recent enforcement action by the U.S. Department of Health and Human Services is sending a clear signal to corporate compliance teams: HIPAA obligations don’t stop at hospitals and insurers.

In a newly reported case, the agency’s Office for Civil Rights pursued enforcement against a self-funded employer health plan—marking a notable shift in how regulators are applying health data privacy rules. While HIPAA has long governed how medical providers and insurers handle protected health information, this action underscores that employers who sponsor health plans may also face direct scrutiny.

For many organizations, that represents a meaningful change in risk exposure.

Employer-sponsored health plans, particularly self-funded arrangements, are common across large and mid-sized companies. These plans often rely heavily on third-party administrators to process claims and manage data. As a result, compliance responsibilities can feel diffuse, split between HR, vendors, and legal teams. This latest enforcement activity suggests regulators are taking a different view.

Rather than focusing solely on service providers, enforcement is moving upstream—toward the plan sponsors themselves.

For compliance officers, the implications are practical. It is no longer sufficient to rely on vendor assurances or contractual protections alone. Regulators appear to be expecting companies to demonstrate active oversight of how health data is handled, including how vendors store, process, and secure sensitive information.

That shift puts a spotlight on governance. Companies may need to reassess whether their compliance programs adequately cover employee health data, particularly if responsibility has historically sat outside the core compliance function. Coordination between compliance, HR, IT, and third-party risk teams is likely to become more important.

The development also reflects a broader regulatory trend. Across industries, enforcement agencies are expanding their focus beyond traditional targets and looking more closely at how organizations manage outsourced activities. Whether the issue is cybersecurity, financial controls, or data privacy, the message is consistent: delegating a function does not eliminate accountability.

In the HIPAA context, that means plan sponsors may be expected to maintain clear documentation of their oversight efforts. This could include vendor due diligence, periodic audits, incident response procedures, and employee training around the handling of health information.

For companies that have not historically treated HIPAA as an enterprise-wide compliance issue, this may require a reset. Even organizations outside the healthcare sector could find themselves subject to enforcement if their internal controls fall short.

The takeaway for compliance professionals is straightforward. Employer health plans are no longer a peripheral concern. They are becoming part of the broader compliance landscape, with regulators paying closer attention to how these programs operate in practice.

As enforcement evolves, companies that take a more integrated approach to data privacy and vendor oversight will be better positioned to manage the risk—and to demonstrate that their controls work when it matters most. 

Joseph McCafferty is editor and publisher of Compliance Chief 360°.

The post HIPAA Enforcement Targets Employer Health Plans, Expanding Compliance Risk appeared first on Compliance Chief 360.

he crackdown on off-channel communications at financial firms isn’t over—it has simply taken a quieter, more targeted turn.

While the U.S. Securities and Exchange Commission drew headlines over the past several years with multibillion-dollar penalties for financial firms where employees communicated with undocumented texts and messages, recent developments suggest that FINRA is continuing to pursue the issue with steady intensity.

In the past several days, compliance observers and industry reporting have pointed to ongoing FINRA enforcement activity tied to unapproved communication channels. Rather than large, broad settlements, the regulator’s current approach appears more embedded in routine examinations and disciplinary actions. That shift makes the risk less visible—but no less real.

At the center of the issue is a familiar problem: employees using personal devices and apps such as text messaging or encrypted platforms to conduct business conversations. When those communications are not captured and retained, firms can fall short of recordkeeping requirements, a longstanding pillar of securities regulation.

What has changed is the expectation around control. Regulators are no longer satisfied with written policies that prohibit off-channel communications. Instead, they are looking for evidence that firms are actively detecting, preventing, and addressing violations in practice.

Recent enforcement patterns also suggest a growing focus on individual accountability. In addition to firm-level penalties, disciplinary actions increasingly include suspensions and fines for registered representatives and supervisors. For compliance leaders, that raises the stakes internally, particularly when it comes to training, supervision, and escalation.

The continued attention from FINRA is significant for another reason: it challenges a perception that the issue had cooled following the SEC’s earlier enforcement wave. In reality, the underlying expectations have not changed, and examination programs continue to test firms’ controls in this area.

For chief compliance officers, the takeaway is straightforward. Off-channel communications remain an active enforcement priority, even if they are no longer dominating headlines. Firms that scaled back monitoring efforts or treated the issue as largely resolved may find themselves exposed during routine exams.

More broadly, the trend reflects a shift in how regulators evaluate compliance programs. The question is no longer just whether a firm has a policy in place, but whether that policy is working in day-to-day behavior. In that sense, off-channel communications have become a clear test case for a wider regulatory approach—one that places increasing weight on evidence, supervision, and real-world outcomes. 

Joseph McCafferty is editor and publisher of Compliance Chief 360°.

.

The post FINRA Keeps Pressure on Off-Channel Messaging as Enforcement Focus Shifts appeared first on Compliance Chief 360.

he Consumer Financial Protection Bureau (CFPB) has finalized a rule that narrows how fair lending laws are enforced, marking a notable shift for compliance programs across the financial services industry.

The rule amends Regulation B, which implements the Equal Credit Opportunity Act (ECOA). Its most significant change is the removal of “disparate impact” as a basis for enforcement. Disparate impact refers to situations where a policy or practice results in unequal outcomes for certain groups, even if there was no intent to discriminate.

Under the updated framework, enforcement will focus primarily on cases involving clear evidence of intentional discrimination. In practical terms, this means regulators will be less likely to challenge lending practices based solely on statistical disparities in outcomes. Instead, examinations and enforcement actions are expected to emphasize documentation, decision-making processes, and evidence of intent.

For compliance teams, this change may alter how fair lending risk is assessed and monitored. Historically, many institutions have relied heavily on data analysis to identify potential disparities across protected classes. While that type of analysis is still valuable for internal risk management, it may play a less central role in regulatory scrutiny going forward.

At the same time, institutions should not interpret the change as a reduction in overall fair lending expectations. The ECOA remains in effect, and examiners are likely to continue reviewing policies, procedures, and controls to ensure that lending decisions are applied consistently and without bias. Strong governance, clear documentation, and well-defined underwriting criteria will remain essential.

The rule also includes updates related to “discouragement,” which addresses whether potential applicants are deterred from applying for credit. The revised approach narrows how discouragement is evaluated, placing greater emphasis on explicit actions or statements rather than inferred effects. This may reduce ambiguity in examinations, but it also underscores the importance of training front-line staff on appropriate communications with applicants.

Another area affected is the treatment of special purpose credit programs, which are designed to expand access to credit for under-served groups. The rule clarifies certain requirements for these programs, and institutions offering them may need to revisit their design and documentation to ensure alignment with the updated standards.

From an operational standpoint, compliance functions may consider recalibrating their fair lending frameworks. This could include reviewing monitoring methodologies, reassessing model governance practices, and ensuring that policies clearly articulate nondiscriminatory intent. Internal audits may also need to adjust their testing approaches to reflect the revised regulatory focus.

Industry response has been mixed, with some stakeholders noting that the changes may provide greater clarity and reduce uncertainty in enforcement. Others have raised concerns about the potential for reduced visibility into systemic disparities. Regardless of perspective, the rule represents a meaningful change that institutions will need to incorporate into their compliance programs. 

Joseph McCafferty is Editor & Publisher of Compliance Chief 360°

The post CFPB Revises Fair Lending Standards, Shifting Compliance Focus to Intent appeared first on Compliance Chief 360.

he U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has announced that it is working on significant reforms of the country’s anti–money laundering (AML) framework. Rather than a single sweeping overhaul, the current reform effort consists of a series of interrelated rulemakings, delays, and targeted expansions that collectively signal a shift toward a more risk-based, sector-inclusive, and flexible regulatory regime.

At the center of this effort is FinCEN’s proposed reconsideration of its 2024 rule extending AML obligations to investment advisers. That rule, originally slated to take effect in January 2026, would have required certain registered investment advisers (RIAs) and exempt reporting advisers to establish AML programs, file suspicious activity reports (SARs), and comply with Bank Secrecy Act (BSA) requirements for the first time. However, in September 2025, FinCEN issued a notice of proposed rulemaking to delay implementation until January 1, 2028.

This delay, finalized in early 2026, is more than a procedural adjustment. Treasury explicitly stated that the additional time would allow regulators to revisit the substance of the rule and better tailor it to the “diverse business models and risk profiles” of the investment adviser sector. The move reflects industry concerns that the original rule was overly broad and potentially burdensome, particularly for smaller firms. At the same time, FinCEN emphasized that AML obligations for the sector are inevitable, underscoring a longer-term policy objective of closing perceived gaps in financial system oversight.

Parallel to this reconsideration is a broader conceptual shift in how AML compliance is structured. FinCEN has proposed modernizing AML/CFT program requirements to emphasize effectiveness and risk alignment over rigid procedural checklists. Under this approach, institutions would be expected to design compliance programs that are “risk-based” and “reasonably designed” to mitigate specific illicit finance threats, rather than simply meeting prescriptive regulatory requirements. This reflects a growing recognition that a one-size-fits-all compliance model may be ill-suited to the complexity of modern financial markets, particularly as new technologies and nontraditional financial intermediaries emerge.

“For too long, Washington has asked financial institutions to measure success by the volume of paperwork rather than their ability to stop illicit finance threats,” Secretary of the Treasury Scott Bessent said in a statement. “Our proposal restores common sense with a focus on keeping bad actors out of the financial system, not burying America’s banks in more red tape.”

Another key pillar of FinCEN’s reform agenda is the expansion of AML obligations into historically under-regulated sectors—most notably residential real estate. A new nationwide reporting rule, which took effect in 2026 (with some implementation delays and legal challenges), requires reporting of certain non-financed residential property transfers involving legal entities and trusts. These transactions have long been viewed as a vulnerability in the U.S. AML regime, as illicit actors can use shell companies to purchase real estate without triggering traditional financial institution reporting requirements.

Beyond sector-specific reforms, FinCEN is also exploring structural changes to AML enforcement. According to reporting on Treasury’s internal proposals, the agency may seek a more centralized role in overseeing AML compliance across federal banking regulators. One proposal would allow FinCEN to review—or even veto—certain enforcement decisions made by other regulators under the BSA framework. While still in the proposal stage, such a shift could significantly alter the balance of authority among U.S. financial regulators and potentially lead to more consistent enforcement outcomes.

Among the most significant proposals and aims of AML reform are:

• Refocus compliance obligations and expectations on effectiveness by distinguishing between deficiencies stemming from program design and implementation
• Reinforce Treasury’s belief that financial institutions are best positioned to identify and evaluate their illicit finance risks
• Empower financial institutions to devote more attention and resources toward higher risks rather than toward lower risks
• Clarify expectations related to certain program requirements and functions—including independent testing and audit functions—to ensure that examiners and auditors do not substitute their subjective judgment in place of financial institutions’ risk-based and reasonably designed AML/CFT programs; and
• Affirm FinCEN’s central role in AML/CFT supervision, including through the introduction of a notice and consultation framework between Federal banking supervisors and FinCEN with respect to significant AML/CFT supervisory actions.

These reforms are unfolding against a backdrop of evolving enforcement priorities. Recent FinCEN actions—including expanded geographic targeting orders along the Southwest border and high-profile designations of foreign financial institutions—highlight a continued focus on combating drug trafficking, cybercrime, and transnational fraud networks. This suggests that while certain compliance burdens may be recalibrated, the overall intensity of AML enforcement is unlikely to diminish.

For financial institutions and other affected sectors, the implications are significant. Firms must prepare for an expanded AML landscape that encompasses new industries and transaction types, while also adapting to evolving expectations around program design and effectiveness. At the same time, the regulatory uncertainty created by ongoing revisions may complicate compliance planning in the near term.

FinCEN’s insists its current reform initiative does not represent a rollback of AML regulation, but rather a strategic reconfiguration. By combining expansion, flexibility, and structural reform, Treasury is attempting to build a more comprehensive and adaptive AML regime—one that is better equipped to address the complexities of modern illicit finance while balancing the operational realities faced by regulated entities. 

The post FinCEN Proposes Broad Reforms in AML Enforcement and Rulemaking appeared first on Compliance Chief 360.

he Commissioner for Competition at the European Commission, Teresa Ribera, warned that political influences are in danger of corrupting competition enforcement decisions. Ribera argues that antitrust must stay strong against politics and its pressures to ensure impartial and evidence-based enforcement policies. In a statement, she emphasized independence from political pressures and emphasized a willingness to consider industrial policy goals in merger reviews, potentially allowing more leniency for European companies compared to her predecessors.

“I have not got any type of interference on the political bias approach on how we need to deliver. We are bound by the law. We have been developing our own update on how we may assess the different cases, and we have always been quite respectful, and that is my case as commissioner, but also the case of my predecessors in the role of commissioner,” said Ribera during a press conference.

These stances were taken in response to growing pressures to change how competition policy is handled, with antitrust authorities in some regions facing pushback to clear mergers or drop investigations in favor of national economic threats, as stated by MLex. Last November, Ribera also accused the United States of “blackmail” on tech regulation, emphasizing the EU competition policy would not change to accommodate U.S. political pressure or threats of tariffs, according to an article in Politico. 

The post EU Official Says Antitrust Must ‘Stay Strong’ Against Politics appeared first on Compliance Chief 360.

he FTC chairman, Andrew Ferguson, has instructed the FTC staff to create a special health care task force intended to better protect patients, healthcare workers, and taxpayers. The FTC said, in a statement, that the task force will create a coordinated, competitive, and innovative approach to how the agency regulates health care organizations.

In a memorandum, Chairman Ferguson directed the FTC’s Bureaus of Competition, Consumer Protection, and Economics, as well as the Office of Policy Planning and Office of Technology, to form the health care task force.

According to Ferguson, the task force will help the agency to “share knowledge, resources, third-party sources, market intelligence, case leads, and relationships with other agencies and stakeholders.”

The Health Care Task Force will:

• Lead targeted enforcement and advocacy initiatives focused on key priorities;
• Devise coordinated agency-wide strategies on investigations;
• Take a proactive and strategic approach to identifying amicus and statement of interest opportunities; and
• Identify emerging issues and new priority areas for enforcement and advocacy.

The task force will also seek to expand its membership to include other agencies and law enforcement partners, including the Department of Health and Human Services and the Department of Justice. 

The post FTC Launches Health Care Task Force appeared first on Compliance Chief 360.

arlier this month, the Department of Justice announced a new “department-wide” corporate criminal enforcement policy that it says will promote uniformity, predictability, and fairness in how it pursues corporate wrongdoing. The policy, which it labeled the Corporate Enforcement and Voluntary Self-Disclosure policy, is intended to incentivize companies to self-disclose wrongdoing and hold employees responsible in exchange for potential non-prosecution.

The core aspects of the new DOJ corporate enforcement policy (CEP) are individual accountability, voluntary self-disclosure, a standardized approach, aggravating factors, and incentives. The policy emphasizes that the corporate cooperation credit requires that all facts regarding individuals involved in the misconduct be revealed and provided. Companies that self-disclose can avoid criminal prosecution, unless the circumstances are extreme. The CEP applies to all company criminal matters handled by the department, excluding antitrust violations, and it replaces the inconsistent component-specific policies. However, aggravating factors like any involvement with senior management or pervasive misconduct may result in a declination of prosecution. Companies that self-disclose and cooperate regardless of whether they meet all the criteria may receive reductions in fines as high as 75 percent.

“This Department of Justice is committed to transparency and fairness, and our first-ever Department-wide corporate enforcement policy is yet another example of that,” said deputy attorney general Todd Blanche. “This policy draws on decades of experience across the Department and creates incentives for companies to come forward and do the right thing when misconduct occurs so that we may hold accountable the individual wrongdoers. Well-intentioned businesses know that, across the department, they will be rewarded when they self-disclose wrongdoing, cooperate with our investigations, and remediate the misconduct. But for those that do not, make no mistake — we will not hesitate to seek appropriate resolutions against companies and individuals alike that perpetrate white collar offenses that harm American interests.”

According to the DOJ, the main requirements for companies are prompt disclosure, remediation, and cooperation for the DOJ to deal with corporate crime in a consistent, transparent, and predictable environment. 

The post New DOJ Enforcement Policy Emphasizes Individual Misconduct appeared first on Compliance Chief 360.

he Securities and Exchange Commission and the Commodity Futures Trading Commission announced that they have agreed to work more closely and collaborate more on regulatory issues and enforcement. The agencies say the agreement, documented in a “memorandum of understanding,” will allow the agencies to better support lawful innovations, uphold market integrity, reduce regulatory overlap, and protect investors and customers.

The agreement is a formal, non-binding document that outlines a plan to collaborate between the two agencies, which also details roles, responsibilities, and goals without creating legally enforceable obligations.

“The MOU shows the agencies’ commitments to provide fair notice to market participants, respect individual liberty, and foster lawful innovation with the minimum amount of regulation to enhance U.S finance competitiveness,” the SEC says. The main intention was to resolve the conflict between the agencies and provide a framework of cooperation, particularly on cryptocurrencies and digital assets.

In conjunction with the MOU, the agencies have created what they are calling a “joint harmonization initiative” to advance coordinated oversight and promote regulatory clarity in areas of common regulatory interest. The initiative will support coordination across the policymaking, examination, and enforcement functions of each agency, particularly for joint applications and shared policy efforts, including:

• Clarifying product definitions through joint interpretations and rulemakings.
• Modernizing clearing, margin, and collateral frameworks.
• Reducing frictions for dually registered exchanges, trading venues, and intermediaries.
• Providing a fit-for-purpose regulatory framework for crypto assets and other emerging technologies.
• Streamlining regulatory reporting for trade data, funds, and intermediaries.
• Coordinating cross-market examinations, economic analyses, risk monitoring, surveillance, and enforcement.

“America’s financial markets are the envy of the world because they scale and adapt to meet investor demands. Like our markets, the CFTC’s and SEC’s regulatory frameworks must also evolve and modernize to accommodate the needs of our market participants,” said CFTC Chairman Michael Selig. “This Memorandum of Understanding solidifies the agencies’ commitment to harmonize regulatory frameworks to provide comprehensive and seamless financial market oversight. By working together, we’ll eliminate duplicative, burdensome rules and close gaps in regulation for the benefit of all Americans and usher in a golden age of American finance.” 

The post SEC and CFTC Agree to Greater Collaboration Between the Agencies appeared first on Compliance Chief 360.

he Securities and Exchange Commission’s director of the Enforcement Division, Margaret Ryan, stepped down this week after only a little more than half a year on the job. Sam Waldon, who served as head of enforcement before Ryan, will return to the role as acting director.

During her time in the office, Ryan oversaw what the SEC calls a “course correction” within the division, which it says enabled it to refocus on prioritizing cases that provide meaningful investor protection and strengthen market integrity, rather than technical rule violations with no charges of investor harm. She also allocated division staff toward addressing misconduct such as fraud, market manipulation, and abuses of trust, emphasizing holding individuals accountable for their wrongdoings, promoting stronger deterrence, and better safeguarding investors, according to the SEC.

“I extend my thanks to Chairman Atkins, the Commission, and the staff of the Enforcement Division for the opportunity to continue my public service in a different role,” said Ryan. “As I recently said, I did not seek the role of Director of the SEC’s Division of Enforcement. Rather, this role found me. And for that, I am grateful. I am confident that the foundation I helped to shape—working together with Chairman Atkins—will continue to serve investors and the markets well.”

Under Ryan, enforcement actions at the SEC reached multi-year lows in the 2025 fiscal year, following the leadership transition from SEC Chair Gary Gensler to Paul Atkins. The SEC filed 313 new enforcement actions in 2025, a 27 percent decrease from fiscal year 2024 and the lowest in a decade. Actions against public companies and subsidiaries dropped 30 percent from 2024, with 93 percent of the year’s total actions initiated during the first quarter under Gensler.

Only four actions against public companies were initiated after January 2025 under the new administration, the lowest since 2013. Total monetary settlements for public companies declined by 45 percent, the lowest since 2012. Additionally, the SEC initiated only 10 accounting and auditing actions, a 68 percent decrease from 2024. The main reasons for the decline include leadership changes, new strategies, staffing adjustments, reorganization, and case dismissals. Despite the overall decrease, the SEC says Atkins is prioritizing retail investor protection, cross-border fraud, AI washing, and insider trading. 

The post Head of SEC Enforcement Resigns After Seven Months in Position appeared first on Compliance Chief 360.

almart has agreed to a $100 million judgment to settle allegations by the Federal Trade Commission and 11 states that the company caused delivery drivers to lose earnings, by deceiving them about the base pay, incentive pay, and tips they could earn. The FTC estimates that Walmart delivery drivers lost tens of millions of dollars in earnings due to the deception.

The proposed order also imposes significant changes to Walmart’s business practices to ensure that Walmart “never engages in such behavior again.” The injunction prohibits Walmart from modifying offers after a driver has accepted the offer, unless one of six exceptions applies. It also prohibits Walmart from making or assisting others in making similar misrepresentations to drivers or customers in the future.

Joined by Arizona, California, Colorado, Illinois, Michigan, North Carolina, Oklahoma, Pennsylvania, South Carolina, Utah, and Wisconsin, the FTC alleged in its complaint that Walmart lured drivers into its Spark Driver delivery program with inflated base pay and tip prospects. The complaint claims Walmart deceived customers by falsely proposing that 100 percent of customer tips would go to drivers.

“Labor markets cannot function efficiently without truthful and non-misleading information about earnings and other material terms,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection. “Today’s settlement reflects the Trump-Vance FTC’s focus on ensuring a healthy labor market for American workers, which is critical to the nation’s success.”

The FTC says the enforcement action against Walmart  is a result of it’s Joint Labor Task Force which was created by the cross-agency Labor Task Force to “root out and prosecute deceptive, unfair, and anticompetitive labor-market practices that harm American workers.” It also said the it’s dual consumer-protection and competition mandate makes the agency uniquely well-suited to address these worker harms. “Chairman Ferguson’s Labor Task Force harnesses expertise from the agency’s Bureau of Consumer Protection, Bureau of Competition, Bureau of Economics, and Office of Policy Planning.”

Walmart uses its Spark Driver service to deliver goods to customers using gig workers via the Spark Driver app, similar to Door Dash or Uber Eats. Those workers decide whether to accept “offers” to deliver orders, based on Walmart’s statements about the base pay and tips that a driver can expect to receive if they complete the work.

Details of allegations against Walmart.

The complaint alleges that Walmart engaged in several deceptive practices related to its Spark Driver service, including:

• Deceiving drivers about the number of tips they will receive from an order— the company failed to notify drivers that, unlike the payment for the goods being delivered, the payment for the advertised tip amount had not been preauthorized, and therefore drivers would not receive that amount if the customer was unable to cover the cost of the tip or if the charge otherwise failed. The company also failed to inform drivers that it would split tips when a customer’s delivery was split across multiple drivers.
• Deceiving drivers about the amount of base pay and tips they will receive when Walmart modifies “batched” offers— the company failed to inform drivers that it will reduce their base pay and/or tips when it removes orders from “batched orders,” which involve delivering goods to multiple customers during one trip. In many instances, Walmart either failed to notify drivers at all about the change in base pay and tips or only notified them of the change in their earnings after they completed the delivery.
• Misrepresenting the incentive pay drivers can earn in exchange for completing certain tasks— the company failed to disclose all the conditions that must be met to earn the promised incentive pay for completing certain tasks and denied the promised earnings on the basis that drivers failed to meet all the conditions.
• Deceiving consumers that “100% of tips go to the driver.” — despite this promise, Walmart, on multiple occasions, failed to provide collected tips to drivers as promised and did not refund the tip to customers either.

The FTC alleges that these practices violated the FTC Act and the Gramm-Leach-Bliley Act—by obtaining drivers’ bank and other financial information while deceiving them about the amount base pay and tips they will earn from Spark Driver deliveries—as well as laws of the agency’s state partners.

As part of the proposed order, Walmart is:

• Required to implement an earnings verification program to ensure drivers are paid the promised earnings and tips.
• Prohibited from modifying an offer for base and incentive pay or tips after the initial offer except under limited circumstances such as when the driver fails to provide the required service or the customer cancels an order.
• Banned from misrepresenting the earnings and other information included in the delivery offers it makes to Spark drivers.

If Walmart fails to obey this injunction, the Commission can return to Court in contempt proceedings. 

The post Walmart to Pay $100 Million to Settle FTC Deception Charges on Delivery Service appeared first on Compliance Chief 360.