Introduction
California continues to lead the way in white-collar crime enforcement, navigating evolving enforcement priorities from the U.S. Department of Justice (DOJ), the U.S. Securities and Exchange Commission (SEC) and other federal regulatory bodies. In addition to tackling new areas such as cryptocurrency fraud, trade and tariff evasion, and data privacy, the DOJ is also expanding its use of tools such as the False Claims Act (FCA), which has traditionally been used in healthcare fraud, beyond that field. California is also challenging in court many of the Trump administration’s positions on clean energy and voting rights as well as its controversial actions related to federal funding.
Evolving DOJ Priorities Shape Enforcement Trends for State Attorneys General
Terrence Brody
At the start of 2025, many attorneys specialising in white-collar crime predicted an uptick in enforcement by state attorneys general based on early signs that the DOJ would be redirecting resources to other priority areas of the Trump administration, as evidenced by the President’s February 2025 executive order pausing enforcement of the Foreign Corrupt Practices Act (FCPA).
In May 2025, the DOJ provided the public with insight into its new prioritisation practices for investigating and prosecuting corporate crime. While the DOJ’s memorandum reinforced the agency’s long-standing practice to prosecute healthcare fraud, bribery, money laundering and other traditional enforcement vectors, the memorandum also indicated that the DOJ would be prioritising trade and customs fraud, investigating cartels and transnational criminal organisations, and pursuing other national security interests. While the DOJ has been refining enforcement priorities, it has also experienced significant attrition over the past year, losing roughly a third of its senior leaders and more than 4,600 employees overall.
With shifting enforcement priorities and a reduction in resources at the DOJ, the white-collar bar’s attention has shifted to following enforcement trends at the state level. State attorneys general typically have broad powers under state consumer protection, data privacy, securities, civil rights and antitrust laws. In addition, state attorneys general can also enforce certain federal laws. Indeed, during the FCPA pause, the California Attorney General issued an alert reminding businesses that the state could prosecute FCPA violations under California’s Unfair Competition Law.
Based on an analysis of press releases from the California Attorney General’s office, enforcement of consumer protection and antitrust laws largely remained steady in 2025 when compared to 2024. There was a modest increase in activity related to civil rights, data privacy and AI. However, there has been a dramatic increase in the number of lawsuits brought by the state of California against the federal government. The California Attorney General filed nearly 50 suits against the federal government in 2025, challenging executive orders, agency decisions and other actions related to federal funding, voting rights, clean energy and public health programmes. This trend is expected to persist throughout President Trump’s remaining term, as Attorney General Rob Bonta has promised that “any time and every time the Trump administration breaks the law, we will take them to court”.
Despite early predictions that white-collar enforcement activity by state attorneys general would increase, data from California suggests that corporate prosecutions are trending at similar levels to prior years. The California Attorney General has, however, escalated efforts challenging the federal government.
SEC Enforcement Trends Could Favor California Offices
Stephen Bucci
Turning to the SEC, quantitative metrics show diminished SEC enforcement activity during fiscal year 2025 with a large decrease in cases against public companies since the new administration took over in January 2025. Although specifics vary from case to case, the five main drivers of the decline were:
The future impact of these factors is difficult to predict. However, when we consider them in concert with Chairman Paul Atkins’ stated priority of returning to the core mission of the SEC, with the “cornerstone” being investor protection, the two California regional offices, in Los Angeles and San Francisco, may be poised to rebound more quickly than the enforcement program in general. Recent actions by the Enforcement Divisions from these offices have been weighted heavily toward the types of cases Chairman Atkins has described as “lie, cheat and steal” violations, such as offering frauds, material financial misrepresentations, and broker-dealers and advisors who defraud investors. As the resource and policy issues are being ironed out and the impact of the early fiscal year 2026 government shutdown fades into the rearview mirror, the California-based regional offices are returning to a business-as-usual posture. For example, the first two matters filed by the Los Angeles Regional Office in early fiscal year 2026 are alleged offering frauds with Ponzi-like payments: Linh Thuy Le and Trong Hoang Luu and Marco G. Santarelli.
Although it remains to be seen, given their focus on technology, penny stock expertise and geographic location, the SEC’s California-based offices could also find themselves busier if Chairman Atkins follows through with his stated desire to increase market trading oversight on companies based in countries like China that pose unique investor risks.
White-Collar Criminal Liability Under the CCPA
Ryan Smyth
The California Consumer Privacy Act (CCPA) is a data privacy law that “gives consumers more control over the personal information that businesses collect about them”, including the ability to request their data be deleted, to opt out of their information being sold, and to take legal action should a data breach occur.
While penalties for violations of the CCPA are primarily civil in nature, if CCPA obligations are knowingly and purposely violated, the wrongdoer’s actions can be considered fraud or misrepresentation. Further, the California False Claims Act (CFCA) prohibits providing false statements to government entities, which includes making deceptive statements regarding compliance efforts. In addition to civil penalties under the CFCA, violators can face criminal charges for knowingly presenting false claims, particularly in an attempt to secure government funding or evade legal obligations, underscoring the CFCA’s relevance to the CCPA and other compliance frameworks.
Without proper programmes and oversight, organisations face criminal liability and legal risk exposure from CCPA violations. Data breaches resulting from inadequate security measures are a common occurrence, but if executives knowingly choose not to implement reasonable security protections, it could result in fraud or negligence charges against the company and its executives, especially if the maturity of a security programme was misrepresented to stakeholders and consumers. It is also possible that continued, wilful violations of the CCPA could lead to criminal charges, potentially falling under more fraud-specific California statutes.
The CCPA is intended to provide California residents with greater transparency, access and control over how their personal data is used and shared by companies. Failure to implement appropriate safeguards to ensure compliance with these requirements can leave organisations susceptible to data theft and misuse, including identity theft. Identity theft often serves as a facilitator for other crimes, including money laundering, suggesting that a CCPA violation could have cascading criminal implications.
Ensuring CCPA compliance will help an organisation avoid civil penalties and criminal charges, but navigating the complex obligations can be challenging. Organisations are required to disclose what personal information they collect and how it is specifically used, implement adequate security measures and provide transparent and regularly updated privacy notices.
Compliance can be achieved by conducting thorough data mapping, establishing or enhancing processes for consumer requests, implementing and testing incident response plans, training employees on CCPA requirements, and updating vendor contracts with CCPA terms so that baseline security efforts of connected third parties also comply with the applicable requirements.
Organisations that establish comprehensive CCPA compliance programmes achieve the dual benefit of protecting consumer privacy rights while also creating vital safeguards against exposure to potential white-collar crime as the result of mismanaged data.
California’s AI Regulatory Trajectory: What Corporate Counsels Should Prepare for Next
Joe Knight and Kyle Wetzold
California has continued to pass regulations and guidance on AI that emphasise accountability, transparency and enforceable guardrails in AI development. The clearest example is SB 53, the Transparency in Frontier AI Act, signed into law in September 2025. SB 53 is the first US law aimed squarely at frontier AI systems – large, high-impact foundation models trained at immense computational scale and capable of downstream consequences that regulators can no longer ignore. The law requires developers to publish model-safety frameworks, demonstrate adherence to recognised best practices and report safety incidents directly to the state. Most importantly, it empowers the California Attorney General to impose civil penalties for non-compliance.
California’s broader regulatory activity reinforces the same direction of travel. Through AB 1008, AI-generated inferences are now treated as personal information under the CCPA, expanding an organisation’s obligations around transparency, data rights and record-keeping. Laws such as SB 942 and AB 2355 address synthetic and manipulated media, requiring labelling tools and disclosures for political AI content. For organisations, this means the integrity of AI-generated outputs is no longer just a trust issue – it is a compliance one.
Healthcare, public-sector operations, and consumer interactions are also seeing rapid regulatory expansion. AB 3030 requires healthcare providers to disclose AI involvement in patient communications, while SB 896 mandates risk assessments and governance frameworks for generative AI used across state agencies. These obligations foreshadow what private-sector operational expectations may soon look like, particularly around documentation, human oversight and safety evaluation.
Employment regulation is evolving just as quickly. California is also reshaping expectations around how employers use AI inside the workforce. Taken together, more than 30 bills and newly adopted California Fair Employment and Housing Act (FEHA) regulations create a clear directive: AI-enabled hiring, promotion and workforce-management tools must be transparent, auditable and free from discriminatory outcomes. As of 1 October 2025, employers and their vendors are required to test automated-decision systems for bias, maintain detailed documentation of how these tools influence employment decisions and ensure that human oversight is not a formality but a defensible control.
For general counsel, compliance leaders and investigations teams, this marks a meaningful shift. Use of AI in the workplace is no longer an innovation conversation – it is a risk exposure conversation. Misconfigured tools, untested vendor models or undocumented decision paths can now trigger FEHA liability, discovery obligations and regulatory scrutiny. California’s approach is signalling where employer expectations are heading nationally, and organisations need to treat employment-AI governance with the same rigour they apply to privacy, cybersecurity and financial crime risk.
California’s approach contrasts with the federal AI Action Plan’s reliance on voluntary frameworks, innovation incentives and regulatory sandboxes: AI innovation in California is welcome, but those who deploy it will be held accountable for potential violations of existing laws and regulations.
For multistate organisations, California is becoming the de facto regulatory baseline – not because federal standards are absent, but because California’s requirements are specific, enforceable and designed to evolve quickly. Aligning AI governance to what has been passed in California is the most reliable path to reducing enforcement exposure, strengthening defensible processes, and preparing for a national patchwork of regulations and guidance that could increasingly resemble California’s model.
The Evolution of Cryptocurrency Fraud
Alma Angotti
As fraud evolves, the role of cryptocurrency in fraud typologies is also evolving. Digital assets face risks similar to other currencies, but they also introduce unique vulnerabilities requiring crypto-specific controls. As adoption continues to grow, institutions must adapt to patterns of potentially fraudulent activity that both mirror and extend beyond those in traditional finance. Unlike cash, crypto transactions are visible and traceable on the blockchain. This makes it easier to identify the laundering of the proceeds of fraud through structuring, layering, peel chains and wash trading in non-fungible tokens (NFTs).
The Federal Trade Commission reported USD12.5 billion in consumer fraud losses in 2024, including USD5.7 billion from investment scams. The Federal Bureau of Investigation noted USD16 billion in losses from internet crime, with USD6.5 billion tied to cryptocurrency investment schemes. Common fraud typologies include phishing, romance scams, impersonation, blackmail, cloud mining scams and fake wallets. Both retail investors and institutions are at risk, and a recent FINRA Foundation survey discovered that half of respondents were unable to recognise the classic warning signs of fraud, underscoring the importance of proactive risk management.
In February 2025, hackers stole USD1.5 billion in Ethereum, the largest crypto heist to date. Consumer protection is critical: without safeguards, institutions risk becoming conduits for scams. Managing systemic risk is essential as crypto integrates with the mainstream, and institutions can leverage blockchain’s transparency and efficiency to help.
California has emerged as a focal point for high-profile crypto-related fraud. In March 2025, the California Department of Justice (CDOJ) announced that it had shut down 42 fraudulent websites in 2024 that scammed innocent victims out of at least USD6.5 million, with an average loss per victim of USD146,306. Victims were targeted through fake romantic and investment schemes, using social engineering to build trust over months.
In December 2024, the DOJ unsealed a six-count indictment against two Southern California residents for orchestrating an NFT and crypto “rug‑pull” scheme that defrauded investors of more than USD22 million. This case highlights California’s central role in high-profile crypto fraud, with the state serving as both a hub for perpetrators and a key jurisdiction for enforcement.
Crypto fraud is not merely a technology problem, but a significant risk management issue. Compliance failures can result in financial, regulatory and reputational damage. Organisations that act proactively can protect trust, meet regulatory expectations and contribute to a more secure, transparent and inclusive financial system.
The Increased Importance of Transaction-Specific Due Diligence in Export Controls
James Needham
Over the past decade, the US export controls landscape has shifted dramatically. What was once a largely formulaic exercise for many exporters – determining an item’s jurisdiction, classification and destination to identify the appropriate authorisation – has evolved into a far more transactional, end-use and end-user-driven regime that often requires substantial due diligence.
Although these considerations have long existed within the export control framework, the US government’s increasing use of end-use and end-user-based controls to advance national security and foreign policy objectives has significantly expanded the number of parties and uses that must be evaluated in any export transaction. Historically, exporters could rely on structured compliance programs that – given the right inputs (classification, destination, nationality of recipients and list-based screening) – could reliably determine licensing requirements and were often amenable to substantial automation. Today, by contrast, exporters face far more granular, transaction-level diligence requirements, as country-based determinations and static screening are no longer sufficient to assess risk or determine authorisation obligations.
The dramatic expansion of global sanctions, the rapid growth of the Export Administration Regulations Entity List, the applicability of the Military End User List, and other less defined red-flag indicators, mean that customer identities and intentions often matter at least as much as where products are going.
These developments have forced companies across sectors – especially in California and other technology hubs – to rethink risk and how they manage their export controls obligations. Beyond the traditional challenges that leading technology companies have always faced in managing their export compliance risk, organisations must now contend with expectations on par with corporations operating in high-risk jurisdictions. Sophisticated and ongoing third-party monitoring, data-driven risk scoring and supply chain transparency tools – long standard in mature anti-corruption and anti-money laundering (AML) programmes – are increasingly necessary for export controls and sanctions compliance.
This convergence reflects a shared reality: both regimes (export controls and anti-corruption/AML) now demand granular visibility into partners, counterparties, intermediaries, resellers and downstream use. Sanctions and export controls evasion schemes often mimic corruption and money laundering schemes – using shell entities, layered intermediaries, obscure financing channels and opaque beneficial ownership. Compliance requires collaboration between in-house trade and anti-corruption/AML teams that have traditionally been siloed, and aligning their respective investigative capabilities, intelligence tools and escalation pathways for increased effectiveness and scalability.
Similarly, with expanded foreign direct (or even indirect) investment scrutiny by the Committee on Foreign Investment in the United States (CFIUS) and new outbound investment considerations, a growing part of California’s innovation ecosystem must now integrate export controls into early-stage partner vetting and investor diligence, including monitoring foreign participation and beneficial ownership.
Going forward, companies will need greater co-ordination among international trade, anti-corruption and AML programmes; shared data analytics infrastructure; and unified investigative protocols. Regulators increasingly expect companies to treat export controls and sanctions not as isolated licensing issues but as part of a broader transactional risk framework – one that recognises how illicit finance, corruption, sanctions evasion and diversion increasingly overlap in practice.
FCA Enforcement Expands Beyond Healthcare
Brett Barlag
The FCA continues to be an important federal enforcement tool – particularly in the healthcare industry. FCA recoveries reached an all-time high of USD6.8 billion for the fiscal year ending 30 September 2025, with matters involving the healthcare industry accounting for USD5.7 billion. With Medicare Advantage, the opioid epidemic and kickbacks taking centre stage, the government’s use of the FCA to pursue pandemic-era fraud claims, coupled with the rollout of its civil cybersecurity initiative, demonstrates continued and expanded use of the statute to protect taxpayer dollars.
For example, in November 2025, the U.S. Attorney’s Office for the Eastern District of California announced a USD1.75 million settlement with the defence contractor Aero Turbine, Inc. and its private equity sponsor, Gallant Capital Partners LLC, for failing to comply with certain cybersecurity requirements under its contract with the United States Air Force. According to the government’s announcement, from January 2018 to February 2020, Aero Turbine failed to implement the required National Institute of Standards and Technology (NIST) cybersecurity controls and improperly shared sensitive defence information with unauthorised foreign personnel, while continuing to submit claims for payment under the contract.
This is one example of the government’s expanded use of the FCA to pursue new areas of enforcement emphasis such as cybersecurity fraud. This also highlights the potential for enforcement to extend beyond the company target to include its private equity backers, a development the DOJ has been increasingly emphasising in its public comments.
***
The views expressed herein are those of the authors and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals. FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.