Blog

The DOJ Final Rule: Implications for data risk and cross-border compliance



The growing strategic value of data is shaping how regulators view risk. Not confined to privacy or cybersecurity, data is increasingly linked to issues of national security, geopolitical stability, and economic resilience. The US Department of Justice (DOJ) Final Rule on bulk sensitive data reflects this shift, representing an additional layer of regulatory scrutiny for organizations handling large volumes of sensitive information.




Why the DOJ Final Rule reflects a shift from data protection to national security

The DOJ Final Rule aims to address national security risks arising from the exploitation of sensitive US data. It focuses on preventing access by entities in “countries of concern” (as defined by the DOJ’s rule) such as China (including Macau and Hong Kong), Russia, Iran, North Korea, Cuba, and Venezuela from accessing bulk sensitive personal data or US government-related data.

The rule extends beyond traditional data protection principles and intersects with national security considerations. It reflects concerns that large datasets, particularly when combined with advanced analytics and AI, may be used for surveillance, profiling, espionage, or coercion.

This can be seen as a shift, because while data is an ongoing operational and customer asset, it’s also a strategic resource that may be targeted by adversarial actors. 




What the DOJ Final Rule covers: scope, timelines and data restrictions

The scope of “bulk sensitive data” is defined using thresholds across six categories:

  • Covered 
  • Personal Identifiers 
  • Personal Financial Data 
  • Personal Health Data 
  • Precise Geolocation Data 
  • Biometric Identifiers 
  • Human Genomic Data 

Effective April 8, 2025, with phased compliance obligations extending into October 2025, the rule implements Executive Order 14117 and establishes restrictions on certain circumstances in which US sensitive personal data can be accessed, transferred, or exposed to certain foreign actors.

The Final Rule sets out two tiers. Prohibited transactions, chiefly data brokerage involving bulk sensitive or government-related data plus transfers of human data or biospecimens, are prohibited where they would provide access to covered foreign parties. Restricted transactions, meaning vendor, employment, and investment agreements, may be permitted where specified security and compliance requirements are met.

The rule applies to a wide range of scenarios, including vendor relationships, data brokerage arrangements, employment structures, and investment agreements. It can also capture indirect access, meaning organizations may need to assess direct counterparties as well as ownership structures and downstream exposure for compliance.

Beyond transaction restrictions, organizations may also need to implement a more structured compliance approach. This could include, for example, building data compliance programs, conducting appropriate due diligence on third parties, maintaining records, and, in some cases, reporting or auditing activities. 




Who is impacted: business models, not just industries

One notable aspect of the DOJ Final Rule is its focus: rather than targeting specific sectors, it applies to organizations operations business models where data is collected, aggregated, monetized, or accessed at scale, which may have broad implications.

Organizations operating data platforms, AI training environments, cross-border analytics hubs, or large-scale outsourcing models for example could find themselves in scope. Similarly, companies handling high-risk data types, such as genomic, health, or financial data, may also face heightened scrutiny.

The rule has potential implications across different industries. Technology firms, financial institutions, healthcare providers, telecommunications companies, and research organizations could all be impacted, depending on how they manage and share data.




Ownership risk and indirect exposure: a developing compliance challenge

The regulation includes a focus on ownership-based risk. The concept of “covered persons” includes entities who are 50% or more owned (individually or in aggregate) by parties linked to countries of concern. This may introduce a level of complexity similar to sanctions and export control regimes where organizations may need to consider looking beyond surface-level counterparties to better understand ultimate ownership, indirect shareholding, and control relationships across global networks.

For some firms, this requirement to assess levels of ownership may highlight existing gaps. Ownership data can be fragmented or siloed across different systems in an organization, making it difficult to calculate or develop a holistic view. Yet under the DOJ framework, it is an important component of compliance, closely aligned with concepts already embedded in regulations such as sanctions screening and export controls, as previously mentioned. 




Connecting ownership, data and third-party risk management

In this context, the ability to connect data, ownership intelligence, and risk workflows becomes increasingly important. Robust and up-to-date ownership information, along with the ability to identify direct, indirect, and aggregated ownership exposure, may help organizations uncover potential links between companies and countries of concern. This, in turn, can support more effective screening of counterparties and provide additional visibility into exposure across complex ownership networks, rather than relying solely on surface-level entity data.

Embedding these insights into third-party risk management or governance platforms may also support greater consistency in decision-making across compliance functions. In practice, aligning these capabilities with existing sanctions, export control, and trade compliance screening processes could offer a more practical way to operationalize relevant requirements of the rule into existing processes, while potentially reducing the extent of new workflows required. 




Operational impact: what organizations may consider reassessing

For compliance, risk, and data leadership teams, the practical implications of the rule may be significant in 4 ways:

  1. Organizations may seek to develop a more comprehensive view of the data they hold, including what types, in what volumes, and where it flows. 
  2. Third-party ecosystems may warrant reassessment. Vendors, partners, and service providers may introduce exposure, particularly where ownership links or geographic dependencies are not fully understood.
  3. Governance frameworks may need to be adapted. The rule includes requirements and considerations related to due diligence, documentation, and ongoing monitoring, highlighting the importance of integrated risk and compliance processes. 
  4. As data increasingly intersects with national security, organizations may consider reassessing how they structure global operations, partnerships, and technology architectures. 



Building a more integrated approach to cross-border data risk

Against this backdrop, connecting data, ownership intelligence, and risk workflows could surface as an important part of managing cross-border data risk. Integrating capabilities into existing compliance processes could help contribute to greater consistency in decision-making and alignment across the Final Rule, as well as other sanctions, export control, and third-party risk frameworks. 




What the DOJ Final Rule might signal for the future of data regulation

The DOJ Final Rule may signal a broader change in the direction of travel. As data become a more central focus of regulatory and geopolitical strategy, organizations operating in global, data-intensive environments may face greater scrutiny.

While the rule introduces some new complexities, it also highlights a potential opportunity for organizations: to move toward a more integrated, data-driven approach to risk management that reflects the interconnected nature of modern regulatory expectations.

For organizations who can build this foundation, the ability to navigate evolving requirements may support stronger positioning in an increasingly complex operating environment. 




Speak to Moody’s: understanding ownership, exposure and data risk

As organizations adapt to the DOJ Final Rule, a clearer view of entity ownership, third-party exposure, and data risk may become increasingly important to you and your teams.

Moody’s solutions can support you by providing entity-related intelligence and ownership data that can help you assess relationships and potential exposure to covered persons and countries of concern, and support integration of these insights into your broader risk and compliance workflows.

For more information or to speak to a member of the team, please get in touch any time. We would love to hear from you. 


Disclaimer: This content is for informational purposes only and does not constitute legal, financial, compliance or other professional advice. Please consult with a qualified professional for specific legal, financial, compliance, or other professional advice. For more terms and conditions pertaining to Moody’s products and services, refer to the https://www.moodys.com/web/en/us/legal/global-disclaimer.html on Moody’s website. 

Sources