Featured Archives - Compliance Chief 360
https://compliancechief360.com/category/featured/
The independent knowledge source for Compliance Officers
Wed, 29 Apr 2026 21:52:37 +0000

HIPAA Enforcement Targets Employer Health Plans, Expanding Compliance Risk
https://compliancechief360.com/hipaa-enforcement-targets-employer-health-plans-expanding-compliance-risk/
Wed, 29 Apr 2026 21:50:07 +0000

A recent enforcement action by the U.S. Department of Health and Human Services is sending a clear signal to corporate compliance teams: HIPAA obligations don’t stop at hospitals and insurers.

In a newly reported case, the agency’s Office for Civil Rights pursued enforcement against a self-funded employer health plan—marking a notable shift in how regulators are applying health data privacy rules. While HIPAA has long governed how medical providers and insurers handle protected health information, this action underscores that employers who sponsor health plans may also face direct scrutiny.

For many organizations, that represents a meaningful change in risk exposure.

Employer-sponsored health plans, particularly self-funded arrangements, are common across large and mid-sized companies. These plans often rely heavily on third-party administrators to process claims and manage data. As a result, compliance responsibilities can feel diffuse, split between HR, vendors, and legal teams. This latest enforcement activity suggests regulators are taking a different view.

Rather than focusing solely on service providers, enforcement is moving upstream—toward the plan sponsors themselves.

For compliance officers, the implications are practical. It is no longer sufficient to rely on vendor assurances or contractual protections alone. Regulators appear to be expecting companies to demonstrate active oversight of how health data is handled, including how vendors store, process, and secure sensitive information.

That shift puts a spotlight on governance. Companies may need to reassess whether their compliance programs adequately cover employee health data, particularly if responsibility has historically sat outside the core compliance function. Coordination between compliance, HR, IT, and third-party risk teams is likely to become more important.

The development also reflects a broader regulatory trend. Across industries, enforcement agencies are expanding their focus beyond traditional targets and looking more closely at how organizations manage outsourced activities. Whether the issue is cybersecurity, financial controls, or data privacy, the message is consistent: delegating a function does not eliminate accountability.

In the HIPAA context, that means plan sponsors may be expected to maintain clear documentation of their oversight efforts. This could include vendor due diligence, periodic audits, incident response procedures, and employee training around the handling of health information.

For companies that have not historically treated HIPAA as an enterprise-wide compliance issue, this may require a reset. Even organizations outside the healthcare sector could find themselves subject to enforcement if their internal controls fall short.

The takeaway for compliance professionals is straightforward. Employer health plans are no longer a peripheral concern. They are becoming part of the broader compliance landscape, with regulators paying closer attention to how these programs operate in practice.

As enforcement evolves, companies that take a more integrated approach to data privacy and vendor oversight will be better positioned to manage the risk—and to demonstrate that their controls work when it matters most.


Joseph McCafferty is editor and publisher of Compliance Chief 360°.

FINRA Keeps Pressure on Off-Channel Messaging as Enforcement Focus Shifts
https://compliancechief360.com/finra-keeps-pressure-on-off-channel-messaging-as-enforcement-focus-shifts/
Tue, 28 Apr 2026 21:20:34 +0000

The crackdown on off-channel communications at financial firms isn’t over—it has simply taken a quieter, more targeted turn.

While the U.S. Securities and Exchange Commission drew headlines over the past several years with multibillion-dollar penalties for financial firms where employees communicated with undocumented texts and messages, recent developments suggest that FINRA is continuing to pursue the issue with steady intensity.

In the past several days, compliance observers and industry reporting have pointed to ongoing FINRA enforcement activity tied to unapproved communication channels. Rather than large, broad settlements, the regulator’s current approach appears more embedded in routine examinations and disciplinary actions. That shift makes the risk less visible—but no less real.

At the center of the issue is a familiar problem: employees using personal devices and apps such as text messaging or encrypted platforms to conduct business conversations. When those communications are not captured and retained, firms can fall short of recordkeeping requirements, a longstanding pillar of securities regulation.

What has changed is the expectation around control. Regulators are no longer satisfied with written policies that prohibit off-channel communications. Instead, they are looking for evidence that firms are actively detecting, preventing, and addressing violations in practice.

Recent enforcement patterns also suggest a growing focus on individual accountability. In addition to firm-level penalties, disciplinary actions increasingly include suspensions and fines for registered representatives and supervisors. For compliance leaders, that raises the stakes internally, particularly when it comes to training, supervision, and escalation.

The continued attention from FINRA is significant for another reason: it challenges a perception that the issue had cooled following the SEC’s earlier enforcement wave. In reality, the underlying expectations have not changed, and examination programs continue to test firms’ controls in this area.

For chief compliance officers, the takeaway is straightforward. Off-channel communications remain an active enforcement priority, even if they are no longer dominating headlines. Firms that scaled back monitoring efforts or treated the issue as largely resolved may find themselves exposed during routine exams.

More broadly, the trend reflects a shift in how regulators evaluate compliance programs. The question is no longer just whether a firm has a policy in place, but whether that policy is working in day-to-day behavior. In that sense, off-channel communications have become a clear test case for a wider regulatory approach—one that places increasing weight on evidence, supervision, and real-world outcomes.


Joseph McCafferty is editor and publisher of Compliance Chief 360°.

CFPB Revises Fair Lending Standards, Shifting Compliance Focus to Intent
https://compliancechief360.com/cfpb-revises-fair-lending-standards-shifting-compliance-focus-to-intent/
Fri, 24 Apr 2026 18:16:45 +0000

The Consumer Financial Protection Bureau (CFPB) has finalized a rule that narrows how fair lending laws are enforced, marking a notable shift for compliance programs across the financial services industry.

The rule amends Regulation B, which implements the Equal Credit Opportunity Act (ECOA). Its most significant change is the removal of “disparate impact” as a basis for enforcement. Disparate impact refers to situations where a policy or practice results in unequal outcomes for certain groups, even if there was no intent to discriminate.

Under the updated framework, enforcement will focus primarily on cases involving clear evidence of intentional discrimination. In practical terms, this means regulators will be less likely to challenge lending practices based solely on statistical disparities in outcomes. Instead, examinations and enforcement actions are expected to emphasize documentation, decision-making processes, and evidence of intent.

For compliance teams, this change may alter how fair lending risk is assessed and monitored. Historically, many institutions have relied heavily on data analysis to identify potential disparities across protected classes. While that type of analysis is still valuable for internal risk management, it may play a less central role in regulatory scrutiny going forward.

At the same time, institutions should not interpret the change as a reduction in overall fair lending expectations. The ECOA remains in effect, and examiners are likely to continue reviewing policies, procedures, and controls to ensure that lending decisions are applied consistently and without bias. Strong governance, clear documentation, and well-defined underwriting criteria will remain essential.

The rule also includes updates related to “discouragement,” which addresses whether potential applicants are deterred from applying for credit. The revised approach narrows how discouragement is evaluated, placing greater emphasis on explicit actions or statements rather than inferred effects. This may reduce ambiguity in examinations, but it also underscores the importance of training front-line staff on appropriate communications with applicants.

Another area affected is the treatment of special purpose credit programs, which are designed to expand access to credit for under-served groups. The rule clarifies certain requirements for these programs, and institutions offering them may need to revisit their design and documentation to ensure alignment with the updated standards.

From an operational standpoint, compliance functions may consider recalibrating their fair lending frameworks. This could include reviewing monitoring methodologies, reassessing model governance practices, and ensuring that policies clearly articulate nondiscriminatory intent. Internal audits may also need to adjust their testing approaches to reflect the revised regulatory focus.

Industry response has been mixed, with some stakeholders noting that the changes may provide greater clarity and reduce uncertainty in enforcement. Others have raised concerns about the potential for reduced visibility into systemic disparities. Regardless of perspective, the rule represents a meaningful change that institutions will need to incorporate into their compliance programs.


Joseph McCafferty is Editor & Publisher of Compliance Chief 360°

EU Official Says Antitrust Must ‘Stay Strong’ Against Politics
https://compliancechief360.com/eu-official-says-antitrust-must-stay-strong-against-politics/
Tue, 31 Mar 2026 18:40:15 +0000

The Commissioner for Competition at the European Commission, Teresa Ribera, warned that political influences are in danger of corrupting competition enforcement decisions. Ribera argues that antitrust must stay strong against politics and its pressures to ensure impartial and evidence-based enforcement policies. In a statement, she emphasized independence from political pressures and emphasized a willingness to consider industrial policy goals in merger reviews, potentially allowing more leniency for European companies compared to her predecessors.

“I have not got any type of interference on the political bias approach on how we need to deliver. We are bound by the law. We have been developing our own update on how we may assess the different cases, and we have always been quite respectful, and that is my case as commissioner, but also the case of my predecessors in the role of commissioner,” said Ribera during a press conference.

These stances were taken in response to growing pressures to change how competition policy is handled, with antitrust authorities in some regions facing pushback to clear mergers or drop investigations in favor of national economic threats, as stated by MLex. Last November, Ribera also accused the United States of “blackmail” on tech regulation, emphasizing the EU competition policy would not change to accommodate U.S. political pressure or threats of tariffs, according to an article in Politico.

FTC Launches Health Care Task Force
https://compliancechief360.com/ftc-launches-health-care-task-force/
Tue, 24 Mar 2026 17:51:35 +0000

The FTC chairman, Andrew Ferguson, has instructed the FTC staff to create a special health care task force intended to better protect patients, healthcare workers, and taxpayers. The FTC said, in a statement, that the task force will create a coordinated, competitive, and innovative approach to how the agency regulates health care organizations.

In a memorandum, Chairman Ferguson directed the FTC’s Bureaus of Competition, Consumer Protection, and Economics, as well as the Office of Policy Planning and Office of Technology, to form the health care task force.

According to Ferguson, the task force will help the agency to “share knowledge, resources, third-party sources, market intelligence, case leads, and relationships with other agencies and stakeholders.”

The Health Care Task Force will:

  • Lead targeted enforcement and advocacy initiatives focused on key priorities;
  • Devise coordinated agency-wide strategies on investigations;
  • Take a proactive and strategic approach to identifying amicus and statement of interest opportunities; and
  • Identify emerging issues and new priority areas for enforcement and advocacy.

The task force will also seek to expand its membership to include other agencies and law enforcement partners, including the Department of Health and Human Services and the Department of Justice.

New DOJ Enforcement Policy Emphasizes Individual Misconduct
https://compliancechief360.com/new-doj-enforcement-policy-emphasizes-individual-misconduct/
Thu, 19 Mar 2026 21:02:11 +0000

Earlier this month, the Department of Justice announced a new “department-wide” corporate criminal enforcement policy that it says will promote uniformity, predictability, and fairness in how it pursues corporate wrongdoing. The policy, which it labeled the Corporate Enforcement and Voluntary Self-Disclosure policy, is intended to incentivize companies to self-disclose wrongdoing and hold employees responsible in exchange for potential non-prosecution.

The core aspects of the new DOJ corporate enforcement policy (CEP) are individual accountability, voluntary self-disclosure, a standardized approach, aggravating factors, and incentives. The policy emphasizes that the corporate cooperation credit requires that all facts regarding individuals involved in the misconduct be revealed and provided. Companies that self-disclose can avoid criminal prosecution, unless the circumstances are extreme. The CEP applies to all company criminal matters handled by the department, excluding antitrust violations, and it replaces the inconsistent component-specific policies. However, aggravating factors like any involvement with senior management or pervasive misconduct may result in a declination of prosecution. Companies that self-disclose and cooperate regardless of whether they meet all the criteria may receive reductions in fines as high as 75 percent.

“This Department of Justice is committed to transparency and fairness, and our first-ever Department-wide corporate enforcement policy is yet another example of that,” said deputy attorney general Todd Blanche. “This policy draws on decades of experience across the Department and creates incentives for companies to come forward and do the right thing when misconduct occurs so that we may hold accountable the individual wrongdoers. Well-intentioned businesses know that, across the department, they will be rewarded when they self-disclose wrongdoing, cooperate with our investigations, and remediate the misconduct. But for those that do not, make no mistake — we will not hesitate to seek appropriate resolutions against companies and individuals alike that perpetrate white collar offenses that harm American interests.”

According to the DOJ, the main requirements for companies are prompt disclosure, remediation, and cooperation for the DOJ to deal with corporate crime in a consistent, transparent, and predictable environment.

SEC and CFTC Agree to Greater Collaboration Between the Agencies
https://compliancechief360.com/sec-and-cftc-agree-to-greater-collaboration-between-the-agencies/
Thu, 19 Mar 2026 21:01:43 +0000

The Securities and Exchange Commission and the Commodity Futures Trading Commission announced that they have agreed to work more closely and collaborate more on regulatory issues and enforcement. The agencies say the agreement, documented in a “memorandum of understanding,” will allow the agencies to better support lawful innovations, uphold market integrity, reduce regulatory overlap, and protect investors and customers.

The agreement is a formal, non-binding document that outlines a plan to collaborate between the two agencies, which also details roles, responsibilities, and goals without creating legally enforceable obligations.

“The MOU shows the agencies’ commitments to provide fair notice to market participants, respect individual liberty, and foster lawful innovation with the minimum amount of regulation to enhance U.S. finance competitiveness,” the SEC says. The main intention was to resolve the conflict between the agencies and provide a framework of cooperation, particularly on cryptocurrencies and digital assets.

In conjunction with the MOU, the agencies have created what they are calling a “joint harmonization initiative” to advance coordinated oversight and promote regulatory clarity in areas of common regulatory interest. The initiative will support coordination across the policymaking, examination, and enforcement functions of each agency, particularly for joint applications and shared policy efforts, including:

  • Clarifying product definitions through joint interpretations and rulemakings.
  • Modernizing clearing, margin, and collateral frameworks.
  • Reducing frictions for dually registered exchanges, trading venues, and intermediaries.
  • Providing a fit-for-purpose regulatory framework for crypto assets and other emerging technologies.
  • Streamlining regulatory reporting for trade data, funds, and intermediaries.
  • Coordinating cross-market examinations, economic analyses, risk monitoring, surveillance, and enforcement.

“America’s financial markets are the envy of the world because they scale and adapt to meet investor demands. Like our markets, the CFTC’s and SEC’s regulatory frameworks must also evolve and modernize to accommodate the needs of our market participants,” said CFTC Chairman Michael Selig. “This Memorandum of Understanding solidifies the agencies’ commitment to harmonize regulatory frameworks to provide comprehensive and seamless financial market oversight. By working together, we’ll eliminate duplicative, burdensome rules and close gaps in regulation for the benefit of all Americans and usher in a golden age of American finance.”

Head of SEC Enforcement Resigns After Seven Months in Position
https://compliancechief360.com/head-of-sec-enforcement-resigns-after-seven-months-in-position/
Tue, 17 Mar 2026 16:28:06 +0000

The Securities and Exchange Commission’s director of the Enforcement Division, Margaret Ryan, stepped down this week after only a little more than half a year on the job. Sam Waldon, who served as head of enforcement before Ryan, will return to the role as acting director.

During her time in the office, Ryan oversaw what the SEC calls a “course correction” within the division, which it says enabled it to refocus on prioritizing cases that provide meaningful investor protection and strengthen market integrity, rather than technical rule violations with no charges of investor harm. She also allocated division staff toward addressing misconduct such as fraud, market manipulation, and abuses of trust, emphasizing holding individuals accountable for their wrongdoings, promoting stronger deterrence, and better safeguarding investors, according to the SEC.

“I extend my thanks to Chairman Atkins, the Commission, and the staff of the Enforcement Division for the opportunity to continue my public service in a different role,” said Ryan. “As I recently said, I did not seek the role of Director of the SEC’s Division of Enforcement. Rather, this role found me. And for that, I am grateful. I am confident that the foundation I helped to shape—working together with Chairman Atkins—will continue to serve investors and the markets well.”

Under Ryan, enforcement actions at the SEC reached multi-year lows in the 2025 fiscal year, following the leadership transition from SEC Chair Gary Gensler to Paul Atkins. The SEC filed 313 new enforcement actions in 2025, a 27 percent decrease from fiscal year 2024 and the lowest in a decade. Actions against public companies and subsidiaries dropped 30 percent from 2024, with 93 percent of the year’s total actions initiated during the first quarter under Gensler.

Only four actions against public companies were initiated after January 2025 under the new administration, the lowest since 2013. Total monetary settlements for public companies declined by 45 percent, the lowest since 2012. Additionally, the SEC initiated only 10 accounting and auditing actions, a 68 percent decrease from 2024. The main reasons for the decline include leadership changes, new strategies, staffing adjustments, reorganization, and case dismissals. Despite the overall decrease, the SEC says Atkins is prioritizing retail investor protection, cross-border fraud, AI washing, and insider trading.

OFAC Launches New Online Voluntary Self-Disclosure Portal
https://compliancechief360.com/ofac-launches-new-online-voluntary-self-disclosure-portal/
Tue, 17 Feb 2026 19:14:46 +0000

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an online voluntary self-disclosure (VSD) portal for disclosure of potential violations of U.S. sanctions earlier this month. The VSD portal will replace the current system, where organizations voluntarily disclose potential violations over email. The VSD portal provides a more secure and user-friendly method of self-disclosure.

OFAC says the improved system will provide a faster acknowledgement of violation submissions and better communication with the agency. While the method of reporting is changing, nothing about the underlying requirements for self-disclosure will change. OFAC continues to offer the potential for a 50 percent reduction in penalties for qualifying self-disclosures.

A VSD is a self-initiated notification to OFAC of a potential sanctions violation that can earn cooperation credit should the subsequent OFAC investigation find a violation. Compliance experts warn of the importance of self-reporting, since being caught can bring severe repercussions such as civil penalties (fines of over $1 million for each violation), criminal prosecutions ($20 million in fines for each violation and up to 30 years in prison), and administrative actions, among others.

The main features of the new online portal include the two-step disclosure process and disclosure timeline. The two-step disclosure process includes an initial submission regarding the potential violation which prompts the start of the disclosure timeline, and a final submission which is a detailed report after the completion of the entity’s internal investigation. The disclosure timeline will not change, with OFAC expecting companies to submit a follow-up report within 180 days of the initial notification. Additionally, the new portal allows multiple documents to be filed with OFAC at once efficiently. All other underlying procedures and requirements will stay the same.

The new VSD portal took effect in early February.

Modernizing Compliance: How AI and Automation Are Reshaping Internal Controls
https://compliancechief360.com/modernizing-compliance-how-ai-and-automation-are-reshaping-internal-controls/
Mon, 02 Feb 2026 22:06:02 +0000

In today’s fast-paced business environment, regulatory compliance has become both more critical and more complex. Organizations are expected to maintain rigorous internal controls, ensure transparency, and respond swiftly to audits, all while managing sprawling IT ecosystems and evolving risk landscapes.

Regulations like the Sarbanes-Oxley Act (SOX) demand companies adhere to strict financial reporting, information security, and auditing requirements. Yet many businesses still rely on manual processes and fragmented systems to meet these requirements. This approach is not only inefficient but also increases the risk of errors, omissions, and non-compliance.

As digital transformation accelerates, compliance teams are being asked to do more with less, and the result is a widening gap between compliance obligations and operational capacity.

AI and Automation: Driving a Transformation

Artificial intelligence and automation technologies are emerging as powerful allies in the quest for smarter, more scalable compliance. These tools can streamline routine tasks, enhance accuracy, and provide real-time insights into control effectiveness.

Automation is particularly effective in handling repetitive, rules-based activities such as data collection and report generation. By reducing manual effort, it frees up compliance professionals to focus on strategic oversight and risk mitigation.

AI, on the other hand, brings intelligence into the equation. Machine learning algorithms can analyze vast datasets to detect anomalies, flag potential risks, and even predict future compliance issues. Natural language processing can extract insights from unstructured data, such as emails or policy documents, enabling more comprehensive monitoring.

Together, AI and automation are transforming compliance from a reactive, checklist-driven function into a proactive, intelligence-led discipline.

Continuous Compliance and Adaptive Controls

One of the most transformative shifts enabled by AI and automation is the move toward continuous compliance. Rather than relying on periodic audits or static control reviews, organizations can now monitor their control environments in real time.

This approach allows for faster detection of issues, quicker remediation, and more reliable assurance for stakeholders. It also aligns better with the dynamic nature of modern business, where risks can emerge and evolve rapidly.

Adaptive controls, powered by AI, take this a step further. These controls can adjust dynamically based on context, user behavior, or risk signals. For instance, if a user accesses sensitive financial data from an unfamiliar location, the system might require multi-factor authentication or temporarily restrict access until the activity is verified.

Such intelligent controls enhance security while maintaining operational flexibility, helping organizations strike the right balance between risk management and business agility.

Implementation Challenges and Considerations

While the benefits of AI and automation are clear, successful implementation requires thoughtful planning and execution. Organizations must ensure that these technologies are properly integrated into existing systems and workflows, and that they align with broader compliance strategies.

Data quality is a critical factor. AI models rely heavily on accurate, comprehensive inputs to deliver meaningful insights. Poor data hygiene can lead to false positives, missed risks, or misleading recommendations.

Regulatory alignment is another key consideration. As AI becomes more embedded in compliance processes, regulators are beginning to scrutinize its use. Companies must ensure that their AI-driven practices are transparent, explainable, and auditable. This includes documenting how models are trained, how decisions are made, and how outputs are validated.

Cultural change is also essential. Compliance teams may need to develop new skills as they adopt new tools and embrace new ways of working. Collaboration—with IT, cybersecurity, and business units—is vital to ensure that AI and automation initiatives are successful and sustainable.

Solutions for Cybersecurity and Compliance Leaders

To navigate this transformation effectively, organizations should focus on a few foundational strategies:

  • Adopt AI-Integrated Platforms. Start with tools that work seamlessly with your ERP and IT systems to automate tasks and track regulatory change.
  • Automate Repetitive Tasks. Free up your compliance team by automating routine activities like data entry and control testing.
  • Stay Ahead of Regulatory Shifts. Use AI to anticipate changes and adjust your compliance strategies before an issue arises.
  • Build Transparent Audit Trails. Leverage AI to document compliance activities clearly, making audits smoother and more defensible.
  • Centralize Data for Collaboration. Ensure all departments work from the same source of truth to improve coordination and decision-making.

Cybersecurity vendors have a unique opportunity to support these efforts by offering solutions that combine automation, AI, and robust control frameworks. By helping clients modernize their compliance environments, vendors can deliver measurable value while strengthening trust and resilience.

AI is a Business Imperative

AI and automation are no longer emerging trends; they are strategic imperatives for organizations seeking to modernize compliance and internal control management. These technologies offer a path to greater efficiency, accuracy, and agility, enabling companies to meet regulatory demands while staying ahead of risk.

For cybersecurity companies, the opportunity lies in guiding clients through this transformation with scalable, transparent, and vendor-neutral solutions. By doing so, they can help build a future where compliance is not just a requirement, but a competitive advantage.


Chris Radkowski is an SAP GRC expert at Pathlock, an identity security and governance platform. A recognized leader in access governance with over 20 years of experience driving innovation in enterprise security and compliance solutions, he brings deep expertise in application access governance, risk management and regulatory compliance.
