
Regulatory Roundup: March 2025

  • Writer: Steve Marshall
  • Mar 12
  • 4 min read

Our latest Regulatory Roundup highlights critical regulatory updates from the last month, including new US cross-border data controls, a $37M FinCEN fine for anti-money laundering (AML) failures, and Europe’s growing lead in sanctions enforcement. Plus, find insights on the EU AI Act, US stablecoin regulations, and the DOJ’s new financial crime priorities. Stay informed to ensure your compliance strategies stay on track. 


SPECIAL ANALYSIS: CROSS-BORDER DATA FLOWS




New US rule regulates cross-border data flows to countries of concern 

Starting March 27, 2025, new regulations will impose stricter controls on the transfer of Americans' bulk personal data to foreign entities associated with “countries of concern.” This new framework is designed to enhance data security and protect sensitive information from unauthorized access. 


The final rule, issued on December 27, 2024, creates a framework that regulates data transfers involving “covered persons”—a category that includes: 


  • Entities that are majority-owned (50% or more) by a country of concern or related individuals. 

  • Individuals who are employees or residents of such countries. 

  • Any person identified by the U.S. Attorney General as posing a risk to data security. 


Defining bulk data and key thresholds 

The rule introduces specific data thresholds to identify what qualifies as "bulk data," including: 


  • Genomic data: 100+ US persons 

  • Biometric identifiers: 1,000+ US persons 

  • Precise geolocation data: 1,000+ US devices 

  • Health data: 10,000+ US persons 

  • Financial data: 10,000+ US persons 

  • Personal identifiers: 100,000+ US persons 


Data exceeding these thresholds will face stricter scrutiny when transferred to foreign entities. 


Due diligence and compliance requirements 

Businesses handling this data must implement robust compliance programs that include:

 

  • Risk-based procedures for both internal operations and vendor management. 

  • Written policies that outline data protection measures. 

  • Annual certifications by an officer, executive, or designated employee. 

  • Additional requirements as specified by the Attorney General. 


What this means for US businesses 

Companies that collect, store, or share sensitive US personal data—particularly those in healthcare, finance, or technology—should:

 

  • Review existing data-sharing agreements to identify potential risks. 

  • Enhance due diligence processes for vendors and partners, particularly those linked to covered persons. 

  • Develop or update data security policies to meet certification requirements. 


The final rule underscores the growing emphasis on safeguarding US citizens’ data in an increasingly interconnected global landscape. Businesses should take proactive steps now to ensure compliance by the March 27, 2025 deadline.  


ANTI-MONEY LAUNDERING 


FinCEN fines Brink’s $37M for AML failures 

FinCEN has imposed a $37 million penalty on Brink’s Global Services USA for willfully violating the Bank Secrecy Act (BSA), failing to implement AML controls, and neglecting to report suspicious activities, allowing hundreds of millions in high-risk cash transfers across the southwest border. This marks FinCEN’s first enforcement action against an armored car company. 


FCA urges wholesale brokers to strengthen AML controls 

The FCA has identified significant gaps in UK wholesale brokers’ AML systems, citing underestimated risks, over-reliance on third-party checks, limited information sharing, and insufficient awareness of suspicious activity reporting codes. The FCA highlighted the need for firms to have a strong and effective system of internal controls that are reviewed on a consistent basis. 


FIT21 Act advances digital asset regulation 

The FIT21 Act, passed with bipartisan support in 2024 and backed by the US president this year, requires digital asset intermediaries to register with the SEC or CFTC based on asset type, strengthens AML compliance, and requires joint rulemaking for dual registration.


GENIUS and STABLE Acts propose stablecoin regulation

In the US, the Guiding and Establishing National Innovation for US Stablecoins (GENIUS) Act and its companion Stablecoin Transparency and Accountability for a Better Ledger Economy (STABLE) Act of 2025 aim to establish a federal framework for regulating dollar-denominated stablecoins, requiring issuers to comply with AML and sanctions rules, with the OCC gaining oversight of federal nonbank stablecoin issuers. 


FinCEN delays Corporate Transparency Act enforcement 

FinCEN announced it will temporarily refrain from enforcing BOI reporting penalties and plans to extend reporting deadlines via an interim final rule by March 21, 2025, while also seeking public input on potential revisions. 


DOJ shifts financial crime enforcement focus 

The DOJ has shifted its enforcement focus to target sanctions, export control, and money laundering violations, with increased emphasis on cartels and transnational criminal organizations. 


SANCTIONS 


Europe surpasses US in sanctions enforcement 

In 2024, Europe (including the EU, UK, Switzerland, and Norway) imposed more fines and secured more convictions for sanctions breaches than the US, surpassing U.S. authorities like OFAC, BIS, and the DOJ in total fines, fine value, and the largest single fine. 


US designates drug cartels as terrorist organizations 

On February 20, 2025, the US Department of State designated eight drug cartels as Foreign Terrorist Organizations (FTOs) and Specially Designated Global Terrorists (SDGTs), placing them on the SDN list and exposing foreign financial institutions and individuals dealing with them to potential secondary sanctions and criminal prosecution. 


ARTIFICIAL INTELLIGENCE 


EU AI Act enforces new prohibitions 

The EU Commission published guidance on the EU AI Act, effective February 2, 2025, highlighting broad prohibitions on certain AI practices, urging businesses to assess real-world AI capabilities, manage high-risk systems, and ensure compliance with other relevant laws. 


 

Confidently navigate regulatory changes 

Keeping up with evolving regulations can be challenging. Our Advisory Services offer expert support in model risk management, data governance, sanctions compliance, and more. We can help you strengthen policies, assess data quality, manage customer risk, and refine your AI frameworks. Get in touch today to stay ahead of compliance demands! 
