Insight 360° Archives - Compliance Chief 360
https://compliancechief360.com/category/articles/insight-360/
The independent knowledge source for Compliance Officers
Last updated: Thu, 12 Dec 2024 23:08:33 +0000

Managing Compliance in a Remote Work Environment
https://compliancechief360.com/managing-compliance-in-a-remote-work-environment/
Thu, 12 Dec 2024 22:50:13 +0000

We all know about the great migration to “work from home” that occurred during the COVID-19 pandemic, starting in 2020 and lasting into 2021 and 2022. While many organizations have moved employees back to the office for all or part of the work week, the remote work movement has remained a far more prevalent aspect of working life.

According to a 2023 Pew Research Center study, around 22 million employed adults in the U.S. work from home all the time, equal to roughly 14 percent of all employed adults, while 41 percent are at least part-time remote in a hybrid setup. The same survey projects that by 2025, 32.6 million Americans will be working remotely.

While the flexibility creates favorable conditions for the acquisition and retention of top talent, it also contributes to some new challenges. Managing a compliance team in a remote work environment can be difficult. This is especially true for highly regulated sectors, such as finance, health care, defense, and others, but it could impact a business operating in any field.

Identifying the challenges of remote work and coming up with a solid compliance plan will allow employers and workers to fully utilize remote or hybrid work models without worries about security risks, audits, or subsequent fines. Whether or not you utilize a third-party risk monitoring solution, it’s critical to understand the risks associated with remote work.

Compliance Challenges of a Remote Work Environment

The EY 2023 Mobility Re-imagined Survey suggests that while 92 percent of participants believe workplace mobility is important, 71 percent lack confidence in their organization’s ability to handle compliance and other risks stemming from a remote work environment.

Some of the most common compliance challenges work from home creates for organizations include:

  • Determining which labor laws and regulations apply to employees on the basis of their home office location
  • Employee monitoring and oversight
  • Ensuring workplace safety
  • Data security and privacy
  • Safety of communication carried out in a remote work environment
  • Employment verification processes

Having a solid compliance plan in place and adapting to the hybrid work model realities are both essential to mitigate those risks.

Onboarding and Ongoing Training

The first rule of onboarding compliance is understanding applicable rules regarding employment, data privacy, and security. Onboarding processes have to address all those concerns and adhere to regulatory frameworks within the respective jurisdiction.

If your company hires international employees who work from their own location, you’ll have to go through a few important considerations during onboarding. Find out whether:

  • The person has the right to work
  • They’re entitled to receive home office equipment
  • You will have to provide any kind of training during the onboarding process

The agreements and contracts you sign as a part of onboarding should also account for national or regional regulatory specifics. A well-crafted employment contract should have stipulations on job responsibilities, performance expectations, communication protocols, confidentiality clauses, data protection, dispute resolution, and performance reviews.

The next step would be to train remote workers on anything that may lead to compliance issues. Data privacy and security training is non-negotiable. Authentication and access control training can also reduce the risk of violations or security threats stemming from the remote work environment.

The Importance of a Foolproof Remote Work Policy

A remote work policy is a document that outlines expectations and guidelines for all employees to follow. It’s a comprehensive how-to guide that focuses on procedures, safety protocols, workplace specifics, and technologies employed to do one’s job while following a regulatory framework.

As hybrid work is becoming the norm, standard workplace policies have to account for the new reality and the way it’s changing professional interactions.

Well-crafted remote work policies should contain:

  • Rules on eligibility for remote work
  • Guidelines on mandatory work hours, equipment, and tools made available to each employee
  • Provisions on designing and equipping a remote workplace
  • Cybersecurity stipulations and protocols
  • Guidelines on communication between coworkers
  • Guidelines on employee well-being

Good workflow management is also dependent on effective performance tracking, building trust and transparency through daily communication, having clearly defined roles within teams, and offering the right incentives (like career growth opportunities).

Maximizing Cybersecurity in Remote Environments

Cybersecurity is crucial for all organizations, especially those operating in highly regulated sectors.

Remote work has created numerous challenges that concern executives and make IT security managers sweat. In a 2023 survey, 72 percent of respondents said they were very concerned or at least somewhat concerned about the online risks related to employees working from home. Only 6 percent were not at all concerned.

Without concrete policies and the shared on-site work environment, common cyber threats like ransomware are more likely to evade defense mechanisms, Pritish Purohit, group head of cyber governance at FWD Insurance in Singapore, told Forbes.

Overcoming these new challenges depends on:

  • Educating employees on recognizing cybersecurity threats
  • Strengthening the corporate network through good password policies, multi-factor authentication, the selection of the right antivirus applications, frequent updates, and backups
  • Securing remote connections by leveraging VPNs and setting device usage boundaries
  • Implementing company-wide cybersecurity policies that apply to both in-office and remote workers
  • Carrying out regular security assessments and vulnerability audits
  • Adhering to data protection laws like GDPR and HIPAA
  • Using an extra layer of protection to safeguard the most sensitive information (for example, only having certain individuals accessing such files and maintaining detailed access logs)

A Focus on Employee Well-being Is Crucial

Finally, don’t forget to maintain the focus on employee well-being, regardless of the workplace model your organization has embraced.

To improve the mental and physical well-being of employees, consider the following:

  • Maintain regular communication, preferably using video conferencing tools to make everyone feel connected
  • If possible, schedule in-person meetings at least a few times per month
  • Discourage overwork and promote better work-life balance (by selecting the right compensation models that will keep workers from spending too much time as the lines between personal and professional get blurred)
  • Offer personalized health benefits (89 percent of remote workers value having some kind of health benefit as a part of their employment package)
  • Make sure everyone is aware of the available paid time off within the organization
  • Provide mental health and well-being resources
  • Allow work-hour flexibility

Working from home creates legal considerations that some organizations aren’t prepared to face, while others have been attempting to address those ineffectively.

To reduce the risk of compliance issues, come up with a robust remote work policy. Ensure employees are properly trained and stick to those rules to reduce risks. All other challenges can be addressed via regular performance reviews and audits. Identifying challenges and threats quickly is essential to determine viable remedies and implement those before the issue turns into a major compliance problem.


Giovanni Gallo is the Co-CEO of Ethico, where his team strives to make the world a better workplace with ethics hotline services, sanction screening and license monitoring, and workforce eLearning software and services.

Are You Ready for Compliance with EU’s DORA?
https://compliancechief360.com/are-you-ready-for-compliance-with-eus-dora/
Fri, 15 Nov 2024 21:22:12 +0000

It has been said that if a butterfly flaps its wings in the Serengeti, it can change the climate half a world away. Similarly, if an EU regulator enacts regulation in the EU Commission, it can have a major impact as far away as the United States.

We saw this through the ubiquity of website cookie notices and recent state-level laws like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), which, if nothing else, took some inspiration from the EU’s General Data Protection Regulation (GDPR).

Get ready for another EU regulation that, while not directly applicable in the United States, will nonetheless have a major impact on compliance at U.S. organizations. The Digital Operational Resilience Act (DORA) will be similarly impactful once it comes into force on January 17, 2025—especially for those in the financial services industry.

Nominally, DORA is a cyber-resilience regulation aimed at protecting the operational stability of the European financial services industry. It is the first ever EU regulation of its kind that targets resilience at a sectoral level and, practically speaking, is an extensive suite of requirements for financial institutions and businesses that provide services to them, covering how information and communication technology (ICT) contracts should be written, risks assessed, incidents reported, and security systems tested, among other things.

Like any good EU regulation, DORA will come with large potential fines (one percent of global turnover) for violators.

DORA Is Not Just an EU Regulation

The key thing auditors need to understand about DORA, especially as they are being asked to take on more risk-based responsibilities, is that DORA is very broad. It creates significant regulatory risk for potentially tens of thousands of entities in and outside the EU.

According to a recent McKinsey survey, most EU financial entities have started their journey towards DORA compliance, but only a third expect they will be ready on time for January 17. Globally, the state of DORA readiness is likely far lower.

This is important because, like the GDPR, DORA does not just apply to the 22,000 or so financial entities based in the EU. Instead, it is enforced based on where an organization’s customers are based. This means that if a financial institution in the United States, the United Kingdom, or any other location outside the EU deals with EU customers, there is a strong chance that DORA applies to them.

The best starting point for a compliance officer or internal auditor to see whether their organization falls under DORA is to look at the list of financial entities that are not in DORA’s scope.

Organizations excluded from DORA include non-financial entities, (some) alternative investment fund managers, very small insurance and reinsurance firms, financial entities outside the EU that do not serve the EU financial sector, and some others like post office GIRO institutions and small occupational pension funds.

As a rule, if a financial institution trades actively and is large enough to have EU-based customers, it will need to comply with DORA’s rule sets. Fintechs, crypto brokers, hedge funds, asset managers, and more traditional banks and financial institutions will all be impacted.

What Types of Companies Does DORA Cover?

Some organizations will have more stringent DORA requirements than others. A large multinational bank, for example, with complicated ICT systems and a lot of interdependent relationships will have relatively tough requirements.

To comply with DORA, an entity like this will likely have to conduct threat-led penetration testing (a form of offensive cybersecurity exercise in which you test IT systems against realistic cyber-attack scenarios and threats) at least every three years and other security testing on an annual basis.

They will also need to be able to report ICT incidents, such as data breaches, within 24 hours for significant events and conduct detailed third-party risk assessments for all critical ICT service providers. Ideally, the entity in question will already be ahead of this task, and the compliance officer or internal auditor’s job will not change to a great degree due to DORA.

A smaller organization, like an investment firm with a more basic ICT infrastructure that is less critical to the overall financial services industry, will have different requirements. They will have longer windows for incident reporting (72 hours) and simpler third-party risk requirements. Testing will still be required but on a less stringent basis.

Although many smaller organizations may have slightly less to do to become DORA compliant, they may find that many of DORA’s requirements, like threat-led penetration testing, are completely new to them.

Microenterprises (“very small entities,” defined as having revenue of less than €2 million per year, or $2.11 million, and fewer than 10 employees) with simple IT environments will have much lighter compliance requirements.

Critical Third Parties Covered by DORA

Another quirk of DORA is that it’s not just applicable to financial institutions but will also impact businesses that serve them, such as companies that provide services that are essential to the EU financial services industry, but are not financial institutions themselves. Some of these businesses will be designated as Critical ICT Third-Party Service Providers (CTPP) and have especially strict requirements.

An essential requirement for ICT third-party service providers to be considered critical by DORA is that they must provide ICT services that support critical or important functions to at least 10 percent of the financial entities for any given category, as defined in DORA. “Critical or important functions” refer to functions whose discontinued, defective, or failed performance would materially impair the financial entity.

In a broad sense, a CTPP is a service that, if it fails, would cause serious damage to a significant portion of the EU financial services industry. A company is designated as such, either by voluntarily declaring itself to be a CTPP or by being appointed as such by a European Supervisory Authority, such as the European Banking Authority. Major cloud service providers like Google Cloud, for example, will likely become CTPPs and have been taking steps to comply with DORA for quite some time.

Compliance Matters

Sectoral, global, and brought into force by the European Commission in less than six months, DORA will become a mainstay of boardroom conversation in 2025.

Hopefully, this article will help compliance officers and internal auditors better understand who is and isn’t covered by DORA. In practice, DORA compliance is a significant top-down effort. The average major financial services industry organization will dedicate significant resources to DORA compliance.


Nikos Vassakis is the Head of Consulting Services at SECFORCE, an IT security and cybersecurity firm based in London, U.K.

How Automation Is Redefining Compliance Management
https://compliancechief360.com/how-automation-is-redefining-compliance-management/
Mon, 28 Oct 2024 17:17:19 +0000

Compliance management has traditionally been marked by accessibility issues, which create barriers to adhering to regulations. These long-established frameworks can be so complicated that they make it hard for those without specialized knowledge to navigate them. Automated solutions, however, have marked a shift in the landscape, making regulatory compliance something that a broader audience can better understand.

So how have they done that? Automation can streamline processes and reduce associated risks so that as regulations change over time, compliance can keep up with the pace. Businesses are facing increased scrutiny from regulatory bodies, so conducting smoother audits and staying in good financial condition are important considerations.

In the United States, for example, businesses must consider state and local regulations, in addition to federal regulations, when developing strategic plans or plans for new lines of business. Whether through investing in compliance software or hiring specific legal experts, they need to stay on top of the rapidly developing regulatory environment. Let’s dive into the reasons why automation is redefining compliance management.

Reducing Errors and Streamlining Compliance

Compliance management has traditionally involved many manual processes that were time-consuming and prone to human error. Processes such as audits, vulnerability assessments, and remediation efforts have often required tight-knit coordination between different teams, which can cause huge gaps in communication and missed compliance risks. This is where automation can be a game-changer, by integrating compliance tasks and automating manual processes.

Automated systems, for example, can assess IT environments for vulnerability, compare any configurations against regulatory standards, and then let the team know if there are any discrepancies. This lessens the manual workload and the possibility of overlooked patches or misconfigured systems. This type of monitoring also means that organizations can identify issues before they escalate into regulatory violations or costly breaches.

Automation also permits businesses to be able to handle complex compliance requirements more effectively. For example, regulations like the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX) need to be consistently analyzed, but automation in this case enables regular audits without compliance teams getting overwhelmed.

Avoiding Regulatory Penalties and Ensuring Smooth Audits

If businesses don’t comply with regulations, the costs can be severe, with hefty fines and reputational damage both possibilities. Data breaches can lead to fines of up to $500,000 per incident, alongside ongoing monthly fines. So as these regulations tighten and audits keep coming in, businesses need to be wary to avoid penalties.

Automation means that businesses can be on top of records and generate reports to reflect their compliance status. Automated compliance tools also mean that reports can be more accurate and comprehensive, and the time and effort required for audit preparation are reduced. Documentation is the other aspect that can give real-time access to compliance records and demonstrate adherence to regulators.

Systems like asset inventory and PC lifecycle management solutions can help to bridge the gap between security and operations by integrating vulnerability assessments with remediation processes. This allows for the streamlining of security handoffs and accelerates patching, which in turn, reduces the window of vulnerability and prevents non-compliance issues from accumulating.

Further Strategies for Complying with Changing Regulations

To be able to maintain compliance while federal, state, and even global regulations are constantly changing is obviously a massive challenge. However, businesses can follow a few additional best practices to stay on top of things. First, organizations should define the compliance states with sufficient detail. Predefined policies that we briefly touched on, such as SOX, HIPAA, or PCI DSS, can serve as templates, and businesses can customize these policies to address their specific needs.

Automation needs to work in tandem with any change management processes to ensure that compliance actions are governed in line with the business’ priorities. By documenting changes and tracking exceptions, organizations can avoid compliance drift and maintain control over their compliance efforts.

Automation is undoubtedly transforming compliance management by reducing the amount of manual work while minimizing costly errors, and finally ensuring that organizations are ready for an audit when called upon. Because processes like discovery, audit, and remediation are unified and integrated, businesses can stay compliant with the shifting regulatory landscape.


Shagun Malhotra is founder of SkyStem LLC, a provider of automated account reconciliation software.

EU Passes World’s First Comprehensive AI Law
https://compliancechief360.com/eu-passes-worlds-first-comprehensive-ai-law/
Fri, 15 Mar 2024 17:34:22 +0000

The European Parliament approved the Artificial Intelligence Act (AIA), a regulation aimed at ensuring safety and compliance with fundamental rights, while boosting innovation within the artificial intelligence (AI) context. AIA, which is set to take effect in increments over the next few years, ultimately establishes obligations for AI based on its potential risks and level of impact.

AIA is the world’s first set of regulations designed to oversee the field of AI. “We finally have the world’s first binding law on artificial intelligence, to reduce risks, create opportunities, combat discrimination, and bring transparency,” said Brando Benifei, a European Union lawmaker from Italy. “Thanks to Parliament, unacceptable AI practices will be banned in Europe and the rights of workers and citizens will be protected. The AI Office will now be set up to support companies to start complying with the rules before they enter into force. We ensured that human beings and European values are at the very center of AI’s development.”

The new law comes at a point where many countries have introduced new AI rules. Last year, the Biden administration approved an executive order requiring AI companies to notify the government when developing AI models that may pose serious risk to national security, national economic security, or national public health and safety.

AIA Bans Specific Uses of AI

AIA bans certain AI applications that threaten citizens’ rights, including biometric categorization systems based on sensitive information and real-time and remote biometric identification systems, such as facial recognition. The use of AI to classify people based on behavior, socio-economic status, or personal characteristics, and to manipulate human behavior or exploit people’s vulnerabilities, will also be forbidden.

However, some exceptions may be allowed for law enforcement purposes. “Real-time” remote biometric identification systems will be allowed in a limited number of serious cases, while “post” remote biometric identification systems, where identification occurs after a significant delay, will be allowed to prosecute serious crimes and only after court approval.

AIA also introduces new transparency rules that mainly affect generative AI. The regulation sets out multiple transparency requirements that this sort of AI will have to satisfy, including compliance with EU copyright law. This entails disclosing when content is generated by AI, implementing measures within the model to prevent the generation of illegal content, and providing summaries of copyrighted data utilized during the model’s training process. Additionally, artificial or manipulated images, audio, or video content (“deepfakes”) need to be clearly labelled as such.

AIA is projected to become officially effective by May or June, pending some last procedural steps, including approval from EU member states. Implementation of provisions will occur gradually, with countries required to prohibit banned AI systems six months following the law’s enactment.


Jacob Horowitz is a contributing editor at Compliance Chief 360°.

FTC Proposes Significant Changes to Online Protection Rules for Children
https://compliancechief360.com/ftc-proposes-significant-changes-to-online-protection-rules-for-children/
Thu, 21 Dec 2023 17:51:12 +0000

The Federal Trade Commission has proposed changes to the Children’s Online Privacy Protection Act (COPPA) that would place new restrictions on the use and disclosure of children’s personal information and limit companies from profiting from children’s data.

With these proposed changes, the FTC intends for the Act to reflect technological changes and aims to provide young children with greater protections for their personal data. The FTC also wants to ensure that parents will retain control regarding their children’s data and that website operators will be held accountable for their failure to maintain the safety and security of digital services for children.

FTC Seeking Comments on Proposed Changes

In a notice of proposed rulemaking, the FTC is seeking comment on proposed changes to the COPPA Rule aimed at addressing the evolving ways personal information is being collected, used, and disclosed, including to monetize children’s data, and clarifying and streamlining the rule.

The COPPA Rule, which first went into effect in 2000, requires certain websites and other online services that collect personal information from children under the age of 13 to provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information from these children. The current Act places several obligations on the website operator, including:

  • The incorporation of a detailed privacy policy that describes the information collected from its users.
  • Acquisition of a verifiable parental consent prior to collection of personal information from a child under the age of 13.
  • Disclosure to parents of any information collected on their children by the website.
  • A right to revoke consent and have information deleted.
  • Limited collection of personal information when a child participates in online games and contests.
  • A general requirement to protect the confidentiality, security, and integrity of any personal information that is collected online from children.

“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” said FTC Chair Lina Khan. “The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children. By requiring firms to better safeguard kids’ data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents.”

The FTC initiated the latest review of the COPPA Rule in 2019 and received more than 175,000 comments on its request for public comment on whether changes were needed to the rule. The agency also held a workshop in October 2019 on whether to update the COPPA Rule in light of evolving business practices in the online children’s marketplace, including the increased use of voice-enabled connected devices, educational technology, and general audience platforms hosting third-party child-directed content.

The FTC last made changes to the COPPA Rule in 2013 to reflect the increasing use of mobile devices and social networking by, among other things, expanding the definition of personal information to include persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings.

FTC’s Proposed COPPA Amendments

The FTC has proposed several changes to the rule, including:

  • Requiring Separate Opt-In for Targeted Advertising: Building off the existing consent requirement in section 312.5, website and online service operators covered by COPPA would now be required to obtain separate verifiable parental consent to disclose information to third parties including third-party advertisers—unless the disclosure is integral to the nature of the website or online service. Firms cannot condition access to services on disclosure of personal information to third parties.
  • Prohibition against conditioning a child’s participation on collection of personal information: The proposal reinforces the current rule’s prohibition on conditioning participation in an activity on the collection of personal data to make clear that it serves as an outright ban on collecting more personal information than is reasonably necessary for a child to participate in a game, offering of a prize, or another activity. In addition, the FTC is considering adding new language to this section to clarify the meaning of “activity.”
  • Limits on the support for the internal operations exception: The current rule allows operators to collect persistent identifiers without first obtaining verifiable parental consent as long as the operator does not collect any other personal information and uses the persistent identifier solely to provide “support for the internal operations of the website or online service.” The proposed rule changes would require operators utilizing this exception to provide an online notice that states the specific internal operations for which the operator has collected a persistent identifier and how they will ensure that such identifier is not used or disclosed to contact a specific individual, including through targeted advertising.
  • Limits on nudging kids to stay online: Operators would be prohibited from using online contact information and persistent identifiers collected under COPPA’s multiple contact and support for the internal operations exceptions to send push notifications to children to prompt or encourage them to use their service more. Operators that use personal information collected from a child to prompt or encourage use of their service would also be required to flag such usage in their COPPA-required direct and online notices.
  • Changes related to Ed Tech: The FTC has proposed codifying its current guidance related to the use of education technology to prohibit commercial use of children’s information and implement additional safeguards. The proposed rule would allow schools and school districts to authorize ed tech providers to collect, use, and disclose students’ personal information but only for a school-authorized educational purpose and not for any commercial purpose.
  • Increasing accountability for Safe Harbor programs: The proposed rule would increase transparency and accountability of COPPA Safe Harbor programs, including by requiring each program to publicly disclose its membership list and report additional information to the Commission.
  • Strengthening data security requirements: The FTC has proposed strengthening the COPPA Rule’s data security requirements by mandating that operators establish, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children.
  • Limits on data retention: The FTC also would strengthen the COPPA Rule’s data retention limits by allowing for personal information to be retained only for as long as necessary to fulfill the specific purpose for which it was collected. The proposed change would also prohibit operators from using retained information for any secondary purpose, and it explicitly states that operators cannot retain the information indefinitely. The Rule would also require operators to establish, and make public, a written data retention policy for children’s personal information.

In addition, the FTC has proposed changes to some definitions in the rule, including expanding the definition of “personal information” to include biometric identifiers, and stating that the Commission will consider marketing materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services when determining whether a website or online service is directed to children.

Those who are interested in weighing in on the proposed rule changes will have 60 days to submit a comment to the FTC after the notice is published in the Federal Register, which should happen in the next two weeks.


Jacob Horowitz is a contributing editor at Compliance Chief 360°

Southwest to Pay $140 Million for Failures During 2022 Holiday Meltdown
https://compliancechief360.com/southwest-to-pay-140-million-for-failures-during-2022-holiday-meltdown/ | Mon, 18 Dec 2023 20:07:47 +0000

The consequences for a scheduling and operational meltdown by Southwest Airlines during the 2022 holiday travel season, which stranded millions of travelers, continue to mount.

In the latest development, the U.S. Transportation Department has ordered Southwest to pay a $140 million civil penalty, part of a broader consent order, after the airline’s operational failures a year ago. That penalty is by far the largest the DOT has ever levied for consumer protection violations, according to a statement from the department.

The DOT cited numerous violations of consumer protection laws during and after the operational failures that cancelled 16,900 flights and stranded over two million passengers over the 2022 Christmas holiday and into the New Year. This penalty is 30 times larger than any previous DOT penalty for consumer protection violations. The majority of the penalty will go towards compensating future Southwest passengers affected by cancellations or significant delays caused by the airline.

“Today’s action sets a new precedent and sends a clear message: if airlines fail their passengers, we will use the full extent of our authority to hold them accountable,” said U.S. Transportation Secretary Pete Buttigieg. “Taking care of passengers is not just the right thing to do — it’s required, and this penalty should put all airlines on notice to take every step possible to ensure that a meltdown like this never happens again.”

The penalty is in addition to the more than $600 million in refunds and reimbursements that DOT already ensured Southwest provided to passengers who faced travel disruptions during the operational meltdown. In September 2022, at the urging of Secretary Buttigieg, Southwest Airlines made significant changes to its customer service plan that entitled passengers to reimbursements for expenses such as meals, hotels, and ground transportation if a flight is significantly delayed or cancelled due to an airline issue. As a result of DOT’s actions, Southwest was legally required to adhere to those commitments during the 2022 holiday travel meltdown.

DOT’s investigation into Southwest’s operations during the 2022 holiday season included examining tens of thousands of pages of documents, conducting several multi-day, in-person audits and site visits at Southwest’s headquarters, reviewing thousands of consumer complaints, and consulting with various third parties, such as airports.

Southwest’s Operational and Scheduling Failures

Specifically, in its investigation, DOT found the company violated consumer protection laws by:

  • Failing to provide adequate customer service assistance: When Southwest customers contacted the company’s customer service, they were often met with busy signals, hours-long queues to connect with agents, or dropped calls. DOT’s investigation found that Southwest’s call center was overwhelmed, which at times led to a full call center queue and meant customers got a busy signal upon calling the customer service telephone number.
  • Failing to provide prompt flight status notifications: Southwest’s policy states that it will update consumers about flight status changes via text or email, but during the holiday disruptions, many Southwest customers did not receive a flight status notification in any form, while others received inaccurate ones. DOT’s investigation found that Southwest’s process for notifying passengers broke down, and as a result, the airline failed to provide prompt notification of flight cancellations and delays.
  • Failing to provide refunds in a prompt and proper manner: DOT’s investigation included an audit of Southwest’s refunds and reimbursements system to ensure that harmed passengers received what they were owed. DOT found that thousands of customers were not promptly refunded.

As part of the enforcement action and settlement, DOT is closing its unrealistic scheduling investigation without making a finding. Under federal law, unrealistic scheduling is considered an unfair and deceptive practice. In a statement, the DOT says, “today’s penalty will deter airlines from engaging in any unfair and deceptive practices against consumers. DOT is continuing to monitor airlines to identify instances of potential unrealistic scheduling. The Department will act if it finds that an airline has violated consumer protection requirements including setting an unrealistic schedule.”

Southwest’s Consent Order

In addition to the $140 million civil penalty, the settlement includes a consent order that will require Southwest to:

  • Establish a $90 million compensation system for future passengers affected by controllable significant delays and cancellations. Specifically, in the event Southwest causes a passenger to arrive at their destination three hours or more after their original scheduled arrival time due to an issue within Southwest’s control, Southwest is required to provide the passenger with a transferable $75 voucher for future use on the airline.
  • Ensure passengers were refunded and reimbursed over $600 million for significant delays and cancellations during the 2022 holiday season. Southwest also provided 25,000 miles to each passenger impacted by the meltdown.

In a statement, Southwest described the agreement as “a consumer-friendly settlement.” The airline says it has taken steps since last year’s disruption to improve its operational resiliency and customer care.

“We have spent the past year acutely focused on efforts to enhance the Customer Experience with significant investments and initiatives that accelerate operational resiliency,” said Bob Jordan, Southwest Airlines President & CEO in a statement. “Our commitment to Customers has been central to our success across our 52-year history and has helped us become one of the world’s most admired and trusted airlines.”

PHOTO: BOEING 737-7H4 N766SW, BY Z. BUBAKAZ, USED UNDER CC BY-SA 2.0

Joseph McCafferty is editor & publisher of Compliance Chief 360°

TracFone to Pay $23.5M for Violations of FCC Subsidy Program Rules
https://compliancechief360.com/tracfone-to-pay-23-5m-to-settle-fcc-charges-of-violating-subsidy-program-rules/ | Thu, 30 Nov 2023 04:36:56 +0000

Verizon subsidiary TracFone Wireless has agreed to a settlement with the Federal Communications Commission to resolve charges that the telecom company violated the rules of a program intended to help low-income consumers purchase Internet access and phone services at a discount. TracFone has agreed to compliance measures and will pay $23.5 million in penalties to settle the charges.

Following its acquisition by Verizon, TracFone self-identified and reported to the FCC and the Universal Service Administrative Co. certain instances in which it may have violated the rules of two programs, Lifeline and the Emergency Broadband Benefit, which lower the cost of communication services for those who qualify.

“Whether attributable to fraud or lax internal controls, or both, we will vigorously pursue allegations of misconduct that harms critical FCC programs designed to help those most in need of communications-related services,” said Loyaan Egal, enforcement bureau chief at the FCC. “This settlement sends a strong message that we are determined to protect the integrity of these programs. I want to thank the Enforcement Bureau’s Investigations and Hearings Division for its outstanding work on this matter.”

Improper Claims

The Enforcement Bureau investigated TracFone’s procedures for determining customer usage, which are critical for ensuring public funds are not subsidizing unused connections. TracFone disclosed that its internal processes resulted in Lifeline claims for customers who had not used the service in the prior 30 days, contrary to the Commission’s rules. Specifically, TracFone’s internal systems: 1) improperly considered a subscriber’s receipt of an inbound text message to constitute qualifying Lifeline usage; and 2) improperly claimed support for a group of customers who were enrolled jointly in both the Lifeline and EBB programs, but did not use one of the services in the prior 30-day period.

TracFone also disclosed that a group of its field enrollment representatives used falsified tax documents to enroll subscribers in TracFone’s Lifeline and EBB services. After working with auditors, TracFone reimbursed the Universal Service Fund a total of $22.6 million for Lifeline from January 2019 through October 2021 and also paid back $17.8 million in EBB funds. TracFone further disclosed 79 field enrollment agents who were paid commission-based compensation tied to the number of customers enrolled, despite the FCC’s rules prohibiting such arrangements.

To resolve these matters, TracFone entered into a Consent Decree with the Enforcement Bureau in which it agreed to a series of terms and conditions for future compliance that take into consideration TracFone’s voluntary disclosures and its cooperation during the investigation. TracFone has also agreed to pay $6.013 million to resolve a 2020 Notice of Apparent Liability (NAL) alleging the company claimed federal Lifeline funding for thousands of Texas customers who apparently were not eligible for the program, as well as enrollments in Florida that resulted from sales agents apparently manipulating customer data to create fake accounts.

TracFone Consent Decree Details

The consent decree imposes the following conditions, among others:

1) Compliance Officer: Within 30 calendar days after the effective date, TracFone must designate a senior corporate manager with the requisite corporate and organizational authority to serve as a Compliance Officer and to discharge the duties set forth in the decree. The person designated as the Compliance Officer shall be responsible for developing, implementing, and administering the compliance plan and ensuring that TracFone complies with the terms and conditions of the consent decree.

2) Operating Procedures: Within 30 calendar days, TracFone shall establish Operating Procedures that all covered employees must follow to help ensure TracFone’s compliance with the Lifeline Rules. TracFone’s Operating Procedures shall include internal procedures and policies specifically designed to ensure that it does not submit claims for reimbursement for subscribers who are ineligible because they lack qualifying usage of Lifeline service, that ineligible subscribers are timely identified and de-enrolled, and that enrollments in Lifeline conform to the customer eligibility determinations.

3) Compliance Manual: Within 60 calendar days, the Compliance Officer shall develop and distribute a Compliance Manual to all Covered Employees. The Compliance Manual shall explain the Lifeline Rules and set forth the Operating Procedures that Covered Employees shall follow to help ensure TracFone’s compliance with the Lifeline Rules. TracFone shall periodically review and revise the Compliance Manual as necessary to ensure that the information set forth therein remains current and accurate.

4) Compliance Training Program: TracFone shall establish and implement a Compliance Training Program on compliance with the Lifeline Rules and the Operating Procedures. As part of the Compliance Training Program, Covered Employees shall be advised of TracFone’s obligation to report any noncompliance with the Lifeline or EBB Rules and shall be instructed on how to disclose noncompliance to the Compliance Officer. Compliance training pursuant to the Compliance Training Program shall be an annual requirement.

5) Reporting Noncompliance: TracFone shall report any material noncompliance with the Lifeline or EBB Rules or with the terms and conditions of this Consent Decree within 30 calendar days of a report made to the Compliance Officer. In complex cases that require additional investigation, TracFone may seek up to an additional 30 calendar days, which shall not be unreasonably denied, to make such a report of material noncompliance.

6) Compliance Reports: TracFone must file compliance reports with the Commission 90 calendar days after the Effective Date, 12 months after the Effective Date, 24 months after the Effective Date, and 36 months after the Effective Date. Each Compliance Report shall include a detailed description of TracFone’s efforts during the relevant period to comply with the terms and conditions of this Consent Decree and the Lifeline Rules.

The Lifeline program provides a monthly discount of up to $9.25 on broadband and phone service for qualifying low-income consumers. Carriers participating in the program receive funds for each eligible Lifeline subscriber and must pass the savings on to those subscribers. The Lifeline program is paid for using Universal Service Fund dollars, and that money comes from fees assessed on the phone bills of American consumers and businesses. The separately funded EBB program helped lower the cost of high-speed internet and connected devices for eligible households in 2021 during the COVID-19 pandemic.


Joseph McCafferty is editor & publisher of Compliance Chief 360°.

HHS Reaches First Settlement with Health Care Firm Involved in Ransomware Attack
https://compliancechief360.com/hhs-reaches-first-settlement-with-health-care-firm-involved-in-ransomware-attack/ | Tue, 31 Oct 2023 20:22:32 +0000

The U.S. Department of Health and Human Services announced a $100,000 settlement with Doctors’ Management Services for failures to determine the potential risks and vulnerabilities to electronic protected health information after a cyberattack exposed the information of more than 200,000 patients.

It is notable in that it is the first settlement the HHS’s Office for Civil Rights (OCR) has reached with an organization affected by ransomware, under its HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.

Doctors’ Management Services (DMS), a Massachusetts medical management company that provides medical billing and payor credentialing, was attacked by the now-defunct GandCrab ransomware gang in April 2017, but the intrusion was not detected until late December of the following year, after the group encrypted the company’s files. The $100,000 settlement resolves a large breach reporting failure regarding a ransomware attack that affected the electronic protected health information of 206,695 individuals.

OCR’s investigation found evidence of potential failures by DMS to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.

Increased Threat of Ransomware

Ransomware and hacking are the primary cyber-threats in health care. In the past four years, there has been a 239 percent increase in large breaches reported to OCR involving hacking and a 278 percent increase in ransomware, according to HHS. This trend continues in 2023, where hacking accounts for 77 percent of the large breaches reported to OCR. Additionally, the large breaches reported this year have affected over 88 million individuals, a 60 percent increase from last year.

“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches.” said OCR Director, Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

The initial unauthorized access to the network occurred on April 1, 2017; however, Doctors’ Management Services did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt their files. In April 2019, OCR began its investigation.

Mandated Reforms to Comply with HIPAA

Under the terms of the settlement agreement, OCR will monitor Doctors’ Management Services for three years to ensure compliance with HIPAA. In addition, Doctors’ Management Services has agreed to pay $100,000 to OCR and to implement a corrective action plan, which identifies steps that Doctors’ Management Services will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of electronic protected health information, including:

  • Review and update its Risk Analysis to identify the potential risks and vulnerabilities to Doctors’ Management Services’ data in order to protect the confidentiality, integrity, and availability of electronic protected health information.
  • Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
  • Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
  • Provide workforce training on HIPAA policies and procedures.

OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following best practices to mitigate or prevent cyber-threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes; conduct them regularly and whenever new technologies or business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training that is specific to the organization and to job responsibilities, and deliver it on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

HHS’s OCR says it “is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information.” Guidance about the Privacy Rule, Security Rule, and Breach Notification Rules can also be found on OCR’s website.

Sanctions Screening and AML Programs: Embracing a More Holistic Approach
https://compliancechief360.com/sanctions-screening-and-aml-programs-embracing-a-more-holistic-approach/ | Mon, 16 Oct 2023 22:59:24 +0000

The effectiveness of sanctions screening and anti-money laundering (AML) programs has recently faced extraordinary challenges. The increasing reliance on digital technology, the war in Ukraine, a record surge in sanctions, heightened regulatory scrutiny, and the current economic environment have placed tremendous strain on already stretched compliance teams.

Rapidly changing elements of digital finance and geopolitical dynamics mean organizations need to continuously adapt and improve sanctions screening programs and AML measures for compliance programs to maintain their effectiveness and integrity. Regulatory enforcement of sanctions violations also appears to be on the rise. Managing sanctions risk has become more complex than ever.

To cope with this pressure and stay compliant, organizations need a strong sanctions screening program—one that achieves a healthy balance between data demands, compliance posture, and operational equilibrium.

Avoiding Data Malnutrition

Access to accurate, high-quality data is essential for a healthy sanctions screening program. Screening effectiveness is compromised by incomplete or inaccurate data, which produces an overwhelming number of alerts and false positives while also increasing the risk of false negatives, that is, true matches that go unflagged.

Compliance teams need to screen customers and transactions against a myriad of constantly changing sanctions lists, as new designations are added, existing entries are modified, and others are removed.

Screening data needs to include both sanctions and customer data, which are the backbone of any healthy screening program. These insightful data sets enable businesses to accurately screen their customers (both existing and new) and transactions against the latest sanctions lists and prevent inadvertent engagement with sanctioned parties.

Additionally, there are a multitude of sanctioning bodies, including sovereign states and their agencies such as the Office of Foreign Assets Control, regional unions, and international organizations, each enforcing its own sanctions—and these lists do not always align. Each sanctioning body has its own unique way of organizing and disseminating the data, which can create complexities in integrating and comparing the information.

Navigating through a variety of formats and sizes of sanctions lists, keeping track of frequent updates and ensuring real-time screening requires continuous effort and resources. This means organizations should use extensively researched and up-to-date global risk information that includes the latest Politically Exposed Persons and sanctions lists as well as adverse media and enforcement records from all corners of the world.

Even so, the strength of external data alone is not enough. The quality of customer data is equally important. Streamlining data acquisition processes and enriching customer and third-party data is a must. Organizations should invest time at the very front of their screening processes to cleanse and prepare their data. Conducting an internal data quality assessment will greatly improve process efficiency, saving time in unnecessary remediation.

Today’s high-risk global marketplace also means organizations need to have a clear understanding of their prospective customers and proactively assess the risks they may bring to their business. It’s not only customers, however, who can present sanctions risk. A comprehensive screening program encompasses a list of various entities connected to the organization’s operations including associates, beneficial owners, and the extended supply chain. Regularly reviewing and updating internal and external data is crucial for businesses, as regulatory bodies around the world constantly evolve their rules and restrictions to address geopolitical tensions, financial crimes, and global security concerns.

Strengthening Compliance’s Analytics Capabilities

Access to more accurate, high-quality data is critical for productive screening. While vast amounts of data can deliver deep insights, however, the sheer volume can cause problems for organizations seeking to identify suspicious activity that could constitute compliance risk.

This is where technology automation has a lot to offer. Applying powerful analytics and machine-learning techniques to screening programs helps accurately record, cross-reference, and analyze massive quantities of data and variables. This has distinct benefits when it comes to customer, vendor, and third-party screening as this activity requires the aggregation of disparate data sources including internal systems and external sources.

The world’s rapidly evolving regulatory landscape is increasing demand for organizations to proactively manage risk on a daily and sometimes hourly basis. As challenges continue to grow, it becomes imperative for tools and strategies to evolve accordingly. By harnessing the power of collecting, managing, and analyzing both external and internal data, organizations can gain strategic advantages in risk management. Embracing the latest technologies empowers them to proactively identify, manage, mitigate, and prevent risks effectively.

Organizations can use this increased capability to interrogate their records and identify screening issues earlier, moving from a reactive to a proactive compliance posture that prevents or neutralizes threats before they become a problem. Automating previously manual, time-consuming processes reduces costs, improves compliance efficiency, and frees up staff for the tasks that require human judgment.

Boosting Operational Metabolism

One of the greatest challenges organizations face when it comes to sanctions screening is managing frequent alerts and false positives. This is particularly true for legacy systems that rely on fuzzy matching and rules-based screening, as these methods have limitations that make them less effective in handling the complexity of sanctions and countless changes to watchlists.

To address these challenges and reduce the number of false positives, businesses should turn to more advanced technologies such as machine learning and big data analytics. Modernizing legacy technology is a critical first step, ideally followed by a thorough analysis of the quality of the data the organization holds, as data gaps and inaccuracies can compromise screening effectiveness. Finally, organizations should stop treating every alert as equal and instead weigh the likelihood that it is a true match and the level of risk the matched entity represents. Entity resolution tools make this possible.

Deploying entity resolution tools to assess the relevance scores for alerts helps organizations transition from a perspective of quantity to one focused on quality. These tools help consolidate and link records that refer to the same real-world entity, even if the data points have slight variations or discrepancies, enhancing the screening process with improved relevance and matching precision for handling false positives.

Rather than relying on a rules-based method to accept or reject matches, entity resolution employs sophisticated analytics and accurate entity linking to match data points and assess the probability that two database records represent the same real-world individual, company, or entity. This process filters out irrelevant records, enabling it to identify genuine matches and uncover concealed relationship risks.

This approach provides a quantitative assessment of customer risk, evaluating the strength of the match between a customer account and a watchlist entity. It focuses on identifying matches that merit immediate attention, ensuring a more targeted and efficient risk management process.
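The scored, evidence-weighted matching described above, as an added example that is not part of the article and is not LexisNexis code: it normalizes names, combines token overlap with character similarity, then treats date of birth and country as corroborating or refuting evidence before triaging each candidate into escalate, review or suppress. The watchlist, customer records, weights and thresholds are all constructed for illustration and would be tuned against real alert outcomes in practice.

```python
"""
Added example (not from the article or LexisNexis): probabilistic
sanctions-name matching with evidence-based triage, instead of a flat
yes/no rules hit. All records, weights and thresholds are illustrative.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample watchlist; these are not real designations.
WATCHLIST = [
    {"id": "WL-1", "name": "Ivan Petrovich Sokolov", "dob": "1970-03-14", "country": "RU"},
    {"id": "WL-2", "name": "Ivan Sokolov",           "dob": None,         "country": "BY"},
    {"id": "WL-3", "name": "Sokolov Trading LLC",    "dob": None,         "country": "RU"},
]


def normalize(name):
    """Fold accents, case and punctuation; return sorted tokens so that
    'Sokolóv, Ivan' and 'ivan sokolov' compare equal (name order varies by source)."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", ascii_name.lower())
    return sorted(cleaned.split())


def name_similarity(a, b):
    """Blend token Jaccard overlap (0.6) with character-level similarity (0.4)
    of the normalized names. Returns a value in [0, 1]."""
    ta, tb = normalize(a), normalize(b)
    union = set(ta) | set(tb)
    if not union:
        return 0.0
    jaccard = len(set(ta) & set(tb)) / len(union)
    seq = SequenceMatcher(None, " ".join(ta), " ".join(tb)).ratio()
    return 0.6 * jaccard + 0.4 * seq


def match_score(customer, entry):
    """Score one customer/watchlist pair and record which evidence drove it.
    A confirmed DOB match corroborates strongly; a DOB mismatch refutes hard,
    because two people sharing a name but not a birth date are different people."""
    score = name_similarity(customer["name"], entry["name"])
    evidence = [f"name={score:.2f}"]
    if customer.get("dob") and entry.get("dob"):
        if customer["dob"] == entry["dob"]:
            score = min(1.0, score + 0.25)
            evidence.append("dob=match")
        else:
            score *= 0.4
            evidence.append("dob=mismatch")
    if customer.get("country") and entry.get("country"):
        if customer["country"] == entry["country"]:
            score = min(1.0, score + 0.05)
            evidence.append("country=match")
        else:
            score *= 0.9
            evidence.append("country=mismatch")
    return round(score, 3), evidence


def triage(score, evidence, review_threshold=0.6, escalate_threshold=0.85):
    """Name-only evidence can never auto-escalate: without a corroborating
    identifier the alert goes to an analyst instead of being actioned."""
    if score >= escalate_threshold and "dob=match" in evidence:
        return "escalate"
    if score >= review_threshold:
        return "review"
    return "suppress"


def screen(customer, watchlist=WATCHLIST):
    """Return every watchlist candidate ranked by match strength with a triage label,
    so reviewers work the strongest evidence first rather than a flat alert queue."""
    results = []
    for entry in watchlist:
        score, evidence = match_score(customer, entry)
        results.append({"id": entry["id"], "score": score,
                        "label": triage(score, evidence), "evidence": evidence})
    return sorted(results, key=lambda r: -r["score"])


if __name__ == "__main__":
    # Constructed customers: one corroborated by DOB, one sharing only a name.
    for cust in ({"name": "Sokolov, Ivan P.", "dob": "1970-03-14", "country": "RU"},
                 {"name": "Ivan Sokolov", "dob": "1988-11-02", "country": "US"}):
        print(cust["name"])
        for r in screen(cust):
            print(f"  {r['id']} {r['score']:.3f} {r['label']:9} {' '.join(r['evidence'])}")
```

Running the block shows the behaviour the passage argues for: the customer whose date of birth matches the listed individual ranks first and is escalated, while a customer who merely shares the name with an entry that carries no date of birth is routed to review, and the DOB-contradicted candidate is suppressed rather than raised as yet another false positive.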

As sanctions screening and AML programs face ongoing pressure and emerging threats, innovative and more holistic approaches to screening are necessary. By leveraging the latest technology and engaging high-quality, dynamic, and global data, organizations can enhance their match precision and prioritized risk ranking, resulting in a more accurate and effective screening process.

Forward-thinking organizations will gain stronger control over false positives and be able to achieve the much-needed balance between strong compliance posture and operational efficiency.


Grayson Clarke is senior vice president of LexisNexis Risk Solutions.

The post Sanctions Screening and AML Programs: Embracing a More Holistic Approach appeared first on Compliance Chief 360.

California to Adopt Most Stringent Carbon Disclosure Law in the Nation
https://compliancechief360.com/california-to-adopt-most-stringent-carbon-disclosure-law-in-the-nation/
Mon, 18 Sep 2023 20:18:02 +0000

California legislators passed one of the most sweeping greenhouse gas emissions bills in the nation this week, and Governor Gavin Newsom has announced his intention to sign it into law. If signed, the law would require companies with more than $1 billion in revenue that operate in California to report their direct and indirect greenhouse gas emissions starting in 2026.

The legislation would require thousands of public and private businesses that operate in California and make more than $1 billion annually to report their direct and indirect emissions. It is estimated that it could impact more than 5,000 companies. The goal, say lawmakers, is to increase transparency and nudge companies to evaluate how they can cut their emissions.

The measure, the first of its kind in the nation, passed in a 48-20 Assembly vote last week before the Senate signed off on it in a 27-8 concurrence vote. It now heads to Gov. Gavin Newsom for a final decision. Speaking at a climate panel in New York City, the governor said "of course" he would sign it. Because so many large companies have operations in California, some consider it a de facto national mandate, with widespread implications for large companies everywhere.

Reporting on ‘Indirect’ Scope 3 Emissions

Many companies already disclose their Scope 1 emissions, which come directly from company operations and owned assets, and their Scope 2 emissions, which come from the electricity and other energy they purchase. Under California's proposed legislation, businesses would also be required to report their Scope 3 emissions: those produced indirectly up and down their supply chains, including by the end use of their products.

California’s disclosure law would be more stringent than the one being finalized by the Securities and Exchange Commission, which dropped the Scope 3 requirement after intense pressure from corporate representatives.

“We are out of time on addressing the climate crisis,” Democratic Assemblymember Chris Ward said in a statement. “This will absolutely help us take a leap forward to be able to hold ourselves accountable.”

The announcement comes one day after California Governor Newsom and Attorney General Rob Bonta announced a landmark case against five energy companies, Exxon, Shell, Chevron, ConocoPhillips, and BP, which they accuse of misleading the public about the dangers of climate change. The suit, the most ambitious attempt by any American official to hold fossil fuel companies accountable for climate change, alleges that the dishonest conduct has continued, as oil companies attempt to mislead the public about their greenhouse gas emissions.

The post California to Adopt Most Stringent Carbon Disclosure Law in the Nation appeared first on Compliance Chief 360.