Insights

On March 23, 2026, the Federal Communications Commission (FCC) updated its Covered List—a list of communications equipment and services deemed to pose an unacceptable risk to U.S. national security or the safety and security of U.S. persons—to include consumer-grade routers produced in a foreign country, absent an exemption granted by the U.S. Departments of War (DoW) or Homeland Security (DHS). This designation effectively prohibits the import of all consumer routers that are not produced in the United States.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued six new general licenses, and updated a seventh that allow for many activities related to: the export of Venezuelan oil and petrochemical products from Venezuela; the exploration, development, and production of oil, gas, and petrochemical products in Venezuela; the generation, transmission, storage, or distribution of electricity in Venezuela; the export to Venezuela of U.S.-origin diluents; negotiating for investment in the oil, gas, petrochemical, and electricity sectors in Venezuela; and the export of Venezuelan gold.

On March 6, 2026, the White House released its National Cyber Strategy (Strategy) and issued an accompanying Executive Order, “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens” (EO). These documents outline the administration’s priorities for combating cybercrime and call for coordination across the federal government and the private sector to invest in new technologies, continue innovation, and prioritize the United States’ cyber capabilities. Key sectors of concern include energy, financial services, telecommunications, data centers, water, and health care. The Strategy and EO encourage increased public-private coordination, signal greater latitude for private sector offensive cyber operations, prioritize securing critical infrastructure, elevate cybercrime as a national security priority, outline a path for victim compensation, and promote streamlining cyber regulations.

On February 9, 2026, the U.S. Department of the Treasury’s (Treasury) Office of Investment Security (OIS) published a request for information (RFI) seeking public comments on how the Committee on Foreign Investment in the United States (CFIUS) might streamline its foreign investment review process, including through the Known Investor Program (KIP). The RFI requests feedback on (1) proposed eligibility criteria and a draft questionnaire for the KIP, including certain defined terms, and (2) other ways that CFIUS and transaction parties can streamline aspects of the foreign investment review process. Written comments are due March 18, 2026.

On December 18, 2025, the Fiscal Year 2026 National Defense Authorization Act (FY 2026 NDAA) (P.L. 119-60) was signed into law. The Act makes significant changes to defense acquisition, sourcing restrictions, and interactions between the Defense Industrial Base (DIB) and the Department of Defense (DOD). 

The United States, European Union, and United Kingdom have significantly escalated Russia-related sanctions the past month, including the Trump Administration’s first sanctions directly imposed on Russia. These coordinated actions—which particularly target the Russian energy sector—indicate that Russia sanctions remain on the geopolitical agenda and require multinational companies to remain vigilant in their compliance with those sanctions.

U.S. Government and private sector sources continue to report efforts by Democratic People’s Republic of Korea (DPRK) nationals to infiltrate companies around the world by posing as information technology (IT) professionals, in order to get hired by U.S. and other businesses and gain access to sensitive company systems. Crowdstrike, a U.S. cybersecurity company, has reported a 220% increase in the number of companies infiltrated by North Korean threat actors over the last 12 months. In particular, a DPRK-affiliated group known as “Famous Chollima” has leveraged artificial intelligence and deepfake technology to generate synthetic identities, as well as resumes and CVs, draft communications, and conduct job interviews. Enforcement actions brought by the U.S. Department of Justice identify victims in the cryptocurrency sector, including decentralized finance (“DeFi”) projects. In addition, media reports indicate that North Korean hackers are purportedly offering fake job offers targeting employees in the cryptocurrency sector, with the goal of stealing crypto.

On July 28, 2025, Cadence Design Systems Inc. (“Cadence” or “the Company”), a global electronic design automation (“EDA”) technology company based in San Jose, California, agreed to plead guilty in a settlement with the U.S. Department of Justice’s National Security Division (“NSD”) and the U.S. Attorney’s Office for the Northern District of California. Through its guilty plea, Cadence agreed to resolve charges that it committed criminal violations of export controls by selling EDA hardware, software, and semiconductor design intellectual property (“IP”) technology to the National University of Defense Technology (“NUDT”), a Chinese military university on the U.S. Entity List since 2015 due to its involvement in military and nuclear simulation activities. In addition, Cadence simultaneously resolved a civil enforcement action brought by the U.S. Department of Commerce, Bureau of Industry and Security (“BIS”) related to the same underlying conduct.

Historically, SEC-registered investment advisers have not been subject to comprehensive AML regulation under the Bank Secrecy Act (“BSA”) unless they also qualify as a broker-dealer or other BSA-regulated financial institution. Notwithstanding the absence of a formal requirement to date, many SEC-registered investment advisers have voluntarily adopted AML programs in line with industry expectations and investor demands. However, on August 28, 2024, FinCEN issued its Final Rule, establishing anti-money laundering/countering the financing of terrorism (“AML/CFT”) requirements for Covered Advisers similar to those that apply to broker-dealers. The Final Rule, which was scheduled to take effect on January 1, 2026, required Covered Advisers to maintain written AML programs, perform customer due diligence, file Suspicious Activity Reports (“SARs”) and other reports required of BSA-regulated financial institutions, and retain standard AML records.  

 

The Inflation Reduction Act (“IRA”) and Infrastructure Investment and Jobs Act (“IIJA”) appropriated hundreds of billions of dollars in grants, loans, and other funding to facilitate clean energy and infrastructure deployment, advance Environmental Justice policy objectives, and address climate change concerns. While many companies, non-profits, and other recipients have reaped the benefits of those programs, they may also now be exposed to increased risks from Congressional investigations; enforcement actions; inspector general reviews; terminations for alleged waste, fraud, and abuse; and in extreme instances, potential exposure to criminal liability.

Since December of last year, the status of the CTA has been in a state of perpetual flux, following a dizzying series of federal court rulings and FinCEN announcements. On February 28, 2025, we reported that FinCEN paused enforcement actions for entities required to report under the CTA’s Beneficial Ownership Information Reporting Rule (BOI Rule) until FinCEN issued an interim final rule providing new guidance regarding the BOI Rule’s requirements and associated deadlines. Then, on March 2, 2025, Treasury went a step further, indicating that it would altogether cease enforcement against U.S. citizens and domestic reporting companies for violations of the BOI Rule, explaining that it would instead issue proposed rulemaking to narrow the scope of the BOI Rule to “foreign reporting companies” only and set new reporting deadlines. 

On February 28, 2025, we reported that the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) paused enforcement actions for entities required to report under the CTA’s BOI Rule (Reporting Companies) for failure to file or update beneficial ownership information (BOI) reports by a previously-announced March 21, 2025, deadline. FinCEN had explained that the pause would last until it issued an interim final rule further updating reporting deadlines and providing new guidance around the BOI Rule’s requirements.

We previously reported that the Corporate Transparency Act’s Beneficial Ownership Information Reporting Rule (BOI Rule) was back in effect as of February 18, 2025, with a stay of the final nationwide block to enforcement. At that time, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) extended the BOI Rule’s reporting deadline until March 21, 2025 (in cases where the originally-applicable deadline had expired) for entities required to report, which includes certain entities formed or registered to do business in the United States (Reporting Companies). 

On February 21, 2025, President Trump issued a National Security Policy Memorandum (“NSPM”) announcing the Administration’s “America First Investment Policy” (the “Investment Policy”)[1] affirming the United States’ commitment to open investment while safeguarding national security. Aimed at promoting investment in the United States from allied countries while imposing stricter measures on both inbound and outbound investments from “foreign adversaries,” the Investment Policy incentivizes foreign investment in the United States by announcing a “fast track” process “to facilitate greater investment from specified allied and partner sources in United States businesses involved with United States advanced technology and other important areas.” The NSPM defines “foreign adversaries” to include the People’s Republic of China (the “PRC” or “China”), including Hong Kong and Macau, Cuba, Iran, North Korea, Russia, and the Maduro regime in Venezuela.[2]

On February 18, 2025, a District Court judge in the Eastern District of Texas entered an order staying the last remaining nationwide injunction of the CTA’s Beneficial Ownership Information Reporting Rule (BOI Rule) in Smith v. U.S. Dep’t of the Treasury.  The BOI Rule requires certain entities formed or registered to do business in the U.S. (Reporting Companies) to report information about themselves and their natural-person beneficial owners to the Financial Crimes Enforcement Network (FinCEN), a bureau of the Treasury Department.  Following the court’s order, FinCEN issued an alert notifying Reporting Companies that the BOI Rule is back in effect with an amended deadline of March 21, 2025.

As we have previously reported, enforcement of the Corporate Transparency Act’s (the CTA) Beneficial Ownership Information Reporting rule (the BOI Rule) remains blocked nationwide as the result of an order from the U.S. District Court for the Eastern District of Texas in Smith v. U.S. Dep’t of the Treasury. On January 7, 2025, the Smith court granted a motion for preliminary injunction enjoining enforcement of the CTA against the named plaintiffs and their related entities, while also issuing a nationwide stay of the effective date of the BOI Rule. This occurred before the Supreme Court stayed a separate nationwide injunction of the CTA and stay of the BOI Rule in Texas Top Cop Shop v. McHenry.

On January 23, 2025, the U.S. Supreme Court granted the Government’s application for a stay of an injunction issued by the U.S. District Court for the Eastern District of Texas in Texas Top Cop Shop. The injunction had blocked enforcement of the CTA and implementation of the related BOI Rule, which required certain entities formed or registered to do business in the U.S. (Reporting Companies) to report information about themselves and their natural-person beneficial owners to the Financial Crimes Enforcement Network (FinCEN), a bureau of the Treasury Department. The Supreme Court stayed the Texas Top Cop Shop injunction “pending the disposition of the [Government’s] appeal in the United States Court of Appeals for the Fifth Circuit and disposition of a petition for a writ of certiorari.” For more information on the events leading up to the Supreme Court’s review and decision to stay the injunction, please see our prior alerts here, here, and here.

As described in our prior client alert, on December 3, 2024, the U.S. District Court for the Eastern District of Texas issued an opinion and order  enjoining the federal government from enforcing the CTA and a rule implementing it.  The rule (BOI Rule) requires certain entities formed or registered to do business in the U.S. (Reporting Companies) to report information about themselves and their natural-person beneficial owners to the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury that administers anti-money laundering laws.  Then, on December 13, 2024, DOJ filed an “Emergency Motion for Stay Pending Appeal” in the Fifth Circuit asking that court to stay the District Court’s injunction pending appeal, or, in the alternative, to narrow the District Court’s injunction to members of the National Federation of Independent Business.

As we discussed in our recent client alert, the U.S. District Court for the Eastern District of Texas issued an opinion and order on December 3, 2024, ("the Order") enjoining the federal government from enforcing the CTA and a rule implementing it. The rule requires certain entities formed or registered to do business in the U.S. ("reporting companies") to report information about themselves and their beneficial owners to the Financial Crimes Enforcement Network ("FinCEN"), a bureau of the U.S. Department of the Treasury.