OPINION: US regulatory compliance outlook for 2025

Let’s take a look ahead to 2025 and think about how the regulatory and compliance landscape could undergo transformation – or not.

In 2025, the chance of some level of deregulation in the US federal regulatory regime is quite likely, ushering in a less-is-more approach to new technology such as artificial intelligence (AI), alternative investments (including private funds and digital assets), climate disclosure, bank capital requirements and consumer protection rules in the financial services sector.

But some areas that garner great bipartisan support should show little change in approach, and international and state-level mandates in areas such as consumer protection, sustainability reporting, privacy and others make it important that companies keep resources and skillsets ready to meet their compliance challenges.

And compliance and legal teams must be prepared for some areas of risk to possibly increase, even as a certain amount of de-regulation settles in, because every regime shifts the balance of policy objectives – that often result in mandates for businesses – in different directions.

Let’s dig in.

AML and Sanctions Regulation and Enforcement

Anti-money-laundering (AML) enforcement was one centerpiece of the SEC’s, banking regulators’ and US Treasury’s Financial Crimes Enforcement Network’s (FinCEN’s) enforcement endeavors in 2024, and there is little evidence to suggest this will change in 2025.

In September, FinCEN issued a final rule that adds certain registered investment advisers (RIAs) and exempt reporting advisers to the definition of “financial institution” under the regulations implementing the Bank Secrecy Act. That means that they must implement risk-based AML and combating the financing of terrorism (CFT) programs, including internal controls, policies, training, independent testing, and the designation of a qualified AML/CFT officer, plus file suspicious activity reports and currency transaction reports.

In October, TD Bank pleaded guilty to AML failures, receiving a record-smashing $3 billion+ in penalties and a highly unusual asset cap of $434 billion on the growth of its US entity. The penalty included settlements with the Department of Justice, FinCEN and the Office of the Comptroller of the Currency, and TD Bank agreed to four years of independent monitoring, having previously agreed to hire a new AML leadership team.

The FinCEN final rule and the TD Bank fine were seen as positive developments — filling a much-needed gap in AML rules and holding a bank responsible for allowing drug cartels and other criminals to move hundreds of millions of dollars in illicit finance. (At least a couple of US lawmakers want TD Bank to be penalized further.)

Bipartisan support was also a feature of the Corporate Transparency Act (CTA), which was implemented on January 1 with a compliance date coming up on the same day in 2025.

But thanks to a federal appeals court in Texas, companies do not have to file beneficial ownership details right now, since that court’s judge blocked the law’s implementation.

The beneficial ownership component of that law requires covered businesses to report information about their owners – namely, anyone who owns 25% or more of ownership interests in the entity or exercises substantial control over the entity.

The CTA might not be fatally wounded, though. The bipartisan push to create it is not suddenly gone, and as the law’s authors noted, Vladimir Putin’s invasion of Ukraine amplified the importance of the law. “The federal government cannot properly implement sanctions against Putin and his oligarchs if it does not know the full extent of their holdings,” said Senator Marco Rubio (R-FL) at the time.

Speaking of sanctions, they should play a key role in a second Trump administration as they did in his first.

And even if Trump were to carve out exceptions for President Putin, he could use secondary sanctions authority to target those countries trading with both Russia and the US to accomplish the same sanctions policy goal.

Scrutiny of China and continued export restrictions on the minerals and other components that go into our tech tools should persist, but this new administration will have to deal with a China that has more greatly leveraged its allies to circumvent American and European sanctions.

And other countries might also seek to circumvent the proposed, lofty tariffs he has announced. Trump has said he intends to impose them on imports from countries including Canada, Mexico and China – tariffs that many economists think are likely to lead to rising prices for consumers.

The tariffs could lead to headaches for companies that have already tried to temper the effects of a few years of persistent inflation. This involves compliance and legal teams when sales and product strategies, procurement practices and manufacturing locations are adjusted due to pricing and changing consumer patterns.

Banks, capital rules and M&A

In recent interviews with potential nominees to lead bank regulatory agencies, Trump advisers and officials from the newly created Department of Government Efficiency have asked whether the president-elect could abolish the Federal Deposit Insurance Corporation, people familiar with the matter told the WSJ.

So, alas, there is a chance of shrinkage or consolidation in the banking regulatory arena coming, but time will tell.

For now, banks that have been fighting against efforts to boost their capital requirements sense that more cheerful messaging is coming on that front. Granted, these capital proposals have been watered down already, but some banking industry participants are wondering if the so-called Basel III Endgame scheme can go away completely or get diluted further.

Banks, like other companies, are seeking to consolidate and to challenge other businesses in their own sector or in adjacent sectors where they want to grow products and services soon. This is true of Capital One and Discover, which are trying to challenge the large credit card companies with a merger.

Mergers and acquisitions keep spreading across the technology, food, and healthcare sectors, among others, but the antitrust regime for the past several years – presided over by Lina Khan at the Federal Trade Commission and Jonathan Kanter at the Department of Justice – has pushed back.

Without them, I would expect to see a larger degree of dealmaking activity that banks manage for these other businesses, subject to exceptions that arise on a case-by-case basis. (Example: Trump in his first term opposed AT&T’s acquisition of Time Warner, but it seemed to have more to do with his animosity toward cable news provider CNN than anything else.)

These developments also bode well for private-equity firms, of course, as they seek to finance some of this dealmaking business. But they should also benefit from a new approach to alternative investments – an area that SEC Chair Gary Gensler challenged with new rules during his tenure (targeting private funds in particular) that got stalled, then thrown out by an appeals court, and are likely dead in the water.

Consumer protection

Some businesses are anxious to see the current leader of the Consumer Financial Protection Bureau (CFPB) leave his post. Director Rohit Chopra has been energetically implementing stricter consumer protection efforts (in the form of new rules and enforcement actions) over a broad swath of credit card companies and online digital payment app providers, targeting overdraft, late and other “junk” fees that many businesses consider hindrances to their bottom lines and an illegal extension of the agency’s remit.

By its own estimate, the CFPB has clawed back nearly $20 billion in consumer relief.

The recent rule capping credit-card late fees (being challenged in court) is likely to be discarded or weakened. The idea of capping the fee at $8 (down from $32) seems to discard free-market principles, and it’s hard to see Trump’s CFPB vigorously defending it.

This summer, the agency proposed banning medical debt from appearing on consumers’ credit reports. And in October it warned companies against seeking payment on unverified bills, which triggered litigation from debt collectors, who cited the costs they would bear and pass on to consumers.

Even if the Trump administration dumps the rule, there are state regulators taking up the cause, with Colorado, California and New York either enacting rules on medical debt reporting or proposing it.

So, it might just come down to where you live as a consumer in terms of your consumer protection coverage – which has always been true, but maybe more so with a conservative administration reining in the federal consumer watchdog.

(Sidenote: Speaking of reining in, Elon Musk has already said his cost-cutting role within the federal government will include “deleting the CFPB.”)

ESG

What will happen to the SEC’s climate disclosure rule, issued in March, under the new federal administration? It is likely to be completely tossed out or really whittled down, but I am not convinced this means much.

According to a CCSI/Sabin Center report, many companies already publish much of the information called for by the new SEC rule in the sustainability reports they provide to investors on their websites.

Of course, that does not mean they are filing that information with the SEC, since they don’t have to, but these organizations could be subject to other ESG-related reporting directives, such as the EU’s daunting Corporate Sustainability Reporting Directive and California’s regulations requiring disclosure of climate-related financial risks and greenhouse gas emissions.

Other countries, such as Singapore and Australia, have committed to mandating disclosure of 2025 sustainability data based on the International Financial Reporting Standards.

So, these material details are going to some regulators, plus many investors, since some investors demand or expect them from sizable enterprises.

Pro-ESG coalitions such as As You Sow, CERES and the Interfaith Center on Corporate Responsibility have announced that they will continue to pressure companies to further advance their ESG initiatives. And there are other issues in the ESG context that straddle the sub-categories of “supply chain,” “marketing,” and “business continuity” that keep the ESG discussion fully relevant in the regulatory compliance sense, too.

In other words, companies will have to assess their climate-based risks because of operational challenges that relate to their supply chains, informing their stakeholders and regulators what they have done to be resilient to climate-related risks in their supply chains.

And import restrictions by the US and EU to reduce dependence on China – premised on national security and clean supply chains – are already contributing to supply challenges and price volatility.

Further, ESG as a risk area isn’t always about the actual climate – it can sometimes just refer back to a company’s public statements, including sustainability phrases, claims and goals.

A number of businesses have been charged with making false or unverified environmental claims to mislead the public and investors – a charge colloquially called “greenwashing.” Whether companies must submit certain climate-related data to a regulator or not, they must appreciate such things as how and to what extent their recycling programs operate in the real world, whether names for certain investment products are misleading and what “net zero” actually means.

Last, business continuity planning must include natural disasters and other climate-related crises, if they ever did not include them before the warmest year on record hit the planet in 2024. Even climate events that are not devastating can disrupt business operations in localized ways and more broadly, and your business partners likely expect you to have contingency plans in place, never mind your regulator.

Cybersecurity and privacy

As cybersecurity risks (including insider threats) remain a key concern across industries, scrutiny of how companies secure data, manage data-breach risk, remain resilient, respond to incidents and accurately report issues in a timely fashion will remain a regulatory priority.

In 2024, almost every industry experienced critical IT disruptions, many of them severe and some with significant national security implications. The CrowdStrike incident, as just one example, put into stark relief how susceptible a truly wide swath of (crucial) industries in the global economy are to software vendor disruptions and to overreliance on the same tiny group of vendors.

Salt Typhoon, the China-linked threat group, recently infiltrated and maintains access to at least eight telecom providers in the US. In response, current Federal Communications Commission (FCC) Chair Jessica Rosenworcel proposed rule changes that would require telecom operators to secure their networks and maintain cybersecurity risk management plans.

In like fashion, the incoming FCC Chair, Brendan Carr, expressed significant concern over the implications of an adversary attacking US critical infrastructure – like its telecom networks – and said this risk has to be tackled immediately.

Cyber-breach concerns for firms go beyond regulators’ concerns, mandates and regulatory fines, though. Class-action litigants seek damages over them too, especially since federal regulations protecting customers and employees have been lacking.

Litigants often allege that the defendant-company had a duty to protect their personally identifiable information under various federal and state laws, such as Section 5 of the Federal Trade Commission Act, the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act.

(Sidenote: The Change Healthcare data breach this year led to 79 federal complaints in US courts.)

But let’s look at a couple of regulatory regimes that should persist.

In July, the SEC adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance. Although SEC Commissioner Hester Peirce thought that the SEC’s 2018 cybersecurity guidance would have been adequate to compel disclosure, without the need for new rules, I don’t think this definitively signals an imminent about-face on the rule, given the onslaught of high-profile attacks this year.

Peirce and her GOP colleague, Commissioner Mark Uyeda, do seem focused, though, on making sure that the securities watchdog steers clear of “Monday morning quarterbacking” in cyber-related enforcement actions, saying only hindsight can provide the type of nuanced information that is not available during or right after a cyber incident.

Companies have been prepared and have met the reporting date set out by the SEC – providing such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.

At the state level, New York’s Department of Financial Services mandates cybersecurity programs, the appointment of a chief information security officer, an incident response plan, incident reporting and annual compliance certification. And it was recently updated to require businesses to implement new, proactive incident response measures, as well as business continuity and disaster recovery plans.

And, as referenced above, California’s Consumer Privacy Act is an important legal imperative here, as it grants California residents significant control over their personal information, letting consumers know what data businesses collect about them, request deletion and opt out of data sales.

Businesses operating across multiple states face challenges due to varying data privacy laws. States like California, Massachusetts and Illinois have strong laws in this regard, but others may be more lenient. Could this upcoming iteration of Congress craft a federal data privacy law to create a more uniform standard? I think maybe, given the multi-faceted push for children’s privacy legislation pertaining to online safeguards.

In terms of enforcement priorities, the Federal Trade Commission (FTC) has been active on privacy enforcement, and both Republican and Democratic Commissioners have emphasized holding “Big Tech” accountable with titans like Meta and TikTok, so we may see a similar focus of privacy-related enforcement actions under a Republican-led FTC.

Digital assets

In 2024, regulators (particularly the SEC) presided over the crypto market with a keen interest in enforcing compliance with its registration requirements and fraud-related rules. Critics called it “rulemaking via enforcement,” since SEC Chair Gary Gensler seemed to mount the campaign in lieu of – and ignoring – the industry’s request to create new, lighter-touch regulations specific to crypto.

The SEC has had mixed results battling crypto firms in court, and litigation takes a while to resolve, so some of the agency’s biggest cases won’t be heard with him running the agency, and incoming SEC Commissioner Paul Atkins might dismiss them.

Trump’s White House return does present a new era for cryptocurrency, since he has pledged support for the industry and, to be sure, its leadership supported his campaign financially. (He had once been a skeptic, though, calling digital assets’ value “based on thin air.”)

In the months leading up to the US presidential election, newfound enthusiasm spilled into the crypto community – and the recently-legalized prediction marketplace.

Crypto companies are feeling more confident about their central argument: that rules written for securities firms do not work well for digital tokens that are designed to run over peer-to-peer networks. Many of them (and their like-minded allies at US agencies) argue that the tokens are more akin to commodities, like baseball cards, and should be regulated by the Commodity Futures Trading Commission (CFTC).

It is within that commodities watchdog agency that I think we will see more regulatory oversight here.

To be sure, the US House of Representatives has passed a bipartisan-supported bill, the “Financial Innovation and Technology for the 21st Century Act,” or FIT21, that gives the CFTC new jurisdiction over digital commodities and clarifies the SEC’s jurisdiction over digital assets offered as part of an investment contract.

One of the lawmakers who spearheaded the bill in Congress, French Hill (R-AR), has just been appointed the next House Financial Services Committee Chair, and it will likely be high on the committee’s list of priorities in 2025.

AI governance

President Biden signed an executive order in October 2023 that was meant to promote the “safe, secure, and trustworthy development and use of artificial intelligence” within the federal government. But Trump has promised to repeal that executive order as President, saying it would hinder innovation.

Biden was also able to get several leading AI companies to agree to (nonbinding) guidelines for how AI should be safely developed and deployed, but aside from using existing rules to push back against misleading claims (“AI-washing”), the only specific mandate that would cover the technology is the SEC’s proposed rules on predictive analytic tools, which are likely dead in the water, given the Republican SEC Commissioners’ (Hester Peirce and Mark Uyeda) opposition to them.

The Federal Trade Commission (FTC) has been another regulator to apply a heavy hand to AI technology enterprises, and the FTC’s newly tapped leader, Andrew Ferguson, has said he will “aim to end the FTC’s attempt to become an AI regulator.”

But even with a softer regulatory approach to AI tools, the spread of deepfake pornography, political deepfakes and disinformation campaigns has caused widespread concern, and there has to be either true industry self-regulation here or government regulation, or both.

AI-based tools that can generate text, audio, and imagery have quickly grown more sophisticated, accessible, and easy to use, spurring a concerning escalation of disinformation tactics. Over the past year, the new technology was used in at least 16 countries to sow doubt, smear opponents, or influence public debate.

Combating this issue has led experts to recommend a balanced approach that I hope the next administration adopts. It is this: overreliance on self-regulation by the creators of AI technology is not the answer, but neither is preventing tech development and censoring providers.

To ensure AI bolsters rather than harms internet freedom, lawmakers should work with civil society and the executive branch to craft bipartisan legislation that takes a rights-based approach to AI governance and transforms guiding principles into laws.

One key piece of legislation pending in Congress is the Future of AI Innovation Act, cosponsored by Senators Todd Young (R-IN), Maria Cantwell (D-WA), John Hickenlooper (D-CO), and Marsha Blackburn (R-TN), which addresses the global race to lead in new AI and emerging technologies, such as quantum computing systems and applied biosciences. 

Key provisions in the text would formally establish the AI Safety Institute at the National Institute of Standards and Technology (NIST) to work with the private sector and federal agencies on voluntary guidelines and standards, including performance benchmarks, evaluations and documentation standards for AI systems.

And it would launch an AI testbed competition helmed by NIST, the National Science Foundation, the Department of Energy and the private sector to develop security risk tools and testing environments for companies to evaluate their systems’ capabilities and limitations.

The incoming administration might believe that regulating a field too early is a bad idea – and there is much to be gained by allowing developers to have a limited-time sandbox to build and test their tools out. But “limited-time” is the operative phrase here.

A “no laws and no regulations” (or even a “too-little”) approach – when these technologies are so broadly used already and there are so many stakeholders involved – is far too risky.

And this is especially true because rampant unethical use will only hinder innovation: technology depends on the trust we all place in it to work as intended, and preferably without harming us.