In April 2026, Judge Kenneth Hoyt of the United States District Court for the Southern District of Texas (Court) overturned a guilty jury verdict in the federal government’s FCPA prosecution of Mexican national Ramon Alexandro Rovirosa Martinez (Rovirosa). The case, which was a rare example of an FCPA case brought to trial, is now an even rarer instance of a court reversal of a jury verdict.

In his memorandum and order dismissing indictment and granting an acquittal (Decision), Judge Hoyt found that the prosecution’s introduction of translated messages without presenting the translators for cross-examination violated Rovirosa’s Sixth Amendment rights. He further found that the prosecution’s failure to produce relevant evidence was an independent ground for reversal. The Anti-Corruption Report spoke with defense lawyers and several former federal prosecutors to unpack the Decision and tease out lessons from the case.

See “A Typical Bribery Fact Pattern Leads to a Quick Guilty Verdict for Rovirosa” (Feb. 11, 2026).

A Rare FCPA Jury Verdict

From June 2019 to October 2021, Rovirosa and Mario Alberto Avila Lizarraga (Avila) (collectively, Defendants) allegedly engaged in a bribery scheme in which they paid money and gifts to and for the benefit of foreign officials employed by Petroleos Mexicanos (PEMEX) and PEMEX Exploration Y Production, the Decision explains. The alleged bribes were made in exchange for the award of contracts and the release of payments held up in audits to companies controlled by Rovirosa. Federal prosecutors charged the defendants with conspiracy and three counts of bribery under the FCPA.

The Trial

During Rovirosa’s trial, the prosecution did not introduce any fact witnesses to the alleged conspiracy and bribery, instead relying primarily on documentary evidence, including Spanish-to-English translations of WhatsApp messages among the defendants and the alleged co-conspirators, as well as testimony from experts and investigation participants.

“The thing that is extraordinary about this case is that there are no witnesses who testified who were party to those communications,” John Pease, a partner at Morgan Lewis, told the Anti-Corruption Report. “Typically, the prosecution has one co-conspirator who can explain the communications and provide admissible testimony about the existence of the conspiracy,” he explained. “I would have to think that is an important part of the Court’s thinking in making its ruling,” he emphasized.

Additionally, according to Rovirosa’s counsel, during closing arguments the prosecution “dumped almost all of its exhibits on the jury,” including text messages that had never been properly admitted into evidence, Pease observed. “It is just highly odd to me that the government would present a case that way,” he said.

During deliberations, the jury asked the Court to see the original Spanish language messages, but they were not available because the prosecution had not offered them into evidence. Ultimately, after a three-day trial, the jury found Rovirosa guilty of the conspiracy charge and two of three bribery charges.

Post Verdict Motions

Post-trial, Rovirosa field a motion to dismiss (MTD) the indictment alleging prosecutorial misconduct, including the prosecution’s false tying of Rovirosa to Mexican cartels.

Rovirosa also filed a motion for judgment of acquittal (MJA), arguing that the prosecution’s presentation to the jury of the electronic messages translated from Spanish to English without making the translators available as witnesses at trial violated his Sixth Amendment right to confront those witnesses.

“It’s a very odd issue to base a motion on,” Martin Weinstein, a partner at Cadwalader, told the Anti-Corruption Report. “It seems like a pretty far-fetched argument and one that the government could have cut off,” or cured, he commented.

Rovirosa argued for relief on the additional ground that prosecutors had promised but failed to provide forensic images of the phones of the defendants and other cooperators requested by the defendant.

On April 14, 2026, Judge Hoyt issued an order granting both the MTD and the MJA, dismissing the indictment and, in the alternative, acquitting Rovirosa of all charges “based on a lack of evidence to support his conviction in violation of the Confrontation Clause of the Sixth Amendment.”

It is a “rare occasion that a district court grants a judgment of acquittal after a jury conviction,” and its “especially rare in the FCPA context,” since most FCPA prosecutions do not go to trial or result in verdicts, Pease said.

The Translated Messages Are Inadmissible Testimonial Statements

As his principal ground for reversal of the verdict, Judge Hoyt found that the translated messages were testimonial statements, and the prosecution’s introduction of them into evidence without presenting the translators for cross‑examination violated Rovirosa’s Sixth Amendment right to confront the witnesses and warranted his requested relief.

The Supreme Court on Testimonial Statements

In finding that Rovirosa’s Sixth Amendment rights were violated, Judge Hoyt relied on the U.S. Supreme Court’s seminal decision in Crawford v. Washington^[1], which held that “the Framers would not have allowed admission of testimonial statements of a witness who did not appear at trial unless he was unavailable to testify, and the defendant had a prior opportunity for cross-examination.” The Supreme Court did not define precisely what constitutes a testimonial statement in Crawford, but it did state that “testimony . . . is typically a solemn declaration or affirmation made for the purpose of establishing or proving some fact,” and cited the formal statement of an accuser to government officers as one such example. In short, under Crawford, even if a testimonial statement falls within a hearsay exception, it cannot be admitted if it would violate the Sixth Amendment’s Confrontation Clause.

As an aid in determining whether a statement is testimonial, the Supreme Court later established the “primary purpose test,” which it refined in Michigan v. Bryant^[2], explaining that the inquiry examines “the purpose that reasonable [i.e., objective] participants would have had, as ascertained from the individuals’ statements and actions and the circumstances in which the encounter occurred.”

Translated Messages Were Testimonial

Guided by Crawford and Bryant, Judge Hoyt started with the proposition that a translator can become a witness if the translation is “necessary to prove the elements of the crime charged.” He stated that a criminal defendant’s Sixth Amendment right to confront witnesses against him is “equally, if not more so true when critical parts of the evidence must be translated.” According to Judge Hoyt, the cross-examination of translators can facilitate recognition of cultural sensitivity issues, the level of the translator’s education and usage, specialized knowledge and “contextual consideration.”

“It is the English translations that the Court determined were testimonial in nature, and thus the defendant needed to have the ability to cross-examine the translators because they provided the jury with the meaning of the original Spanish communications,” Nathaniel Edmonds, a partner at DLA Piper, explained to the Anti-Corruption Report.

“Many courts treat private messages as non-testimonial,” Luke Cass, a partner at Womble, told the Anti-Corruption Report. Judge Hoyt “effectively treats the act of translation – when offered to prove elements – as the testimonial event,” he said. “The Court’s core point is fundamental: if the government’s proof depends on a translator’s interpretive work, that translator functions like a witness,” he explained.

The co-conspirator statements were non-testimonial statements, Pease noted. However, he continued, the translations “became testimonial” because, as the Court noted, translation is not an exact science, and the parties could disagree about the accuracy of the translation. Thus, the actual declarants were essentially the translators, he concluded.

The translators are “effectively expert witnesses,” and the defense would want to ask the translators how they attributed meanings to the declarant’s words, Weinstein explained.

Too Much Weight on Intended Use?

In determining that the translated messages are testimonial, Judge Hoyt appeared to place particular weight on their intended use. While stating that the primary purpose test examines the “relevant circumstances giving rise to the messages or statements, as well as how the government intends to use them,” he also said that “foreign language statements or messages qualify as testimonial if the primary purpose for the use of the out of court message is a substitute for trial testimony.” (Emphasis added.) He then found that the “government’s primary purpose for offering the messages was to convict Rovirosa, i.e., to prove the elements of the crimes charged in the indictment.”

“A skeptic will say the Court overweighted ‘intended use,’ which is always to prove guilt,” Cass observed. On the other hand, supporters of Judge Hoyt’s approach might argue that the primary purpose test should focus on the translator’s output, which was created for trial and is inherently interpretive, he said. However, “if translation alone converts private speech into testimonial evidence, the test risks becoming driven by trial use rather than the statement’s original context,” he argued.

Failure to Produce Witnesses

Having held that the messages were testimonial, Judge Hoyt further found that the government had failed to show that the translators were unavailable and that Rovirosa had an opportunity to cross-examine them prior to trial. The prosecution had a “duty” to produce the translators, Judge Hoyt said. The failure to do so violated Rovirosa’s Sixth Amendment right to confront the witnesses, he found.

“The defendant was left without any opportunity to cross-examine any of the statements being used against him,” which “may ultimately be what troubled the Court the most,” Pease said.

An Easy Fix?

The admissibility problem should have been curable, said two of the experts interviewed for this article.

The problem was “easily fixable,” Pease said. The Court seemed to “seize on” an apparent but not fully explained dispute regarding the accuracy of the translation, and the Decision suggests that translator testimony could have addressed its concerns, he stated. “I just don’t understand why the government didn’t present testimony from the translators.” The issue might also have been resolvable at a pretrial hearing, he noted, making this “an incredible, self-inflicted error on the part of the prosecutors.”

As a practical matter, the accuracy of a translation is “hardly ever an issue,” Weinstein reported. Usually, the prosecutor and the defendant stipulate to the legitimacy of the translation or the translator is produced for cross-examination, he stated. “It seems like the government should have been able to foresee and to forestall by fixing these various things,” he said. It is possible that the prosecutors “did not appreciate that this would become an issue,” and that defense counsel “set them up a little bit,” he suggested.

Translator’s Oath Is Not Enough

Judge Hoyt also rejected the argument that the translated messages were admissible because the translators had certified the translations under oath. He held that Rovirosa’s right to cross-examine “cannot be truncated by offering certifications, particularly since the Translators were available to the government.”

Judge Hoyt also found insufficient the prosecution’s offer of “expert” opinion testimony from a special agent that the translation was accurate.

Offering the federal agent as a witness to “bypass” the confrontation right was “ineffective,” Weinstein observed. The certifications are hearsay, he stated. “Of course, the federal agent is going to say that the translation is accurate,” but they did not do the translation, he noted, so a defense lawyer would want to confront the translators directly.

“A party cannot put somebody on the stand to testify about the accuracy or validity of a written document with results prepared by someone else,” Pease cautioned, a point that was covered decisively by the Supreme Court in Bullcoming v. New Mexico^[3].

Failure to Produce Evidence

Without detailing his reasoning, Judge Hoyt concluded that the verdict must be reversed for the additional reason that the prosecution failed to abide by promises to produce what he variously termed “forensic copies of the Spanish messages” or “screenshots,” a failure he said was “fatal” to the prosecution’s case.

A Possible Own-Goal by the Prosecution

It is unclear from the Decision what exactly the government produced, Pease said. It would have been beneficial for the Court to explain what the government failed to produce and “why it mattered,” he stated.

The importance of this failure was called to Judge Hoyt’s attention by the jury’s request during deliberations to see the original Spanish-language messages. They could not be provided because the prosecution had failed to offer them into evidence, which “short-circuited [the jury’s] review of the evidence,” Judge Hoyt said. This was an “evidentiary fact” that he had missed, he noted.

During pre-trial discovery in complex white-collar criminal cases, prosecutors usually produce an “overabundance of evidence” in order to avoid these types of motions and decisions, according to Edmonds, a former FCPA Unit prosecutor. “Typically, all of the communications relevant to the charges, in the original Spanish and with certified translations, would have been produced prior to trial,” he explained. “The production would include the original messages in electronic form, with relevant metadata, so the defense would have the opportunity to examine them and, if appropriate, challenge their authenticity,” he elaborated.

The production of the forensic phone images was a pretrial issue, so the government’s failure to produce them is confusing, Pease stated. It might have been “gamesmanship,” he posited. It is not clear whether Judge Hoyt found that such conduct constituted a violation of Brady v. Maryland^[4], he said. Because it can be difficult to determine what constitutes exculpatory evidence under Brady, such evidence should be produced, he remarked.

The Court was perhaps suggesting that there was a violation of Federal Rule of Criminal Procedure 16, according to Weinstein. “The bottom line is, in a criminal case, the prosecution cannot surprise the defendant unless it’s on rebuttal,” he stated.

The Court treated the failure to produce screenshots of the original Spanish conversations as compounding the constitutional problems, Cass explained. “The jury could not evaluate originals, and the defense could not meaningfully test completeness and context,” he said. In a case built on text messages, “that goes to the heart of reliability,” he added.

An Unstated Factor in the Ruling?

The DOJ has signaled a focus on prosecuting cartels, Weinstein noted, which may have played a role in Judge Hoyt’s Decision. In a press release and during trial, the government alleged that Rovirosa had cartel ties, but this was not backed up at trial, he noted.

It is possible the government’s insinuation of cartel link without producing actual evidence may have impacted the Court’s thinking, Weinstein suggested.

Compliance Takeaways

Judge Hoyt’s Decision may not be the final word on the case as the DOJ filed a notice of appeal on May 8, 2026. Additionally, even if the Decision stands, it is not likely to have a broad impact due to the specificity of the fact pattern here, as it is mostly “fact bound,” Cass observed. However, pending the outcome of the appeal, the Decision offers a few lessons for individuals and companies facing criminal prosecution.

The Focus on Individuals Is Real

Individuals involved in a bribery or corruption case should not rely on their corporate employer to settle the case away.

Traditionally, most FCPA cases have involved corporations, with the “vast majority” of them resulting in negotiated resolutions such as deferred prosecution agreements or pleas, Pease said. However, the DOJ has begun placing a greater emphasis on holding individuals to account, he noted. “I think this is why the government thought that it was an important case to bring,” he suggested.

See “The Blanche Memo’s Take on Corporate Responsibility: Individuals Versus Corporations” (Sep. 10, 2025).

Make a Strong Trial Record

Defense counsel must stay sharp during trial, registering even minor objections for the record.

“The case shows that a well-preserved confrontation and discovery record can become case-dispositive when translations are doing the work of witnesses,” Cass stated.

Judge Hoyt’s Decision demonstrates the importance of making a record of objections repeatedly, both in advance of and throughout the trial, Pease said.

Co-Conspirator Statements Are Powerful Evidence

The jury’s finding of guilt based solely on translated text messages should serve as a warning to possible defendants. The case “demonstrates the importance of co-conspirator statements and the power of evidence to convince a jury that crimes were committed,” Edmonds said.

“Even without a testifying co-conspirator, the communications between them were sufficient for a jury to conclude beyond a reasonable doubt that Rovirosa was guilty,” Edmonds noted. “I expect DOJ will also double-down on ensuring in future cases that they have access to this type of powerful evidence of criminal intent,” he predicted.

Translations Can Be an Important Part of Trial Strategy

Defendants should be prepared to cross-examine translators and offer alternative interpretations of written communications in a foreign language.

The main takeaway from the Rovirosa case is that courts are still “very, very focused” on the Sixth Amendment confrontation right and Crawford,” Pease said. The government “proceeded at its peril” by presenting evidence that was “arguably testimonial” and not putting the translators on the stand for cross-examination,” he stated.

This may be particularly good news for FCPA defendants. “Cross-border cases that hinge on foreign-language messages can rise or fall on whether the government can present (and defend) the translation and the underlying data the way the Constitution requires,” Cass stated. The case meaningfully impacts trial risk “in the slice of cases where the government relies on foreign language messages rather than firsthand witness testimony,” he said. It shows that “when evidence and defendants are located abroad, the government has a more limited set of tools,” he stated.

The case shows that “translation can be constitutional, not just evidentiary,” Cass said. “Practically, the main impact is forward-looking,” he continued. “Prosecutors in other cases will be more likely to line up translators as witnesses, introduce original-language materials where appropriate, and ensure the defense has access to the underlying data needed to test meaning, context and completeness,” he predicted.

See “Zaglin Conviction Offers Insights on Individual Prosecutions in Trump 2.0” (Oct. 22, 2025).

AI Implications

The confrontation clause is important, “particularly in this day and age,” Weinstein said. With the increasing use of AI, evidence will be offered without any human that can testify as to its authenticity, without any human to confront, he predicted. “I could see this being a real issue in the future.”

See our two-part series on Gen AI chats becoming evidence: “Law Enforcement Warrants and Subpoenas” (Dec. 17, 2025), and “How Businesses Can Prepare for Requests” (Dec. 31, 2025).

An executive order issued by the White House in March 2026 imposes significant new requirements on federal contractors who previously were encouraged and required to maintain equal opportunity programs to remain eligible for federal contracts. Relying on the premise that diversity, equity and inclusion (DEI) programs constitute civil rights violations, Executive Order 14398 Addressing DEI Discrimination by Federal Contractors (EO 14398) reverses that longstanding policy in favor of prohibiting some such programs on pain of debarment and prosecution for failure to reverse course.

Starting on April 25, 2026, these new requirements should appear in all new and pending solicitations. Contracting officers have also been instructed to insert the new requirements in all existing contracts by July 24, 2026. The changes are too new to draw any conclusions about their effect on contractors, but the requirements themselves and resolution of a related False Claims Act (FCA) case indicate that federal contractors face serious threats from EO 14398.

See this two-part series on the 2025 Federal Approach to DEI: “Understanding the EOs and Guidance” (Aug. 27, 2025), and “Enforcement, Litigation and How to Respond” (Sep. 10, 2025).

The Runup to EO 14398

On January 21, 2025, the White House issued executive order 14173 Ending Illegal Discrimination and Restoring Merit-Based Opportunity (EO 14173). EO 14173 aimed at government and private sector DEI programs, asserting that large swaths of U.S. companies and institutions “have adopted and actively use dangerous, demeaning, and immoral race- and sex-based preferences under the guise of so-called ‘diversity, equity, and inclusion’ (DEI) or ‘diversity, equity, inclusion, and accessibility” (DEIA) that can violate the civil-rights laws of this Nation.’” EO 14173 revoked decades of equal opportunity policy, including EO 11246, issued by President Johnson in 1965, establishing the Office of Federal Contract Compliance Programs and mandating that federal contractors implement affirmative action programs. EO 14173 also encouraged the elimination of “illegal DEI discrimination and preferences” in the private sector. EO 14173 required the AG to propose a plan to enforce federal civil rights laws to target DEI programs, and required each executive department and agency to “identify up to nine potential civil compliance investigations of publicly traded corporations, large non-profit corporations or associations, foundations with assets of 500 million dollars or more, State and local bar and medical associations, and institutions of higher education with endowments over 1 billion dollars.” The White House had already decided that private entities were violating civil rights laws and wanted a way to eliminate DEI programs.

In May 2025, the DOJ announced the formation of the Civil Rights Fraud Initiative designed to “utilize the False Claims Act to investigate and, as appropriate, pursue claims against any recipient of federal funds that knowingly violates federal civil rights laws.” This aggressive use of the FCA marks a shift from the more common practice of relying on whistleblower reports and allegations from government contracting personnel, and usually bringing cases related directly to claims for payment under government contracts in the healthcare and defense sectors. Tasking the DOJ with sniffing out FCA violations based on civil rights violations only tangentially related to claims for payment (the ultimate focus of the FCA) signals the administration’s intention to actively pursue this new anti-DEI policy.

The IBM Settlement

Shortly after the White House issued EO 14398 and before the April 25, 2026, deadline to insert the anti-DEI clause in new contracts, the DOJ announced the first resolution of an enforcement action under the Civil Rights Fraud Initiative. The DOJ trumpeted a settlement with IBM (IBM Settlement) over “allegations that [IBM] violated the False Claims Act by failing to comply with anti-discrimination requirements in its federal contracts due to practices the United States contends discriminated against employees and applicants for employment because of race, color, national origin, or sex.” Notably, the DOJ alleged that IBM violated the standard equal opportunity clause in government contracts, Federal Acquisition Regulation (FAR) 52.222‑26 Equal Opportunity.

As laid out in the IBM Settlement, the DOJ alleged that IBM engaged in the following activities in violation of the Civil Rights Act of 1964:

• modifications or adjustments to pay, bonus or other compensation that caused employees to take race, color, national origin or sex into account when making employment decisions, including a diversity modifier that tied bonus compensation to achieving demographic targets;
• taking race, color, national origin or sex into account as part of decisions to hire, transfer or promote through the use of “diverse interview slates,” “diverse sourcing” and other related employment practices, including by altering interview eligibility criteria based on race, color, national origin or sex;
• developing race and sex demographic goals for business units and taking race, color, national origin or sex into account when making employment decisions to achieve progress towards those demographic goals; and
• offering certain training, partnerships, mentoring, leadership development programs, educational opportunities or resources, and similar opportunities only to certain employees, with eligibility, participation, access or admission limited on the basis of race, color, national origin or sex.

IBM agreed to pay $17,077,043 to settle the allegations without acknowledging fault.

Challenges to Other Diversity Programs

The Small Business Administration (SBA) oversees the 8(a) Business Development Program (8(a) Program), designed to provide federal contracting opportunities to small businesses whose owners are socially and economically disadvantaged. Until 2023, the SBA applied a presumption of social and economic disadvantage to 8(a) applicants who belonged to particular racial groups. Then in Ultima Servs. Corp. v. U.S. Department of Agriculture^[1], the Eastern District of Tennessee held that race-based presumption of social and economic disadvantage violated the equal protections of the Fifth Amendment. In response, the SBA required all 8(a) Program participants to requalify based on actual social and economic disadvantage.

In early 2026, the SBA issued guidance announcing that “SBA fully agrees that the presumption of social disadvantage based on enumerated races in its regulations is unconstitutional.” The guidance instructs SBA field offices not to use race as a factor when evaluating social or economic disadvantage. Instead, the guidance directs the SBA to consider “such factors as whether such individual has been the victim of illegal or radical DEI policies or illegal affirmative action policies or has otherwise been the victim of discriminatory practices such as race-based quotas, set asides, or hiring targets, in each case, whether by governmental or non-governmental actors.”

Against that backdrop, EO 14398 presents federal contractors with difficult decisions about how to manage their equal opportunity programs on federal, state and local contracts.

EO 14398 Continues Efforts to Eliminate DEI Programs

EO 14398 builds on the White House policy that DEI constitutes racial discrimination. The EO asserts that “DEI activities are not only unethical and often illegal, but also cause inefficiencies, waste, and abuse within entities that engage in such practices.”

Specifically, they “impose artificial costs in hiring, promotion, and operations by precluding implementation of merit-based principles; creating excessive workforce turnover by elevating immutable characteristics over job performance; and jeopardizing the sort of employee collaboration and problem-solving that is essential to fostering efficient and high-quality work,” according to the EO. On this policy basis, the EO mandates the inclusion of a novel clause in all federal contracts above the simplified acquisition threshold currently set at $350,000.

New Anti-DEI Contract Clause

The centerpiece of EO 14398 is the new contract clause to be inserted in all federal contracts. By April 25, 2026, the following clause was to be inserted into all federal contracts:

In connection with the performance of work under this contract, [the contractor/appropriate party (contractor)] agrees as follows:

1. The contractor will not engage in any racially discriminatory DEI activities, as defined in section 2 of the Executive Order of March 26, 2026 (Addressing DEI Discrimination by Federal Contractors);
2. The contractor will furnish all information and reports, including providing access to books, records, and accounts, as required by the contracting agency pursuant to the Executive Order of March 26, 2026 (Addressing DEI Discrimination by Federal Contractors), for purposes of ascertaining compliance with this clause;
3. In the event of the contractor’s or a subcontractor’s noncompliance with this clause, this contract may be canceled, terminated, or suspended in whole or in part, and the contractor or subcontractor may be declared ineligible for further Government contracts;
4. The contractor will report any subcontractor’s known or reasonably knowable conduct that may violate this clause to the contracting department or agency and take any appropriate remedial actions directed by the contracting department or agency;
5. The contractor will inform the contracting department or agency if a subcontractor sues the contractor and the suit puts at issue, in any way, the validity of this clause; and
6. The contractor recognizes that compliance with the requirements of this clause are [sic] material to the Government’s payment decisions for purposes of section 3729(b)(4) of title 31, United States Code (False Claims Act).

Key Definitions

EO 14398 defines “racially discriminatory DEI activities” as “disparate treatment based on race or ethnicity in the recruitment, employment (e.g., hiring, promotions), contracting (e.g., vendor agreements), program participation, or allocation or deployment of an entity’s resources.”

“Program participation” is defined in the EO as “membership or participation in, or access or admission to: training, mentoring, or leadership development programs; educational opportunities; clubs; associations; or similar opportunities that are sponsored or established by the contractor or subcontractor.”

Why EO 14398 Matters

The new contract clause imposes new requirements on contractors and includes some novel elements. As an initial matter, the clause must be flowed down to subcontractors at every tier. With that springboard, the clause also requires the prime contractor to ensure its subcontractors’ compliance and report any “known or reasonably knowable” violations by its subcontractors. While insertion of these requirements into new solicitations may impact the way a contractor bids, the mandatory inclusion of this clause in existing contracts imposes new requirements that contractors did not bargain for. As discussed below, the government expects contractors to accept the new requirements on a no-cost basis or face contract termination.

Perhaps the most oppressive element of the new clause is the requirement that a contractor agrees that compliance with the new requirements is material for purposes of enforcing the FCA. By that agreement, the government sidesteps any requirement to prove materiality – a key element of proving an FCA violation – in an FCA enforcement action. This type of mandated concession is unusual in a contract clause. Combined with the IBM Settlement and the Civil Rights Fraud Initiative, contractors are on clear notice that the DOJ is ready and willing to use the FCA aggressively.

The FCA is designed to prevent contractors from making false claims for payment of money by the government. A common and simple scenario is Medicare overbilling. Other cases, such as compliance with particular laws, rest in part on whether the government considered the contractor’s compliance with those laws a material factor in the government’s decision to pay the contractor.

All of this is important because damages under the FCA can be crippling: $14,308 to $28,619 per violation plus three times the amount of actual damages (often called treble damages). In an aggressive enforcement action, the DOJ would almost surely allege the contract value as the actual damages, amounting to potential penalties of three times the contract price. By extracting a concession on materiality in the contract before any dispute arises, the government places itself far ahead of any contractor facing an FCA enforcement action.

Implementation of EO 14398

On April 17, 2026, the FAR Council issued guidance on implementing EO 14398. In order to speed the new requirements into effect, the FAR Council also published FAR 52.222-90 Addressing DEI Discrimination by Federal Contractors (APR 2026) (DEVIATION APR 2026) as a deviation under the Revolutionary FAR Overhaul. FAR 52.222 90 mirrors the new contract requirements and definitions in EO 14398.

More interesting is the FAR Council’s direction for implementation. In addition to inserting FAR 52.222‑90 in all new and pending solicitations, contracting officers are directed to insert the clause into all existing contacts by July 24, 2026 (with the exception of contracts expiring by December 31, 2026, for which the modification will be at the discretion of the contracting officer).

The guidance states that contracting officers should attempt to modify existing contracts through bilateral modifications. If a contractor declines to sign the modification, rather than issue a unilateral modification, the contracting officer is directed to consider terminating the contract for the convenience of the government. This is an aggressive approach where the government arguably has the authority to issue a unilateral modification of many contracts.

What This Means for Federal Contractors

EO 14398 and FAR 52.222‑90 impose on federal contractors the duty to cease equal opportunity efforts that have been an important element of federal contracting for decades. Failure to do so can result in suspension, debarment and civil enforcement actions under the FCA and the attendant treble damages. These are all drastic measures for enforcement of a policy that upends decades of federal practice practically overnight. Nevertheless, contractors now must make every effort to avoid violating the new requirements. That may be easier said than done.

Conflict Between EO 14398 and State and Local Equal Opportunity Requirements

EO 14398 reaches past a contractor’s federal work; the EO prohibits contractors from engaging in “racially discriminatory DEI activities” company-wide. For contractors subject to the laws of states or localities that still require equal opportunity programs, this poses a potentially impossible requirement to comply with both the federal prohibitions and the state requirements.

Notably, EO 14398 does not specify whether state and local equal opportunity or affirmative action programs would violate or conflict with the federal mandate. Without further guidance from the government, contractors should expect that their efforts to eliminate DEI programs while also complying with state equal opportunity requirements will be closely scrutinized by the federal government.

As a result, contractors should keep detailed documentation of internal policy and procedure reviews in the wake of EO 14398.

A Contractor’s Obligations

EO 14398 and FAR 52.222‑90 define “racially discriminatory DEI activities” as “disparate treatment based on race or ethnicity in the recruitment, employment (e.g., hiring, promotions), contracting (e.g., vendor agreements), program participation, or allocation or deployment of an entity’s resources.”

While the definition leaves much to be desired, contractors should count on a broad interpretation by government officials to capture equal opportunity efforts that have fallen out of favor. A statement in the SBA’s 8(a) Program guidance, issued in January 2026, provides a useful directive: “No American, including white Americans, shall be excluded or treated differently with respect to government programs based on race.” Until further clarity comes through enforcement actions, contractors should scrutinize their recruitment, employment, advancement, and contracting policies and procedures for potential noncompliance.

Contractors are also required to monitor compliance by their subcontractors. With an obligation to report a “subcontractor’s known or reasonably knowable conduct that may violate this clause,” contractors are on notice that they cannot turn a blind eye to their subcontractors’ equal opportunity policies and procedures. Where a contractor can accept other subcontractor assertions if there is no affirmative basis to doubt the truthfulness of the assertion, such as small business size certifications, a contractor cannot rely on a subcontractor’s claimed compliance with FAR 52.222‑90. The phrase “reasonably knowable conduct that may violate this clause” is likely to carry significant weight in enforcement actions. In addition to identifying known violations, a contractor now must identify reasonably knowable subcontractor actions that may violate FAR 52.222 90. That language suggests contractors will be expected to establish meaningful subcontractor compliance review programs.

The full effect of EO 14398 and FAR 52.222‑90 will not be known for some time, and new information is likely to come in the form of FCA enforcement actions. In other words, contractors are left to their own devices until they can learn from another contractor that pays the price for a violation.

 

Jacob Scott is a partner in the Seattle office of Smith Currie Oles. Scott practices government contract law and construction litigation, with a focus on federal construction law. He represents clients at the Government Accountability Office, U.S. Armed Services Board of Contract Appeals, U.S. Civilian Board of Contract Appeals, U.S. Court of Federal Claims, U.S. Court of Appeals for the Federal Circuit and various federal district courts, as well as before various state courts and agency-level tribunals. He assists clients with protests, certified claims and appeals, suspension and debarment, terminations, and responses to subpoenas and government investigations.

U.S. white-collar enforcement remains in flux, most recently due to AG Pam Bondi’s firing and the temporary appointment of Todd Blanche in April 2026, as well as ongoing turf wars over fraud prosecutors following the creation of the new National Fraud Enforcement Division at the DOJ. As a result, international enforcement is an increasingly relevant element of risk management for multinational corporations.

At the March 2026 American Bar Association’s White Collar Crime Institute, defense counsel from the U.S., U.K., France, Switzerland, the Netherlands and Brazil provided updates from their respective jurisdictions and reflected on the state of international cooperation, including the impact of the International Anti-Corruption Prosecutorial Taskforce. This article distills their insights.

See “How the International Anti-Corruption Task Force Is Working” (Mar. 11, 2026).

Brazil

For several years, Brazil was one of the U.S.’s main partners in anti-corruption enforcement, with many coordinated settlements coming out of the Lava Jato scandal. Then, through political change, Brazil’s appetite for bribery prosecutions and cooperation with foreign authorities cooled somewhat.

However, over the course of 2025 and 2026, Brazil has experienced an “intensification in enforcement,” Flavia Leardini, a São Paulo-based partner at TozziniFreire, reported. The Office of the Comptroller General (CGU) has expanded its coordination with the federal police, tax authorities and prosecutors, she noted, with a focus on data integration, asset tracing and complex asset recovery. As a result, 2025 was a record year for anti-corruption and financial crime operations, with recovered damages estimated to exceed $1.2 billion, she said.

The international white-collar community is “incredibly excited” about Operation Compliance Zero, and Operation Carbono Oculto, in particular, Mark Beardsworth, a partner at Signature Litigation in London, remarked.

Indeed, at home in Brazil, the cases are “like a soap opera,” Leardini reported.

Compliance Zero

The name of Operation Compliance Zero describes “the main problem of the case,” Leardini quipped. In November 2025, Brazilian federal police arrested Daniel Vorcaro, the founder of Banco Master, and the bank itself collapsed.

The bank was essentially operating as a Ponzi scheme, Leardini explained. As a result of its collapse, Brazil’s deposit guarantee fund is expected to incur losses of as much as $10 billion.

Additionally, Supreme Court justices are entangled in the scandal, further complicating an already messy bankruptcy process. WhatsApp messages that have been released indicate that Vorcaro maintained “unusually close relationships with at least three Supreme Court justices,” Leardini said. Indeed, Vorcaro sent messages to Justice Alexandre de Moraes on the morning of his arrest. Two central bank employees have been arrested, as well.

Both Vorcaro’s and the bank’s assets were located around the world, so “more cross-border matters” are likely, Leardini predicted, recalling the many international cases that stemmed from the Lavo Jato investigation.

Carbono Oculto

Another case that has gripped international attention is referred to as Operation Carbono Oculto, which translates to “hidden carbon” in English. The investigation was launched in August 2025 and has been described by authorities as the largest operation against organized crime in Brazilian history, according to Leardini.

The case involves two organized crime syndicates, Primeiro Comando da Capital (Capital’s First Command or PCC) and Comando Vermelho (CV). The PCC began in Sao Paulo’s prisons in the 1990s and has evolved to be one of South America’s most powerful organized crime groups.

PCC and CV used shell companies in a “very simple” scheme, “executed on a massive scale,” to conduct interstate fuel transactions that generated tax credits while evading more than $1.5 billion in taxes, Leardini explained. They also operated more than 1,000 gas stations as well as unlicensed fintech platforms that functioned as shadow banks. The fruits of these schemes were channeled into investment funds on Avenida Faria Lima (São Paulo’s equivalent of Wall Street in New York) and laundered into legitimate equity holdings. Operation Carbono Oculto led to raids in the otherwise staid financial district and “a crazy day” on the Faria Lima where Leardini’s office is located, she reported.

The lesson for private sector companies and investors is that “organized crime risk is no longer limited to direct criminal activity,” Leardini cautioned.

See “Brazil’s Anti-Corruption Setbacks Highlight Need for Effective Company Compliance Programs” (Nov. 8, 2023).

Designating Brazilian Cartels As FTOs

An additional wrinkle associated with Operation Carbono Oculto is that the U.S. government has indicated that it may designate both PCC and CV as foreign terrorist organizations (FTOs).

On his first day in office in his second term, President Donald Trump signed an executive order (FTO EO) calling for the designation of cartels and transnational criminal organizations (TCOs) as FTOs. The FTO EO named specific TCOs that should be designated, mostly Mexican gangs including Tren de Aragua and La Mara Salvatrucha (MS‑13). However, in late 2025, news reports began to surface that President Trump was considering adding the Brazilian cartels to the list of designated FTOs.

Designation could have a significant impact on companies doing business in Brazil, Leardini argued. For instance, she recently worked with a client who had purchased a plot of land in Sao Paulo from someone who later turned out to be associated with the PCC. As a result, her client came under scrutiny for possible money laundering. If the PCC were designated as an FTO, she and her client would “have to explain ourselves to the U.S. government, as well,” she said.

The risks associated with designating Brazilian gangs as FTOs is compounded by the increasing sophistication of these groups, Beardsworth observed. They “have moved partly away from drugs, organized crime, [and] racketeering and are now conducting more sophisticated crimes, including investment frauds [and] crypto,” he said.

At the same time, Leardini believes that Brazilian authorities are becoming increasingly effective at targeting corruption. They “are doing a great job” in seizing the assets of crime, in particular, she said.

See “The Impact on Latin America of Designating Cartels As FTOs” (Jan. 14, 2026).

Netherlands

The Netherlands is not a jurisdiction that has made significant headlines for white-collar enforcement, but its prosecutors have been quietly successful in combatting financial crime in recent years, according to Judith de Boer, an Amsterdam-based partner at Hertoghs Advocaten. Indeed, Dutch prosecutors are “the most effective” in Europe, she suggested.

For many years, the Netherlands was viewed as a “laid back” country, as reflected in an enforcement environment with many out-of-court settlements, de Boer reported. However, in a “major shift,” that is now changing, with prosecutors bringing more criminal cases to trial, particularly for companies that fail to self-disclose wrongdoing.

Effective Sanctions Enforcement

Sanctions enforcement is currently one of the main focuses of the Dutch authorities, de Boer explained. Rather than focus on civil forfeitures, as some countries do, Dutch prosecutors have focused on bringing criminal cases, which has been “quite effective,” she said.

For example, between 2017 and 2024, there were 40 convictions for sanctions violations in the Netherlands, which is the highest number in Europe, de Boer reported. Currently, there are more than 200 ongoing investigations, she added. Most of the cases result in a penalty order, which can have a significant impact on a company.

Because many companies have a besloten vennootschap (BV), the Dutch version of a private limited liability company, in their ownership structure, prosecutors are usually “good to go” when it comes to jurisdiction, de Boer explained. Rotterdam is also the biggest port in Europe, which further strengthens jurisdictional hooks, she noted.

The fight against sanctions violations also has political backing, which means resources have been made available to prosecutors, de Boer related.

Cybercrime and Crypto

Another area where Dutch enforcers have been particularly active is in cybercrime and cryptocurrencies. Holland “has one of the best high-tech crime units,” de Boer argued, which has worked globally to dismantle cybercrime networks. They have partnered with the FBI and Interpol, as well as many other local jurisdictions.

One notable example where Dutch authorities worked closely with U.S. colleagues is the Tornado Cash case. Tornado Cash is a cryptocurrency “mixer” that takes cryptocurrency that might be tainted or traceable and combines it with other funds to obscure the source. Co-founder Roman Storm was prosecuted in the U.S. and convicted by a jury of “willfully conspiring to operate a money transmitting business that moved more than $1 billion in dirty money,” according to the DOJ press release announcing the conviction.

The Netherlands has also adopted the E.U. Markets in Crypto-Assets Regulation (MiCA), and it is expected the country “will enforce quite heavily” under it, de Boer advised.

Trials

Dutch prosecutorial zeal is manifesting in several criminal cases and trials, de Boer explained. “We have three very ambitious public prosecutors who are going after a lot of companies, facilitators [and] traders,” she said.

The most important example, de Boer opined, is Morgan Stanley’s settlement to resolve tax issues in late 2025 for more than $117.5 million. The company “was about to go to trial,” but instead decided to settle, while an individual director of one of the bank’s Dutch subsidiaries is still facing trial, she noted.

Illustrating how prosecutor attitudes have changed, both ING and ABN Amro settled money laundering allegations with Dutch authorities several years ago, but Rabobank, facing similar allegations, is now instead headed to trial. “There has been a lot of political pressure not to offer out-of-court settlements anymore,” de Boer pointed out.

It seems that there is “a little pocket of highly intense fraud prosecution” in the Netherlands, Beardsworth observed.

See “Polit and Aguilar Convictions Underscore DOJ’s Dedication to Individual Accountability – Despite the Challenges, Cost and Time Commitment” (Jul. 17, 2024).

International Anti-Corruption Taskforce

Perhaps the most high-profile development outside of the U.S. in 2025 was the formation of the International Anti-Corruption Prosecutorial Taskforce (Taskforce). The Taskforce is a coordinated effort between the SFO in the U.K., France’s Parquet National Financier and the Office of the Attorney General of Switzerland.

Goals

The purpose of the Taskforce is not to create a supranational organization or replace mutual legal assistance treaty (MLAT) procedures, Saverio Lembo, a Geneva-based partner at Bӓr & Karrer, explained. Rather, the goal “is to pool resources, particularly intelligence and forensic investigation [resources], and adopt a pragmatic, operational approach [across] enforcement authorities,” with the ultimate objective of reaching joint resolutions, he said.

Removing “border-related obstacles” and combining “the capacity of different jurisdictions” will help “make the fight against transnational corruption more effective,” Lembo explained.

One foundational goal of the Taskforce is for member authorities to understand each other’s operations. This is “very basic stuff that is sometimes missing in cooperation,” according to Martin Horion, a Paris-based partner at Bredin Prat.

The Taskforce also aims “to enhance and simplify mutual legal assistance,” Horion said. “It is one thing to send MLAT requests,” he noted, but “it is another thing to have it executed swiftly.”

Finally, if member authorities work on a case jointly, the Taskforce is meant to help “manage the day-to-day more easily,” Horion said.

See “The International Anti-Corruption Taskforce and U.S. FCPA Enforcement: A Look Ahead” (May 7, 2025).

Structure

There are two sub-groups in the Taskforce. The first is the Strategic Group, which is composed of the leaders of the three member organizations. This group meets twice a year.

The Strategic Group focuses on “forward-looking strategic work,” according to Horion. Based on his experience speaking with prosecutors, this “just means sharing intel” on “what is coming,” he said.

One issue with the Strategic Group is that, despite having only come into being in March of 2025, there has already been turnover in membership. Nick Ephgrave retired from his post as head of the SFO in January 2026 and a permanent replacement has yet to be appointed. Strategic Group meetings “would probably have taken place just once, maybe twice, with Nick Ephgrave in position,” Christine Braamskamp, a London-based partner at Jenner & Block.

The second sub-group is known as the Operational Group. It “meets once or twice a month to exchange information and cases and harmonize practices,” Lembo explained. Unfortunately, this group has also seen membership turnover due to staffing issues at the SFO. “Those monthly, maybe twice monthly, meetings were attended by [the SFO] co-head of bribery, who has also resigned,” Braamskamp noted. The net result is that there is “huge turnover” of both momentum and staff at the Taskforce, which may be undermining its effectiveness, she suggested.

See our two-part series “2026 U.K. Enforcement Outlook”: Compliance Evaluation Guidance (Feb. 11, 2026), and A Whole-Government Strategy to Fight Corruption (Feb. 25, 2026).

Few Cases So Far

The international anti-corruption landscape may be experiencing somewhat of a geopolitical recalibration, Elizabeth Hanft, a partner at Cleary Gottlieb, suggested. As a result of changes in the U.S. in 2025 and 2026, the Taskforce “is really poised to make a difference in the international anti-corruption landscape,” she said.

At the same time, “global anti-corruption enforcement has been anything but static, and some might say the paradigm shifted long before last year,” Hanft observed. There has been a move from a U.S.-dominated enforcement model to one where foreign governments have been “increasingly interested in having a seat at the table,” she explained. Enforcement has moved toward a coordinated comity and enforcement model where “governments cooperate on investigations, negotiate settlement terms and share the proceeds of financial penalty,” she shared. The Taskforce “is really an extension of that.”

The results of the Taskforce “are not so tangible,” Horion observed. There are no defense lawyers in Geneva, Paris or London who can say that they have a new case thanks to the Taskforce, he noted. However, he acknowledged, this is to be expected considering that the Taskforce has only been in existence for a year.

Quicker Prosecutorial Process

Prosecuting bribery and corruption cases can often feel like moving a quarter down a football field, according to Lisa Miller, former head of the DOJ’s Criminal Division and a current partner at Sidley. It requires patience “to doggedly move the quarter forward every day in some way.” There are more hoops to jump through than in a domestic prosecution “because the evidence is located abroad and it is hard to facilitate foreign witness interviews efficiently,” she said.

While there may not have been any blockbuster settlements or direct results from the Taskforce so far, it may still be making an impact in easing this friction in international prosecutions. Getting people on the phone more frequently, “alone, may have the beneficial effect of moving a case forward incrementally more rapidly,” Miller said. Based on her interactions with people on the Taskforce, she has noticed “that they have synced up more often and they have been sharing information with greater speed.”

The coordination is the “main takeaway” for companies and defense lawyers, Miller suggested. “They are meeting very frequently and, even with the SFO having recent personnel departures, certainly the French and the Swiss are very stitched up . . . and committed to building these cases,” she said.

See our two-part series on the Balt settlement: “New DOJ Policies in Action” (Apr. 22, 2026), and “International Cooperation Continues” (May 6, 2026).

After no state enacted a comprehensive privacy law in 2025, Alabama and Oklahoma moved ahead with Virginia-style statutes in early 2026. Now there are 21 states with such laws, deepening the patchwork of privacy rules as Congress again weighs federal action.

The Oklahoma law puts its citizens “back in control of their personal data,” Oklahoma Senator Brent Howard said in a press release. “For too long, technology companies and online platforms have collected and sold consumers’ personal information, including search histories, spending habits and other browsing data, without giving them the chance to opt out. This new law protects Oklahomans’ privacy online by giving every individual the right to know what data is being collected, while also giving them the power to delete that information and prevent it from being sold.”

This article reviews key provisions of the pair of new state privacy laws, discusses trends in the U.S. privacy law landscape and offers compliance tips, with insights from experts at Covington, Hogan Lovells and Miller Nash.

See, previously, “Measures for Complying With 19 (and Counting) State Privacy Laws” (Jul. 17, 2024).

Key Provisions

The Alabama Personal Data Protection Act (APDPA) and the Oklahoma Consumer Data Privacy Act (OCDPA) are based on Virginia’s Consumer Data Protection Act (amended in 2024 and 2025 to add new restrictions and obligations), and contain some similar provisions, observed Covington partner Elizabeth Canter and Hogan Lovells partner James Denvil.

The laws do not meaningfully change the national compliance landscape, Denvil said. “They generally align with what is out there, with some minor little differences.”

Start Dates

Both laws take effect in 2027: Oklahoma’s on January 1 and Alabama’s on May 1.

Applicability Thresholds

The APDPA and OCDPA each apply to persons (including corporations) conducting business in the relevant state or producing products or services targeting residents of the state, but with different applicability thresholds. The APDPA has a relatively low threshold, applying to persons that control or process the personal data of more than 25,000 Alabama residents (excluding personal data processed solely for completing a payment transaction) or that derive more than 25 percent of gross revenue from the sale of personal data. The OCDPA, however, applies to persons that control or process the personal data of at least 100,000 Oklahoma residents or that control or process the data of at least 25,000 Oklahoma residents and derive more than 50 percent of gross revenue from the sale of personal data.

Exemptions

The APDPA and OCDPA exempt personal data processed by consumer reporting agencies under the Fair Credit Reporting Act, data regulated by the Farm Credit Act, protected health information under Health Insurance Portability and Accountability Act (HIPAA) and data regulated by the Family Educational Rights and Privacy Act.

Both laws also exempt financial institutions subject to the Gramm-Leach-Bliley Act, higher education institutions, HIPAA-covered entities and business associates, and nonprofits. The APDPA’s nonprofit exclusion, however, applies only to nonprofits that have fewer than 100 employees and do not sell personal data.

The APDPA, unlike the OCDPA, also includes an exemption for businesses with fewer than 500 employees that do not sell personal data.

Compliance

The APDPA and OCDPA both require controllers to set up data security practices, enter into contracts with data processors and provide privacy notices.

The OCDPA, unlike the APDPA, requires controllers to carry out and document data protection assessments for processing activities that involve the sale of personal data, the processing of sensitive data, targeted advertising, some kinds of profiling or processing that causes a heightened risk of harm to consumers.

Definitions

Consumer

The APDPA and OCDPA each define “consumer” as an individual living in the respective state who is acting solely in an individual or household context, excluding those acting in a commercial or employment context. Accordingly, business-to-business personal data and employee personal data are outside the scope of each new law.

Sensitive Data

Both laws define “sensitive data” to include:

• personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status;
• genetic or biometric data processed to uniquely identify an individual;
• personal data collected from a “child” (an individual known to be under the age of 13); and
• precise geolocation data.

Sale

The laws differ in how they define “sale.” The APDPA defines the sale of personal data more broadly than the OCDPA. Alabama includes both monetary and “other valuable consideration,” whereas Oklahoma restricts the definition to “monetary consideration” only. Both laws exclude ordinary business disclosures from their definitions of sale.

Consent

The APDPA and OCDPA each require covered entities to obtain consent prior to processing sensitive data. Additionally, under the APDPA, if a controller knows that a consumer is between 13 and 16 years of age, consent is required to sell that consumer’s personal data or to use it for targeted advertising.

Consumer Rights

The APDPA and OCDPA each provide for similar consumer rights, including rights to:

• access their own personal data;
• correct inaccuracies in their personal data;
• delete their personal data; and
• obtain their data in a portable and readily usable format.

Additionally, both laws offer residents the right to opt out of the following:

• sale of personal data;
• use of personal data for the purpose of targeted advertising and profiling in respect of decisions with significant potential effects on the resident (e.g., decisions about criminal justice, insurance, healthcare, education, employment or lending).

Penalties and Enforcement

Each violation of the OCDPA is punishable by a civil penalty up to $7,500, and each violation of the APDPA is punishable by a civil penalty up to $15,000.

Neither law includes a private right of action, and both are exclusively enforced by each state’s AG.

Both laws provide a cure period before enforcement can begin – 45 days in Alabama and 30 days in Oklahoma. Neither law’s cure period sunsets, so both will be available indefinitely.

U.S. State Privacy Law Trends

Ongoing Bipartisan Legislation

Alabama and Oklahoma are both Republican-leaning states. “This reinforces that consumer privacy is a bipartisan issue and states are not waiting for a national approach,” Eva Novick, special counsel at Miller Nash, told the Anti-Corruption Report. There are now more Republican-leaning states with comprehensive privacy laws than Democratic-leaning states, she observed. The absence of a federal privacy law means that states will continue to legislate. “In addition to comprehensive privacy laws, we will also continue to see targeted laws on specific issues, such as children’s privacy, biometrics and AI profiling,” she said.

The passing of the APDPA and OCDPA “is likely going to put pressure on other state legislatures” without a comprehensive privacy law to adopt one, Denvil said, predicting that a “small handful” of states are likely to pass such laws in the next 12 months.

Over the past few years, apart from 2025, at least one or two states have passed a comprehensive privacy law each year, noted Jayne Ponder, an associate at Covington. It is possible that this trend will continue during this legislative session. “We have already seen comprehensive privacy frameworks pass at least one chamber in a number of other states, including Massachusetts, Louisiana and Pennsylvania,” she observed.

A Growing Patchwork

There is an increasing overlap in the basic framework of state privacy laws, but no two are exactly the same, Novick stated. Although states are continuing to learn from each other – as reflected in newer statutes and amendments to earlier law – key differences remain, including compliance thresholds, exemptions, consumer rights and what qualifies as a “sale” of personal data. “While there are commonalities between states, when you compare them, each is not like the others,” she said. “They are puzzle pieces with difference shapes.”

Alignment With Virginia

State policymakers are continuing to look to the Virginia model for inspiration. It “provides strong consumer protections within a workable framework that is fairly well understood and borrows key principles from international data protection laws,” Canter observed.

However, even in states following the Virginia model, there are discrepancies, such as Maryland’s data minimization standard and the aspects of the Minnesota law regarding documentation of policies and procedures, Canter continued. “On top of that, as enforcement has increased, it raises the potential for regulators in different states to take inconsistent approaches on a topic.”

The Push for a Federal Privacy Law

In late April 2026, the House Energy and Commerce Committee leadership proposed a federal privacy bill based on the Virginia model, though its prospects remain uncertain, Canter said. The passage of new privacy laws in Alabama and Oklahoma is unlikely to be “the straw that breaks the camel’s back,” she added, but it contributes to an already heavy patchwork of divergent state requirements that has renewed bipartisan interest in a national privacy standard with preemption.

The House proposal takes an approach on two long‑debated issues, Ponder noted: (1) whether a federal law should broadly preempt state privacy regimes, and (2) whether enforcement authority should rest with the Federal Trade Commission and state AGs.

Industry pressure for a single set of rules is a significant driver behind the proposal, Novick said, but persistent political and policy obstacles remain. As with federal data breach legislation, similar bills have stalled repeatedly, making passage far from assured.

Still, the addition of Alabama and Oklahoma to the growing roster of comprehensive state privacy laws adds momentum to calls for federal action, Denvil said. The more states that adopt laws that differ, even slightly, the greater the pressure on Congress to intervene. At the same time, any federal framework would face substantial hurdles, including resistance from states that oppose broad preemption and the risk of blockage in either chamber. “It is doubtful” the proposal will advance given competing legislative priorities, he surmised, “but you never can tell.”

Compliance Tips

Leverage Existing Privacy Programs, but Prepare for New Operational Realities

Companies generally can apply their existing privacy programs to the two new state laws, Ponder said.

Denvil concurred, specifying that if a company already has a Virginia-style compliance program in place, it is well prepared to address these new laws.

Still, companies should review the new laws and update their programs where applicable. For example, Denvil continued, it is a good idea for companies to confirm that they are able to address and honor requests from consumers in a timely manner and have appropriate consent mechanisms. Organizations that administer rights only for residents of states with laws currently in effect may need to adjust their processes ahead of 2027, while those that already apply rights nationally may not require material changes, he said.

To reduce operational burden, companies may choose to build a rights program around areas of commonality across state laws and address state-specific differences as needed, Ponder suggested. Oklahoma and Alabama regulators may look to whether consumer rights processes are clearly presented and consistently honored, she explained.

Moreover, due to Alabama’s low applicability threshold, companies that are out of the scope of other state laws should check whether they are in the scope of the Alabama law, Denvil said. The Oklahoma law will mainly affect large enterprises but could catch some mid-market ones that have a strong Oklahoma market base. The Alabama law, with a lower threshold, is even more likely to catch small companies that were not over the threshold for other state laws, he stated.

Consider Aligning Baseline Program With Strictest State’s Requirements

Business should consider establishing a baseline privacy program that addresses the strictest common requirements across the state laws, such as consumer rights requests, data protection assessments, data minimization, disclosures in website privacy notices, consent and vendor contracts, Novick advised. If a company is already complying with the stricter state comprehensive privacy laws, Alabama and Oklahoma “will not be a heavy lift,” she said.

It is theoretically possible for companies to comply with all state laws to the letter, Denvil suggested, but they need to assess whether they have the compliance resources to do so.

Review Public-Facing Statements

Companies should consider reviewing their externally facing materials and statements like privacy policies and responses to consumer rights requests through the lenses of the new laws, Ponder urged. Such materials and statements are readily observable by regulators and consumers, attracting scrutiny because they are publicly available.

Companies also need to ensure that any documentation is consistent with actual practices, Novick added. “A perfect policy that employees do not know exists and is not executed upon is just as bad as not having a policy at all,” he said.

Future-Proof Vendor Agreements

Given the rapid pace of change in state privacy laws, continually updating vendor agreements can be impractical, Canter said. Instead, companies may seek to embed strong baseline protections that future‑proof vendor contracts, which may remain in place for years. Companies that already have adopted strong baseline protections that address existing state privacy laws still may want to look at their template data processing terms currently in place to ensure they address what is required in Alabama and Oklahoma, she added.

Many companies apply baseline contractual protections across all personal data processing, regardless of whether the data is currently subject to a comprehensive privacy law, Cantor continued. This approach avoids questions about which data falls within the scope of evolving state privacy requirements, she said.

See our series on compliance representations and warranties: “Definitions and Goals” (Mar. 25, 2026), “Negotiations” (Apr. 8, 2026), and “Verification and Enforcement” (May 6, 2026).

Enable Frontline Teams

Simple workflow processes reinforced by regular reminders are as critical as annual training in enabling frontline teams to recognize privacy requests and route them appropriately, Novick noted.

Ensure Tools Are Properly Configured

Mature vendor tools will be updated to support the new laws ahead of their effective dates, Novick said. But companies remain responsible for ensuring those tools are properly configured and independently verifying that they function as intended.

See “Navigating U.S. Privacy Laws in Internal Investigations” (Aug. 28, 2024).

Enforcement Forecast

It will likely take some time for there to be an initial enforcement action in either Alabama or Oklahoma, Denvil said, predicting that there probably would not be any action taken within the first “few months of the effective dates.” Based on what has occurred with other states, it usually takes about a year after the law’s effective date for AGs to get staff in place, issue inquiries to organizations, deal with cure processes and then start active enforcement, he said. It will probably be at the end of 2027 or the start of 2028 when real enforcement starts to happen.

“However, some states are ramping up their offices quickly and looking to make a mark for themselves,” Denvil cautioned. “So, I would not be terribly surprised if we had quick enforcement.” If these two states follow the leads of the others, the initial regulatory scrutiny will likely be about failures to provide clear, easy-to-use mechanisms to exercise consumer rights requests or processing sensitive data without required consent.

Enforcement risks will differ by state, Novick said. In Alabama, a privacy incident that draws public attention may expand beyond the reported issue into a broader investigation, with regulators layering in allegations related to oversight of vendor commitments, including requirements around pseudonymous or deidentified data. At the same time, Alabama’s non‑sunsetting cure period moderates that risk. In Oklahoma, by contrast, enforcement scrutiny is more likely to focus on consumer‑facing failures, such as privacy notices that do not reflect actual practices or breakdowns in responding to consumer rights requests. Overall, she noted, the states that pursue the most aggressive enforcement tend to be those with the strongest statutory requirements, suggesting that Alabama and Oklahoma may not emerge as the most active enforcers.

See “Four Tips for Effective Privacy Training” (Sep. 24, 2025).

Blocking statutes are laws that govern what information can travel out of a given country. They can take many forms and many countries have them.

While U.S. legal professionals use the term “blocking statutes” to cover a number of statutes that have a similar effect, this is not always how they are referred to in their originating countries, Patrick Stokes, a partner at Gibson Dunn, noted in a February 2026 webinar hosted by the firm. Whatever they are called, they “are designed to protect national interests,” he explained, by protecting “information that may, from the country’s perspective, potentially undermine its national sovereignty.”

However, these statutes can create conflicts when a company faces an investigation in the U.S. where prosecutors expect the company to produce all relevant evidence. Collecting information in a country with a blocking statute to then share with U.S. authorities or courts must comply with the local law of the country where that information resides, Stokes explained, which can create headaches for companies and counsel.

Sanctions for noncompliance with blocking statutes can be significant, Stokes warned. “In some countries, these blocking statutes are criminal statutes that could lead to criminal enforcement actions,” against the company, individual employees or even the lawyers working on their behalf, he explained.

A mutual legal assistance treaty (MLAT) between the U.S. and a jurisdiction with a blocking statute can provide a path forward, but the process is time consuming and requires a U.S. investigating enforcement agency to submit a request to the other government.

During the webinar, Stokes was joined by partners Courtney Brown, Christopher Harris, Ning Ning and Pierre-Emmanuel Fender to provide a multinational perspective on the blocking statutes of France, Switzerland and China; explain how U.S. authorities and courts handle these statutes; and suggest five tips for companies on how to deal with them. This article summarizes the key takeaways.

See “How Internal Investigations Can Let the Compliance Team Shine” (Jan. 29, 2025).

How the U.S. Handles Blocking Statutes

Enforcement authorities and courts are aware of the bind blocking statutes can place companies in when facing investigation or litigation in the U.S.

Courts May Seek to Compel Disclosure

U.S. courts can compel parties to disclose information despite blocking statutes, Brown said. This can happen in both criminal and civil cases.

Judges may instruct companies that, to avail themselves of U.S. jurisdiction, they must comply with document requests, even ones that violate another country’s laws, Stokes elaborated.

Among the factors courts weigh when deciding whether to make such demands, national interest “is often seen as the most important,” according to Brown. The court will weigh the interests of the local jurisdiction and the U.S., she explained.

DOJ Has High Expectations

“The DOJ has noted, through deep experience on its end, that these statutes come up quite frequently” and “prevent the DOJ from obtaining information in its investigations,” Stokes commented. The SEC has encountered the same issue, he added.

Blocking statutes can hamper disclosure of data in civil enforcement and private party disputes, Brown added.

Perhaps because of this deep experience with blocking statutes, the DOJ has high expectations of companies that invoke them as a reason for not sharing information. Indeed, the DOJ’s Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) says:

Where a company claims that disclosure of overseas documents is prohibited or restricted due to data privacy, blocking statutes, or other reasons related to foreign law, the company bears the burden of establishing the existence of such a prohibition or restriction and identifying reasonable and legal alternatives to help the Department preserve and obtain the necessary facts, documents, and evidence for its investigations and prosecutions.

To comply with DOJ expectations – and receive cooperation under the CEP – a company should “provide written guidance” as to why it cannot provide requested information, Stokes said. It should identify ways in which it can provide the information the DOJ wants without implicating the blocking statutes, he added.

Accommodating Restrictions

Even considering the DOJ’s high expectations, compared to U.S. courts, the DOJ and the SEC “tend to be more understanding of the limitations” that can make it hard for companies and practitioners to provide data “in a cooperative posture in an investigation,” Stokes explained. The enforcement authorities are more likely than the courts to realize that this could expose companies, or their legal advisors, to legal consequences abroad, he observed.

The DOJ and the SEC often take less rigid and formal approaches than U.S. courts, Brown concurred, and emphasize the possibility of reasonable alternatives to obtain the information. For example, the DOJ and SEC will ask if there are sources of information not subject to the blocking statutes, or whether the data has already been transmitted to the U.S. in some form. Meanwhile, a company that ends up in a criminal case being litigated before a court can find the judge takes “a very different view” from the DOJ’s and the SEC’s investigation practices, Stokes cautioned.

See “Five Strategies for Navigating Cross-Border Investigations” (Feb. 25, 2026).

Technip DPA Exemplifies Cooperation Expectation

A 2010 DPA, which the DOJ entered into with French engineering company Technip regarding FCPA violations, offers a case study in how production of foreign documents can be built into resolutions, Brown said.

The DPA stipulated that Technip would provide its monitor with information that was not subject to protection from disclosure by French laws. The monitor then provided the DOJ with a redacted report allowing the DOJ to pursue an MLAT request to French authorities to obtain unredacted versions if it deemed it necessary.

This exemplifies the DOJ’s recognition that a company’s cooperation and reporting obligations may be tempered by the need to conform to non-U.S. law, Brown commented.

See “$296M TechnipFMC Settlement Shows Petrobras Fallout Is Far From Over” (Jul. 10, 2019).

The Swiss Blocking Statutes

Article 271 of the Swiss Criminal Code regulates what information can be sought as part of a U.S. investigation.

Under Article 271, certain official acts should not be performed in Switzerland on a foreign government’s behalf without approval from Swiss authorities, Harris explained. Additionally, Article 271 covers actions performed by a private person if performed in the interests of a foreign state. Relevant actions could include ones carried out “in connection with proceedings conducted by a foreign court or government body,” he pointed out. Breaching Article 271 can mean up to three years in prison or a monetary penalty, he warned.

Impact on U.S. Proceedings

Article 271 can affect a company that is “trying to comply with information requests” in response to a governmental investigation outside Switzerland, Harris explained. The statute also comes into play “when an external party is trying to serve documents or collect evidence for the purpose of proceedings, be they civil or criminal, abroad,” he added.

While in the U.S., it is not unusual to serve documents personally on litigants, this would raise problems in Switzerland, where the notification and transmission of judicial documents is performed by the authorities, Harris said. “To serve a subpoena, for example, on a person in Switzerland is, prima facie, a criminal offense under Article 271,” he noted.

The collection of documents for the purposes of non-Swiss proceedings may be a violation, as well. A non-Swiss authority seeking to do this must, in most cases, deploy the international judicial assistance route, Harris said.

Additionally, two amendments, that took effect on January 1, 2026, have an impact on Article 271, Harris explained.

PILA Amendment

The first notable amendment is to Switzerland’s Federal Act on Private International Law (PILA).

Under the amended version, in some circumstances, a Swiss-based party to foreign proceedings can “produce documents directly and voluntarily in those proceedings,” according to Harris, provided that production is in compliance with other Swiss restrictions, such as secrecy or data protection provisions protecting third parties.

Amendment to Swiss Declaration on Hague Convention

January 2026 also saw an amendment to the Swiss Declaration on the 1970 Hague Convention on the Taking of Evidence Abroad in Civil and Commercial Matters (Hague Evidence Convention).

The amendment “softened, substantially, the requirements for questioning of individuals in Switzerland via telephone or video conference,” Harris said. Switzerland eliminated the need for authorization “when taking evidence from persons located in Switzerland via audiovisual transmission,” he explained.

Instead, there is now “a simpler requirement of notification to the Swiss authorities,” Harris related. Swiss federal authorities must be notified at least 14 days in advance of an interview by the parties, the foreign court counsel or the witness. The Swiss-located individuals’ participation must be voluntary, he added.

See “Navigating U.S. Privacy Laws in Internal Investigations” (Aug. 28, 2024).

Chinese Data Protection Laws

The relationship between the People’s Republic of China and the U.S. is “unlike the very cordial relationship between Switzerland and the U.S.,” Ning reported. Although China and the U.S. have had an MLAT in place for 25 years, it is little used. “With the ongoing geopolitical tension, we are not surprised by the continuing lack of cooperation,” she said.

Three main sets of Chinese laws can complicate the process of obtaining evidence out of China for the purposes of investigations affecting U.S. companies, whether internal or governmental investigations, Ning outlined.

International Criminal Judicial Assistance Law

The first is the International Criminal Judicial Assistance Law (ICJA Law), effective since 2018. It requires Chinese government approval “before anyone in China can provide evidence, testimony or a deposition to foreign criminal proceedings,” Ning explained.

“The law, unfortunately, does not provide a clear roadmap on how to get these approvals,” Ning observed. Implementing regulations dating from 2024 indicate that parties seeking to gain such approval from the Chinese government can submit an application to a working group headed by the Ministry of Justice, she observed.

“It is unclear whether any applications have been successful, because the working group has great discretion to determine whether the evidence has any impact on Chinese national interests and data security,” Ning remarked.

Particular scrutiny applies “if the company is in a sensitive industry,” such as semiconductors, AI or defense, Ning noted. With few details made public, “it is hard to tell how long these applications will take, and whether these are successful at all.”

Data Security Law and Personal Information Protection Law

The Data Security Law (DSL) of 2021 and the Personal Information Protection Law (PIPL) of 2021 form the second category of laws restricting transferal of evidence to non-Chinese judicial and enforcement authorities, in civil or criminal proceedings, Ning said.

In this case, there is “a clear roadmap to transfer data out of China, and the approvals companies need to get,” Ning said. There is a government agency they are directed to communicate with, named the Cyberspace Administration of China. Its staffers “are very experienced in handling requests to transfer data out of China, especially for private party litigations,” she commented.

State Secrets Law

Protection of state secrets is a third area of legislation that poses challenges in transferring data out of China, Ning mentioned. The State Secrets Law concerns the possession and transmission of “anything that has a bearing on the Chinese national security and national interests,” she explained.

Defense, semiconductors, AI, telecommunications infrastructure and state-owned companies are areas where this can arise, according to Ning. “The government has been actively enforcing the State Secrets Law,” she warned.

See “Navigating Recent Changes to China’s Data Privacy Laws in Internal Investigations” (Jun. 5, 2024).

France Steers Inquiries Toward MLAT Channels

France is another country with a challenging data transfer regime for countries facing investigation and litigation in the U.S.

France’s blocking statute favors using the MLAT process for the transfer of data and documents out of the country to foreign authorities, Fender explained. This allows French authorities to filter and block the sharing of “whatever piece of information is of key importance for them,” he explained.

The legislation originated in 1968 as Act No. 68‑678, known in English as the French Blocking Statute (FBS).

The FBS prohibits the communication to non-French authorities of documents deemed sensitive to France’s sovereignty or security, unless this happens via MLAT agreements, Fender explained. Its “general prohibition” bars French-based custodians from communicating key sensitive documents, he said. The FBS also prohibits a wider range of actors, including foreign citizens and residents, from gathering sensitive evidence in France in the context of foreign judicial or administrative proceedings, he added. Violators of the statute may face “a fine and up to six months of imprisonment,” he warned.

Broad Coverage

A wide range of foreign proceedings fall within the FBS’ scope.

“It is very clear” that U.S.-led criminal investigations or commercial or civil disputes are within its scope, Fender commented. However, there are other situations where it can be “more complicated” to ascertain whether the FBS applies, he said. For example, an administrative inquiry can fall within the statute’s scope, as can an internal investigation.

Additionally, voluntary disclosures may be classified as “gathering evidence for the purpose of foreign administrative or judicial proceedings,” and therefore may implicate the statute, Fender said.

Sending a pre-litigation “hold notice” letter, requesting preservation of documents that may be relevant in forthcoming proceedings, is one example. Such requests, addressed to French individuals or entities, could conflict with the FBS and “very quickly be a problem,” Fender warned.

SISSE Is Foreign Entities’ Dialog Partner

A body within France’s Ministry of Economy, the Strategic Information and Economic Security Department (SISSE), supports the implementation of the FBS, Fender explained. Legal practitioners advising on a U.S. investigation and unsure about the application of the blocking statute can communicate with the SISSE and “have a fairly flexible conversation” with its staff, he reported.

Even before the formal start of an investigation or judicial process, it is possible to ask the SISSE to screen documents and ascertain whether sharing them with foreign authorities would violate the FBS, Fender advised.

U.S. Authorities May Need to Trigger MLAT

Since the statute does not allow for “voluntary communication” of data based in France for proceedings elsewhere, companies may need to “trigger” U.S. authorities to pursue the MLAT route, Fender suggested. Additionally, companies may need to “manage the US authorities’ expectations,” because the MLAT process involves a “rather long and tedious channel of communication,” he said.

A request from the U.S. authority goes to a French judge or public attorney, who then interrogates the French document custodian. After that custodian hands over the document, it is “upstreamed back” and must be “screened by the SISSE” before reaching U.S. authorities, Fender explained, which can take weeks, or even months.

U.S. officials who are familiar with the MLAT procedure are more likely to understand that the company is trying to help when it asks them to trigger the MLAT mechanism, Fender observed.

See “The Changing Landscape of the French ‘Secret Professionnel’” (Apr. 8, 2026).

Five Tips for Working With Blocking Statutes

The Gibson Dunn partners offered five tips that companies should keep in mind when a blocking statute is at play in U.S. investigation or litigation.

1) Consider Blocking Statutes From the Outset

It is important to be mindful of blocking statutes from the very initiation of an investigation or litigation, Stokes said.

In choosing how to manage blocking statutes amid investigations, companies should consider the particulars of their situation and the specific purpose of the data collection, Brown advised. The reason for collecting information – including whether a document is being voluntarily provided or is subject to a subpoena – factors into how to best handle the issue, she observed.

Companies should “consider whether there are alternate sources that may not be subject to the blocking statutes,” Brown said. They should be sure to have “collection and review protocols” for documents, which prevent inadvertent transmission of information in a way that violates non-U.S. legal restrictions, she stressed.

2) Work With Local Counsel

U.S. companies and their legal advisors should work with legal experts in the relevant country, Stokes advised, as they are better placed to advise on how blocking statutes apply to a given circumstance.

Ning emphasized the value of asking experienced Chinese counsel to assess data being sought to determine whether the ICJA Law, PIPL or state secrets laws might be implicated.

3) Communicate With U.S. Authorities

Some DOJ and SEC officials “have tremendous experience and knowledge in these areas,” but others do not and “react with more surprise and frustration,” Stokes commented.

Thus, affected companies should communicate “early and often” with authorities about the limitations blocking statutes may impose on data provision, and what they are doing to be cooperative nonetheless, Stokes recommended.

The DOJ and the SEC “appreciate and understand that these laws and restrictions are there,” but “any statements that ‘we cannot provide the information’ are really pressure-tested,” Brown noted.

People working for a U.S. company in another country may sometimes send relevant communications to employees across borders, Stokes pointed out. The DOJ and the SEC expect the affected companies’ counsel to “proactively identify opportunities to obtain information” from such sources, he said.

Companies can even view blocking statutes as “an opportunity for cooperation” with U.S. authorities, Stokes suggested. “A company with counsel familiar with the MLAT process and how to navigate these blocking statutes” can help prosecutors navigate that process, he remarked.

4) Assume Authorities Communicate in the Background

U.S. companies may be concerned that an MLAT request will attract the attention of the other country’s enforcers, triggering an investigation there. However, there may, in any case, be background communication between U.S. and non-U.S. authorities, Stokes noted. If the national authorities have good relations with each other, they may even be coordinating their investigation, he said.

The affected company may not even know that U.S. authorities have pursued MLAT requests, because “there is no notification requirement to companies,” Brown remarked.

5) Understand Where Information Resides

It is critical for companies to understand their tech frameworks and the locations of data because it is typical for U.S. investigating authorities to ask about this upfront, with an eye towards possible blocking statute issues, Brown said.

It is key to understand where a given piece of information resides, “in which territory, and who is actually in control over this document,” Fender concurred.

In the case of company operations located in China, Ning noted, the company needs to conduct data mapping to figure out whether the relevant servers are outside of China. If they are, information held on them is “not subject to the data restriction laws,” even if contained in emails written by employees in China.

See “Navigating the Intersection of Whistleblowing and China’s Data Protection Regime” (Apr. 12, 2023).

Former federal prosecutor Ryan Rohlfsen has joined Latham & Watkins’ Chicago office as a partner in the firm’s white-collar defense and investigations practice.

Rohlfsen advises multinational companies, boards and senior executives in high-stakes government-facing civil and criminal white-collar matters, internal investigations, litigation and related crisis management. He also counsels global companies on building and strengthening sophisticated compliance programs. He has extensive experience advising on international and domestic corruption matters, securities and accounting fraud, healthcare fraud, money laundering, sanctions and export controls, data privacy and state consumer protection matters.

Rohlfsen arrives from Ropes & Gray, where he was a partner for more than a decade. He also previously served as a federal prosecutor in the DOJ’s Criminal Fraud Section in Washington, D.C., and Chicago, where he led complex securities fraud, healthcare fraud and domestic corruption matters, and served in the FCPA Unit.

For commentary from Rohlfsen, see our four-part series on risk assessments in Trump 2.0: “Back to Basics” (Aug. 27, 2025), “Reassessing in the Great American Reset” (Sep. 24, 2025), “Who and When” (Nov. 5, 2025), and “Employing Data and Emerging Technologies” (Dec. 31, 2025).

For insights from Latham & Watkins, see “2025 in Review: DOJ Perspectives on How the Blanche Memo Restarted FCPA Enforcement” (Jan. 14, 2026); and “2025 in Review: Impact on In-House Teams and Their Defense Counsel” (Jan. 28, 2026).

Jamie Nawaday has joined Taft’s newly launched New York office as partner in the compliance, investigations and white collar defense practice.

Nawaday provides strategic counsel to companies and executives navigating high-stakes government investigations and regulatory matters. She advises public and private companies, boards of directors, and senior executives in federal criminal and civil cases involving financial and securities fraud, the FCPA, campaign finance violations, the False Claims Act, asset forfeiture, and Bank Secrecy Act and anti-money laundering issues. She also conducts internal investigations and advises on crisis response and media relations.

Most recently, Nawaday was a partner at Seward & Kissel, where she served as chair of the firm’s government enforcement and investigations practice. During her seven-year tenure as an assistant U.S. attorney in the Southern District of New York, she led numerous high-profile investigations involving securities fraud and other financial crimes.

For commentary from Nawaday, see our two-part series on the FCPA Executive Order: “The Future of U.S. Enforcement” (Mar. 12, 2025), and “Staying the Course in the Face of Continued Risk” (Mar. 26, 2025).