Compliance Chief 360 (https://compliancechief360.com/), the independent knowledge source for Compliance Officers. Feed last updated Thu, 14 Nov 2024 23:43:29 +0000.

Report: Compliance Functions Could Double Tech Spend by 2027
https://compliancechief360.com/report-compliance-functions-could-double-tech-spend-by-2027/
Wed, 13 Nov 2024 23:18:12 +0000

The post Report: Compliance Functions Could Double Tech Spend by 2027 appeared first on Compliance Chief 360.

A new report predicts that compliance and assurance functions could double the amount they spend on new technology by 2027. According to the research, issued by Gartner Inc., generative AI, machine learning, and large language models will fuel a surge in spending by compliance, risk management, and assurance functions.

The news isn’t all good. The report also predicts a wave of disillusionment with advanced technologies as expectations are exceeding capabilities in many cases. Accordingly, Gartner experts have placed AI at the “peak of inflated expectations” in the 2024 “Hype Cycle” for legal, risk, compliance and audit technologies.

“Some assurance leaders are prematurely expecting AI technology to greatly enhance productivity,” said Weston Wicks, senior director analyst in the Gartner Legal & Compliance Practice. “While these technologies show promise, in the near-term Gartner recommends assurance leaders identify where they can pilot and experiment with them while maintaining healthy skepticism as they are implemented.”

Gartner experts believe that GenAI will have a foreseeable impact on adjacent innovations in the analytics space. Certain innovations, such as data and analytics governance, audit analytics, legal analytics, and advanced contract analytics, have therefore moved further toward the trough of disillusionment as their time to plateau becomes nearer-term (two to five years).

Figure: Gartner's 2024 "Hype Cycle" for legal, risk, compliance and audit technologies.

“Certain notable movements on the 2024 Hype Cycle are driven by assurance leaders convinced that incorporating new technology and generative AI (GenAI) tools is necessary to manage the growing burden of new rules and regulations imposed on executives and enterprises globally,” said Wicks. “Select emerging innovations, such as compliance monitoring solutions, have been directly impacted by GenAI and have seen substantial movement along the Hype Cycle as a result.”

Proceed with Caution

While there are some expectations that the advancements in GenAI will be transformative in assurance, Gartner experts caution that early adopters must acknowledge the risks of these new advancements and their impact on teams’ ability to manage them.

“Early lessons learned by assurance leaders include understanding the importance of information management and data governance, and the importance of intentionally including humans in the loop to mitigate bias and other risks,” said Wicks. “For these reasons, Gartner estimates the innovations will achieve high benefit ratings across the next five years.”

SEC Fines Invesco Advisers $17.5M for Misleading ESG Statements
https://compliancechief360.com/sec-fines-invesco-advisers-17-5m-for-misleading-esg-statements/
Mon, 11 Nov 2024 22:41:21 +0000

The post SEC Fines Invesco Advisers $17.5M for Misleading ESG Statements appeared first on Compliance Chief 360.

Invesco Advisers is paying the price for misleading clients and investors about how much of its assets were truly aligned with environmental, social, and governance principles. The Atlanta-based investment firm has agreed to pay a $17.5 million civil penalty to settle the Securities and Exchange Commission’s charges that it issued misleading statements on ESG.

According to the SEC’s order, from 2020 to 2022, Invesco told clients and stated in marketing materials that between 70 and 94 percent of its parent company’s assets under management were “ESG integrated.” However, in reality, these percentages included a substantial amount of assets that were held in passive ETFs that did not consider ESG factors in investment decisions. Furthermore, the SEC’s order found that Invesco lacked any written policy defining ESG integration.

“As stated in the order, Invesco saw commercial value in claiming that a high percentage of company-wide assets were ESG integrated. But saying it doesn’t make it so,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, in a statement. “Companies should be straightforward with their clients and investors rather than seeking to capitalize on investing trends and buzzwords.”

The order charges Invesco with willfully violating the Investment Advisers Act of 1940. Without admitting or denying the order’s findings, Invesco agreed to cease and desist from violations of the charged provisions, be censured, and pay the aforementioned $17.5 million civil penalty.

New Report Identifies Fastest Growing Risks for Companies
https://compliancechief360.com/new-report-identifies-fastest-growing-risks-for-companies/
Thu, 31 Oct 2024 19:42:20 +0000

The post New Report Identifies Fastest Growing Risks for Companies appeared first on Compliance Chief 360.

Digital disruption and climate change have emerged as the two fastest-growing risk areas for organizations across industries, according to a new report.

Based on feedback from more than 3,500 internal audit leaders around the world, global risk levels for digital disruption and climate change are projected to increase 20 percent and 16 percent, respectively, over the next three years, outpacing other risk areas. The research was conducted by the Institute of Internal Auditors’ Internal Audit Foundation for its latest Risk in Focus report.

Despite the growing intensity of these risks, most audit plans do not currently prioritize them, the study found. In fact, neither digital disruption nor climate change were named among the top five areas where internal audit functions allocate the most time and effort, with both ranked in the lower half of audit priorities. Globally, internal audit functions focus predominantly on cybersecurity, governance and corporate reporting, and business continuity, indicating a gap between evolving threats and current areas of attention.

“Our latest research tells us cybersecurity, business continuity, and human capital continue to hold the top three spots in risk ratings. However, respondents anticipate significant changes as risks related to climate change and digital disruption accelerate in the coming years,” said Anthony Pugliese, president and CEO of the IIA. “To ensure both short-term success and long-term sustainability, organizations and their internal audit functions must adapt risk management practices to keep pace with the changing risk landscape.”

Risk in Focus offers a comprehensive view of the current global risk landscape and how it is expected to evolve in the coming years. Because threats are expected to rise steeply for technological advancements and climate change, the 2025 reports focus on leading practices for mitigation of these risks.

Keeping Pace with Digital Disruption

Approximately 39 percent of survey respondents worldwide ranked digital disruption as a top five risk, with that number expected to jump to 59 percent in three years. For North America, these figures are even higher at 48 percent and 70 percent, respectively. Furthermore, respondents worldwide expect digital disruption to rise from the fourth to the second highest ranked risk area in three years.

Artificial intelligence (AI) has introduced new risks to track, especially related to cybersecurity, according to 75 percent of respondents. AI has also impacted many other risk areas, including human capital, fraud, communications, reputation, and more.

AI is a particular focus for internal audit leaders concerning technology-related risks. Specifically, challenges include upskilling and adopting new tools, as well as global disparities in access to and knowledge of emerging technology.

Climate Regulations Driving New Risks

Climate-related risks are currently ranked relatively low, but they are expected to rise substantially soon. About one in four (23 percent) of global respondents view climate change as a top five risk today. However, nearly 40 percent of respondents anticipate it will reach the top five in the next three years, climbing from 13th place to 5th.

Globally, roundtable participants agree that sustainability reporting and compliance requirements are the primary drivers for boards, management, and internal audit functions to allocate resources to climate change. The report revealed significant regional differences in climate-related risk perceptions. For instance, 33 percent of European audit leaders and 30 percent of Canadian audit leaders rate climate change as a top five risk, compared to 9 percent of U.S. audit leaders. Despite the U.S. position, North American respondents expect the share rating climate change as a top five risk to double from 13 percent to 27 percent in three years.

“While climate change has long been recognized as a growing risk for organizations, these findings reveal the extent to which climate-related risks are expected to surge in the near term,” said Pugliese. “It is imperative for organizations, stakeholders, and internal audit leaders to objectively assess the short-term and longer-term risks to their organizations beyond basic compliance with regulations.”

Extreme weather can cause supply chain disruptions, higher operational costs, flooding, famine, and more. Some consumers and investors are calling on organizations to implement more sustainability initiatives. These sustainability initiatives, however, must be reported accurately to avoid greenwashing and reputational damage.

Regional Risk Differences

The study also explored regional differences in the risk landscape through roundtables and separate Risk in Focus reports for Africa, Asia Pacific, Europe, Latin America, the Middle East, and North America. These regional reports outline proactive steps that organizations and audit leaders across industries can take today to mitigate threats and embrace opportunities.

Embracing artificial intelligence and emerging technologies will be critical, as well as prioritizing upskilling, technology-oriented training, and recruitment to manage these risks effectively.

“The IIA has strongly advocated for internal audit functions to take a more strategic advisory role to better serve organizations and stakeholders,” said Pugliese. “The Risk in Focus findings underscore the importance of agile collaboration and partnership among internal audit functions, boards, and management to stay ahead of emerging threats and improve understanding of potential risk exposures.”

Compliance Lessons from Wells Fargo: Four Questions to Ask Your Payment Solution Provider
https://compliancechief360.com/compliance-lessons-from-wells-fargo-four-questions-to-ask-your-payment-solution-provider/
Thu, 31 Oct 2024 16:12:43 +0000

The post Compliance Lessons from Wells Fargo: Four Questions to Ask Your Payment Solution Provider appeared first on Compliance Chief 360.

Wells Fargo’s recent disclosure of regulatory investigations related to its anti-money laundering (AML) and sanctions programs and agreement to “work with U.S. bank regulators to shore up its financial crimes risk management” serves as a timely reminder of the ongoing importance of robust compliance measures in the financial sector.

These events underscore the need for vigilance at all levels of the industry, from major institutions to smaller financial companies, and further highlight the critical role of due diligence in selecting and monitoring payment solution providers for compliance officers, risk practitioners, and internal audit executives.

To that end, here are four essential questions to ask when evaluating potential partners, informed by the latest industry developments:

1. How comprehensive is the BSA/AML compliance program?

A robust Bank Secrecy Act and Anti-Money Laundering (BSA/AML) compliance program is vital to any financial institution’s risk management strategy. When evaluating a provider’s program, look for well-defined internal policies and controls. These should include a documented BSA/AML policy that outlines the organization’s approach to identifying, assessing, and managing money laundering and terrorist financing risks.

The policy should encompass clear customer identification procedures, risk-based customer due diligence processes, and transaction monitoring systems. Additionally, it should detail suspicious activity reporting procedures and record-keeping practices that meet or exceed regulatory requirements. Equally important is a defined process for staying current with regulatory changes and implementing updates promptly.

A dedicated compliance officer should oversee these efforts. This individual should possess relevant experience in BSA/AML compliance, appropriate certifications, and have direct access to senior management and the board of directors. They should be empowered to implement necessary changes across the organization.

Another crucial element is ongoing, comprehensive training. Look for providers that offer role-specific training tailored to different departments, annual refresher courses for all staff, and ad-hoc training to address new regulations or emerging risks. The training program should include testing to ensure comprehension and retention of key concepts, with all activities documented for audit purposes.

Finally, the provider should conduct rigorous auditing and monitoring. This includes regular internal audits of all BSA/AML processes, periodic independent third-party audits, and continuous monitoring of transactions and customer activity. There should be a straightforward process for addressing and remediating audit findings, with regular reporting to senior management and the board on audit results and program effectiveness.

2. Who comprises the compliance team?

The expertise of the compliance team is crucial in navigating complex regulatory landscapes. Look for a diverse team with a mix of legal, financial, and technological expertise.

A well-rounded team might include a chief legal & compliance officer, corporate counsel, senior compliance analysts, a finance settlement manager, information security leaders, and an operations director. This diversity helps ensure a comprehensive approach to compliance and security, reducing the risk of oversight that could lead to regulatory issues.

3. How does the organization embed compliance responsibilities across all departments?

Compliance should not be confined to a single department but should be integrated throughout the organization. A company-wide commitment to compliance should be evident through clear statements from leadership emphasizing its importance, inclusion of compliance objectives in departmental and individual performance metrics, and regular compliance updates in company-wide communications.

Training should extend beyond the compliance department. Look for providers that offer role-specific training illustrating how compliance impacts different job functions. Scenario-based learning can help employees identify and respond to potential compliance issues. The use of multiple training formats can cater to different learning styles, ensuring comprehensive understanding across the organization.

Clear communication channels for reporting potential issues are essential. This includes an anonymous whistleblowing hotline or reporting system, a defined escalation process for compliance concerns, and protection for employees who report potential violations. Regular reminders about these reporting channels reinforce the importance of speaking up.

A culture of compliance is characterized by the incorporation of compliance considerations into all business decisions and processes. This might include recognition for employees who demonstrate strong compliance behavior, zero tolerance for willful non-compliance regardless of an employee’s position, and regular compliance “town halls” or Q&A sessions to foster open dialogue about compliance matters.

4. What is the approach to regular internal audits and regulatory examinations?

In light of increased regulatory scrutiny, regular, independent audits are crucial. Inquire about the frequency and scope of their audits, including how often internal audits are conducted, what areas they cover, and how findings are categorized and addressed.

The provider’s relationship with regulatory bodies and sponsor banks is also important. Ask about their interaction with regulators outside of formal examinations, participation in regulatory outreach events or industry working groups, and their track record with past regulatory examinations.

A strong provider will have a formal process for reviewing and acting on audit and examination findings. This should include tracking and validating corrective actions, measuring the effectiveness of implemented changes, and sharing learnings across the organization.

Staying updated on regulatory changes and industry best practices is crucial. Look for providers that subscribe to regulatory update services, have relationships with outside counsel or consultants for complex regulatory matters, and participate in industry associations or forums.

Finally, inquire about their approach to continuous improvement. This might include using data analytics to enhance compliance programs, conducting regular risk assessments to identify potential gaps or emerging risks, and benchmarking their practices against industry peers.

Proactive Compliance in a Complex Regulatory Environment

The recent Wells Fargo disclosure reminds us that compliance is an ongoing process requiring constant attention and proactive measures. For compliance officers, risk practitioners, and internal audit executives, this underscores the importance of thorough due diligence when selecting and monitoring payment solution providers.

By asking these four key questions and critically evaluating the responses, you can significantly mitigate risks and ensure a more secure financial ecosystem for your organization. Remember, in today’s regulatory environment, compliance isn’t just about meeting minimum requirements—it’s about fostering a culture of integrity and security that permeates every aspect of your operations.

As you evaluate potential payment solution providers, look for partners who share this philosophy and demonstrate a commitment to excellence in compliance and security. In doing so, you’ll not only meet regulatory requirements but also build a foundation of trust with your customers, stakeholders, and regulators, a crucial asset in navigating today’s financial landscape.


Anna Fron is Chief Legal and Compliance Officer at Dash Solutions, a platform that provides digital payments and engagement program management to thousands of customers.

7 Steps to Incorporate Continuous Monitoring in Your Compliance Program
https://compliancechief360.com/steps-to-incorporate-continuous-monitoring-in-compliance/
Mon, 28 Oct 2024 20:58:44 +0000

The post 7 Steps to Incorporate Continuous Monitoring in Your Compliance Program appeared first on Compliance Chief 360.

With risks constantly changing and driving new compliance requirements, compliance programs must be able to respond to change with agility. This highlights the importance of incorporating a continuous monitoring approach.

NIST defines continuous monitoring as: “Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” This enables an organization to quickly pivot and respond strategically as new compliance requirements come into scope. Compliance programs are often developed with short-term goals in mind; for example, complying with an industry standard. However, compliance is not stagnant. Without scalable policies and procedures in place, no matter how well-conceived your program is, decentralization will ultimately hinder the growth and scalability of your program as time goes on.

A strong continuous monitoring foundation can help enable an organization to pivot as new requirements come into scope. Learn seven steps to incorporate continuous monitoring into your compliance program at any stage, including a checklist of key metrics to track.


How Automation Is Redefining Compliance Management
https://compliancechief360.com/how-automation-is-redefining-compliance-management/
Mon, 28 Oct 2024 17:17:19 +0000

The post How Automation Is Redefining Compliance Management appeared first on Compliance Chief 360.

Compliance management has traditionally been marked by accessibility issues, which create barriers to adhering to regulations. These long-established frameworks can be so complicated that they are hard to navigate for those without specialized knowledge. Automated solutions, however, have marked a shift in the landscape, making regulatory compliance something that a broader audience can better understand.

So how have they done that? Automation can streamline processes and reduce associated risks so that as regulations change over time, compliance can keep up with the pace. Businesses are facing increased scrutiny from regulatory bodies, so conducting smoother audits and staying in good financial condition are important considerations.

In the United States, for example, businesses must consider state and local regulations, in addition to federal regulations, when developing strategic plans or plans for new lines of business. Whether through investing in compliance software or hiring specialized legal experts, they need to stay on top of the rapidly developing regulatory environment. Let’s dive into the reasons why automation is redefining compliance management.

Reducing Errors and Streamlining Compliance

Compliance management has traditionally involved many manual processes that were time-consuming and prone to human error. Processes such as audits, vulnerability assessments, and remediation efforts have often required tight coordination between different teams, which can cause large gaps in communication and missed compliance risks. This is where automation can be a game-changer, by integrating compliance tasks and automating manual processes.

Automated systems, for example, can assess IT environments for vulnerabilities, compare current configurations against the settings a regulatory standard requires, and then alert the team to any discrepancies. This lessens the manual workload and the likelihood of overlooked patches or misconfigured systems. This type of monitoring also means that organizations can identify issues before they escalate into regulatory violations or costly breaches.

Automation also permits businesses to be able to handle complex compliance requirements more effectively. For example, regulations like the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX) need to be consistently analyzed, but automation in this case enables regular audits without compliance teams getting overwhelmed.

Avoiding Regulatory Penalties and Ensuring Smooth Audits

If businesses don’t comply with regulations, the costs can be severe, with hefty fines and reputational damage both possibilities. Data breaches can lead to fines of up to $500,000 per incident, alongside ongoing monthly fines. So as these regulations tighten and audits keep coming in, businesses need to be wary to avoid penalties.

Automation means that businesses can stay on top of records and generate reports that reflect their current compliance status. Automated compliance tools also make reports more accurate and comprehensive, and reduce the time and effort required for audit preparation. Centralized documentation is the other benefit: it gives real-time access to compliance records and lets the organization demonstrate adherence to regulators.

Systems like asset inventory and PC lifecycle management solutions can help to bridge the gap between security and operations by integrating vulnerability assessments with remediation processes. This allows for the streamlining of security handoffs and accelerates patching, which in turn, reduces the window of vulnerability and prevents non-compliance issues from accumulating.

Further Strategies for Complying with Changing Regulations

Maintaining compliance while federal, state, and even global regulations are constantly changing is obviously a massive challenge. However, businesses can follow a few additional best practices to stay on top of things. First, organizations should define their required compliance state in sufficient detail. Policy templates built around frameworks such as SOX, HIPAA, or PCI DSS (the first and last were touched on above) can serve as a starting point, and businesses can customize these policies to address their specific needs.

Automation needs to work in tandem with any change management processes to ensure that compliance actions are governed in line with the business’ priorities. By documenting changes and tracking exceptions, organizations can avoid compliance drift and maintain control over their compliance efforts.
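The two ideas above, comparing observed configurations against a defined baseline and tracking documented exceptions so that approved deviations do not silently turn into compliance drift, can be shown in a few dozen lines. The following Python is an added illustration for this article, not SkyStem's code or any product's logic. The control ids, baseline values, host configurations and change tickets are constructed sample data for the example, not text taken from PCI DSS, SOX or any other standard.

```python
"""Configuration-drift check with a tracked exception register.

Added illustration for the article above; not SkyStem's code. The control ids,
baseline values, host configurations and change tickets are constructed sample
data for this example, not text taken from PCI DSS, SOX or any other standard.
"""
from dataclasses import dataclass
from datetime import date

# Baseline: control id -> (setting, comparison, required value).
# "min"/"max" apply to numbers, "ver_min" to dotted version strings, "eq" is exact.
BASELINE = {
    "CTL-PWD-01": ("password_min_length", "min", 12),
    "CTL-SES-02": ("session_idle_timeout_min", "max", 15),
    "CTL-LOG-03": ("audit_logging", "eq", "enabled"),
    "CTL-TLS-04": ("tls_min_version", "ver_min", "1.2"),
}

# Exception register: (host, control) -> (change ticket, expiry).
# A documented exception suppresses a finding only until it expires, so an
# approved deviation is tracked rather than silently becoming permanent drift.
EXCEPTIONS = {
    ("db-02", "CTL-SES-02"): ("CHG-1041", date(2025, 6, 30)),
    ("web-01", "CTL-TLS-04"): ("CHG-0877", date(2024, 1, 31)),
}

# Observed settings per host, as an inventory agent might report them (constructed).
OBSERVED = {
    "web-01": {"password_min_length": 14, "session_idle_timeout_min": 15,
               "audit_logging": "enabled", "tls_min_version": "1.0"},
    "db-02": {"password_min_length": 12, "session_idle_timeout_min": 60,
              "audit_logging": "disabled", "tls_min_version": "1.3"},
    "app-03": {"password_min_length": 8, "audit_logging": "enabled",
               "tls_min_version": "1.2"},  # idle timeout not reported at all
}


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    setting: str
    expected: object
    observed: object
    note: str  # "drift", "missing", or "exception <ticket> expired <date>"


def _version(s):
    """Parse "1.2" -> (1, 2); None for anything that is not a dotted integer string."""
    try:
        return tuple(int(p) for p in str(s).split("."))
    except ValueError:
        return None


def meets(op, required, observed):
    """True when the observed value satisfies the baseline requirement."""
    if op == "min":
        return isinstance(observed, (int, float)) and observed >= required
    if op == "max":
        return isinstance(observed, (int, float)) and observed <= required
    if op == "ver_min":
        v = _version(observed)
        return v is not None and v >= _version(required)
    return observed == required


def check_host(host, observed, today, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Return the findings for one host; `today` is an ISO date string."""
    as_of = date.fromisoformat(today)
    findings = []
    for control, (setting, op, required) in baseline.items():
        actual = observed.get(setting)
        if actual is not None and meets(op, required, actual):
            continue
        note = "missing" if actual is None else "drift"
        exc = exceptions.get((host, control))
        if exc is not None:
            ticket, expiry = exc
            if expiry >= as_of:
                continue  # approved and still in force: tracked, not reported
            note = f"exception {ticket} expired {expiry.isoformat()}"
        findings.append(Finding(host, control, setting, required, actual, note))
    return findings


def run(observed=OBSERVED, today="2024-10-28"):
    """Check every host and return findings sorted for a stable report."""
    findings = []
    for host, cfg in observed.items():
        findings.extend(check_host(host, cfg, today))
    return sorted(findings, key=lambda f: (f.host, f.control))


if __name__ == "__main__":
    for f in run():
        print(f"{f.host:7} {f.control:11} {f.setting}: required {f.expected!r}, "
              f"observed {f.observed!r} [{f.note}]")
```

Run as of 2024-10-28, the sample data yields four findings: app-03 drifts on password length and reports no idle timeout at all (a missing setting is treated as a failure, not a pass), db-02 has audit logging disabled while its long idle timeout is covered by an unexpired ticket, and web-01's old TLS floor is reported because its exception lapsed in January. Re-running the same check with a later date would surface db-02's timeout as soon as that ticket expires, which is the point of tying exceptions to a date rather than to a one-time approval.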

Automation is undoubtedly transforming compliance management by reducing the amount of manual work, minimizing costly errors, and ensuring that organizations are ready for an audit when called upon. Because processes like discovery, audit, and remediation are unified and integrated, businesses can stay compliant with the shifting regulatory landscape.


Shagun Malhotra is founder of SkyStem LLC, a provider of automated account reconciliation software.

SEC Charges Four Companies With Misleading Cyber Disclosures
https://compliancechief360.com/sec-charges-four-companies-with-misleading-cyber-disclosures/
Wed, 23 Oct 2024 18:36:12 +0000

The post SEC Charges Four Companies With Misleading Cyber Disclosures appeared first on Compliance Chief 360.

The Securities and Exchange Commission has charged four public companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. The charges against the four companies—Unisys, Avaya, Check Point Software, and Mimecast—result from an investigation involving public companies impacted by the compromise of SolarWinds’ Orion software.

The SEC also charged Unisys with disclosure controls and procedures violations. The companies agreed to pay the following civil penalties to settle the SEC’s charges:

  • Unisys will pay a $4 million civil penalty;
  • Avaya will pay a $1 million civil penalty;
  • Check Point will pay a $995,000 civil penalty; and
  • Mimecast will pay a $990,000 civil penalty.

“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement. “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.

The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls.

The SEC’s order against Avaya finds that it stated that the threat actor had accessed a “limited number of [the] Company’s email messages,” when Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment.

The SEC’s order against Check Point finds that it knew of the intrusion but described cyber intrusions and risks from them in generic terms. The order charging Mimecast finds that the company minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.

Don’t Downplay the Seriousness of a Breach

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge Tenreiro, acting chief of the Crypto Assets and Cyber Unit. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”

The SEC’s orders find that each company violated certain applicable provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules. Without admitting or denying the SEC’s findings, each company agreed to cease and desist from future violations of the charged provisions and to pay the penalties described above. Each company cooperated during the investigation, including by voluntarily providing analyses or presentations that helped expedite the staff’s investigation and by voluntarily taking steps to enhance its cybersecurity controls.

SEC Issues Its List of 2025 Examination Priorities
https://compliancechief360.com/sec-issues-its-list-of-2025-examination-prioriries/
Tue, 22 Oct 2024

The Securities and Exchange Commission’s Division of Examinations has released its 2025 examination priorities. This year’s examinations will prioritize perennial and emerging risk areas, such as fiduciary duty, standards of conduct, cybersecurity, and artificial intelligence. For fiscal year 2025, in addition to conducting examinations in core areas such as disclosures and governance practices, the Division will also examine for compliance with new rules, the use of emerging technologies, and the soundness of controls intended to protect investor information, records, and assets.

The Division publishes its examination priorities annually to inform investors and registrants of potential risks in the U.S. capital markets and to make them aware of the examination topics that the Division plans to focus on in the new fiscal year.

“The Division of Examinations 2025 priorities enhance trust in our ever-evolving markets,” said SEC Chair Gary Gensler. “In examining for compliance with our time-tested rules, the Division plays a critical role in protecting investors and facilitating capital formation. Working with registrants to understand the rules helps ensure that markets work for investors and issuers alike.”

The Division examines SEC-registered investment advisers, investment companies, broker-dealers, clearing agencies, and self-regulatory organizations, among others, for compliance with federal securities laws. The Division prioritizes examinations of the practices, products, and services that were found, through a risk-based assessment, to present a heightened risk to investors or the integrity of the U.S. capital markets, it said in a statement. The annual publication of the examination priorities furthers the SEC’s mission and aligns with the Division’s four pillars to promote and improve compliance, prevent fraud, monitor risk, and inform policy, the Commission said.

“Our 2025 examination priorities identify the key areas of potentially increased risks and related harm for investors,” said Keith Cassidy, acting director of the division of examinations. “We hope that registrants will evaluate their compliance programs in the areas we identified and make the changes necessary to protect investors and maintain fair and orderly capital markets.”

The 2025 examination priorities cover a broad landscape of potential risks to investors that firms should consider as they review and strengthen their compliance programs. They are not, however, an exhaustive list of all the areas the Division will focus on in the upcoming year, the SEC noted. The scope of any examination includes analysis of other risk factors such as an entity’s history, operations, and products and services.

DoD Finalizes Cybersecurity Certification Program for Contractors
https://compliancechief360.com/dod-finalizes-cybersecurity-certification-program-for-contractors/
Fri, 18 Oct 2024

The U.S. Department of Defense issued final rules for its Cybersecurity Maturity Model Certification (CMMC) Program, which is intended to ensure that defense contractors meet standards for safeguarding sensitive information.

The CMMC Program aligns with the DoD’s existing information security requirements for private sector defense contractors. It is designed to enforce the protection of sensitive unclassified information shared by the department with its contractors and subcontractors. The program was developed to provide the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for non-federal systems processing controlled unclassified information.

“CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” the DoD said in a statement. “The CMMC Program implements an annual affirmation requirement that is a key element for monitoring and enforcing accountability of a company’s cybersecurity status.”

Central features of the CMMC Program:

  • Tiered Model: CMMC requires companies entrusted with sensitive unclassified DoD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also outlines the process for requiring protection of information flowed down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the DoD to verify implementation of existing cybersecurity standards by contractors and subcontractors.
  • Implementation through Contracts: DoD contractors and subcontractors handling sensitive unclassified DoD information must achieve a specific CMMC level as a condition of contract award.

Businesses in the defense industrial base should take action to gauge their compliance with existing security requirements and their preparedness for CMMC assessments. Members of the defense industrial base may use cloud service offerings to meet the cybersecurity requirements that must be assessed as part of the CMMC requirement.

TD Bank to Pay $3B in Plea to Settle Money-Laundering Case
https://compliancechief360.com/td-bank-to-pay-3b-in-plea-to-settle-money-laundering-case/
Thu, 10 Oct 2024

Canadian-based TD Bank will pay more than $3 billion in a historic settlement with U.S. authorities who said that the financial institution’s lax practices allowed significant money laundering over multiple years. The bank pleaded guilty to conspiracy to commit money laundering, the largest bank in U.S. history to do so, Attorney General Merrick Garland said.

“TD Bank created an environment that allowed financial crime to flourish,” Garland said. “By making its services convenient for criminals, it became one.”

TD Bank, the 10th largest bank in the United States, agreed to pay over $1.8 billion in penalties to resolve the Justice Department’s investigation into violations of the Bank Secrecy Act (BSA) and money laundering, the Justice Department said in a statement. A TD Bank statement said the full expense would exceed $3 billion for the firm, which must also upgrade its current anti-money laundering operations. It also will face a more stringent approval process for new products, stores, services and markets.

The bank pleaded guilty to conspiring to fail to maintain an anti-money laundering (AML) program that complies with the BSA, fail to file accurate Currency Transaction Reports (CTRs), and launder money.

TD Bank’s guilty pleas are part of a coordinated resolution with the Board of Governors of the Federal Reserve System (FRB), as well as the Treasury Department’s Office of the Comptroller of the Currency (OCC) and Financial Crimes Enforcement Network (FinCEN).

“Today, TD Bank also became the largest bank in U.S. history to plead guilty to Bank Secrecy Act program failures, and the first US bank in history to plead guilty to conspiracy to commit money laundering,” said Garland. “TD Bank chose profits over compliance with the law — a decision that is now costing the bank billions of dollars in penalties. Let me be clear: our investigation continues, and no individual involved in TD Bank’s illegal conduct is off limits.”

“For years, TD Bank starved its compliance program of the resources needed to obey the law. Today’s historic guilty plea, including the largest penalty ever imposed under the Bank Secrecy Act, offers an unmistakable lesson: crime doesn’t pay — and neither does flouting compliance,” said Deputy Attorney General Lisa Monaco. “Every bank compliance official in America should be reviewing today’s charges as a case study of what not to do. And every bank CEO and board member should be doing the same. Because if the business case for compliance wasn’t clear before — it should be now.”

‘Pervasive and Systemic Deficiencies’

According to court documents, between January 2014 and October 2023, TD Bank had long-term, pervasive, and systemic deficiencies in its U.S. AML policies, procedures, and controls but failed to take appropriate remedial action. Instead, senior executives at TD Bank enforced a budget mandate, referred to internally as a “flat cost paradigm,” requiring that TD Bank’s budget not increase year-over-year, despite its profits and risk profile increasing significantly over the same period. Although TD Bank maintained elements of an AML program that appeared adequate on paper, fundamental, widespread flaws in its AML program made TD Bank an “easy target” for perpetrators of financial crime.

Over the last decade, TD Bank’s federal regulators and TD Bank’s own internal audit group repeatedly identified concerns about its transaction monitoring program, a key element of an appropriate AML program necessary to properly detect and report suspicious activities. Nonetheless, from 2014 through 2022, TD Bank’s transaction monitoring program remained effectively static, and did not adapt to address known, glaring deficiencies; emerging money laundering risks; or TD Bank’s new products and services. For years, TD Bank failed to appropriately fund and staff its AML program, opting to postpone and cancel necessary AML projects while prioritizing a “flat cost paradigm” and the “customer experience.”

Throughout this time, TD Bank intentionally did not automatically monitor all domestic automated clearinghouse (ACH) transactions, most check activity, and numerous other transaction types, resulting in 92% of total transaction volume going unmonitored from Jan. 1, 2018, to April 12, 2024. This amounted to approximately $18.3 trillion of transaction activity. TD Bank also added no new transaction monitoring scenarios and made no material changes to existing transaction monitoring scenarios from at least 2014 through late 2022; implemented new products and services, like Zelle, without ensuring appropriate transaction monitoring coverage; failed to meaningfully monitor transactions involving high-risk countries; instructed stores to stop filing internal unusual transaction reports on certain suspicious customers; and permitted more than $5 billion in transactional activity to occur in accounts even after the bank decided to close them.

TD Bank’s AML failures made it “convenient” for criminals, in the words of its employees. These failures enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts between 2019 and 2023. Between January 2018 and February 2021, one money laundering network processed more than $470 million through the bank through large cash deposits into nominee accounts. The operators of this scheme provided employees gift cards worth more than $57,000 to ensure employees would continue to process their transactions. And even though the operators of this scheme were clearly depositing cash well over $10,000 in suspicious transactions, TD Bank employees did not identify the conductor of the transaction in required reports.
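The two preceding paragraphs describe concrete monitoring gaps: whole transaction types (ACH, checks, Zelle) never reaching the scenario engine, no high-risk-country scenario, activity continuing on accounts the bank had decided to close, and cash deposits over $10,000 reported without identifying the conductor. The following is an added example, not TD Bank’s, the Justice Department’s or any vendor’s code, that shows how a detection engineer would measure the coverage gap and run a handful of scenarios over a constructed ledger. The transaction types, accounts, amounts, dates, the placeholder high-risk country code “XX”, the two monitoring configurations and the alert names are all assumptions; the $10,000 cash figure is the Bank Secrecy Act currency transaction report (CTR) threshold mentioned in the text. Comparing the “weak” and “fixed” configurations shows that the same scenarios produce almost nothing when most product types are excluded from monitoring.

```python
"""Transaction-monitoring coverage and scenario checks over constructed sample data.

Added example, not TD Bank's, DOJ's or any vendor's code. The transaction types,
accounts, amounts, dates, high-risk country list and monitoring configurations
are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

CTR_CASH_THRESHOLD = 10_000.00          # a CTR is required for cash above this amount
HIGH_RISK_COUNTRIES: Set[str] = {"XX"}  # placeholder code; a real program uses its own risk list

# Weak configuration: only wires feed the scenario engine, so ACH, checks,
# Zelle and cash go unmonitored (the gap described in the text).
MONITORED_TYPES_WEAK: Set[str] = {"WIRE"}
# Corrected configuration: every product the bank offers is in scope.
MONITORED_TYPES_FIXED: Set[str] = {"WIRE", "ACH", "CHECK", "ZELLE", "CASH"}


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    txn_type: str
    amount: float
    date: str
    country: str = "US"
    conductor_id: Optional[str] = None  # person conducting a cash deposit, if recorded


# Constructed sample ledger (assumed data, not real transactions).
SAMPLE_TXNS: List[Txn] = [
    Txn("T1", "ACCT-1", "WIRE", 5_000, "2023-03-01"),
    Txn("T2", "ACCT-2", "ACH", 20_000, "2023-03-01"),
    Txn("T3", "ACCT-3", "CHECK", 15_000, "2023-03-01"),
    Txn("T4", "ACCT-4", "ZELLE", 2_000, "2023-03-01"),
    Txn("T5", "ACCT-5", "CASH", 12_000, "2023-03-01"),                # over threshold, conductor not recorded
    Txn("T6", "ACCT-5", "CASH", 8_000, "2023-03-02", conductor_id="ID-77"),
    Txn("T7", "ACCT-6", "WIRE", 3_000, "2023-03-02", country="XX"),   # high-risk jurisdiction
    Txn("T8", "ACCT-9", "ACH", 9_000, "2023-03-02"),                  # account already slated for closure
    Txn("T9", "ACCT-8", "CASH", 6_000, "2023-03-02", conductor_id="ID-5"),
    Txn("T10", "ACCT-8", "CASH", 5_000, "2023-03-02", conductor_id="ID-5"),  # same day, 11,000 in two deposits
]
CLOSED_ACCOUNTS: Set[str] = {"ACCT-9"}


def unmonitored_pct(txns: List[Txn], monitored_types: Set[str]) -> float:
    """Share of transaction volume (by dollar value) that never reaches any scenario."""
    total = sum(t.amount for t in txns)
    monitored = sum(t.amount for t in txns if t.txn_type in monitored_types)
    return round(100.0 * (1.0 - monitored / total), 1)


def run_scenarios(txns: List[Txn], monitored_types: Set[str],
                  closed_accounts: Set[str]) -> List[Tuple[str, str]]:
    """Run four simple detection scenarios; only monitored types are visible to them."""
    alerts: List[Tuple[str, str]] = []
    cash_by_account_day: Dict[Tuple[str, str], List[Txn]] = defaultdict(list)

    for t in txns:
        if t.txn_type not in monitored_types:
            continue  # the blind spot: unmonitored types are silently skipped
        if t.txn_type == "CASH" and t.amount > CTR_CASH_THRESHOLD and not t.conductor_id:
            alerts.append((t.txn_id, "CTR_MISSING_CONDUCTOR"))
        if t.country in HIGH_RISK_COUNTRIES:
            alerts.append((t.txn_id, "HIGH_RISK_COUNTRY"))
        if t.account in closed_accounts:
            alerts.append((t.txn_id, "ACTIVITY_ON_CLOSED_ACCOUNT"))
        if t.txn_type == "CASH":
            cash_by_account_day[(t.account, t.date)].append(t)

    # Structuring: several same-day cash deposits, each at or under the CTR
    # threshold, whose sum exceeds it.
    for (account, _day), deposits in cash_by_account_day.items():
        if (len(deposits) > 1
                and all(d.amount <= CTR_CASH_THRESHOLD for d in deposits)
                and sum(d.amount for d in deposits) > CTR_CASH_THRESHOLD):
            alerts.append((account, "STRUCTURING_PATTERN"))
    return alerts


if __name__ == "__main__":
    for label, cfg in (("weak", MONITORED_TYPES_WEAK), ("fixed", MONITORED_TYPES_FIXED)):
        print(f"{label}: {unmonitored_pct(SAMPLE_TXNS, cfg)}% of volume unmonitored, "
              f"alerts={run_scenarios(SAMPLE_TXNS, cfg, CLOSED_ACCOUNTS)}")
```

With the weak configuration roughly 90% of the sample volume is never seen and only the high-risk wire fires; with the fixed configuration the unreported conductor, the closed-account activity and the split cash deposits all surface. The coverage metric is the one worth reporting to the board: a scenario library is meaningless for product types that are not fed into it.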

In a second scheme between March 2021 and March 2023, a high-risk jewelry business moved nearly $120 million through shell accounts before TD Bank reported the activity. In a third scheme, money laundering networks deposited funds in the United States and quickly withdrew those funds using ATMs in Colombia. Five TD Bank employees conspired with this network and issued dozens of ATM cards for the money launderers, ultimately conspiring in the laundering of approximately $39 million. The Justice Department has charged over two dozen individuals across these schemes, including two bank insiders. TD Bank’s plea agreement requires continued cooperation in ongoing investigations of individuals.

As part of the plea agreement, TD Bank has agreed to forfeit $452 million and pay a criminal fine of $1.4 billion, for a total financial penalty of $1.8 billion. TD Bank has also agreed to retain an independent compliance monitor for three years and to remediate and enhance its AML compliance program. TD Bank has separately reached agreements with the FRB, OCC, and FinCEN, and the Justice Department will credit $123 million of the forfeiture toward the FRB’s resolution.

Partial Cooperation Credit

The Justice Department reached its resolution with TD Bank based on a number of factors, including the nature, seriousness, and pervasiveness of the offenses, as a result of which TD Bank became the bank of choice for multiple money laundering organizations and criminal actors and processed hundreds of millions of dollars in money laundering transactions. Although TD Bank did not voluntarily disclose its wrongdoing, it received partial credit for its strong cooperation with the Department’s investigation and the ongoing remediation of its AML program. TD Bank did not receive full credit for its cooperation because it failed to timely escalate relevant AML concerns to the Department during the investigation. Accordingly, the total criminal penalty reflects a 20% reduction based on the bank’s partial cooperation and remediation.

IRS Criminal Investigation, the Federal Deposit Insurance Corporation Office of Inspector General, and Drug Enforcement Administration investigated the case. The Morristown Police Department, U.S. Attorney’s Office for the District of Puerto Rico, Homeland Security Investigations, U.S. Customs and Border Protection, and New York City Police Department provided substantial assistance.
