Katten's Privacy, Data and Cybersecurity Quick Clicks is a monthly newsletter highlighting the latest news and legal developments involving privacy, data and cybersecurity issues across the globe.



DORA Compliance: Navigating the Latest Developments

By Nathaniel Lalone and Ciara McBrien

On March 24, two developments relating to the implementation of the EU Digital Operational Resilience Act (DORA) took place: (i) the European Commission (Commission) adopted a Delegated Regulation supplementing DORA with regard to regulatory technical standards (RTS) on the subcontracting of information and communication technology (ICT) services that support critical or important functions (Subcontracting RTS); and (ii) the Delegated Regulation supplementing DORA regarding the RTS to specify the criteria for determining the composition of the joint examination team (JET RTS) was published in the Official Journal of the European Union (OJEU). In addition, on March 27, the Commission published a press release setting out its decision to open infringement procedures against certain EU member states for failing to fully transpose the Directive on DORA (DORA Directive) into their national law. Read more about Subcontracting RTS, JET RTS and member states that have failed to fully transpose the DORA Directive.


The More You Know Can Hurt You: Court Rules Financial Institutions Need 'Actual Knowledge' of Mismatches for ACH Scam Liability

By Eric Hail, Eric Werlinger and Christopher Vazquez

On March 26, the US Court of Appeals for the Fourth Circuit issued a decision that has important ramifications for banks and credit unions that process millions of Automated Clearing House (ACH) and Electronic Funds Transfer (EFT) transactions daily, some of which are fraudulent or "phishing scams." In Studco Building Systems US, LLC v. 1st Advantage Federal Credit Union, No. 23-1148, 2025 WL 907858 (4th Cir. amended Apr. 2, 2025), the Fourth Circuit held that financial institutions typically have no duty to investigate name and account number mismatches — commonly referred to as "misdescription of beneficiary." The financial institution will only face potential liability for the fraudulent transfer if it has "actual knowledge" that the name and the account number do not match the account into which funds are to be deposited. Read more about how phishing scams can result in misdirected electronic transfers.


SEC Issues Crypto Securities Disclosure Statement as IRS DeFi Broker Rule Repealed

By Daniel Davis and Alexander Kim

On April 10, the Securities and Exchange Commission (SEC) Division of Corporation Finance issued a new statement about SEC staff’s experience with SEC disclosure requirements for crypto-related offerings that qualify as securities. The statement distinguishes between tokens that are themselves securities, those sold as part of investment contracts, and those falling completely outside SEC jurisdiction, but does not purport to give guidance on the application of the Howey (SEC v. W. J. Howey Co.) test. This statement follows the SEC’s recent statements on memecoins, proof-of-work mining and stablecoins, continuing the SEC’s efforts to provide incremental clarity on the regulation and classification of digital assets. Separately, President Donald Trump eliminated the controversial Internal Revenue Service (IRS) digital asset broker reporting rule, which would have required decentralized finance (DeFi) platforms (including front-ends) to collect and report taxpayer information like traditional brokers, despite their fundamental technological differences. Read more about the SEC’s recommendations on disclosure practices for crypto-related securities and President Trump’s signed legislation.


Financial Industry Concerns Cause FCC to Delay Implementation of Broad Consent Revocation Requirement under TCPA

By Ted Huffman

On April 11, a controversial new rule by the Federal Communications Commission (FCC) was set to take effect to modify consent revocation requirements under the Telephone Consumer Protection Act (TCPA). But not every one of the rule’s mandates, as codified at 47 CFR § 64.1200(a)(10), went into effect on that date. Just four days before, the FCC issued an Order delaying the rule’s requirement that callers must “treat a request to revoke consent made by a called party in response to one type of message as applicable to all future robocalls and robotexts . . . on unrelated matters.” The plain language of the rule states that consumers may use “any reasonable method” to revoke consent to autodialed or prerecorded calls and texts, and that such requests must be honored “within a reasonable time not to exceed ten business days.” The rule also delineates certain “per se” reasonable methods by which consumers may revoke consent. Read more about the banking industry’s concerns regarding the rule.