US Corporate Governance — 2025 Midyear Review

From AI and cybersecurity to ESG and federal enforcement actions, we outline the major developments from the first half of the year

Welcome to our midyear review of the latest US corporate governance trends. We start with an assessment of the latest enforcement actions, priorities, and rulemaking at the federal level relating to fraud, white-collar crime and anti-money laundering procedures. We then turn our attention to developments in Delaware corporate law and updates in the cybersecurity and artificial intelligence fields before ending with a discussion of ESG investing regulation and its uncertain future.

Federal enforcement actions, priorities and rulemaking

FinCEN dramatically scales back the Corporate Transparency Act

The Financial Crimes Enforcement Network (FinCEN) issued an interim final rule in March 2025 that removes requirements for US companies to report beneficial ownership information under the Corporate Transparency Act (CTA). The rule only requires non-exempt foreign-formed entities doing business in the US or a Tribal jurisdiction, not domestic entities, to so report. Further, the rule no longer requires those entities to report US persons as beneficial owners.

Previously issued regulations had required domestic- and foreign-organized entities to report their beneficial owners in an effort to increase transparency, reduce corruption, and strengthen the US anti-money laundering/countering the financing of terrorism framework. These rules were subject to several court challenges and were stayed and upheld in a whirlwind of reversing decisions. They were reinstated in February 2025, and in March FinCEN announced they would not be enforced pending publication of the final interim rule. Most recently, the Eastern District of Texas held a challenge to the CTA in abeyance pending the resolution of FinCEN's rulemaking.

FinCEN accepted comments on the new rule until late May and intends to finalize it later this year.

The Securities and Exchange Commission withdraws 14 proposed rules

On June 12, 2025, the Securities and Exchange Comission (SEC) withdrew 14 notices of proposed rulemaking, stating that it does not intend to issue final rules related to these proposals. The proposed rules concern topics including shareholder proposals; cybersecurity; environmental, social, and governance disclosures; and more.

The SEC stated that if it decides to issue rules on these topics, it will publish new proposed rules as required under the Administrative Procedure Act.

Supreme Court affirms fraudulent inducement theory in federal wire fraud prosecutions

This spring, the Supreme Court interpreted the federal wire fraud statute, 18 U.S.C. Section 1343, as embracing the "fraudulent inducement theory" of wire fraud, thereby resolving a circuit split on the issue. In Kousisis v. United States,² the Court expanded potential liability under this statute by concluding that the government need only prove that a defendant induced a victim to enter a transaction under materially false pretenses to be culpable; it need not prove that they intended or caused "economic loss."

The defendant-petitioners in Kousisis had promised to subcontract $6.4 million to a "disadvantaged business enterprise" when bidding for a contract from the Pennsylvania Department of Transportation (PennDOT). Once winning the contract, they performed the work but only paid the qualifying enterprise $170,000. The petitioners argued that because their lie did not cause PennDOT economic loss, it did not meet the statutory requirement that the victim be deprived of "money or property." The Supreme Court rejected this argument, holding that the act of making false representations to obtain PennDOT's money is what constituted fraud.

Although the Court noted that its decision was limited given that materiality (a necessary element under the wire fraud statute) is essential to distinguish "everyday misstatements from actionable fraud," participants in interstate commerce should remain cautious since materiality is a matter of fact that is left to a jury to decide.

Read more

DOJ announces white-collar enforcement priorities and revised corporate enforcement and voluntary self-disclosure policy

In mid-May, the Department of Justice (DOJ) released guidance that sheds light on the DOJ's white-collar enforcement agenda and approach to offering lenience and reduced criminal fines to companies under investigation.

Through revised policies and department guidance, the DOJ, under the Trump administration's leadership, identified 10 areas of business crimes that it is most interested in. The agency also encouraged prosecutors to make more expeditious charging decisions, and evinced a desire for target companies to "fully cooperate" with the DOJ's investigations. The DOJ articulated a focus on enforcing the Foreign Corrupt Practices Act (FCPA) insofar as offenses "impact US national interests, undermine US national security, harm the competitiveness of US businesses, and enrich foreign corrupt officials." This focus contrasts with an executive order President Trump signed in February calling to limit FCPA enforcement, and previewed FCPA enforcement priorities that were later announced in June (described below).

While the guidance offers clarity on the DOJ's white-collar enforcement agenda, it remains unclear what degree of cooperation will constitute "full cooperation" sufficient to trigger the greatest DOJ leniency. Further, non-US companies subject to foreign law restrictions on sharing sensitive data must balance these obligations with any efforts to cooperate with the DOJ.

Read more

DOJ resumes FCPA enforcement with new guidelines

President Trump issued an executive order three weeks into his current term pausing enforcement under the FCPA and directing Attorney General Pam Bondi to review and update guidelines and policies concerning investigations and enforcement under the FCPA. This approach threatened to upend a nearly 50-year history of anti-bribery enforcement.

Since the order was issued, Attorney General Bondi signaled a shift away from corporate prosecution and toward immigration enforcement and the elimination of cartels and transnational criminal organizations (TCOs). She also directed the disbandment of kleptocracy programs aimed at enforcing Russian sanctions and combating foreign influence in US politics, and eliminated the Corporate Enforcement Unit.

In June, the DOJ announced that it would resume FCPA enforcement. Largely echoing its previously issued white-collar priorities (described above), a memorandum issued by Deputy Attorney General Todd Blanche announced a focus on "the vindication of US interests." DOJ prosecutors must now consider four "non-exhaustive" factors before initiating an FCPA investigation: (i) whether US entities have opportunities to compete for international business; (ii) whether US national security interests in "critical minerals, deep-water ports, or other key infrastructure or assets" are implicated or foreign officials are bribed to secure contracts; (iii) the degree of the misconduct; and (iv) whether the misconduct facilitates criminal operations of a cartel or TCO.

The DOJ still expects domestic regulators such as the SEC to enforce the FCPA, even if the department itself lacks criminal interest under the memorandum.

Read more

SEC announces two charges for anti-money laundering violations

The SEC's prioritization of compliance with anti-money laundering (AML) procedures began taking shape in early January, as evidenced by enforcement actions the SEC brought against an investment adviser and a broker-dealer/investment adviser.

First, the SEC charged the investment adviser with violations of Section 206(4) and Rule 206(4)-8 of the Investment Advisers Act for making false representations that it was voluntarily conducting AML due diligence on prospective and existing advisers yet failing to conduct such due diligence until after an investor was sanctioned. Second, the SEC charged the broker-dealer and investment adviser with violating Section 17(a) and Rule 17a-8 of the Securities Exchange Act of 1934 by failing to comply with the Bank Secrecy Act's AML requirements. The SEC alleged that it did not maintain a proper Customer Identification Program and, despite a policy against doing business with higher-risk accounts, failed to close such accounts, including those related to cannabis.

Both companies paid civil penalties to settle the charges against them; the first paid $150,000, while the second paid $18 million.

Read more

Delaware law developments

Delaware Supreme Court to decide questions regarding constitutionality of Delaware Corporate Governance Law amendments

In June, the Delaware Supreme Court accepted two certified questions from the Delaware Court of Chancery concerning the constitutionality of Senate Bill 21, which amended Delaware Corporate Governance Law (DCGL) Section 144, effective March 25, 2025.

Senate Bill 21 added "safe harbor provisions" to DCGL Section 144 that, if satisfied, protect directors, officers, and controlling shareholders from liability. Under new Sections 144(a)-(b), which apply to interested-party transactions other than those where a controlling stockholder takes the corporation private, if a committee of disinterested directors approves the transaction or a majority of voting shareholders vote to approve or ratify it, the parties are protected from liability. This is a stark change from prior Delaware law as defined under In re Match Group, Inc. Derivative Litigation and Kahn v. M&F Worldwide Corp. that only protected interested parties from the rigorous "entire fairness" standard of review where an independent committee and disinterested shareholders approved a transaction prior to its occurrence. Both prongs are still required for going-private transactions under new Section 144(c).

Under the amendments, when the "safe harbor" provisions are satisfied, a Delaware court cannot grant equitable relief or damages. Thus, the first certified question raised in Rutledge v. Clearway Energy Group LLC, et al. is whether the "safe harbor" provisions violate the Delaware Constitution by divesting the court of its equitable jurisdiction.²

Further, Section 3 of Senate Bill 21 makes the "safe harbor" provisions applicable to acts or transactions that occurred prior to its enactment. This section gave rise to the second certified question in Rutledge, whether this application violates the Delaware Constitution by purporting to "eliminate causes of action that had already accrued or vested."

Rutledge is a derivative action that challenged an asset-purchase transaction between a corporation and its majority stockholders. An independent committee had approved the transaction, but the stockholders had not voted. Several other Court of Chancery cases have been stayed pending the justices' answers to the certified questions.

Delaware Chancery Court dismisses Caremark claim based on SEC comment letters

In May 2025, the Delaware Chancery Court dismissed a Caremark³ claim in In re Plug Power Inc. Stockholder Derivative Litigation, holding that a series of SEC comment letters issued to Plug Power Inc. (Plug Power) between 2018 and 2021 covering many issues, including concerns related to the use and presentation of non-GAAP financial metrics, revenue recognition practices, and lease accounting, did not support a viable claim for breach of fiduciary duty.

The plaintiffs argued that, based on the SEC comment letters, Plug Power's board — particularly its Audit Committee — (i) failed to implement a board-level system for monitoring regulatory risk and (ii) disregarded repeated indications that Plug Power's financial reporting was under regulatory scrutiny given the SEC comment letters.

The court found the plaintiffs failed to meet either prong of the Caremark standard, which requires a showing that (i) "the directors utterly failed to implement any reporting or information system or controls," or (ii) "having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention."

It held the SEC comment letters, on their own, do not mandate a stand-alone compliance system beyond typical audit committee oversight. Delaware law affords boards wide latitude in designing internal controls, and the court found no basis to infer bad faith or a wholesale failure of oversight.

The court also concluded that the plaintiffs had not adequately alleged that the board knowingly disregarded compliance concerns or that any company harm was causally linked to the alleged oversight failure. As a result, the Caremark claim based on the SEC comment letters was dismissed in full.

Delaware Supreme Court reverses Chancery Court decision relating to standard of review for reincorporation

In February 2025, in Maffei v. Palkon,⁴ the Delaware Supreme Court reversed the Court of Chancery's decision regarding the standard of review applicable to the decisions of the boards of directors of Tripadvisor, Inc. (Tripadvisor) and Liberty TripAdvisor Holdings, Inc. (Liberty TripAdvisor) to change their corporate domiciles from Delaware to Nevada.

The plaintiffs, stockholders of Tripadvisor and Liberty TripAdvisor, argued that because the boards of directors and controllers would receive a higher level of protection against liability from future litigation under Nevada law than under Delaware law, the move gave the defendants a non-ratable benefit and the entire fairness standard should apply.⁵ The Court of Chancery agreed.

However, on interlocutory appeal, the Delaware Supreme Court reversed. It held that providing protection to directors against future liability exposure does not automatically convey a non-ratable benefit and concluded that temporality is critical to determining whether a non-ratable benefit is material. As a result, absent an allegation that a particular litigation claim would be impaired by a proposed change in domicile, the hypothetical and contingent impact of Nevada law on a corporate action that may or may not occur in the future was too speculative to constitute a material non-ratable benefit. Therefore, the Delaware Supreme Court held that business judgment review is the appropriate standard of review.

Relatedly, on May 30, 2025, Nevada Governor Joe Lombardo signed Assembly Bill 239, amending several chapters of Nevada's corporate statutes. Among other changes, the amendments allow Nevada corporations to include in their governing documents provisions that (i) waive jury trials and mandate bench trials with respect to certain internal actions, and (ii) define the fiduciary duties of controlling stockholders.

The amendments also provide a presumption against a fiduciary duty breach by controlling stockholders with respect to transactions between the corporation and the controlling stockholder, so long as the transaction was approved by either a committee of disinterested directors or the board of directors relying upon such a committee.

The Nevada amendments also limit the extent to which a controlling stockholder can be held individually liable for damages as a result of an act or failure in their capacity as a stockholder. This provides stockholders with protections similar to what directors and officers receive under Nevada's business judgment rule.

Cybersecurity

The California Privacy Protection Agency announces its first enforcement settlement against Honda

Following an investigation into vehicles equipped to capture personal information such as geolocation or driving behavior, the California Privacy Protection Agency announced its first settlement under the California Consumer Privacy Act (CCPA).

The settlement, with American Honda Motor Co. Inc. (Honda), found four violations of the CCPA: (1) requiring consumers to submit more personal information than was necessary for Honda to provide options for consumers to opt out of or limit the use and sale of their data; (2) requiring consumers to directly opt out or limit use of their personal information instead of permitting them to use an authorized third party to do so; (3) improperly making it more difficult — by only one click — to opt out of advertising cookies than to opt in; and (4) failing to produce contracts that Honda was required to have with third parties to whom it sold consumers' personal information.

Honda paid a fine of $632,000. The settlement amount was calculated in a manner that indicates that penalties under the CCPA may be based not on the number of violations but on the number of affected consumers. This would mean that multiple infractions against the same consumer would not necessarily increase the penalty.

Read more

Privacy regulators target the location data industry

In March, California Attorney General Rob Bonta announced an "investigative sweep" into how mobile app providers, advertising networks, and data brokers are using and collecting consumer location data. The announcement noted that under the CCPA, "precise geolocation" — data that places an individual within an 1,850-foot radius — is considered "sensitive personal information," over which consumers have more control under the CCPA.

The sweep came as the California legislature began considering a bill that would strengthen protections of consumer location data even further. This bill would define "location information" more broadly than the CCPA's definition of "precise geolocation" and would, among other measures, impose an outright ban on selling or disclosing such information to third parties unless necessary to provide the requested goods and services.

Read more

NYDFS updates regulated firms on upcoming cyber requirements

On May 1, 2025, new requirements under the New York Department of Financial Services' (DFS) cybersecurity regulation, 23 NYCRR Part 500 (Part 500), took effect. In addition to requiring covered entities — generally banks, insurance companies, and other financial firms — to submit annual compliance updates, financial firms of a certain scale will now have to take increased precautions with regard to access privileges, conduct system scans to assess vulnerabilities, and implement controls to protect against malicious code.

Part 500 further differentiates "Class A" entities, those above a threshold gross annual revenue and/or number of employees, and requires them to implement an endpoint detection response solution and a centralized logging and security event solution for their online systems.

Read more

Third Circuit chides SEC for terse refusal to engage in crypto rulemaking

At the start of this year, a unanimous panel of the US Court of Appeals for the Third Circuit held that the SEC violated the Administrative Procedure Act when it issued a one-paragraph order denying a petition that sought new rules to address when and how cryptocurrencies qualify as securities subject to existing securities laws. The Third Circuit concluded that this short, generalized order was arbitrary and capricious, and remanded to the SEC for a more reasoned explanation of its refusal.⁶

The case originated when Coinbase, a trading platform for digital asset exchanges, brought the petition in 2022, in reaction to prior SEC statements saying that federal securities laws apply to digital assets. Coinbase sought tailored rules for digital assets because, it argued, existing securities laws were "fundamentally incompatible" with "the operation of digital asset securities."

Coinbase reiterated this point in one of its arguments for why the SEC's denial of its petition should be rejected by the Third Circuit. The court credited concerns about the differences between traditional and digital assets as "not frivolous," but rejected them as a basis to overturn the SEC's denial. Instead it rooted its decision in the fact that the SEC's rejection failed to adequately address these concerns, was insufficiently reasoned, failed to explain other regulatory efforts it was prioritizing or detail why it was pursuing regulation through incremental enforcement actions rather than comprehensive rulemaking.

Judge Stephanos Bibas, who joined the majority in full, also wrote his own concurrence to raise constitutional issues of due process.⁷ He took issue with the SEC's chosen path of proceeding with "ex post enforcement without announcing ex ante rules or guidance" because it deprives cryptocurrency companies of constitutional fair notice. While, under Chenery II,⁸ federal agencies have discretion to choose between rulemaking and adjudication when effecting policy change, Judge Bibas' opinion suggests that when the regulatory landscape is uncertain, this choice may be limited by due process concerns.

Relatedly, on May 12, 2025, at a roundtable on tokenization, SEC Chairman Paul Atkins announced that he was prioritizing developing a "rational regulatory framework for crypto assets" that covers issuance, custody, and trading. The SEC's Crypto Task Force is developing that framework. Further, the deputy attorney general issued a memo stating that the DOJ would stop prosecuting digital asset participants for regulatory violations, particularly unwitting violations of the Bank Secrecy Act and Commodity Exchange Act, and would focus instead on actions involving cartels, TCOs, and terrorist organizations.

Read more

Artificial intelligence

In early January, the US Patent and Trademark Office (USPTO) launched an Artificial Intelligence Strategy (AI Strategy) that outlines five goals for how the office planned to address new challenges and goals in an increasingly AI-focused world:

1. promote inclusive innovation and development, particularly by increasing participation in STEM by historically underrepresented and under-resourced communities;
2. build best-in-class AI capabilities by improving data and research programs, including leveraging AI to enable USPTO examiners to identify documents pertinent to an application's patentability;
3. promote responsible use of AI and facilitate transparent stakeholder communication;
4. develop AI expertise within the USPTO workforce; and
5. collaborate with other US agencies, international partners, and the public on AI priorities and AI's impact on the global intellectual property system.

Soon after taking office, the Trump administration rescinded the above-described AI strategy via executive order, as the administration is now focused on a policy of "global AI dominance." The USPTO has not yet issued a revised strategy responsive to that goal, but anticipates publishing a plan at some point.

ESG

SEC abandons climate-related disclosure litigation — What next?

The SEC will no longer defend its March 6, 2024, rules requiring companies to disclose climate-related risks and greenhouse gas emissions, as stated in the March 27, 2025, letter it submitted to the US Court of Appeals for the Eighth Circuit in the case of State of Iowa, et al. v. SEC.⁹

In State of Iowa, petitioners challenged the SEC's rules as exceeding the SEC's powers under the Securities Exchange Act of 1934 because climate-related disclosures are not "material" to investor decision-making. They also argued that the SEC's explanation for why existing regulations are insufficient to obtain climate-related financial disclosures was arbitrary and capricious.

In April 2024, 18 states and the District of Columbia intervened to defend the SEC's rules. This April, the court granted the intervenor's motion to hold the case in abeyance. The court directed the SEC to report within 90 days whether or not it would review or reconsider the climate rules and why, and, if the agency decides not to take any action, to report on whether it will adhere to the rule if the petition for review is denied.

The future of the rules remains uncertain. The SEC had previously voluntarily stayed implementation pending the outcome of the Eighth Circuit litigation, which is now also paused. As in the SEC's letter to the Eighth Circuit, SEC Commissioner Mark T. Uyeda more recently indicated that the Commission will neither defend the rules nor rescind them. If the SEC later decides to repeal the rules, it must comply with the Administrative Procedure Act. In the meantime, public companies should continue to draft compliance plans that balance various approaches to climate disclosure under U.S. state law and adhere to applicable non-US requirements.

Read more

Footnotes

1 145 S.Ct. 1382 (2025).

2 C.A. No. 2025-0499-LWW (Del. Ch. June 6, 2025) (granting plaintiff's motion to certify questions to the Delaware Supreme Court), Rutledge v. Clearway Energy Group LLC, et al., No. 248, 2024 (Del. June 11, 2025) (accepting certified questions).

3 In re Caremark Int'l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996).

4 Maffei v. Palkon, No. 125, 2024 (Del. Feb. 4, 2025).

5 A non-ratable benefit is a unique benefit given to a controlling shareholder, apart from payment that minority shareholders receive.

6 Coinbase, Inc. v. SEC, No. 23-3202, 2025 WL 78330 (3d Cir. Jan. 13, 2025) (J. Ambro).

7 Id. at *20-29 (3d Cir. Jan. 13, 2025) (J. Bibas, concurring).

8 SEC v. Chenery Corp. (Chenery II), 332 U.S. 194, 202-03 (1947).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.