Photo of Evan Abrams

Evan Abrams counsels multinational corporations, financial institutions, and individuals on various international regulatory and compliance matters. He assists foreign and domestic companies in navigating national security reviews by the Committee on Foreign Investment in the United States (CFIUS). He has represented companies in industries including semiconductors, metals, and digital security. Evan’s anti-money laundering (AML) practice focuses on helping financial institutions comply with federal and state AML rules, particularly money transmitters and entities involved in creating, exchanging, or dealing in cryptocurrencies and tokens. Evan counsels clients in a variety of export controls and sanctions matters related to the Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), and various sanctions programs under US and international law. In addition, Evan routinely assists clients on anti-corruption investigations and enforcement actions.

Read Evan's full bio.

On March 1, 2024, the federal district court in the Northern District of Alabama declared in the case of National Small Business United v. Yellen that the Corporate Transparency Act (“CTA”) exceeds the Constitution’s limits on Congress’s power. The court enjoined the Department of the Treasury and Financial Crimes Enforcement Network (“FinCEN”) – the agency responsible for implementing the CTA – from enforcing the CTA against the plaintiffs in this case. While the ruling enjoins enforcement only against the plaintiffs in the specific case, the rationale used by the court is a broad rejection of the constitutionality of the statute, rather than a more tailored “as applied” rationale. Following the ruling, FinCEN issued a statement clarifying it will only cease enforcement with respect to the specific plaintiffs in the case, rather than with respect to all reporting companies. Those plaintiffs include Isaac Winkles, reporting companies for which Isaac Winkles is the beneficial owner or applicant, the National Small Business Association (“NSBA”), and members of the NSBA as of March 1, 2024 (collectively, the “Plaintiffs”). As of now, the CTA and its beneficial ownership information (“BOI”) reporting requirements remain in effect for all other entities that are required to report BOI to FinCEN under the CTA.Continue Reading Federal Court Finds Corporate Transparency Act Unconstitutional: Navigating Implications for Reporting Companies

On February 28, 2024, the Biden administration announced the creation of a new national security regulatory regime that will prohibit or restrict certain transactions involving bulk sensitive US personal data or government-related data and specified “countries of concern.” The Biden administration announced the regime in a new executive order, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO 14117), which was accompanied by an advance notice of proposed rulemaking (ANPRM) issued by the National Security Division (NSD) of the Department of Justice (DOJ), the component and agency with primary responsibility for implementing and enforcing the forthcoming regulations. The White House and DOJ also published fact sheets regarding the new regime.

Executive branch officials and members of Congress have long been concerned about the lack of a national security regulatory regime covering the transfer of sensitive US personal data to countries of concern, particularly China. As explained in EO 14117, such data has the potential to be used for a variety of nefarious purposes, including surveillance, extortion, and influence campaigns targeting US government employees and members of the US military, among others. The order highlights that such risks have become more acute due to the rapid advancement of artificial intelligence (AI) and its ability to analyze and manipulate data sets. Bulk sensitive personal data can also be used in the creation and refinement of AI models and other advanced technologies.

According to the White House, the EO is “the most significant executive action any President has ever taken to protect Americans’ data security.”

The public may submit comments on the ANPRM through April 19, 2024 and will likely have an additional opportunity to comment on the language contained in a proposed rule, once issued.

Although intended to be tailored in its scope, our initial assessment is that the new regulatory scheme, once fully implemented, will likely have a profound impact on a number of industries and entities around the world. At a minimum, it seems certain that regulatory compliance costs could be substantial, particularly on entities that have not previously focused on building out a risk-based compliance program in this or other related areas.Continue Reading Biden Administration to Implement New National Security Rules Targeting Personal Data

In a first of its kind action, the US Department of Commerce has begun a rulemaking process to prohibit or impose conditions on certain transactions involving foreign technology used in so-called “connected vehicles” or “CVs,” as defined below for automotive applications.

The measure, announced by Commerce on February 29, 2024 in a press release and an advanced notice of proposed rulemaking (ANPRM), is Commerce’s first attempt to cover a class of transactions under the Department’s Information and Communications Technology and Services (ICTS) rules.

The ICTS rules, contained at 15 CFR Part 7, were first issued in 2021, but Commerce has not yet implemented or used the rules to cover a particular class of transactions. However, Commerce recently created a new Office of Information and Communications Technology and Services (OICTS) within the Bureau of Industry and Security (BIS) and appointed the first ever director of that office (see additional detail here). Those measures, coupled with the ANPRM on CVs, suggest that Commerce has ramped up its efforts in this area and is becoming increasingly active in its use of the ICTS rules. It is all but certain that the ANPRM on CVs is just the first example of industries to be targeted, and we expect to see similar efforts in relation to other high-priority industries going forward.

Comments on the ANPRM are due by April 30, 2024. Commerce will likely publish a proposed rule after reviewing public comments on the ANPRM and provide an additional opportunity to comment on the proposed rule at that time.Continue Reading In First of Its Kind Action, Commerce Moves to Regulate Foreign Tech in Vehicles

On February 23, 2024, the United States issued a broad set of new Russia-related sanctions and export controls in response to the second anniversary of Russia’s invasion of Ukraine and the February 16, 2024, death of opposition leader, Aleksey Navalny, in Russian custody.

The Treasury Department’s Office of Foreign Assets Control (OFAC), the Commerce Department’s Bureau of Industry and Security (BIS), and the State Department all issued new designations.  The agencies also issued an inter-agency advisory warning non-Russian companies from doing business in or with Russia.Continue Reading US Government Imposes New Russia Sanctions, Designating Over 500 Parties and Issuing Interagency Russia Business Advisory

In a recent proposed rule, the Department of Commerce has taken additional steps toward imposing significant regulations on infrastructure as a service (IaaS) providers, including providers engaged in training certain large AI models. The notice of proposed rulemaking (NPRM) is published by Commerce’s Bureau of Industry and Security (BIS) and, in particular, its newly-created Office of Information and Communications Technology and Services (OICTS). The NPRM does not impose any immediate obligations on industry. Rather it requests comments on the proposed rules, which Commerce will consider before issuing a final rule. Comments are due by April 29, 2024.

The NPRM is OICTS’s first step toward implementing the Biden Administration’s executive order on AI (discussed in Steptoe’s alert here) and further implements a prior executive order on IaaS providers (discussed in Steptoe’s alert here).

The NPRM would require providers of IaaS products to implement customer identification programs (CIPs) to verify the identity of foreign customers. The CIP requirement is similar, in many respects, to the CIPs that certain US financial institutions must implement as part of their anti-money laundering (AML) compliance programs. The NPRM also delineates the ability of Commerce to identify foreign jurisdictions and persons posing a heightened threat to US national security and to prohibit or require conditions on the provision of IaaS products to such jurisdictions or persons. IaaS providers would be obligated to identify and report to Commerce when a foreign person uses their products to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity. Furthermore, IaaS providers would be required to ensure their resellers comply with the same set of rules.Continue Reading Commerce Proposes Significant New Regulations on AI Training and IaaS Providers

On October 19, 2023, the U.S. Department of the Treasury’s (“Treasury”) Financial Crimes Enforcement Network (FinCEN) announced a Notice of Proposed Rulemaking (NPRM) that would implement new recordkeeping and reporting requirements on domestic financial institutions and domestic financial agencies, related to transactions that they know, suspect, or have reason to suspect involve convertible virtual currency (CVC) mixing within or involving a non-U.S. jurisdiction. 

FinCEN issued the NPRM pursuant to Section 311 of the USA PATRIOT Act, which provides the Secretary of the Treasury (the “Secretary”) the authority to require domestic financial institutions and domestic financial agencies to take “special measures” where the Secretary finds reasonable grounds to conclude that a class of transactions, institution, account, or foreign jurisdiction is of “primary money laundering concern.”  The NPRM identifies international CVC mixing as a class of transactions of primary money laundering concern, highlighting the use of CVC mixing services by illicit actors including cyber criminals and terrorist groups.  According to FinCEN’s press release, the NPRM represents FinCEN’s first use of Section 311 to target a class of transactions.Continue Reading FinCEN Proposed Rule Targets Digital Asset Mixers

After months of anticipation, a federal judge has finally ruled in the closely watched case of Joseph Van Loon, et al. v. Department of Treasury, et al.  This important case addressed challenges to the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) decision to impose sanctions on Tornado Cash as a Specially Designated National and Blocked Person (SDN).  The judge granted summary judgement in favor of OFAC, finding it had sufficient legal authority to designate Tornado Cash, and denied summary judgement on the plaintiffs’ claims.  Shortly after that ruling, OFAC announced the SDN designation of Roman Semenov, one of three alleged co-founders of Tornado Cash, and the Department of Justice (DOJ) charged Semenov and Roman Storm, another Tornado Cash founder, with multiple alleged criminal violations related to anti-money laundering (AML) and economic sanctions laws. 

All three actions are critical developments that contain key insights on how the US government views the AML and sanctions obligations of decentralized protocols and individuals associated with those protocols.  The developments make clear that, at least in certain scenarios, individuals involved in the creation of a DeFi platform can be held responsible for the activities conducted on that platform where such conduct violates US economic sanctions or AML laws, or constitutes sanctionable activity under applicable executive orders. Continue Reading Critical Tornado Cash Developments Have Significant Implications for DeFi AML and Sanctions Compliance

On July 31, 2023, the Committee on Foreign Investment in the United States (CFIUS) released its Annual Report to Congress for Calendar Year 2022.  CFIUS is the inter-agency body charged with conducting national security reviews for certain foreign investments in the United States.  The CFIUS process is generally confidential, but the annual report provides aggregate data on certain CFIUS activities and offers the private sector insight into current Committee trends.Continue Reading Key Takeaways from the 2022 CFIUS Annual Report

Overview

On August 9, 2023, the White House issued a long-awaited Executive Order, entitled Addressing United States Investments in Certain National Security Technologies and Products in Countries of Concern (“EO 14105”). The EO establishes a new national security regulatory regime, implemented principally by the US Department of the Treasury (“Treasury”), in consultation with other federal agencies including the US Department of Commerce, that will require the notification of, as well as prohibit, certain investment activity by US persons in named “countries of concern,” currently China.

EO 14105 does not restrict all US person investment activity regarding China, and is tailored to focus on specific products, technologies, and capabilities involving: (1) semiconductors and microelectronics (including advanced integrated circuits and supercomputers); (2) quantum information technologies (e.g., computers, sensors, networking, and systems); and (3) certain artificial intelligence systems (e.g., with certain military, intelligence, or surveillance end uses).Continue Reading Biden Administration Announces New Outbound Investment Regime Targeting China

On June 16, 2023, the US Department of Commerce published a final rule (the “June 16 rule”) to implement Executive Order (EO) 14034, Protecting Americans’ Sensitive Data From Foreign Adversaries, by amending Commerce’s previously-issued Securing the Information and Communications Technology Supply Chain regulations (the “ICTS rule”).   Among other requirements, EO 14034 directed the Secretary of Commerce to consider the risks posed by “connected software applications” and take “appropriate action” in accordance with the previously issued ICTS rule and EO 13873, Securing the Information and Communications Technology and Services Supply Chain, pursuant to which the ICTS rule was issued. 

The ICTS rule authorizes Commerce to prohibit or otherwise regulate certain transactions involving information and communications technology or services (“ICTS”) with a nexus to “foreign adversaries” that pose an “undue or unacceptable risk” to US national security.  (For additional detail on the ICTS rule, see our prior blog post.)  The June 16 rule amends the ICTS rule to clarify Commerce’s ability to regulate transactions involving software, including so-called “connected software applications,” and to further enumerate the criteria that Commerce will consider when reviewing such transactions.   The changes are effective July 17, 2023.Continue Reading Commerce Issues Final Rule Targeting Connected Software Applications