grew its payment processing line, resulting in substantial annual wire and ACH activity, including cross-border transactions involving foreign financial institutions. That growth was fueled by CFSB’s role as a sponsor bank for several prominent fintechs, including Wise, Crypto.com, Airwallex, ChipperCash, and LemFi, among others. Crucially, CFSB’s fintech partners offer international payment or multi-currency services.

The OCC found that CFSB failed to develop and maintain controls and risk management processes commensurate with its growth. The consent order identifies violations of four distinct regulatory provisions: 12 CFR 21.21 (BSA/AML program requirements), 12 CFR 163.180(d) (suspicious activity reporting), 31 CFR 1020.210(a) (Anti-money laundering program requirements for federally-regulated banks), and 31 CFR 1010.520(b)(3) (information sharing requirements under Section 314(a) of the USA PATRIOT Act).

Specifically, the OCC found that CFSB’s automated suspicious activity monitoring system’s “filtering criteria and thresholds” were not adequately calibrated to the bank’s “payment processing risk profile, the significant increases in higher risk products and services, and international exposures.” Further, CFSB’s automated alert triage system contained several deficiencies, which resulted in the system auto-closing a “very high percentage” of alerts that should have been escalated for human review.

The OCC also found that CFSB’s customer due diligence program was deficient and that CFSB did not “understand the nature of certain customers’ businesses and the purpose of transactions flowing through its payment processing line, including risks related to foreign financial institutions.” Perhaps most strikingly, CFSB failed to determine whether it held correspondent accounts for foreign financial institutions, a fundamental obligation under the USA PATRIOT Act’s enhanced due diligence requirements. The OCC additionally noted  the bank’s internal auditor failed to identify BSA/AML program weaknesses and failed to test high-risk areas of the bank’s BSA/AML program.

Due to systemic breakdowns in internal controls, weak independent testing, and inadequate staffing, the OCC ultimately concluded that CFSB had not established and maintained a reasonably designed BSA/AML compliance program.

The Fintech Sponsor Bank Angle

This enforcement action did not occur in a vacuum. CFSB’s growth trajectory — from under $140 million in assets in 2017 to nearly $900 million by 2024 — was driven almost entirely by fintech partnerships. The bank served as the underlying banking rails for companies whose business models generate enormous transaction volumes; however, the Bank failed to scale its regulatory compliance programs with its growth.

The consent order makes clear that community banks entering into payment processing partnerships need to install sophisticated monitoring systems, robust customer identification programs, and modify staffing levels to ensure regulatory compliance. When your fintech partners are facilitating cross-border remittances, multi-currency accounts, and cryptocurrency-linked products, you inherit the risk profile of those activities — regardless of your asset size—and may need to manage complexities far beyond what a single-branch community bank would ordinarily face.

Notably, the order was signed through the Assistant Deputy Comptroller for Novel Bank Supervision and included an unusual clarification—the regulatory action is “based on concerns largely unrelated to customers involved in digital assets activities.” This suggests the OCC’s concerns centered on BSA/AML-related issues regarding payment processing and cross-border activity rather than digital assets specifically. Thus, banks considering fintech partnerships in the cross-border payment processing space are likely subject to  the same regulatory scrutiny.

Given the heightened regulatory scrutiny, community banks seeking to expand their operations to include payment processing and cross-border activity must scale their BSA/AML services accordingly. Financial institutions should thus actively consider how to ensure that their regulatory compliance program is properly designed and implemented—and the costs of those programs—before entering into any fintech partnerships. This includes, among other things, updating your automated monitoring systems, adding additional staff, evaluating the third-party relationships and the geographies served by the partnerships, and understanding the transaction types to ensure the systems can adequately manage the increased risk.

Key Compliance Takeaways

  1. Suspicious Activity Monitoring. The OCC’s Order specifically noted that CFSB’s suspicious activity monitoring system was not calibrated to its payment processing business and CFSB’s automated triage system auto-closed alerts that should have been reviewed. To ensure regulatory compliance, whenever you onboard a new business line or partner that materially changes your transaction profile, you should also review your monitoring thresholds. This includes creating clear definitions of customer risk categories and ensuring an effective methodology is in place to assign a customer’s risk category. Finally, you should also have a system in place to periodically review all customers and accounts that exhibit higher-risk characteristics to ensure that a process is in place if your automated alert system fails to detect high-risk transactions.
  2. Know Your Customer and Their Business. The OCC’s Order specifically noted that CFSB did not “understand the nature of certain customers’ businesses and the purpose of transactions flowing through its payment processing line.” In a banking as a service (BaaS) or sponsor bank model, your regulatory obligations extend to understanding the end users and transaction flows facilitated by your fintech partners. If you cannot articulate the nature of your customers’ businesses and the purpose of transactions flowing through your systems, regulators may find you have a due diligence gap. Regular reviews of customer profiles can also ensure that any missing or inaccurate customer due diligence information is timely identified and remediated.
  3. Cross-Border Activities. The failure to identify correspondent accounts for foreign financial institutions is a fundamental gap with serious regulatory consequences. If your fintech partners facilitate cross-border payments, determine whether any of those relationships constitute correspondent banking under the USA PATRIOT Act and apply appropriate enhanced due diligence.
  4. BSA/AML Testing Program. Whether your BSA/AML audit is conducted internally or by a third party, it must test whether controls are functioning as designed to detect any illicit financial activity risk. An audit that avoids high-risk or non-traditional banking areas provides false comfort and, as CFSB’s experience demonstrates, will be cited as a deficiency in its own right.
  5. BSA/AML Staffing. The OCC’s Order noted that CFSB had “weak BSA staffing.” Compliance cannot be a part-time function when your bank processes volumes that rival institutions many times your size. Budget for the compliance team your risk profile demands, not the one your asset size might suggest, and ensure that management’s and staff’s respective responsibilities for establishing and revising customer risk profiles are clearly defined.
  6. Conduct periodic, proactive reviews of Suspicious Activity Reports (“SAR”). Do not wait for an enforcement action to undertake a lookback. Periodic self-assessments of past alert dispositions and SAR decisions — particularly after system changes or new partner onboarding —can catch gaps before examiners do. If you detect any issues regarding the quality or accuracy of prior SAR filings, promptly remediate and report them. The goal is to comprehensively and accurately report any suspicious activities.

Looking Ahead: OCC Supervisory Priorities

The CFSB consent order arrives in a regulatory environment where the OCC has been far more active in terminating existing enforcement actions than entering new ones. Across April, May, and June 2026, the OCC terminated numerous formal agreements and consent orders while issuing only two new institutional consent orders — both of which targeted specific, identified compliance failures rather than broad safety-and-soundness concerns.

This pattern suggests the OCC is being selective and deliberate about where it deploys new enforcement resources. BSA/AML compliance, particularly at institutions with high transaction volumes driven by fintech partnerships, clearly remains a priority. The OCC has previously signaled — including through a November 2025 bulletin establishing Community Bank Minimum BSA/AML Examination Procedures — that it expects compliance programs to be dynamic and proportionate to institutional risk.

For community banks operating in the fintech partnership ecosystem, the message is clear: the OCC will not excuse compliance shortcomings because your bank is small. If you choose to take on the risk profile of a payments company, you must build the compliance infrastructure of one.

Renewed Vigilance is Required in Wake of Recent Amendments to EU Artificial Intelligence Act

On June 16, 2026, with mounting pressure from member states and industry groups, the European Parliament formally endorsed a provisional agreement delaying a significant enforcement milestone in the European Union’s Regulation (EU) 2024/1689 (the “Artificial Intelligence Act” or  “AI Act”), with significant consequences for businesses. Completed just under two months before the new enforcement guidelines were to take effect, the agreement extends various enforcement deadlines, eliminates certain duplicative manufacturer requirements, broadens small business exemptions, and adds new prohibitions on certain AI-generated intimate content.

Though the EU’s delay grants organizations additional time to comply with some obligations under the AI Act, delaying implementation of compliance measures could prove costly. Unlike the prior General Data Protection Regulation’s (“GDPR’s”) early enforcement period, EU regulators have already signaled their intent to enforce the AI Act from day one. Moreover, the EU AI Act has an extraterritorial reach—any AI system influencing decisions affecting EU residents, regardless of where a company is headquartered, may fall within the scope of the AI Act. The AI Act penalties are significant: ranging from €7.5 million or 1% of global annual turnover to €35 million or 7% of global annual turnover. For small companies, even the lower tier penalties represent existential exposure. This is not an abstract compliance exercise—rather, it is a binding legal framework with real penalties, obligations, and exposure that begins the moment enforcement powers fully activate.

Many businesses may unknowingly use, and therefore may be considered deployers of, high-risk AI systems regulated under the AI Act. These systems include:

  • Employment and Workforce Management: AI systems used for recruitment, candidate screening, performance evaluation, work allocation, or monitoring employee behavior.
  • Access to Essential Services: AI systems that evaluate an individual’s eligibility for, or access to, healthcare or wellness services are high-risk. For companies operating employee benefits platforms—including employee assistance programs (“EAPs”)—this category is directly relevant if AI is used to triage, route, or assess employee mental health or wellness needs. The threshold may be lower than you expect.
  • Insurance Risk Assessment: AI systems used in health and life insurance pricing or risk classification. Meaning that if your platform feeds data into underwriting or coverage determination processes, this may be implicated.

The delay shifts certain deadlines by creating a rolling deadline format. For example, the compliance deadline for AI systems outlined under Annex III, including High-Risk AI System Requirements (Articles 9–17 and 26) has moved to December 2, 2027—a 17-month extension. The deadline to comply with the rules for AI systems integrated into products subject to product safety regulations (Annex I) would become August 2, 2028—a 12-month extension), but even with the extensions, these deadlines can creep up in a hectic business environment. Here are six steps to take now:

Conduct an AI Inventory

Map every AI tool your company uses in connection with its EU operations or EU employees. Be sure to include vendor-provided SaaS tools with AI features, not just bespoke systems. Many companies are surprised by how many systems qualify.

Classify by Risk

For each AI system you identify, work with legal advisors to assess its risk category: prohibited, high-risk, or limited/minimal risk. This requires knowledge of both what the system does and how the AI Act specifically defines its risk categories.

Audit Your Vendor Contracts

Review any agreements with AI vendors for compliance-relevant provisions, including documentation delivery, log access, incident notification, EU representative obligations, and allocation of deployer vs. provider responsibilities. Most off-the-shelf agreements do not yet reflect the AI Act’s requirements. And for deployers of high-risk AI systems, obligations cannot be outsourced to AI vendors even where the vendor bears primary provider responsibilities.

Implement Deployer-Side Controls

For any high-risk AI system, start human oversight procedures, log retention practices, employee or user notification mechanisms, and any applicable Fundamental Rights Impact Assessment (FRIA). Document these in writing—the AI requires documentation and enforcement will look for it.

Review Your AI Literacy Obligations

An often-overlooked requirement—enforced since February 2025—is that organizations must ensure that staff who work with AI have appropriate AI literacy training. This is a minor obligation that can be addressed with modest internal effort. If you have not already implemented an AI literacy training program, now is the time to do so.

Integrate AI Governance Into Your Broader Compliance Program

AI Act compliance is not a one-time project. Instead, it requires ongoing monitoring as your company’s AI tools evolve, guidance is updated, and enforcement develops. Building AI Act compliance into your company’s broader compliance program, alongside GDPR and sector-specific obligations, will serve to minimize risks and costs in the long-term.

Companies should begin completing core steps immediately. Organizations waiting until 2027 will be starting from behind, with enforcement already active. We are available to guide you through this process whether you need a full EU AI Act readiness assessment, targeted vendor contract review, or specific guidance on high-risk classification for your product or service, we can provide scoped, efficient support designed for your business needs.

 


This article is intended as general client information and does not constitute legal advice. The EU AI Act is a complex and evolving regulation. Please consult with counsel regarding your specific circumstances.

 

Oklahoma Appeals Court Clarifies Banks’ Fiduciary Duties and Customer Privacy Obligations Under the Oklahoma Financial Privacy Act

In addition to federal privacy laws, numerous states have enacted their own financial privacy statutes that banks and other financial institutions must navigate when responding to requests for customer information.[1] In a recent decision, Oklahoma’s intermediate appellate court seemingly narrowed the scope of claims arising under Oklahoma’s financial privacy law while clarifying the duties of financial institutions within its borders.

In Parker, et al. v. Valliance Bank (“Parker”), the Oklahoma Court of Civil Appeals affirmed a directed verdict in favor of Valliance Bank (the “Bank”). In holding in the Bank’s favor, the Court rejected the consumer-Plaintiffs’ claims that the Bank violated Oklahoma’s Financial Privacy Act (the “Act”) and breached its duty of care and/or fiduciary duties by producing documents in response to a subpoena that did not comply with certain requirements of the Act.[2]

In Parker, the Bank received a subpoena in a foreclosure action — to which it was not a party — seeking financial records of an LLC defendant. The subpoena demanded that a Bank representative appear for deposition and produce essentially all documents related to the LLC’s banking relationship. Critically, the LLC’s loan file contained personal financial documents of its individual members and their other holdings, which had been submitted in connection with the LLC’s loan application. The Bank produced the subpoenaed documents only after motions to quash the subpoena and for a protective order were denied.[3]

The Parker Plaintiffs — the individuals, trusts, and businesses whose financial records were produced as part of the LLC’s loan file — alleged that the production of those documents led to their inclusion in the foreclosure suit and caused damages exceeding $500,000. They asserted claims “as Bank customers,” alleging “the Bank was negligent, violated their rights protected by the Oklahoma Financial Privacy Act, and that the Bank breached a duty of care to protect their private and confidential financial information.”[4]

In addressing these claims, the Parker Court first recognized that the negligence claim was rooted in the production of financial documents and that the Act provides the “exclusive lawful means” of obtaining customer financial records.[5] The Court thus consolidated its analysis of the negligence and statutory claims into a single inquiry: whether the Bank had breached its duties under the Act.[6] The Court ultimately found that the Bank had violated the Act by responding to a subpoena lacking written certification from the issuer of that issuer’s compliance with the Act, a prerequisite to a financial institution’s production of customer financial records under 6 O.S.2021 § 2208(A).

However, the Court held that this duty was owed not to the Plaintiffs, but to the LLC — which was not a party to the lawsuit. The Court explained that the documents produced and now in dispute all came from the LLC’s loan file. It emphasized that the Plaintiffs never argued those documents were improperly in the Bank’s possession. Rather, all the documents at issue were voluntarily provided by the Plaintiffs, who were Bank “customers,” to obtain financing for another “customer,” the LLC. The Court further found that “[t]he only duty that the Bank owed to all of its other customers, including the [Plaintiffs], was to take ‘reasonably prudent’ measures to prevent another customer’s financial records from being inadvertently included in the documents produced in response to that subpoena” — and the Plaintiffs had not asserted such a claim.[7]

Importantly, the Parker Court held that, although the Bank violated the Act by not requiring a certificate of compliance before producing the LLC’s documents, “the Act did not require the Bank to segregate and withhold from production documents lawfully in its possession because they happened to have also related to or been provided by another customer whose records were not the subject of the subpoena.”[8] Simply put, “[t]o the extent [Plaintiffs] proved the Documents were produced in violation of the Act, that claim belongs to [the LLC], or more specifically, pursuit of that claim belongs to the Trustee in [the LLC’s] bankruptcy.”[9]

The Parker Court next addressed the Plaintiffs’ claim that, in addition to the Act, the Bank owed them “special duties,” fiduciary in nature, and that the Bank’s production of the documents constituted a tortious breach of those duties. The Court rejected this argument out of hand, holding that the Plaintiffs’ relationship with the Bank was contractual and that while a failure to keep customer records private might constitute a breach of contract (which was not pled), it did not give rise to a tort claim. The Court then pointed to 6 O.S.2021 § 425, which provides:

Unless a state or national bank shall have expressly agreed in writing to assume special or fiduciary duties or obligations, no such duties or obligations will be imposed on the bank with respect to a depositor of the bank or a borrower, guarantor, or surety, and no special or fiduciary relationship shall be deemed to exist.

Under this 1994 statute, a fiduciary duty between a financial institution and its customers may only be created by express language to that effect in a written agreement. Finding that the Plaintiffs “produced no document by which the Bank agreed “in writing to assume special or fiduciary duties or obligations[,]” it held that no special or fiduciary relationship existed, and the Plaintiffs’ breach of fiduciary duty claim failed “as a matter of law.”[10]

In doing so, the Parker Court distinguished Djowharzadeh v. City National Bank and Trust Co. of Norman, 1982 OK CIV APP 3, 646 P.2d 616. Djowharzadeh, decided over four decades ago, had indicated that a “special relationship” existed between a borrower and a bank.[11] In rejecting the application of Djowharzadeh, the Parker Court held that: “to the extent that Djowharzadeh, decided prior to the enactment of 6 O.S.2021 § 425, holds that a bank owes its customers a fiduciary duty in the absence of a written agreement creating that duty, it has been abrogated by that statute.”[12]

The Parker Court further rejected the Plaintiffs’ reliance on Oklahoma Uniform Jury Instructions (OUJI) — Civil No. 26.2, which included among possible fiduciary relations those with a “banker,” holding that: “To the extent this instruction misstates the law applicable to banks and their customers, it is the duty of the court to provide instructions that ‘accurately state the law.’”[13] Emphasizing that the Plaintiffs had asserted only two theories of recovery, neither of which was supported by law, the Parker Court affirmed the trial court’s directed verdict in favor of the Bank.

Although the Bank in Parker ultimately avoided liability, the opinion signals the potential viability of negligence and even breach of contract claims for improper disclosures of customer information, if properly pled. It also underscores the importance of recognizing and complying with the various state financial privacy laws, like Oklahoma’s. Despite moving to quash the offending subpoena, the Bank in Parker was still found to have violated the Act. These statutes impose specific duties that financial institutions must satisfy before responding to any subpoena for customer financial records, and determining the applicable law often requires review of numerous statutory chapters and regulatory codes.

For financial institutions, continued compliance practically demands maintaining state-specific policies and procedures — and, at a minimum, a policy broad enough to address the laws of every state in which the institution does business, paired with attorney oversight to ensure compliance. Regular review and revision of these policies is equally essential. Parker teaches that failing to maintain current, compliant policies could lead not only to statutory violations and regulatory scrutiny, but also to potential tort liability from affected customers — along with the reputational harm that often follows.

 

[1] See, e.g., Tex. Fin. Code 59.006; N.C. Gen. Stat. §§ 53B-1 through 53B-10.

[2] Parker v. Valliance Bank, 2026 OK CIV APP 5, 587 P.3d 907.

[3] The bank had also moved to quash the subpoena, but counsel for the Bank was apparently not at the hearing and there was no formal disposition of the Bank’s motion. Id. at ¶¶ 7-9. This is likely why the Parker Court limited its consideration of the other motions, including a motion to quash from certain Parker Plaintiffs, to issues of notice and waiver by the LLC, who did not file its own motion despite being the entity whose records were subpoenaed. Id at ¶ 23. The record reflects the LLC may not have been summoned in the foreclosure action, was possibly an improper party to it based on a pending bankruptcy, and never appeared in that litigation. Id. at n.2, 6. Notably, although the trial court’s denial essentially ordered that the depositions/production go forward, Parker offers no opinion as to whether the Bank’s compliance with that order, on an ultimately defective subpoena, could have immunized the Bank against any violation of the Act.

[4] Parker, 2026 OK CIV APP 5, ¶ 11, 587 P.3d at 911.

[5] Id. at ¶ 19.

[6] See id. at ¶ 18 (“Where a regulatory statute “delineate[s] the defendant’s conduct, courts may adopt the conduct required by the statute[ ] as that which would be expected of a reasonably prudent person—providing courts believe the statutorily required conduct is appropriate for establishing civil liability”).

[7] Id. at ¶ 26.

[8] Parker, 2026 OK CIV APP 5 at ¶ 27, 587 P.3d at 915.

[9] Id at ¶ 28.

[10] Id. at ¶ 30.

[11]  Djowharzadeh involved allegations a loan officer’s provision of a prospective borrower’s confidential loan information to shareholders in the bank who then usurped the prospective borrower’s opportunity to purchase a duplex at below market value. The Parker Court indicated this was probably more properly framed as a tortious interference with business relations claim, rather than one arising in fiduciary duties. Id. at ¶ 32.

[12] Id. at ¶ 33.

[13]  Id. at ¶ 34.

Your AI Conversations May Not Be as Private as You Think: Emerging Case Law on Privilege and Work Product Protections for AI Communications

Businesses, employees, lawyers, and parties to litigation are rapidly incorporating generative artificial intelligence into their daily practice to tackle legal issues and prepare for actual or anticipated litigation. But when a party uses an AI platform like ChatGPT or Claude, are those “communications” protected from discovery? Recent decisions show that lawyers and parties should use generative AI with caution, as at least some information about AI use could be disclosed in discovery. Additionally, sharing confidential information with AI tools could undermine the attorney-client privilege and may violate protective orders.

Warner v. Gilbarco: A Pro Se Litigant’s AI Use Constitutes Protected Work Product

In February 2026, the Eastern District of Michigan held that a pro se plaintiff’s AI communications were protected work product. Warner v. Gilbarco, 820 F. Supp. 3d 629 (E.D. Mich. 2026). The defendants sought disclosure of the plaintiff’s queries to ChatGPT, ChatGPT’s responses, and any documents uploaded to ChatGPT. The Court found that (i) the AI materials were prepared in anticipation of litigation and thus fell within the scope of Rule 26(b)(3)(A); (ii) the plaintiff’s use of AI involved her “internal analysis and mental impressions—i.e., her thought process,” which constituted protected opinion work product; and (iii) using a generative AI tool did not waive work product protection because such platforms “are tools, not persons, even if they may have administrators somewhere in the background,” and using AI programs is not akin to disclosing work product to an adversary. The Court concluded that the defendants’ theory “would nullify work-product protection in nearly every modern drafting environment, a result no court has endorsed.”

United States v. Heppner: No Privilege, No Work Product

Around the same time as the Warner decision, the Southern District of New York issued an opinion in a criminal case that confronted what the Court described as a question of first impression nationwide: whether a user’s communications with a publicly available AI platform in connection with a pending criminal investigation are protected by attorney-client privilege or the work product doctrine. United States v. Heppner, 820 F. Supp. 3d 292 (S.D.N.Y. 2026). The Court answered no on both counts.

The defendant in that case had used Claude to prepare approximately thirty-one documents outlining defense strategy and potential legal arguments. Critically, he did so on his own initiative, without any direction from his counsel.

The Court held that the attorney-client privilege does not protect communications with AI platforms for several reasons. First, Claude is not an attorney, so no attorney-client relationship existed. Second, the communications were not confidential because Anthropic’s (the owner of Claude) privacy policy notified users that the company collects data on user inputs and outputs, uses that data for training, and reserves the right to disclose it to third parties, including governmental regulatory authorities. Third, the defendant did not communicate with Claude for the purpose of obtaining legal advice—Claude itself disclaims providing legal advice.

On work product, the Court was equally firm, stressing that the doctrine “shelters the mental processes of the attorney,” and its purpose is “to preserve a zone of privacy in which a lawyer can prepare and develop legal theories and strategy.” Because the AI documents were not prepared by or at the behest of counsel and did not reflect defense counsel’s strategy when the defendant created them, the documents fell outside the doctrine’s protection.

Morgan v. V2X: Splitting the Difference

On March 30, 2026, a Colorado federal court held that Rule 26(b)(3) applies to protect a pro se litigant’s AI-related materials. Morgan v. V2X, Inc., No. 25–CV–01991–SKC–MDB, 2026 WL 864223 (D. Colo. Mar. 30, 2026). The Court explained that the importance of applying these protections is “magnified in the context of AI—one of the most powerful knowledge tools ever to become available to the masses,” because pro se litigants “are forced to act as both party and advocate, simultaneously.” The Court analogized AI tools to Gmail accounts and found that using AI tools did not waive work product protections because it was reasonable to expect some privacy while using these tools, even if they are technically available to a third party, and it was highly unlikely that an adversary would gain access to the information without some legal process. The Court distinguished Heppner on two grounds: first, Heppner was a criminal matter, whereas civil Rule 26(b)(3) broadly protects the work product of a “party,” not merely counsel; and second, in Heppner there was a “gap between the party and the attorney” that does not exist where a pro se litigant is simultaneously the party and the advocate.

Notably, the Morgan Court did not extend work product protections to the identity of the AI tool used by the defendant—only to the substance of the AI interactions. Although the Court acknowledged that work product protection could protect the identity of the AI tool, the pro se plaintiff in that case had failed to demonstrate how disclosing the name of an AI tool would reveal his mental impressions or case strategy.

The Court also offered some practical insight by crafting an AI-specific provision for a protective order that effectively bars the use of mainstream, low-to-no-cost AI platforms for processing confidential information unless the AI provider is contractually prohibited from storing or using inputs for model training and from disclosing inputs to third parties.

Tate Group Automotive v. Legacy Automotive Capital: State Court Adoption

On June 3, 2026, the Texas Business Court weighed in on the question. In Tate Group Automotive, LLC v. Legacy Automotive Capital, LLC, the Court conducted an in camera review of ChatGPT conversations that the plaintiff had withheld based on attorney work product protection. The Texas Business Court expressly adopted the reasoning of Warner and Morgan and rejected Heppner. On the waiver question, the Court agreed with those cases’ recognition that “work product protections are typically waived by disclosure to an adversary, or in circumstances that substantially increase the likelihood that an adversary will obtain the materials”—and that sharing information with an AI tool does not meet that standard. The Court also emphasized that the Texas Rules of Civil Procedure set forth a different and potentially broader standard for protectable work product than the federal rules.

Following Morgan, the Court also ordered the plaintiff to disclose to defendants all discovery materials or products that it had shared with ChatGPT (by Bates number), including any materials produced pursuant to the protective order. The Court further recommended that the parties confer and negotiate amendments to the protective order that would “make unquestionably clear whether, how, and to what extent if so, Confidential Information may be shared with any AI tool or other Large Language Model system” and expressly directed the parties to the Morgan decision.

Practical Implications

The case law on AI continues to develop with practical implications for litigants and other parties using AI. The current case law offers the following practical insights:

  • Create guardrails for AI use. Inputting privileged, confidential, sensitive, or investigation-related information into a consumer-grade AI platform risks waiving attorney-client privilege. Clients should be advised of this risk and warned against inputting any attorney-client communications or confidential documents into an AI platform. If AI must be used to process sensitive material, use an enterprise-tier platform with contractual guarantees against data retention and third-party disclosure.
  • Avoid using AI without lawyer direction. Lawyers should warn their clients that using AI on their own initiative is risky. The outputs may still receive work product protection, but the analysis is context-dependent. If a lawyer directs a client to use an AI tool to assist with litigation preparation, that direction may help bring the resulting materials within the umbrella of work product protection.
  • Proactively address AI usage in litigation. Lawyers should consider proactively addressing AI use in protective orders and discovery protocols at the outset of litigation, rather than scrambling to address it after the fact.
  • Proceed with caution and awareness. Litigants should be aware that their choice of AI tools—and the materials they share with them—may themselves become subjects of discovery. While the substance of AI interactions may be protected, courts have ordered disclosure of the identity of the platform used and of materials shared with it, particularly where confidential information is at stake. Treat every AI interaction as if it could one day be scrutinized by opposing counsel—because, under the right circumstances, it very well might be.

Zoom Settles Dispute with Federal Trade Commission Regarding Cyber Security Practices

Cyber security

Earlier this month, the Federal Trade Commission (“FTC”) reached a settlement with Zoom Video Communications, Inc. (“Zoom”) regarding alleged misrepresentations related to its security program.  The FTC alleged that Zoom misled users by “touting that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications, when in fact it provided a lower level of security.

As part of the settlement, Zoom must (1) ensure that its representations to consumers regarding its privacy and security practices are accurate, and (2) update its security practices with a comprehensive new program that includes vulnerability management, annual documentation of risks and new security safeguards such as multi-factor authentication.

The FTC’s regulatory action against Zoom highlights the need for all businesses to ensure that representations regarding privacy and security practices are accurate and implement enterprise-wide cybersecurity protocols that take the specific risks faced by an organization into account.

NC Business Court Discusses the Limits of Attorney-Client Privilege When Attorneys Wear Multiple Hats

Male lawyer or Counselor working in courtroom have meeting with client are consultation with

Attorneys, and clients, are often guilty of taking the position that any communication involving an attorney is privileged and not subject to disclosure.  The law, of course, is much more nuanced.  In today’s world, where reliance on in-house counsel is expanding, and attorneys are consulted as much for their business advice as their legal advice, questions regarding the extent of attorney-client privilege have become more complex.

 

On November 9, 2020, the North Carolina Business Court issued a very helpful opinion analyzing the extent of attorney-client privilege in scenarios where attorneys serve in multiple roles within an organization.  Chief Judge Bledsoe’s opinion in Buckley LLP v. Series 1 of Oxford Insurance Company NC LLC, 2020 NCBC 81, resolved competing motions to compel, where each side sought to compel documents being withheld by the other on the basis of attorney-client privilege and the work product doctrine.

Overview

Plaintiff Buckley, LLP is a law firm that obtained an insurance policy through Defendant Oxford, which included coverage for the loss of key employees.  One of Buckley’s named partners, Andrew Sandler, retired shortly after the policy went into effect, and Buckley filed a $6 million dollar claim with Oxford under the policy.  Oxford refused to pay the claim, arguing that certain exclusions in the policy apply.  Significantly, Oxford contended that Buckley failed to inform Oxford of material facts regarding Sandler prior to the policy taking effect.  Prior to the date of the policy, Buckley had already received allegations of misconduct by Sandler and retained the law firm of Latham & Watkins to investigate the misconduct allegations.  Sandler negotiated a retirement agreement with Buckley rather than participate in the investigation and left Buckley shortly after the policy took effect.

In discovery, Buckley sought Oxford’s internal communications and documents related to its investigation of Buckley’s claim.  Oxford’s general counsel was a member of the team that reviewed Buckley’s claim, and Oxford withheld many of those documents involving its general counsel on the basis of attorney-client privilege.  Similarly, Oxford sought discovery of Buckley’s documents and communications with Latham & Watkins regarding the internal investigation of the misconduct allegations.  Buckley refused to produce its communications with Latham & Watkins on the grounds of attorney-client privilege.  Both sides filed competing motions to compel, which the Business Court resolved in a single opinion.  The Business Court ultimately ordered both parties to produce many, but not all, of the documents they were withholding.

Attorney-Client Privilege

Attorney-client privilege only attaches when the communication “is made in the course of giving or seeking legal advice for a proper purpose.”  As a general rule, if an attorney is not acting as a legal advisor when the communication was made—for instance, by providing financial advice or acting as a business advisor—it is not privileged.  In instances where communications contain both legal and business advice, courts will look to the “primary purpose” of the communication.

Applying these principles, the Business Court found that many of Oxford’s general counsel’s communications were not privileged.  The Business Court concluded that Oxford’s general counsel had a substantial role in the company in reviewing and processing claims for payment.  The Business Court noted that some of the general counsel’s communications reflected the primary purpose of providing legal advice, but most showed her engaging in claim review “in the ordinary course of Oxford’s business.”

This “ordinary course of business” analysis also applied to many of Buckley’s communications with Latham & Watkins.  The Business Court noted that materials “created in the ordinary course of business” and “pursuant to company policy” are typically discoverable and not privileged.  The Business Court noted that, in this instance, the internal investigation was required by Buckley’s own firm policies, which weighed heavily in favor of the documents’ disclosure.  The fact that Buckley chose to hire a prominent law firm to conduct the investigation did not automatically extend privilege to all of its communications with Latham.  The Business Court ultimately determined that many of the documents were “unrelated to the rendition of legal services” and ordered their production.

Takeaways

The Business Court’s opinion is a useful reminder that discovery is a broad tool in litigation, and a lawyer’s participation does not always render a document privileged.  Businesses working with attorneys in in-house or business advisory roles should consider the following, when facing questions of what might become public in a protracted litigation:

  • Was the attorney providing legal or business advice?
  • Did the advice require the attorney to use their legal expertise, or simply their business judgment?
  • Is the communication about a particular legal issue, or is it about our company’s ordinary business?
  • Why was this document created? Is it the result of a company policy?

New CFIUS Regulations Add Another Layer of Regulatory Considerations to Transactions Involving Foreign Investors

Earlier this year, new regulations promulgated by the Committee on Foreign Investment in the U.S. (the “CFIUS”) that implement the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) took effect, strengthening the oversight authority and expanding the jurisdictional reach of the CFIUS.  Although the new CFIUS regulations initially went largely unnoticed by the vast majority of investors, investors are starting to feel the effect of these expanded regulations as they are advised by deal counsel of a need for targeted due diligence and additional representations and warranties related to CFIUS compliance obligations.

CFIUS Regulatory Framework

The CFIUS, which was created by the Defense Production Act of 1950, is tasked with reviewing any transaction “which could result in foreign control of any person engaged in interstate commerce in the United States.”  50 U.S.C. § 2170.  The basic premise of the regulatory scheme is that the CFIUS will review these transactions, assess the potential for impact on national security, and make formal recommendations to the President as to the appropriate mitigating action necessary to protect the national interest.

Recent Changes to CFIUS Regulations

Until recently, the CFIUS’s jurisdiction was limited primarily to acquisitions of U.S. businesses by non-U.S. businesses.  See Ralls Corporation v. Committee on Foreign Investment in the United States, 758 F.3d 296 (D.C. Cir. 2014).  Earlier this year, however, new CFIUS rules permanently expanded CFIUS jurisdiction to include certain “other” investments—namely, non-controlling foreign investments in U.S. businesses involved in certain critical technologies, critical infrastructure, or the personal data of U.S. nationals (referred to as “TID” businesses, for technology, infrastructure, and data). Covered non-controlling investments afford the foreign investor access to material nonpublic technical information or substantive involvement in the U.S. business’s decision-making with respect to the technology, infrastructure, or data.

In sum, the new CFIUS regulations expanded the jurisdiction of regulators to transactions involving U.S. businesses that: (1) produce, design, test, manufacture, fabricate, or develop “critical technologies”; (2) own, operate, manufacture, supply, or service “critical infrastructure”; or (3) maintain or collect “sensitive personal data” of U.S. citizens that may be exploited in a manner that threatens national security.  31 CFR § 800.211.  Thus, even if a transaction will not result in foreign control of a U.S. business, it may still be subject to CFIUS review if it involves a TID U.S. business.

Critical Technology

For purposes of CFIUS regulations, critical technology is defined as follows:

(a) Defense articles or defense services included on the United States Munitions List (USML) set forth in the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120–130);

(b) Items included on the Commerce Control List (CCL) set forth in Supplement No. 1 to part 774 of the Export Administration Regulations (EAR) (15 CFR parts 730–774), and controlled—

(1) Pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or

(2) For reasons relating to regional stability or surreptitious listening;

(c) Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by 10 CFR part 810 (relating to assistance to foreign atomic energy activities);

(d) Nuclear facilities, equipment, and material covered by 10 CFR part 110 (relating to export and import of nuclear equipment and material);

(e) Select agents and toxins covered by 7 CFR part 331, 9 CFR part 121, or 42 CFR part 73; and

(f) Emerging and foundational technologies controlled under section 1758 of the Export Control Reform Act of 2018 (50 U.S.C. 4817).

31 C.F.R. § 800.215.  The nuances of each of these critical technologies should be carefully considered when engaging in a transaction involving foreign investors.

Sensitive Personal Data

The CFIUS also may review certain transactions involving U.S. businesses that maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. “Sensitive personal data” is defined to include ten categories of data maintained or collected by U.S. businesses that (i) target or tailor products or services to certain populations, including U.S. military members and employees of federal agencies with national security responsibilities, (ii) collect or maintain such data on at least one million individuals, or (iii) have a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. The categories of data include types of (1) financial (e.g., bank account statements, credit applications, payment history, credit reports, credit scores); (2) geolocation, (3) health data (similar to HIPPA’s definition of non-public health information), (4) e-mail communications, (5) chat or other similar communications, (6) biometrics, and (7) information regarding government contractors.  See 31 C.F.R. § 800.241.

While this may seem like an unreasonable burden, the administrative record includes policy statements that inject some degree of restraint into the definition of sensitive personal data.  84 FR 50177.  More specifically, the ancillary information published in the federal register provides the following:

Given that most companies collect some type of data on individuals, the proposed rule protects national security while attempting to minimize any chilling effect on beneficial foreign investment by focusing on the sensitivity of the data itself, as well as the sensitivity of the population about whom the data is maintained or collected. In particular, the proposed rule identifies specific categories of data that constitute sensitive personal data only if the U.S. business (a) targets or tailors its products or services to sensitive U.S. Government personnel or contractors, (b) maintains or collects such data on greater than one million individuals, or (c) has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. The proposed definition also includes all genetic information and generally carves out data pertaining to a U.S. business’s own employees.

Id. at 50177-78 (emphasis added).

It is also of note that the information collected does not qualify unless it includes “identifiable data.”  31 C.F.R. § 800.239.  Based on the administrative record, it is clear that regulators wanted businesses to use common sense in assessing whether data constituted “identifiable data” by including the following as part of the administrative record:

In some cases, a U.S. business may maintain or collect the data described in § 800.241(a)(1)(ii)(A)-(J), but it is not possible to attribute such data to any specific individual. For example, a U.S. business may store health records on its servers, but those records are encrypted such that only a third party in possession of the encryption key can read the data. The U.S. business in these circumstances would not be maintaining or collecting sensitive personal data. The proposed rule makes clear, however, that identifiable data is not limited to data that includes an individual’s name or other obvious identifier, but rather includes any personal identifier, as defined in § 800.239.

84 FR 50178 (emphasis added).  Thus, if the information is encrypted or otherwise anonymized, it will not qualify as identifiable dataSee 31 C.F.R. § 800.202 (“The term anonymized data means data from which all personal identifiers have been completely removed.”).

Mandatory Filings

Another significant change in the review regime is the introduction of mandatory filings for certain transactions. Historically, all filings made to the CFIUS were submitted on a voluntary basis. However, FIRRMA introduces, and the new regulations implement, the concept of mandatory filings. Despite this, the process remains mostly based on voluntary filings, with a relatively small number of transactions requiring a mandatory filing, namely, (i) a substantial foreign government investment in a TID U.S. business, or (ii) controlling or non-controlling investments in critical technologies within the scope of the CFIUS Pilot Program on critical technologies.

  • A substantial foreign government investment in a TID business. Under the new regulations, there is a substantial interest if a foreign person obtains 25 percent or more voting interest in the TID business, and a foreign government owns 49 percent or more of the foreign person. FIRRMA §1705(v)(IV)(bb)(AA); 31 CFR §800.244;
  • CFIUS Pilot Program on critical technologies of Nov. 10, 2018. Controlling or non-controlling investments in U.S. businesses that produce, design, test, manufacture, fabricate or develop one or more critical technologies in one of 27 identified industries – including aviation, defense, semiconductors, telecommunications and biotechnology – are subject to a mandatory filing with CFIUS. The final regulations, for now, will continue to use the same NAICS codes. However, the CFIUS announced that it will issue a notice of proposed rulemaking, perhaps moving away from an industry-based approach for these filing requirements in favor of “export control licensing requirements.” In the meantime, mandatory declarations must be filed 45 days before the close of a transaction.

For either mandatory or voluntary filings, FIRRMA has developed an abbreviated filing process through a declaration, allowing parties to submit basic information to the CFIUS.  FIRRMA §1706(v)(1). These provisions are expanded in the new, final regulations.  31 CFR §800.401.  The declarations should generally not exceed five pages in length, and it is likely that a form will be ultimately designed to increase the ease and usefulness of the process. Although declarations are intended to streamline the process by moving less complex transactions through the CFIUS review process with less administrative burden on the filing companies, filing a declaration may actually increase the processing time: the CFIUS has 30 days to render a decision on a mandatory declaration, but may at that time require a full notice, adding a full review cycle to reach a decision, thereby delaying the overall timing of a mergers and acquisition transaction. This may act as a significant deterrent to the use of this mechanism.

Penalties

FIRRMA directs the CFIUS to impose certain fees on parties who violate the CFIUS review process. Any person who submits a material misstatement or omission in a declaration or notice, or who makes certain other false statements, may be liable for a civil penalty of up to $250,000 per violation.  31 C.F.R. 800.901(a). Any person who fails to comply with the mandatory filing procedures may be liable for a civil penalty of up to $250,000 or the value of the transaction, whichever is greater.  31 C.F.R. 800.901(b).  Furthermore, any person who, after Dec. 22, 2018, intentionally or through gross negligence violates a material provision of a mitigation agreement entered into before Oct. 11, 2018, will also be liable for a civil penalty of up to $250,000 or the value of the transaction.  31 C.F.R. 800.901(c).  Further guidance on penalties is expected in new rules to come from the CFIUS.

Conclusion

FIRRMA and the recently enacted final regulations make a variety of sweeping changes to the CFIUS process that will certainly bring more transactions under the scope of CFIUS review.  These changes were implemented in response to increased national security concerns but were carefully crafted to avoid suppressing foreign direct investment in the United States.  Nevertheless, given the significant penalties associated with violations of CFIUS regulations, it is extremely important that all parties to investment transactions take steps to ensure compliance with CFIUS regulations.

 

Regulators at the CFTC, FinCEN, and SEC Issue a Joint Statement on Activities Involving Digital Assets

On October 11, 2019, the chairman of the U.S. Commodity Futures Trading Commission (“CFTC”), the director of the Financial Crimes  Enforcement Network (“FinCEN”), and the chairman of the U.S. Securities and Exchange Commission (“SEC”) issued a joint statement (the “Joint Statement”) to remind persons and entities engaged in activities involving digital assets of their Anti-Money Laundering Countering the Financing of Terrorism (“AML/CFT”) obligations under the Bank Secrecy Act (“BSA”).

The Joint Statement reminds market participants that the AML/CFT obligations apply to entities the BSA defines as “financial institutions,” such as future commission merchants and introducing brokers obligated to register with the CFTC, money services business as defined by FinCEN, and broker-dealers and mutual funds obligated to register with the SEC. Primarily amongst the AML/CFT obligations is the requirement to develop and implement an effective anti-money laundering program and record keeping and reporting requirements, including requirements for reporting suspicious activity.

The BSA, among other things, requires certain regulated entities, including financial institutions, to develop and implement AML compliance programs reasonably designed to assure and monitor compliance with the BSA and its implementing regulations. At a minimum, a regulated entity’s AML compliance program must include:

  • A system of internal controls to ensure ongoing compliance;
  • Independent testing of AML compliance;
  • Designation of an individual or individuals responsible for managing BSA compliance;
  • A comprehensive training program for appropriate personnel; and
  • A customer identification program.

In recent years, regulators have also made it clear that the AML compliance programs must be tailored to the products offered, customer demographics, and the transaction history. In sum, financial institutions must take a hard look at their individual characteristics and develop an AML program that is reasonably designed to prevent bank customers from using financial systems for illicit purposes. Given the growth of virtual currencies and potential risks associated with the use of virtual currency for illicit purposes, it should come as no surprise that regulators are increasingly focused on ensuring that regulated entities appropriately update their AML/CFT compliance programs to take the risks associated with virtual currency into account.

The Joint Statement makes clear that the regulation of virtual currencies and digital assets in the United States will continue to be developed and overseen by multiple regulatory agencies. To determine which agency’s regulations and obligations thereunder apply, one must look to the nature of the respective digital asset-related activities and the characteristics of the respective digital asset or virtual currency. The Joint Statement includes a warning that the label or terminology used by market participants to describe the respective activity or digital asset will not impact the specific regulatory treatment afforded such activity or asset.

In sum, digital assets present a number of regulatory challenges for covered persons and entities, which will need to develop specific, effective processes in order to satisfy their AML/BSA obligations. In light of these challenges, as well as heightened expectations of government stakeholders, covered persons and entities should review and update existing policies, procedures, and systems to ensure they have the necessary infrastructure to deal with the unique regulatory issues presented by digital assets and currency.

CVC Joint Policy Statement_508 FINAL_0

California Attorney General Releases Proposed CCPA Regulations

Earlier this month, California Attorney General (AG) Xavier Becerra released the draft regulations for the California Consumer Privacy Act (CCPA). The proposed rules, which set forth procedures for businesses covered under the CCPA to follow for compliance, should provide the framework for the final rules and give covered businesses a head start on updating their compliance policies. The rules can be found here.

CMS Proposes Revisions to Stark Law Aimed to Facilitate Value-Based Care

On October 9, 2019, the Centers for Medicare & Medicaid Services (CMS) of the Department of Health and Human Services (HHS) released its long-awaited Proposed Rule (Proposed Rule) updating and clarifying the physician self-referral (Stark Law) regulations, which was published in the Federal Register on October 17, 2019.

CMS’s Proposed Rule was released together with the HHS Office of Inspector General’s (OIG) proposed rule updating the anti-kickback statute and civil monetary penalty law regulations as part of HHS’s Regulatory Sprint to Coordinated Care, which aims to promote value-based care. HHS identified the regulations as they stand now as potential obstacles to value-based purchasing arrangements for providers and suppliers participating in federal health care programs and the commercial sector.  The proposals were launched following a series of HHS Requests for Information soliciting stakeholder feedback on (1) Stark Law burden reduction, (2) AKS and CMP refinements, and (3) reforms to the Health Insurance Portability and Accountability Act.

The proposed changes are delineated in a pair of rules issued by the Centers for Medicare and Medicaid Services (CMS) (proposed rulefact sheet) (Stark Law) and the Office of Inspector General (OIG) (proposed rulefact sheet) (AKS and CMP). The OIG rule also includes a new safe harbor for cybersecurity items, services, and modifications to the existing safe harbor for Electronic Health Records (EHRs).

While these proposed regulatory changes are expansive and relatively complicated, the overall direction of the changes to Stark, AKS, and CMP policies is to provide greater flexibility to providers engaging in value-based purchasing arrangements. The comment window extends through December 31, 2019. Given the potential impact of these proposed changes, there will likely be robust stakeholder feedback with finalization of the changes potentially coming sometime in the middle of 2020.