Joseph McCafferty, Author at Compliance Chief 360
https://compliancechief360.com/author/joemick15/
The independent knowledge source for Compliance Officers

HIPAA Enforcement Targets Employer Health Plans, Expanding Compliance Risk
https://compliancechief360.com/hipaa-enforcement-targets-employer-health-plans-expanding-compliance-risk/
Wed, 29 Apr 2026

A recent enforcement action by the U.S. Department of Health and Human Services is sending a clear signal to corporate compliance teams: HIPAA obligations don’t stop at hospitals and insurers.

In a newly reported case, the agency’s Office for Civil Rights pursued enforcement against a self-funded employer health plan—marking a notable shift in how regulators are applying health data privacy rules. While HIPAA has long governed how medical providers and insurers handle protected health information, this action underscores that employers who sponsor health plans may also face direct scrutiny.

For many organizations, that represents a meaningful change in risk exposure.

Employer-sponsored health plans, particularly self-funded arrangements, are common across large and mid-sized companies. These plans often rely heavily on third-party administrators to process claims and manage data. As a result, compliance responsibilities can feel diffuse, split between HR, vendors, and legal teams. This latest enforcement activity suggests regulators are taking a different view.

Rather than focusing solely on service providers, enforcement is moving upstream—toward the plan sponsors themselves.

For compliance officers, the implications are practical. It is no longer sufficient to rely on vendor assurances or contractual protections alone. Regulators appear to be expecting companies to demonstrate active oversight of how health data is handled, including how vendors store, process, and secure sensitive information.

That shift puts a spotlight on governance. Companies may need to reassess whether their compliance programs adequately cover employee health data, particularly if responsibility has historically sat outside the core compliance function. Coordination between compliance, HR, IT, and third-party risk teams is likely to become more important.

The development also reflects a broader regulatory trend. Across industries, enforcement agencies are expanding their focus beyond traditional targets and looking more closely at how organizations manage outsourced activities. Whether the issue is cybersecurity, financial controls, or data privacy, the message is consistent: delegating a function does not eliminate accountability.

In the HIPAA context, that means plan sponsors may be expected to maintain clear documentation of their oversight efforts. This could include vendor due diligence, periodic audits, incident response procedures, and employee training around the handling of health information.

For companies that have not historically treated HIPAA as an enterprise-wide compliance issue, this may require a reset. Even organizations outside the healthcare sector could find themselves subject to enforcement if their internal controls fall short.

The takeaway for compliance professionals is straightforward. Employer health plans are no longer a peripheral concern. They are becoming part of the broader compliance landscape, with regulators paying closer attention to how these programs operate in practice.

As enforcement evolves, companies that take a more integrated approach to data privacy and vendor oversight will be better positioned to manage the risk—and to demonstrate that their controls work when it matters most.


Joseph McCafferty is editor and publisher of Compliance Chief 360°.

FINRA Keeps Pressure on Off-Channel Messaging as Enforcement Focus Shifts
https://compliancechief360.com/finra-keeps-pressure-on-off-channel-messaging-as-enforcement-focus-shifts/
Tue, 28 Apr 2026

The crackdown on off-channel communications at financial firms isn’t over—it has simply taken a quieter, more targeted turn.

While the U.S. Securities and Exchange Commission drew headlines over the past several years with multibillion-dollar penalties for financial firms where employees communicated with undocumented texts and messages, recent developments suggest that FINRA is continuing to pursue the issue with steady intensity.

In the past several days, compliance observers and industry reporting have pointed to ongoing FINRA enforcement activity tied to unapproved communication channels. Rather than large, broad settlements, the regulator’s current approach appears more embedded in routine examinations and disciplinary actions. That shift makes the risk less visible—but no less real.

At the center of the issue is a familiar problem: employees using personal devices and apps such as text messaging or encrypted platforms to conduct business conversations. When those communications are not captured and retained, firms can fall short of recordkeeping requirements, a longstanding pillar of securities regulation.

What has changed is the expectation around control. Regulators are no longer satisfied with written policies that prohibit off-channel communications. Instead, they are looking for evidence that firms are actively detecting, preventing, and addressing violations in practice.

Recent enforcement patterns also suggest a growing focus on individual accountability. In addition to firm-level penalties, disciplinary actions increasingly include suspensions and fines for registered representatives and supervisors. For compliance leaders, that raises the stakes internally, particularly when it comes to training, supervision, and escalation.

The continued attention from FINRA is significant for another reason: it challenges a perception that the issue had cooled following the SEC’s earlier enforcement wave. In reality, the underlying expectations have not changed, and examination programs continue to test firms’ controls in this area.

For chief compliance officers, the takeaway is straightforward. Off-channel communications remain an active enforcement priority, even if they are no longer dominating headlines. Firms that scaled back monitoring efforts or treated the issue as largely resolved may find themselves exposed during routine exams.

More broadly, the trend reflects a shift in how regulators evaluate compliance programs. The question is no longer just whether a firm has a policy in place, but whether that policy is working in day-to-day behavior. In that sense, off-channel communications have become a clear test case for a wider regulatory approach—one that places increasing weight on evidence, supervision, and real-world outcomes.


Joseph McCafferty is editor and publisher of Compliance Chief 360°.

CFPB Revises Fair Lending Standards, Shifting Compliance Focus to Intent
https://compliancechief360.com/cfpb-revises-fair-lending-standards-shifting-compliance-focus-to-intent/
Fri, 24 Apr 2026

The Consumer Financial Protection Bureau (CFPB) has finalized a rule that narrows how fair lending laws are enforced, marking a notable shift for compliance programs across the financial services industry.

The rule amends Regulation B, which implements the Equal Credit Opportunity Act (ECOA). Its most significant change is the removal of “disparate impact” as a basis for enforcement. Disparate impact refers to situations where a policy or practice results in unequal outcomes for certain groups, even if there was no intent to discriminate.

Under the updated framework, enforcement will focus primarily on cases involving clear evidence of intentional discrimination. In practical terms, this means regulators will be less likely to challenge lending practices based solely on statistical disparities in outcomes. Instead, examinations and enforcement actions are expected to emphasize documentation, decision-making processes, and evidence of intent.

For compliance teams, this change may alter how fair lending risk is assessed and monitored. Historically, many institutions have relied heavily on data analysis to identify potential disparities across protected classes. While that type of analysis is still valuable for internal risk management, it may play a less central role in regulatory scrutiny going forward.

At the same time, institutions should not interpret the change as a reduction in overall fair lending expectations. The ECOA remains in effect, and examiners are likely to continue reviewing policies, procedures, and controls to ensure that lending decisions are applied consistently and without bias. Strong governance, clear documentation, and well-defined underwriting criteria will remain essential.

The rule also includes updates related to “discouragement,” which addresses whether potential applicants are deterred from applying for credit. The revised approach narrows how discouragement is evaluated, placing greater emphasis on explicit actions or statements rather than inferred effects. This may reduce ambiguity in examinations, but it also underscores the importance of training front-line staff on appropriate communications with applicants.

Another area affected is the treatment of special purpose credit programs, which are designed to expand access to credit for under-served groups. The rule clarifies certain requirements for these programs, and institutions offering them may need to revisit their design and documentation to ensure alignment with the updated standards.

From an operational standpoint, compliance functions may consider recalibrating their fair lending frameworks. This could include reviewing monitoring methodologies, reassessing model governance practices, and ensuring that policies clearly articulate nondiscriminatory intent. Internal audits may also need to adjust their testing approaches to reflect the revised regulatory focus.

Industry response has been mixed, with some stakeholders noting that the changes may provide greater clarity and reduce uncertainty in enforcement. Others have raised concerns about the potential for reduced visibility into systemic disparities. Regardless of perspective, the rule represents a meaningful change that institutions will need to incorporate into their compliance programs.


Joseph McCafferty is Editor & Publisher of Compliance Chief 360°

Disney Settles ‘Opt-Out’ Privacy Case with California for $2.75 Million
https://compliancechief360.com/disney-settles-opt-out-privacy-case-with-california-for-2-75-million/
Tue, 17 Feb 2026

The California Attorney General’s office has announced a settlement with the Walt Disney Co., resolving allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to answer consumers’ requests to opt-out of the sale or sharing of their data across all devices and streaming services associated with consumers’ Disney accounts. Under the settlement, Disney must pay $2.75 million in civil penalties and must implement opt-out methods that fully stop Disney’s sale or sharing of consumers’ personal information.

The California Department of Justice’s investigation into Disney stems from a January 2024 investigative sweep of streaming services for potential CCPA violations. Effective opt-out is one of the requirements of complying with CCPA. The investigation found that Disney’s opt-out processes did not allow a consumer to completely opt-out of and stop all sale or sharing of their data, in violation of the CCPA.

“Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights. Today, my office secured the largest settlement to date under the CCPA over Disney’s failure to stop selling and sharing the data of consumers that explicitly asked it to,” said Attorney General Bonta. “California’s nation-leading privacy law is clear: A consumer’s opt-out right applies wherever and however a business sells data — businesses can’t force people to go device-by-device or service-by-service. In California, asking a business to stop selling your data should not be complicated or cumbersome.”

The investigation found that each of the methods Disney provided had gaps that allowed Disney to continue to sell and share consumers’ data, including:

Opt-Out Toggles: If a user requested to opt-out of the sale or sharing of their data via an opt-out toggle in Disney’s websites and apps, Disney only applied the request to the specific streaming service the user was watching, and often only the specific device the consumer was using. This meant that in most instances, using the toggle would not stop selling or sharing from other devices or services connected to the consumer’s account.

Webform: If a user opted out using Disney’s webform, Disney only stopped the sharing of personal data through the company’s own advertising platform and offerings. However, Disney continued to sell and share consumer data with specific third-party ad-tech companies whose code Disney embedded in its websites and apps. Disney also failed to provide an in-app, opt-out method in many of its connected TV streaming apps, instead directing consumers to its webform, effectively leaving consumers with no way to stop Disney’s selling and sharing from these apps.

The Global Privacy Control: For consumers who opted out via the Global Privacy Control (GPC), Disney limited the request to the specific device the consumer was using, even when the consumer was logged into their account. The GPC is an easy-to-use ‘stop selling or sharing my data switch’ that is available on some internet browsers or as a browser extension.

About the California Consumer Protection Act

The CCPA has opened up a whole new world of privacy protection and increased privacy rights for California consumers, such as the right to know how businesses collect, share, and disclose their personal information. The CCPA vests California consumers with control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing their personal information.

Today’s settlement represents the seventh enforcement action under the CCPA. The Attorney General’s office has also announced settlements with Sephora and DoorDash as well as mobile app gaming company, Jam City; streaming service, Sling TV; website publisher, Healthline.com; and entertainment company, Tilting Point Media. In order to monitor the businesses’ compliance with the CCPA, Attorney General Bonta has conducted investigative sweeps related to location data, streaming apps and devices, employee information, and surveillance pricing.


Joseph McCafferty is editor & publisher of Compliance Chief 360.

Modernizing Compliance: How AI and Automation Are Reshaping Internal Controls
https://compliancechief360.com/modernizing-compliance-how-ai-and-automation-are-reshaping-internal-controls/
Mon, 02 Feb 2026

In today’s fast-paced business environment, regulatory compliance has become both more critical and more complex. Organizations are expected to maintain rigorous internal controls, ensure transparency, and respond swiftly to audits, all while managing sprawling IT ecosystems and evolving risk landscapes.

Regulations like the Sarbanes-Oxley Act (SOX) demand companies adhere to strict financial reporting, information security, and auditing requirements. Yet many businesses still rely on manual processes and fragmented systems to meet these requirements. This approach is not only inefficient but also increases the risk of errors, omissions, and non-compliance.

As digital transformation accelerates, compliance teams are being asked to do more with less and the result is a widening gap between compliance obligations and operational capacity.

AI and Automation: Driving a Transformation

Artificial intelligence and automation technologies are emerging as powerful allies in the quest for smarter, more scalable compliance. These tools can streamline routine tasks while enhancing accuracy and providing real-time insights into control effectiveness.

Automation is particularly effective in handling repetitive, rules-based activities such as data collection and report generation. By reducing manual effort, it frees up compliance professionals to focus on strategic oversight and risk mitigation.

AI, on the other hand, brings intelligence into the equation. Machine learning algorithms can analyze vast datasets to detect anomalies, flag potential risks, and even predict future compliance issues. Natural language processing can extract insights from unstructured data, such as emails or policy documents, enabling more comprehensive monitoring.

Together, AI and automation are transforming compliance from a reactive, checklist-driven function into a proactive, intelligence-led discipline.

Continuous Compliance and Adaptive Controls

One of the most transformative shifts enabled by AI and automation is the move toward continuous compliance. Rather than relying on periodic audits or static control reviews, organizations can now monitor their control environments in real time.

This approach allows for faster detection of issues, quicker remediation, and more reliable assurance for stakeholders. It also aligns better with the dynamic nature of modern business, where risks can emerge and evolve rapidly.

Adaptive controls, powered by AI, take this a step further. These controls can adjust dynamically based on context, user behavior, or risk signals. For instance, if a user accesses sensitive financial data from an unfamiliar location, the system might require multi-factor authentication or temporarily restrict access until the activity is verified.

Such intelligent controls enhance security while maintaining operational flexibility, helping organizations strike the right balance between risk management and business agility.

Implementation Challenges and Considerations

While the benefits of AI and automation are clear, successful implementation requires thoughtful planning and execution. Organizations must ensure that these technologies are properly integrated into existing systems and workflows, and that they align with broader compliance strategies.

Data quality is a critical factor. AI models rely heavily on accurate, comprehensive inputs to deliver meaningful insights. Poor data hygiene can lead to false positives, missed risks, or misleading recommendations.

Regulatory alignment is another key consideration. As AI becomes more embedded in compliance processes, regulators are beginning to scrutinize its use. Companies must ensure that their AI-driven practices are transparent, explainable, and auditable. This includes documenting how models are trained, how decisions are made, and how outputs are validated.

Cultural change is also essential. Compliance teams may need to develop new skills as they adopt new tools and embrace new ways of working. Collaboration—with IT, cybersecurity, and business units—is vital to ensure that AI and automation initiatives are successful and sustainable.

Solutions for Cybersecurity and Compliance Leaders

To navigate this transformation effectively, organizations should focus on a few foundational strategies:

  • Adopt AI-Integrated Platforms. Start with tools that work seamlessly with your ERP and IT systems to automate tasks and track regulatory change.
  • Automate Repetitive Tasks. Free up your compliance team by automating routine activities like data entry and control testing.
  • Stay Ahead of Regulatory Shifts. Use AI to anticipate changes and adjust your compliance strategies before an issue arises.
  • Build Transparent Audit Trails. Leverage AI to document compliance activities clearly, making audits smoother and more defensible.
  • Centralize Data for Collaboration. Ensure all departments work from the same source of truth to improve coordination and decision-making.

Cybersecurity vendors have a unique opportunity to support these efforts by offering solutions that combine automation, AI, and robust control frameworks. By helping clients modernize their compliance environments, vendors can deliver measurable value while strengthening trust and resilience.

AI is a Business Imperative

AI and automation are no longer emerging trends; they are strategic imperatives for organizations seeking to modernize compliance and internal control management. These technologies offer a path to greater efficiency, accuracy, and agility, enabling companies to meet regulatory demands while staying ahead of risk.

For cybersecurity companies, the opportunity lies in guiding clients through this transformation with scalable, transparent, and vendor-neutral solutions. By doing so, they can help build a future where compliance is not just a requirement, but a competitive advantage.


Chris Radkowski is an SAP GRC expert at Pathlock, an identity security and governance platform. A recognized leader in access governance with over 20 years of experience driving innovation in enterprise security and compliance solutions, he brings deep expertise in application access governance, risk management and regulatory compliance.

Compliance Confidence vs. Control: Feeling Secure Isn’t Being Secure
https://compliancechief360.com/compliance-confidence-vs-compliance-control-why-feeling-secure-isnt-the-same-as-being-secure/
Thu, 25 Sep 2025

This year, the compliance landscape is shifting on multiple fronts. Seven new U.S. state-level privacy laws are taking effect, the U.S. Department of Health and Human Services is proposing major changes to HIPAA (the most significant since 2013), and the EU AI Act is introducing sweeping new governance requirements for high-risk systems. For IT leaders, the pressure to prove compliance, not just claim it, has never been greater.

Yet, when asked about their organization’s compliance posture, most IT leaders respond with confidence. In The State of Business Email 2025 global study, 93 percent of respondents said they were confident in their compliance readiness. That’s the good news. The same study, however, found that fewer than half said they were very confident. That nuance matters, and it reveals a growing gap between perception and reality.

This widening gap is more than a confidence issue—it’s a structural risk. As regulations expand and new technologies like AI reshape how data is created and shared, IT teams must move beyond perceived security and toward enforceable, auditable control.

The Compliance Illusion

Modern IT environments are sprawling. Communication stacks are multiplying, data flows are increasingly decentralized, and AI-generated content is only adding to the complexity. It’s easy to conflate compliance with security and think that ticking the boxes for SOC 2, GDPR, HIPAA, and other compliance frameworks means a system is both compliant and secure. Yet good compliance doesn’t equal good security.

True security goes beyond compliance frameworks. It demands daily discipline: the ability to monitor and manage security controls across every tool, team, and touchpoint. Take the rise of generative AI, for example. It’s now easier than ever for staff to generate and send business-critical messages using nonstandard language, formats, or channels. Without clear oversight, even compliant systems can be undermined by how they’re used on a day-to-day basis.

Auditability is the New Baseline

In highly regulated sectors like finance, healthcare, and energy, auditability isn’t optional—it’s table stakes. That’s one reason email continues to play a vital role in compliance strategy. Unlike many instant messaging or project collaboration tools, email provides a structured, traceable, and universally adopted communication format.

According to The State of Business Email 2025 report, 82 percent of IT leaders say email remains the most important channel for communicating with external stakeholders, including clients, regulators, and partners. This isn’t just habit; it’s strategic. Email allows for retention, monitoring, and legal discovery at scale. But auditability doesn’t start and stop at the inbox. It must extend across the entire communication ecosystem, including how content is branded, archived, and governed—especially when teams operate across multiple tools and locations.

Automation Doesn’t Equal Control, Unless It’s Strategic

Many organizations are investing heavily in automation to streamline compliance tasks. That’s a good start. But automation without governance is like cruise control on a long road: helpful until the unexpected hits. True control means automating with intent—centralizing visibility, enforcing standardization, and eliminating shadow IT.

For example, IT leaders can deploy centralized, automated email signature platforms that not only unify branding but also ensure that legal disclaimers, footers, and regulatory notices are applied consistently, without relying on individual employees or departments. This kind of behind-the-scenes control reduces risk while lightening the manual workload on IT teams.

Bridging the Confidence Gap

So how do we move from email confidence to ensuring email trust and control? First, we need to shift our mindset. Compliance isn’t a project; it’s a living discipline. It requires clarity around ownership, tools in use, and where data is stored and accessed.

Second, IT leaders must adopt a more rigorous approach to measurement. Instead of asking, “Are we compliant?” ask, “Can we prove the trustworthiness of our email compliance today?” That distinction is crucial when facing an audit, breach, or regulatory review.

Finally, prioritize solutions that provide visibility, accountability, and trustworthiness. Confidence alone does not guarantee security or compliance. Technologies that unify communication policies, monitor usage, and log changes in real time can transform compliance from a check-box exercise into a source of strategic strength and ensure that all email communications adhere to compliance standards.

The Stakes Are Higher than Ever

In 2025, the stakes for compliance are higher than ever—financially, operationally, and reputationally. Feeling secure isn’t the same as being secure. To close the gap between confidence and control, IT leaders must rethink how compliance is measured, enforced, and maintained. The organizations that succeed won’t just stay out of trouble—they’ll be better equipped to adapt to whatever the next wave of regulation, innovation, or disruption brings.


Cary Vidal is VP of IT at Exclaimer. Vidal has a proven track record of implementing robust security measures and safeguarding critical systems for organizations. He is passionate about ensuring data privacy and protecting against cyber threats.

Anti-Bribery and Anti-Corruption Enforcement post-FCPA Pause
https://compliancechief360.com/anti-bribery-and-anti-corruption-enforcement-post-fcpa-pause/
Mon, 09 Jun 2025 20:55:23 +0000

We have previously written about the impact of the pause in enforcement of the FCPA implemented by the Trump Administration on non-American companies.[1] Although the 180-day review period the Executive Order provided to the Department of Justice (“DOJ”) to develop new guidance for FCPA enforcement has not yet elapsed, several recent developments in the global anti-bribery and anti-corruption (“ABAC”) enforcement space warrant an update.

Updates from the United States

U.S. enforcement agencies have given mixed signals about their intentions for future FCPA enforcement.

Several recent decisions by the DOJ suggest that it does not intend to continue pursuing FCPA enforcement in the same way or to the same extent as it has historically. In addition to dropping the long-running bribery case against two former Cognizant executives in New Jersey,[2] the DOJ has closed its corruption investigation into Norwegian oil and gas company PetroNor,[3] dropped its inquiry into American medical device company Stryker relating to potential FCPA violations,[4] and moved to dismiss FCPA charges against American waste management company Stericycle several months before the expiration of its deferred prosecution agreement.[5] The DOJ has also terminated the two monitorships it imposed on Swiss commodity trading and mining company Glencore (one of which relates to Glencore’s conspiracy to violate the FCPA) in May 2022,[6] and ended an FCPA-related non-prosecution agreement with American chemicals manufacturing company Albemarle,[7] all more than a year earlier than they were set to conclude. Although the Executive Order pausing enforcement of the FCPA discussed “eliminating excessive barriers to American commerce abroad,” and stated a desire to reduce “overexpansive and unpredictable FCPA enforcement against American citizens and businesses,”[8] PetroNor and Glencore are not American companies. Closing the PetroNor investigation and ending Glencore’s FCPA monitorship early could suggest a more general intention to limit FCPA enforcement instead of focusing on enforcement against non-American companies as the wording of the Executive Order suggested may be possible.

In addition to dropping existing cases and monitorships, the DOJ is also considering budget cuts that could affect investigations involving foreign defendants, witnesses, and evidence – as many FCPA cases do. In a recent memo, Deputy Attorney General Todd Blanche suggested that there would be personnel cuts at the Office of International Affairs (“OIA”).[9] OIA is responsible for international extraditions and mutual legal assistance, services relied upon by the FCPA Unit to build and prosecute its cases.

While these moves tend to suggest that the DOJ’s focus on foreign bribery will be more limited moving forward, the DOJ has also indicated that it intends to proceed with several other, already-filed cases. As a result, it is premature to conclude that the DOJ is retreating from FCPA enforcement entirely. Relatedly, it is also difficult to discern any definitive common threads that distinguish the cases the DOJ is continuing to pursue from those it has dropped, making it difficult to predict the strategy for FCPA enforcement going forward. The cases moving forward are against both American and non-American individuals and they include:

  • A case against two executives of UK-based voting machine company Smartmatic and a Philippines election official. The DOJ alleges that the Smartmatic executives conspired to pay more than $1 million in bribes to the election official in exchange for contracts for Smartmatic to supply voting machines and services for the Philippines’ 2016 elections.[10]
  • A case against a former Corsa Coal executive, whom the DOJ accuses of participating in a scheme to bribe Egyptian officials to win coal contracts worth $143 million between 2016 and 2020.[11]
  • A case against three individuals for allegedly bribing government officials in exchange for contracts to provide uniforms and other goods to the Honduran National Police.[12]

On May 12, 2025, the DOJ’s Criminal Division published a memorandum setting out its white-collar enforcement priorities and announcing changes to its approach to investigations and prosecutions (the “Galeotti Memo”).[13] The Galeotti Memo provides further clues about the future of potential FCPA investigations and enforcement in the Trump Administration. Specifically, the Galeotti Memo states that the DOJ will prioritize investigating and prosecuting bribery and related money laundering that “impact U.S. national interests, undermine U.S. national security, harm the competitiveness of U.S. businesses, and enrich foreign corrupt officials.” Though it acknowledges that conducting cross-border investigations (as most bribery investigations are) is time-intensive, the Galeotti Memo emphasizes the need for “efficient” investigations, with the DOJ now requiring prosecutors to investigate and make charging decisions expeditiously. Additionally, moving forward, independent compliance monitors – often imposed in the past in resolutions of FCPA enforcement – will be imposed only when truly necessary for a company to implement a compliance program or prevent a recurrence of misconduct. To the extent monitors are imposed going forward, their scope will be narrowly tailored.[14]

On the Securities and Exchange Commission (“SEC”) side, the Chief and Deputy Chief of the SEC’s FCPA Unit have recently retired,[15] and the SEC has informed multiple defense counsel that it has paused FCPA investigations until further guidance is issued by the Trump Administration pursuant to the Executive Order. These developments come on the heels of then-Acting Deputy Director of the SEC’s Enforcement Division Antonia Apps’s comment at a recent speaking engagement that the SEC was “obviously going to follow the lead of the DOJ” with respect to FCPA enforcement.[16] At the same time, Apps noted that the SEC intends to decline to bring cases more frequently where companies have self-reported, cooperated, and/or remediated their compliance programs.

While these updates and statements seem to suggest a reduction in FCPA enforcement by the SEC going forward, it has not entirely backed away from the FCPA. On April 10, 2025, the SEC filed a motion to reopen a civil FCPA case against two former Cognizant executives (despite the DOJ having earlier decided to drop criminal charges) and issue a stay to allow the parties to “explore a potential resolution.”[17]

The Trump Administration’s approach to FCPA enforcement therefore remains unclear. DOJ’s review of FCPA enforcement is ongoing, and its outcome, which is presently unknown, will determine whether and how the statute will be enforced during the Trump Administration. However, absent an actual repeal of the law, future administrations could reverse enforcement policy decisions the Trump Administration makes and aggressively investigate FCPA violations, including conduct that occurred during the Trump Administration and falls within the five-year statute of limitations. Notably, enforcement at the state level also remains a risk for parties engaged in foreign bribery: California’s Attorney General has announced his intention to prosecute bribery under state law and Manhattan’s District Attorney has indicated that he is considering how his office can step into the void created by the DOJ’s retreat from certain enforcement areas, including FCPA.[18]

Updates in the United Kingdom and Europe

Outside the U.S., the wind is blowing in a clearer direction. On 20 March 2025, enforcement authorities in the UK, France, and Switzerland announced the creation of a new International Anti-Corruption Prosecutorial Taskforce (the “Taskforce”) to strengthen collaboration between these countries.[19] The Taskforce consists of the UK’s Serious Fraud Office (“SFO”), France’s National Financial Prosecutor’s Office (“PNF”), and the Office of the Attorney General of Switzerland (“OAG”). These agencies are no strangers to collaboration, both amongst themselves and with the U.S. For example, as noted by PNF director Jean-François Bohnert, the PNF has assisted the OAG with 89 requests for mutual legal assistance in criminal matters since the agency was created in 2014.[20] Further, both the SFO and OAG were credited with assisting the U.S. with its bribery investigation into Glencore.[21] The Taskforce’s creation represents the SFO’s, PNF’s, and OAG’s intention to continue coordinating, with or without the U.S.

The Taskforce’s Founding Statement acknowledges “the significant threat of bribery and corruption and the severe harm that it causes” and promises that the members will “stand firm in our commitment to tackle this threat within the national and international legal frameworks.”[22] The Taskforce will deliver a “Leaders’ Group focused on the regular exchange of insight and strategy,” a “Working Group, for the purpose of devising proposals for co-operation on cases,” and increased “best practice” intelligence sharing between the three agencies to fully utilize the expertise of each. The Taskforce also intends to invite “other like-minded agencies” to join it,[23] with Bohnert recently stating that the DOJ, as well as other agencies in Europe, Latin America and the Western hemisphere more generally, would be welcome to join.[24] Despite the timing of the announcement and the somewhat pointed language in its Founding Statement, the Taskforce’s creation was, according to SFO Director Nick Ephgrave, “in no way a reaction to” the Trump Administration’s FCPA enforcement pause.[25] Nevertheless, the enforcement vacuum caused by the abrupt cessation of DOJ investigations undeniably creates an opportunity for jurisdictions like the UK, France, and Switzerland to drive global ABAC enforcement going forward. Indeed, Ephgrave has noted that the SFO is currently evaluating the long-term impact of the enforcement pause on the agency, and “actively seeing if there are opportunities where we can pick up investigations in this country,”[26] while the PNF recently added to its credentials a successful prosecution against two SPIE Group companies and two senior managers for bribing an Indonesian public official.[27]

Speaking ahead of the Taskforce’s public announcement, Ephgrave reiterated that the potential use of financial payments to reward whistleblowers (first stated as an SFO policy aim in February 2024) would continue to be on the UK’s agenda, and the recently published SFO Annual Business Plan for 2025-26 (the “ABP”) explicitly references “whistleblower incentive reform.”[28] Ephgrave once again credited the U.S.’s “really well-established system of [whistleblower] incentivisation” as one of the reasons for the U.S.’s historic success in international bribery and corruption intelligence gathering, asserting that 700 UK whistleblowers have gone to the U.S. with tip-offs in the last decade.[29] Speaking at a recent event in London, Ephgrave highlighted whistleblower incentivization as the key reform he wants to implement during his tenure, calling it a “game changer for [UK] intelligence.”[30] This reform looks increasingly likely, with the UK Home Office commissioning an independent report which will consider “incentives for criminal fraud networks informants and whistleblowers”.[31] By introducing financial incentives and stronger channels for whistleblower reports, the UK could generate significantly more leads regarding potential breaches of the UK Bribery Act to investigate. The U.S. has a number of whistleblower incentive programs which have yielded success in recent years. For example, the SEC’s Whistleblower Program received 557 FCPA-related reports during the 2024 financial year, up from 237 in the previous year.[32] The Swiss Attorney General Stefan Blättler has also expressed an appetite for increasing whistleblowing, announcing that he would discuss whistleblower incentivization with both the Swiss parliament and public.[33]

As foreshadowed in the ABP, the SFO has also launched new corporate cooperation guidance (the “Guidance”),[34] to reverse what Ephgrave characterizes as a “slight drop off” in the number of companies self-reporting wrongdoing.[35] The Guidance emphasizes that the SFO will seek to negotiate deferred prosecution agreements with (and not prosecute) companies which promptly self-report wrongdoing to, and cooperate fully with, the SFO “unless exceptional circumstances apply”.[36] Ephgrave hopes that the Guidance, along with strengthened covert surveillance capabilities (another priority set out in the ABP), will give the SFO more control over its referral pipeline and “invigorate or provoke” more self-reports from companies.[37] The SFO also recently announced that it had signed a memorandum of understanding with Indonesia’s Corruption Eradication Commission in an attempt to “refresh [its] relationship” with the country’s main anti-corruption enforcer.[38]

In addition to these moves by the SFO, the UK’s National Crime Agency (“NCA”) intends to increase its foreign bribery caseload, according to NCA senior manager David Liebscher.[39] The NCA currently has seven foreign bribery cases before the UK courts,[40] and has had success in this space in recent years, having achieved the conviction of the former chief of staff to the president of Madagascar for bribery in February 2024.[41] In remarks that chimed with Ephgrave’s commentary and efforts around increasing reports to law enforcement, Liebscher also suggested that the UK’s current corruption reporting framework, with 39 possible channels, is overly complex and a “barrier” to reporting misconduct.[42] Liebscher’s statements, taken together with the developments at the SFO, indicate a renewed interest in proactive Bribery Act enforcement in the UK.

In the EU, trilogue negotiations between the European Commission, the European Council, and the European Parliament commenced in February 2025 to finalize the EU’s proposed Directive on combatting corruption (the “Directive,” initially unveiled in May 2023). The Directive aims to harmonize corruption offences and sanctions across the EU. Currently, all 27 EU Member States are signatories to the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, which requires acceding states to implement “such measures as may be necessary” to establish the various offenses it sets out (i.e., in relation to the bribery of foreign public officials).[43] However, each Member State has typically adopted its own set of laws to combat corruption, creating a series of fragmented standards that can be easily exploited; the EU reportedly loses approximately EUR 990 billion to corruption each year.[44] If adopted in its current form,[45] the Directive will require Member States to introduce a number of specified corruption offences (including domestic and foreign bribery, misappropriation, trading in influence, abuse of functions and obstruction of justice) into their national laws. The Directive will also introduce corporate criminal liability, which will apply where a lack of supervision by a person in a leadership position results in the commission of an offence set out in the Directive.[46] Ultimately, the Directive will allow for greater cross-border cooperation between Member States in investigating and prosecuting corruption.

Looking Ahead

Though the future of U.S. FCPA enforcement, at least for the remainder of the Trump Administration, remains uncertain, the consensus on the other side of the Atlantic is clear: ABAC enforcement remains a priority, and European and British enforcement agencies see the opportunity to lead the charge as the U.S. deprioritizes FCPA enforcement.


Authored by several attorneys from the law firm King & Spalding in the United States and Europe.

FOOTNOTES:

[1] Brandt Leibe, Aaron Stephens, Grant Nichols, and Margaret Nettesheim, “How does the Trump FCPA pause change the landscape for non-American companies?”, Global Investigations Review (Feb. 28, 2025), https://globalinvestigationsreview.com/just-anti-corruption/article/how-does-the-trump-fcpa-pause-change-the-landscape-non-american-companies.
[2] Motion to Dismiss, United States v. Gordon Coburn and Steven Schwartz Case No. 2:19-cr-00120 (MEF) (Apr. 1, 2025), https://files.lbr.cloud/public/202504/1034%20Cognizant%20motion%20to%20dismiss.pdf?VersionId=9oS.IXOYr7X69W5FEHrNOOYdNmxUZMRb.
[3] Press Release, PetroNor E&P ASA, The U.S. Department of Justice closes its investigation (Apr. 1, 2025), https://petronorep.com/media/jcwltjui/20250402-pnor-investigation-update.pdf.
[4] Stryker Corporation, Form 10-Q (May 2, 2025), https://files.lbr.cloud/public/2025-05/20250502%20-%2010Q%20-%20SYK%20-%20Quarterly%20Report%20-%2028%20pages.pdf?VersionId=cdAGcFWYekWHgT.5u9US2elj0XQcCoM6.
[5] Motion to Dismiss, United States v. Stericycle, Inc. Case No. 22-CR-20156-MOORE (Apr. 21, 2025), https://files.lbr.cloud/public/202504/21%20%20DOJ%20motion%20to%20dismiss%20Stericycle%20DPA%2021%20April%202025.pdf?VersionId=AqQp5fCVxd6Kw7MHh1EnfwQVQaR.G3BP.
[6] Consent Motion to Modify Conditions of Probation, United States v. Glencore International A.G. Case No. 1:22-cr-00297 (LGS) (Mar. 20, 2025), https://assets.law360news.com/2314000/2314349/new%20york%20memo.pdf; Government’s Notice Concerning Defendant’s Monitor, United States v. Glencore Ltd. Case No. 3:22-cr-00071 (SVN), https://assets.law360news.com/2314000/2314349/connecticut%20notice.pdf.
[7] Albemarle Corporation Form 10-Q (Apr. 30, 2025), https://d6jxgaftxvagq.cloudfront.net/Uploads/u/y/z/albemarle10q_166543.pdf.
[8] Exec. Order, Pausing Foreign Corrupt Practices Act Enforcement to Further American Economic and National Security (Feb. 10, 2025), https://www.whitehouse.gov/presidential-actions/2025/02/pausing-foreign-corrupt-practices-act-enforcement-to-further-american-economic-and-national-security/.
[9] See Gaspard Le Dem, “Cuts to DOJ’s international affairs office would slow cases ‘across the board’”, Global Investigations Review (Mar. 31, 2025), https://globalinvestigationsreview.com/just-anti-corruption/article/cuts-dojs-international-affairs-office-would-slow-cases-across-the-board.
[10] Notice of Authorization to Proceed, United States v. Juan Andres Donato Bautista, Roger Alejandro Pinate Martinez, Jorge Miguel Vasquez and Ellie Moreno Case No. 24-CR-20343-WILLIAMS (Apr. 9, 2025), https://files.lbr.cloud/public/2025-04/S.D.%20Fla.%2024-cr-20343%20dckt%20000135_000%20filed%202025-04-09.pdf?VersionId=1MOPwxhmwNPB2rcfDa_Fm3S.xmAhq4eV.
[11] Government’s Notice of Authorization to Proceed, United States v. Charles Hunter Hobson Case No. 2:22-CR-86 (Apr. 11, 2025), https://files.lbr.cloud/public/2025-04/US%20v%20Charles%20Hunter%20Hobson%20Govt%20motion%20to%20proceed%2011%20April%202025.pdf?VersionId=HswogHlEFABzL56Wp2sAsFHJYIzRPpxE.
[12] Government’s Notice of Authorization to Proceed, United States v. Carl Alan Zaglin, Aldo Nestor Marchena and Francisco Roberto Cosenza Centeno Case No. 23-20454-CR-BECERRA (Apr. 11, 2025), https://files.lbr.cloud/public/2025-04/US%20v%20Zaglin%20et%20al%20Govt%20motion%20to%20proceed%2011%20April%202025.pdf?VersionId=TaFwJajV1LUAvSBPqmkBMx7SSOSIqWEf.
[13] DOJ Criminal Division, “Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime” (May 12, 2025), https://www.justice.gov/criminal/media/1400046/dl?inline.
[14] The DOJ has separately issued a new monitor selection memorandum clarifying the factors that prosecutors must consider when determining whether a monitor is appropriate. DOJ Criminal Division, “Memorandum on Selection of Monitors in Criminal Division Matters” (May 12, 2025), https://www.justice.gov/criminal/media/1400036/dl?inline.
[15] See Gaspard Le Dem, “SEC’s FCPA chief, top deputy retire”, Global Investigations Review (Apr. 1, 2025), https://globalinvestigationsreview.com/just-anti-corruption/article/secs-fcpa-chief-top-deputy-retire.
[16] See Gaspard Le Dem, “SEC will ‘follow the lead’ of DOJ on FCPA enforcement, official says”, Global Investigations Review (Mar. 5, 2025), https://globalinvestigationsreview.com/just-anti-corruption/article/sec-will-follow-the-lead-of-doj-fcpa-enforcement-official-says.
[17] Motion to Restore Case, S.E.C. v. Coburn, et al., Civil No. 2:19-cv-05820-MCA-MAH (Apr. 10, 2025), https://files.lbr.cloud/public/2025-04/76%20-%20SEC%20asks%20to%20reopen%20Cognizant%20docket.pdf?VersionId=8A..7PjQ88Akv2tvAEarIVkJvt5n8CEO.
[18] Press Release, California Attorney General Rob Bonta, Attorney General Bonta Alerts Businesses: It Remains Illegal to Bribe Foreign-Government Officials (Apr. 2, 2025), https://oag.ca.gov/news/press-releases/attorney-general-bonta-alerts-businesses-it-remains-illegal-bribe-foreign; Estelle Atkinson, “Manhattan state prosecutor looking to fill enforcement void left by DOJ”, Global Investigations Review (Apr. 15, 2025), https://globalinvestigationsreview.com/just-anti-corruption/article/manhattan-state-prosecutor-looking-fill-enforcement-void-left-doj.
[19] International Anti-Corruption Prosecutorial Taskforce Founding Statement (Mar. 20, 2025), https://assets.publishing.service.gov.uk/media/67dc0bb3931ea30d1b7ee33d/International_Anti-Corruption_Prosecutorial_Taskforce.pdf.
[20] See Ana de Liz, “UK, French, Swiss agencies set up new anti-corruption task force”, Global Investigations Review (Mar. 20, 2025), https://globalinvestigationsreview.com/article/uk-french-swiss-white-collar-agencies-set-new-anti-corruption-task-force.
[21] Press Release, U.S. Department of Justice, Glencore Entered Guilty Pleas to Foreign Bribery and Market Manipulation Schemes (May 24, 2022), https://www.justice.gov/archives/opa/pr/glencore-entered-guilty-pleas-foreign-bribery-and-market-manipulation-schemes.
[22] International Anti-Corruption Prosecutorial Taskforce Founding Statement (Mar. 20, 2025), https://assets.publishing.service.gov.uk/media/67dc0bb3931ea30d1b7ee33d/International_Anti-Corruption_Prosecutorial_Taskforce.pdf.
[23] Id.
[24] See Austin Cope, “PNF director: international anti-corruption task force will treat companies equally”, Global Investigations Review (May 7, 2025), https://globalinvestigationsreview.com/just-anti-corruption/article/pnf-director-international-anti-corruption-task-force-will-treat-companies-equally.
[25] See Ana de Liz, “UK, French, Swiss agencies set up new anti-corruption task force”, Global Investigations Review (Mar. 20, 2025), https://globalinvestigationsreview.com/article/uk-french-swiss-white-collar-agencies-set-new-anti-corruption-task-force.
[26] See Malavika Devaya, “’Look at me as the Mikhail Gorbachev of the SFO’: Nick Ephgrave”, Global Investigations Review (Apr. 24, 2025), https://globalinvestigationsreview.com/article/look-me-the-mikhail-gorbachev-of-the-sfo-nick-ephgrave.
[27] See Grace Propheta, “SPIE fined, executives handed prison time over Indonesia police bribes”, Global Investigations Review (May 13, 2025), https://globalinvestigationsreview.com/article/spie-fined-executives-handed-prison-time-over-indonesia-police-bribes?utm_source=SPIE%2Bfined%252C%2Bexecutives%2Bhanded%2Bprison%2Btime%2Bover%2BIndonesia%2Bpolice%2Bbribes&utm_medium=email&utm_campaign=GIR%2BAlerts.
[28] SFO Business Plan 2025-26, https://assets.publishing.service.gov.uk/media/67ee4e86199d1cd55b48c6e8/SFO_2025-26__Business_Plan.pdf.
[29] See Ana de Liz, “UK, French, Swiss agencies set up new anti-corruption task force”, Global Investigations Review (Mar. 20, 2025), https://globalinvestigationsreview.com/article/uk-french-swiss-white-collar-agencies-set-new-anti-corruption-task-force.
[30] Daisy Eastlake, “Whistleblowers could reap rewards for exposing fraud”, The Times (Apr. 25, 2025).
[31] Id.
[32] SEC Annual Report to Congress for Fiscal Year 2024, https://www.sec.gov/files/fy24-annual-whistleblower-report.pdf.
[33] See Ana de Liz, “UK, French, Swiss agencies set up new anti-corruption task force”, Global Investigations Review (Mar. 20, 2025), https://globalinvestigationsreview.com/article/uk-french-swiss-white-collar-agencies-set-new-anti-corruption-task-force.
[34] SFO Corporate Guidance (Apr. 24, 2025), https://www.gov.uk/government/publications/sfo-corporate-guidance/sfo-corporate-guidance.
[35] See Ana de Liz, “SFO announces new five-year plan”, Global Investigations Review (Apr. 18, 2025) https://globalinvestigationsreview.com/article/sfo-aims-revive-corporate-cooperation?utm_source=SFO%2Baims%2Bto%2Brevive%2Bcorporate%2Bcooperation&utm_medium=email&utm_campaign=GIR%2BAlerts.
[36] SFO Corporate Guidance (Apr. 24, 2025), https://www.gov.uk/government/publications/sfo-corporate-guidance/sfo-corporate-guidance.
[37] Id.
[38] Id.
[39] See Ana de Liz, “NCA wants to bulk up foreign bribery caseload”, Global Investigations Review (Apr. 24, 2025), https://globalinvestigationsreview.com/article/nca-wants-bulk-foreign-bribery-caseload?utm_source=%25E2%2580%259CLook%2Bat%2Bme%2Bas%2Bthe%2BMikhail%2BGorbachev%2Bof%2Bthe%2BSFO%25E2%2580%259D%253A%2BNick%2BEphgrave&utm_medium=email&utm_campaign=GIR%2BAlerts.
[40] Id.
[41] See Ana de Liz, “Former Madagascar chief of staff found guilty of bribery”, Global Investigations Review (Feb. 20, 2024), https://globalinvestigationsreview.com/article/former-madagascar-chief-of-staff-found-guilty-of-bribery.
[42] See Ana de Liz, “NCA wants to bulk up foreign bribery caseload”, Global Investigations Review (Apr. 24, 2025), https://globalinvestigationsreview.com/article/nca-wants-bulk-foreign-bribery-caseload?utm_source=%25E2%2580%259CLook%2Bat%2Bme%2Bas%2Bthe%2BMikhail%2BGorbachev%2Bof%2Bthe%2BSFO%25E2%2580%259D%253A%2BNick%2BEphgrave&utm_medium=email&utm_campaign=GIR%2BAlerts.
[43] OECD, Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, OECD/LEGAL/0293, https://legalinstruments.oecd.org/public/doc/205/205.en.pdf.
[44] European Commission, High-risk areas of corruption in the EU: A mapping and in-depth analysis (Nov. 4, 2024) at page 9, https://op.europa.eu/fr/publication-detail/-/publication/5c0730b2-9769-11ef-a130-01aa75ed71a1/language-en.
[45] Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on combating corruption, replacing Council Framework Decision 2003/568/JHA and the Convention on the fight against corruption involving officials of the European Communities or officials of Member States of the European Union and amending Directive (EU) 2017/1371 of the European Parliament and of the Council (May 3, 2023), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2023:234:FIN.
[46] Id.

Maintenance Checks Required: Navigating the Chaotic Compliance Highway
https://compliancechief360.com/maintenance-checks-required-navigating-the-chaotic-compliance-highway/
Wed, 04 Jun 2025 18:19:55 +0000

Imagine driving on a constantly changing highway: the speed limits and lane directions are shifting and updating, the exit ramps and destinations rerouting, all while you are mid-journey. How do you, the driver, stay on course? You rely on an up-to-the-minute navigation system. You watch for new road signs. And you drive defensively to avoid collisions.

Today’s regulatory landscape shifts frequently, seemingly on an almost daily basis. This dynamic environment is characterized by unprecedented velocity and complexity as new legislation emerges, enforcement priorities pivot like sudden detours, and technological advancements create novel risks that appear like unexpected road hazards.

Compliance leaders are the vigilant drivers on this ever-changing highway, actively seeking counsel, staying abreast of new regulations, and engaging in preemptive risk management. This demanding, unpredictable terrain requires more than a periodic compliance tune-up; compliance programs must receive constant attention to operate at peak performance in this dynamic environment.

Mapping the Original Routes: The Advent of U.S. Regulation

Business regulation in the United States has been around since nearly the dawn of the country, of course, but its scope, focus, and intensity have evolved significantly since then.

The first major regulatory agency, the Interstate Commerce Commission (ICC), dates back to 1887 amid the rise of large industries and concerns about monopolies and safety. Economic regulation was the focus then, and the ICC was created primarily to regulate the railroad industry. President Franklin D. Roosevelt vastly expanded the federal regulatory apparatus in the wake of the Great Depression. New agencies were created to oversee banking (FDIC), securities (SEC), labor relations (NLRB), and communications (FCC), effectively paving new regulatory roads. The rapid growth of federal agencies during the New Deal led to the Administrative Procedure Act of 1946, which was enacted to bring order, uniformity, fairness, and accountability to the burgeoning federal administrative state, establishing standardized road rules for regulators.

The Wave of Social and Safety Regulations. The 1960s and 1970s gave rise to a new wave of agencies, like the Environmental Protection Agency (EPA), the Occupational Safety and Health Administration (OSHA), and the Consumer Product Safety Commission (CPSC), which focused on broader societal goals. These agencies often set standards for business operations, moving beyond purely economic controls and adding new types of safety lanes and environmental considerations to the compliance map.

Navigating Regulatory Cycles: From Cruise Control to Heavy Traffic. The regulatory environment has oscillated since the 1980s. Major financial crises and corporate scandals tend to trigger periods of heavier regulation—imagine sudden traffic jams and new toll booths—often followed by periods of deregulation and burden reduction driven by inefficiency concerns. This cyclical pattern has become more pronounced and faster in recent decades.

Today’s High-Speed, Multi-Lane Mayhem

Today’s regulatory landscape is unique and characterized by unprecedented complexity, stemming from interconnected factors.

The Global Expressway and Tech-Driven Detours. Regulation was once primarily national and driven by industrialization and economic crises. Now it is intensely global, interconnected, and touches on broader societal issues. Rapid technological advancements, particularly in artificial intelligence, data analytics, and digital finance, create novel risks and ethical considerations that necessitate new rules of the road for privacy, cybersecurity, and market conduct. Regulators struggle to keep pace, leading to reactive rulemaking, which results in poorly marked lanes, sudden regulatory potholes, or regulations that quickly become outdated before the asphalt even dries.

Geopolitical Junctions and ESG Overpasses. Geopolitical events like conflicts, trade disputes, or shifting alliances trigger immediate regulatory responses, particularly concerning sanctions, tariffs, and export controls, forcing abrupt rerouting. Mounting societal and investor pressure, especially concerning Environmental, Social, and Governance (ESG) criteria, drives demand for greater corporate transparency and accountability. This adds new lanes and destinations to the compliance map beyond traditional financial and operational rules.

Exiting to Variable-Speed State Routes. Increasingly, states are implementing their own regulations in areas like data privacy and environmental standards. This creates a complex patchwork of requirements, like navigating a series of local roads with differing speed limits after exiting the federal highway. These regulations can vary significantly across state lines, complicating compliance for companies operating nationwide and requiring drivers to adjust their speed and awareness.

The Whiplash Effect. Heightened political volatility is responsible for the pace and volume of change. Major regulatory shifts historically occurred over decades. Today, significant changes can happen rapidly, driven by executive actions, geopolitical events, or swift legislative responses. Political changes bring new enforcement priorities and legislative agendas. Rules implemented by one administration may be quickly frozen, reviewed, or repealed by the next. This “regulatory whiplash” created by frequent and intense policy reversals creates a far more uncertain operating environment that forces companies to constantly slam on the brakes or accelerate unexpectedly, making smooth navigation nearly impossible.

The Breakdown Lane: Why Periodic Inspections Aren’t Enough

How can companies avoid breakdowns while driving through this demanding, unpredictable terrain? They must adopt a continuous evaluation mindset rather than conducting backward-looking, periodic assessments of compliance programs.

A reactive approach to compliance is insufficient. Periodic reviews often focus on identifying past failures or existing gaps. They are not designed to proactively identify and mitigate emerging threats before they materialize into significant compliance issues.

Furthermore, concentrating evaluation efforts into discrete periods can create significant resource demands, potentially pulling focus from day-to-day compliance operations. And while accurate for a specific point in time, the findings can quickly become outdated. By the time a periodic review is completed, the risks it assessed may have evolved, or new, more pressing risks may have emerged. This can lead to a false sense of security for businesses. A “clean” report from a periodic review might mask underlying vulnerabilities that have developed since the review period or were outside its specific scope. Business leaders must therefore proactively identify and mitigate emerging threats before they materialize into significant compliance issues.

Think of your vehicle’s engine again. An annual inspection might confirm it met standards last year, but it won’t detect a slow leak that started last month or predict a component failure likely to occur next week due to recent heavy usage on rough roads.

The High-Performance Engine: Embracing Continuous Compliance Monitoring

Continuous evaluation moves beyond the static snapshot. It involves embedding monitoring, feedback, and adaptation into the compliance program’s daily fabric. This approach treats the compliance program not as a fixed structure to be occasionally inspected but as a living system that must constantly adapt to its environment, much like a modern vehicle with adaptive cruise control and lane-keep assist.

Adopting a continuous evaluation mindset yields significant advantages:

  • Early Hazard Detection: Compliance professionals can identify potential issues and emerging risks much sooner, allowing for timely intervention and mitigation before they escalate into major accidents.
  • Enhanced Agility: It enhances adaptability and enables the compliance program to flex and adjust rapidly to regulatory or business environment changes, like smoothly changing lanes in shifting traffic.
  • Optimized Resource Allocation: It allows for a more consistent and targeted allocation of compliance resources towards the most pressing current risks, rather than cyclical surges of reactive maintenance.
  • Demonstrable Diligence: It provides ongoing evidence to regulators, auditors, and government investigators that the compliance program is actively managed, responsive, and effective in mitigating risk, like having a clean driving record and well-maintained vehicle logs.
  • Fostering a Proactive Culture: It promotes a culture where compliance awareness and feedback are ongoing processes, not just annual events, making every employee a co-pilot in vigilance.

Upgrading Your Compliance Vehicle: Implementing Continuous Evaluation

Implementing a continuous evaluation framework requires a shift in mindset and potentially investment in technology and skills. It necessitates moving away from purely reactive, audit-driven checks towards proactive, data-informed monitoring. Key steps include:

  • Leadership Buy-in: Secure commitment from senior management, emphasizing the strategic value of proactive compliance risk management as an essential vehicle safety feature, not just a cost.
  • Technology Enablement: Identify and leverage appropriate tools for data aggregation, analytics, monitoring, and regulatory intelligence gathering. This means investing in an advanced “cockpit” with real-time “dashboard telemetry” (data analytics platforms) and a constantly updating “GPS” (AI-powered horizon scanners and regulatory update services) to see around the next bend and anticipate merging traffic or road closures.
  • Data Integration: Break down silos to ensure relevant data from across the organization feeds into the compliance monitoring process, like ensuring all vehicle sensors report to the central computer.
  • Skill Development: Train and equip compliance teams with the skills needed for data analysis, trend spotting, and interpreting diverse feedback sources, turning them into expert navigators.
  • Phased Implementation: Start by focusing on high-risk areas and gradually expand the continuous monitoring approach across the program, like mastering local routes before embarking on a cross-country journey.

Driving Towards a Resilient Future: The Road Ahead

The pace of regulatory change shows no signs of slowing down or becoming less complex. For compliance programs to remain effective guardians of organizational integrity and value, they must evolve beyond periodic check-ups. Like maintaining a high-performance engine for a demanding journey, continuous monitoring, regular feedback, and agile adjustments are essential. By embracing a continuous evaluation model, compliance professionals can move from simply reacting to the past to proactively navigating the complexities of the present and preparing for the uncertainties of the future, ensuring their programs are not just compliant on paper but resilient in practice, ready for any road, any condition.


Kristin B. Johnson (kristin.johnson@woodsrogers.com) is an attorney in the Government & Special Investigations Practice at the Virginia law firm Woods Rogers.

Four Strategic Ways AI Can Strengthen Your AML Program
https://compliancechief360.com/four-strategic-ways-ai-can-strengthen-your-aml-program/ Thu, 13 Feb 2025 21:53:36 +0000

GUEST BLOG POST
Money laundering facilitates crime, threatens our national security, distorts markets, and has a devastating economic and social impact on citizens, according to the U.S. Department of the Treasury. Financial institutions are required to do their part to combat these threats.

The Financial Crimes Enforcement Network (FinCEN), a bureau of the United States Department of the Treasury, requires financial institutions to accurately and promptly report suspicious activities under the Bank Secrecy Act. When institutions fail to meet anti-money laundering (AML) compliance requirements, such as maintaining adequate transaction monitoring systems, performing customer due diligence, and properly filing suspicious activity reports (SARs), they can be fined billions of dollars. This is on top of the more than $275 billion the industry already spends on AML compliance.

Lawmakers and policymakers know that AML compliance places significant cost and operational burdens on financial institutions. Through the AML Act of 2020 and Innovation Initiative—and the latest proposed rule—FinCEN is actively advocating for financial institutions to modernize and innovate their AML/CFT programs and combat financial crime, including an increased focus on risk-based processes and technology. This will hopefully reduce some of the compliance costs and improve effectiveness. There is a growing emphasis on integrating technologies to support and enhance human intervention and judgment, ultimately boosting operational efficiencies and reducing errors.

As we move further into 2025, incorporating AI into AML compliance programs will be crucial. Fortunately, many leaders in the financial industry are already turning to AI to keep up with the changing landscape. According to a recent report, 78 percent of financial institutions are looking to technology to help automate processes and improve efficiency.

Here are four ways AI can help you update your AML program:

1. Transform Transaction Monitoring

Traditional transaction monitoring (TM) systems struggle to keep up with the complexities of modern financial crime. They rely on static rules that can't adapt to new criminal tactics, resulting in a flood of non-suspicious items or false positives that overwhelm compliance teams and obscure the real threats.

While many TM analysts were attracted to their job’s analytical work, many have found their days to be tedious, filled with data-gathering tasks rather than leveraging their true talent for fighting financial crime and managing and mitigating risk. In traditional compliance operations, upwards of 80-85 percent of analyst work is spent tracking down information and supporting evidence for case reviews. By automating this tedious, error-prone work and auto-populating the SAR narrative, AI drastically reduces mistakes, ensures complete information, and frees up the analysts to focus on higher-value, higher-risk work, making them more strategic contributors to the program.

2. Automate Manual Compliance Processes

Many AML programs still rely heavily on manual processes, which are labor-intensive and error-prone, leading to compliance breaches and hefty fines. AI and automation technologies can handle these repetitive and time-consuming tasks, such as customer onboarding, sanctions screening alert review, and the filing of suspicious activity reports, to improve efficiency and accuracy while freeing up human analysts for higher-value work.

For instance, AI can automate the review and disposition of sanctions alerts, of which 99 percent are false positives. Automation can also streamline the SAR filing process by automatically generating SARs based on predefined criteria, reducing the risk of human error and helping banks maintain regulatory compliance.

3. Mitigate Staffing Challenges

The financial industry continues to grapple with a significant talent shortage in AML and sanctions compliance. Many banks have open positions that remain unfilled for months, and even when new analysts are hired, onboarding and training can take considerable time. High attrition rates further exacerbate these challenges, as trained analysts often leave for better-paying opportunities, creating a perpetual cycle of recruitment and training.

Banks can leverage AI to augment their existing teams. AI can handle routine tasks, such as screening alert disposition and data extraction, allowing human analysts to focus on complex investigations that require judgment and expertise.

AI-driven augmentation enhances productivity and helps banks scale their operations without constantly hiring and training new staff, particularly during periods of increased alert volumes. AI can step in to manage the surge, ensuring compliance standards are maintained without overburdening the team.

4. Enhance Regulatory Reporting and Compliance Accuracy

With regulatory scrutiny intensifying, accurate and timely reporting is more critical than ever. AI and ML improve the accuracy and efficiency of regulatory reporting by analyzing large datasets and identifying relevant information to ensure that SARs and other compliance reports are thorough and error-free.

Additionally, AI can provide deeper insights into a bank’s risk exposure by identifying complex networks of transactions that might indicate money laundering, enabling banks to take proactive measures to mitigate risks.

The Future of AML

There’s no doubt that criminals are getting smarter, alerts are multiplying, and regulatory scrutiny and penalties are mounting. By incorporating AI into their AML programs, banks can stay resilient and effective in the fight against financial crime.

The future of AML lies in using AI to enhance human capabilities, making compliance programs more adaptable to the ever-changing landscape of financial crime. Embracing AI isn’t just about staying compliant; it’s about staying ahead and protecting our financial system from criminal activities.


David Caruso is Vice President of Financial Crime Compliance at WorkFusion. With over 25 years in financial crime compliance, David has led major AML and sanctions programs at banks, including JP Morgan, Wachovia, Key Bank, and Riggs Bank.

Managing Risk and Compliance in Third-Party Relationships
https://compliancechief360.com/managing-risk-and-compliance-in-third-party-relationships/ Thu, 16 Jan 2025 15:39:26 +0000

Third-party risk is becoming increasingly expansive as organizations rely on a burgeoning network of external vendors to operate.

The current environment of heightened third-party software attacks and subsequent legislative response is elevating third-party risk management (TPRM) as an organizational priority. Modern organizations are increasingly focused on managing business risk to foster resiliency and trust. However, much of the risk that an organization contends with is not internal but stems from third-party relationships.

Research by the IDC found that third-party risk management is among the top considerations for strategic organizational risk management, ranking fourth in their Future of Trust Survey, behind IT security, data privacy, and operational risk. However, failure to secure third-party relationships can directly impact these other three areas.

Learn more about this emerging risk landscape, the results of the IDC survey, and what organizations can do to protect themselves in Beyond the Organization: Managing Risk and Compliance in Third-Party Relationships.
