regulation Archives - Compliance Chief 360
https://compliancechief360.com/tag/regulation/
The independent knowledge source for Compliance Officers
Last updated: Thu, 12 Dec 2024 23:08:33 +0000

Managing Compliance in a Remote Work Environment
https://compliancechief360.com/managing-compliance-in-a-remote-work-environment/
Thu, 12 Dec 2024 22:50:13 +0000

We all know about the great migration to “work from home” that occurred during the COVID-19 pandemic, starting in 2020 and lasting into 2021 and 2022. While many organizations have moved employees back to the office for some or all of the work week, remote work has remained a far more prevalent aspect of working life than it was before.

According to a 2023 Pew Research Center study, around 22 million employed adults in the U.S. work from home all the time, equal to roughly 14 percent of all employed adults, while 41 percent are at least part-time remote on a hybrid setup. By 2025, that same survey finds 32.6 million Americans will be working remotely.

While the flexibility creates favorable conditions for attracting and retaining top talent, it also brings new challenges. Managing compliance in a remote work environment can be difficult. This is especially true for highly regulated sectors such as finance, health care, and defense, but it can affect a business operating in any field.

Identifying the challenges of remote work and coming up with a solid compliance plan will allow employers and workers to fully utilize remote or hybrid work models without worries about security risks, audits, or subsequent fines. Whether or not you utilize a third-party risk monitoring solution, it’s critical to understand the risks associated with remote work.

Compliance Challenges of a Remote Work Environment

The EY 2023 Mobility Re-imagined Survey suggests that while 92 percent of participants believe workplace mobility is important, 71 percent lack confidence in their organization’s ability to handle compliance and other risks stemming from a remote work environment.

Some of the most common compliance challenges work from home creates for organizations include:

  • Determining which labor laws and regulations apply to employees on the basis of their home office location
  • Employee monitoring and oversight
  • Ensuring workplace safety
  • Data security and privacy
  • Security of communications carried out in a remote work environment
  • Employment verification processes

Having a solid compliance plan in place and adapting to the hybrid work model realities are both essential to mitigate those risks.

Onboarding and Ongoing Training

The first rule of onboarding compliance is understanding applicable rules regarding employment, data privacy, and security. Onboarding processes have to address all those concerns and adhere to regulatory frameworks within the respective jurisdiction.

If your company hires international employees who work from their own location, you’ll have to work through a few important considerations during onboarding. Find out whether:

  • The person has the right to work in the location they work from
  • They are entitled to receive home office equipment
  • You will have to provide any kind of training during the onboarding process

The agreements and contracts you sign as a part of onboarding should also account for national or regional regulatory specifics. A well-crafted employment contract should have stipulations on job responsibilities, performance expectations, communication protocols, confidentiality clauses, data protection, dispute resolution, and performance reviews.

The next step would be to train remote workers on anything that may lead to compliance issues. Data privacy and security training is non-negotiable. Authentication and access control training can also reduce the risk of violations or security threats stemming from the remote work environment.

The Importance of a Foolproof Remote Work Policy

A remote work policy is a document that outlines expectations and guidelines for all employees to follow. It’s a comprehensive how-to guide that focuses on procedures, safety protocols, workplace specifics, and technologies employed to do one’s job while following a regulatory framework.

As hybrid work is becoming the norm, standard workplace policies have to account for the new reality and the way it’s changing professional interactions.

Well-crafted remote work policies should contain:

  • Rules on eligibility for remote work
  • Guidelines on mandatory work hours, equipment, and tools made available to each employee
  • Provisions on designing and equipping a remote workplace
  • Cybersecurity stipulations and protocols
  • Guidelines on communication between coworkers
  • Guidelines on employee well-being

Good workflow management is also dependent on effective performance tracking, building trust and transparency through daily communication, having clearly defined roles within teams, and offering the right incentives (like career growth opportunities).

Maximizing Cybersecurity in Remote Environments

Cybersecurity is crucial for all organizations, especially those operating in highly regulated sectors.

Remote work has created numerous challenges that concern executives and make IT security managers sweat. In a 2023 survey, 72 percent of respondents said they were very or somewhat concerned about the online risks related to employees working from home; only 6 percent were not at all concerned.

Without concrete policies, and outside a shared on-site work environment, common cyber threats like ransomware are more likely to evade defense mechanisms, Pritish Purohit, group head of cyber governance at FWD Insurance in Singapore, told Forbes.

Overcoming these new challenges depends on:

  • Educating employees on recognizing cybersecurity threats
  • Strengthening the corporate network through good password policies, multi-factor authentication, the selection of the right antivirus applications, frequent updates, and backups
  • Securing remote connections by leveraging VPNs and setting device usage boundaries
  • Implementing company-wide cybersecurity policies that apply to both in-office and remote workers
  • Carrying out regular security assessments and vulnerability audits
  • Adhering to data protection laws such as the GDPR and HIPAA
  • Adding an extra layer of protection for the most sensitive information (for example, restricting access to named individuals and keeping detailed access logs)

A Focus on Employee Well-being Is Crucial

Finally, don’t forget to maintain the focus on employee well-being, regardless of the workplace model your organization has embraced.

To improve the mental and physical well-being of employees, consider the following:

  • Maintain regular communication, preferably using video conferencing tools to make everyone feel connected
  • If possible, schedule in-person meetings at least a few times per month
  • Discourage overwork and promote better work-life balance (by selecting the right compensation models that will keep workers from spending too much time as the lines between personal and professional get blurred)
  • Offer personalized health benefits (89 percent of remote workers value having some kind of health benefit as a part of their employment package)
  • Make sure everyone is aware of the available paid time off within the organization
  • Provide mental health and well-being resources
  • Allow work-hour flexibility

Working from home creates legal considerations that some organizations aren’t prepared to face, while others have been attempting to address them ineffectively.

To reduce the risk of compliance issues, put a robust remote work policy in place, train employees properly, and make sure they stick to the rules. Remaining challenges can be addressed through regular performance reviews and audits. Identifying challenges and threats quickly is essential to determine viable remedies and implement them before an issue turns into a major compliance problem.


Giovanni Gallo is the Co-CEO of Ethico, where his team strives to make the world a better workplace with ethics hotline services, sanction screening and license monitoring, and workforce eLearning software and services.

Are You Ready for Compliance with EU’s DORA?
https://compliancechief360.com/are-you-ready-for-compliance-with-eus-dora/
Fri, 15 Nov 2024 21:22:12 +0000

It has been said that if a butterfly flaps its wings in the Serengeti, it can change the climate half a world away. Similarly, if the EU enacts a regulation in Brussels, it can have a major impact as far away as the United States.

We saw this through the ubiquity of website cookie notices and recent state-level laws like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), which, if nothing else, took some inspiration from the EU’s General Data Protection Regulation (GDPR).

Get ready for another EU regulation that, while not directly applicable in the United States, will nonetheless have a major impact on compliance at U.S. organizations. The Digital Operational Resilience Act (DORA) will be similarly impactful once it applies from January 17, 2025, especially for those in the financial services industry.

Nominally, DORA is a cyber-resilience regulation aimed at protecting the operational stability of the European financial services industry. It is the first EU regulation of its kind to target resilience at a sectoral level and, practically speaking, is an extensive suite of requirements for financial institutions and the businesses that provide services to them, covering how information and communication technology (ICT) contracts should be written, how risks are assessed, how incidents are reported, and how security systems are tested, among other things.

Like any good EU regulation, DORA comes with significant penalties. Sanctions for financial entities are set by national competent authorities, and a critical ICT third-party provider that fails to comply with oversight can face periodic penalty payments of up to one percent of its average daily worldwide turnover, per day, for up to six months.

DORA Is Not Just an EU Regulation

The key thing auditors need to understand about DORA, especially as they are being asked to take on more risk-based responsibilities, is that DORA is very broad. It creates significant regulatory risk for potentially tens of thousands of entities in and outside the EU.

According to a recent McKinsey survey, most EU financial entities have started their journey towards DORA compliance, but only a third expect they will be ready on time for January 17. Globally, the state of DORA readiness is likely far lower.

This is important because, like the GDPR, DORA’s reach does not stop at the 22,000 or so financial entities based in the EU. It applies to financial entities authorised in the EU, which includes the EU subsidiaries and branches of groups headquartered in the United States, the United Kingdom, or anywhere else, and it reaches non-EU firms a second way: through the contractual and oversight requirements imposed on ICT providers that serve EU financial entities. A financial institution outside the EU that serves EU customers through an EU-regulated entity should therefore assume there is a strong chance DORA applies to it.

The best starting point for a compliance officer or internal auditor to see whether their organization falls under DORA is to look at the list of financial entities that are not in DORA’s scope.

Organizations excluded from DORA include non-financial entities, (some) alternative investment fund managers, very small insurance and reinsurance firms, financial entities outside the EU that do not serve the EU financial sector, and some others such as post office giro institutions and small occupational pension funds.

As a rule, a financial institution that is authorised in the EU, or that is large enough to serve EU-based customers through an EU-regulated entity, will need to comply with DORA’s rule sets. Fintechs, crypto brokers, hedge funds, asset managers, and more traditional banks and financial institutions will all be affected.

What Types of Companies Does DORA Cover?

Some organizations will have more stringent DORA requirements than others. A large multinational bank, for example, with complicated ICT systems and a lot of interdependent relationships will have relatively tough requirements.

To comply with DORA, an entity like this will likely have to conduct threat-led penetration testing (a form of offensive cybersecurity exercise in which you test IT systems against realistic cyber-attack scenarios and threats) at least every three years and other security testing on an annual basis.

They will also need to report major ICT-related incidents, such as data breaches, to their competent authority on a fixed clock: an initial notification within 24 hours of becoming aware of the incident (and within four hours of classifying it as major), an intermediate report within 72 hours of that notification, and a final report within a month. They must also conduct detailed third-party risk assessments for all ICT service providers that support critical or important functions. Ideally, the entity in question will already be ahead of this task, and the compliance officer or internal auditor’s job will not change to a great degree because of DORA.

A smaller organization, such as a small and non-interconnected investment firm with a basic ICT infrastructure that is less critical to the overall financial services industry, will have different requirements. It can apply DORA’s simplified ICT risk management framework and faces simpler third-party requirements, although the incident reporting deadlines above are the same for everyone. Testing will still be required, but threat-led penetration testing is only mandatory for entities their competent authority identifies for it.

Although many smaller organizations may have somewhat less to do to become DORA compliant, they may find that many of DORA’s requirements, such as a formal digital operational resilience testing programme, are completely new to them.

Microenterprises, the “very small entities” that employ fewer than 10 people and have an annual turnover or balance sheet total of no more than €2 million (about $2.11 million), typically with simple IT environments, will have much lighter compliance requirements.

Critical Third Parties Covered by DORA

Another quirk of DORA is that it’s not just applicable to financial institutions but will also impact businesses that serve them, such as companies that provide services that are essential to the EU financial services industry, but are not financial institutions themselves. Some of these businesses will be designated as Critical ICT Third-Party Service Providers (CTPP) and have especially strict requirements.

An essential requirement for ICT third-party service providers to be considered critical by DORA is that they must provide ICT services that support critical or important functions to at least 10 percent of the financial entities for any given category, as defined in DORA. “Critical or important functions” refer to functions whose discontinued, defective, or failed performance would materially impair the financial entity.

In a broad sense, a CTPP is a provider whose failure would cause serious damage to a significant portion of the EU financial services industry. A company is designated as such either by voluntarily requesting designation or by being designated by the European Supervisory Authorities, such as the European Banking Authority. Major cloud service providers like Google Cloud, for example, will likely become CTPPs and have been taking steps to comply with DORA for quite some time.

Compliance Matters

Sectoral, global in reach, and applying from January 17, 2025, DORA will become a mainstay of boardroom conversation in 2025.

Hopefully, this article will help compliance officers and internal auditors better understand who is and isn’t covered by DORA. In practice, DORA compliance is a significant top-down effort, and the average major financial services organization will dedicate significant resources to it.


Nikos Vassakis is the Head of Consulting Services at SECFORCE, an IT security and cybersecurity firm based in London, U.K.

The Battle over the Ban of Noncompetes Continues as FTC Receives Unfavorable Ruling
https://compliancechief360.com/the-battle-over-the-ban-of-noncompetes-continues-as-ftc-receives-unfavorable-ruling/
Fri, 23 Aug 2024 16:18:43 +0000

In April 2024, the Federal Trade Commission announced a final rule banning most noncompete agreements in order to promote competition. Although this historic announcement was meant to change the entire landscape of employment within the U.S., the FTC’s push to ban these agreements drew much skepticism from a legal perspective.

The agency failed its first test of pushing its ban through the courts when U.S. District Judge Ada Brown ruled to bar the ban from taking effect. Judge Brown concluded that the FTC did not have the authority to impose such a ban. “The Court concludes that the FTC lacks statutory authority to promulgate the Non-Compete Rule, and that the Rule is arbitrary and capricious. Thus, the FTC’s promulgation of the Rule is an unlawful agency action,” Brown wrote in her order. “(The rule) is hereby SET ASIDE and shall not be enforced or otherwise take effect on September 4, 2024, or thereafter.”

Judge Brown added that even if the FTC did have the power to impose a ban on all noncompete agreements, it had not explained why such a ban was necessary at all. “The Commission’s lack of evidence as to why they chose to impose such a sweeping prohibition … instead of targeting specific, harmful non-competes, renders the Rule arbitrary and capricious,” Brown wrote.

The FTC was clearly disappointed with Judge Brown’s conclusion and, in a statement to ABC News, said it is seriously considering an appeal of the decision.

“We are disappointed by Judge Brown’s decision and will keep fighting to stop noncompetes that restrict the economic liberty of hardworking Americans, hamper economic growth, limit innovation, and depress wages,” FTC spokesperson Victoria Graham said.

The FTC has long held that noncompetes hurt employees. “The freedom to change jobs is core to economic liberty and to a competitive, thriving economy,” said FTC Chair Lina Khan in a statement when the proposed rule was first introduced. “Noncompetes block workers from freely switching jobs, depriving them of higher wages and better working conditions, and depriving businesses of a talent pool that they need to build and expand.” Now, the FTC is faced with an even larger obstacle than before with Judge Brown’s ultimate ruling.

The Future of the Noncompete Ban is Unclear

So far, three cases have dealt with the FTC’s ban on noncompete agreements, including the one before Judge Brown. One, in a Florida district court, sided with Judge Brown’s reasoning, while the other, in a Pennsylvania district court, supported the FTC rule. Many anticipate that such inconsistent rulings will ultimately send the issue to the Supreme Court.

However, in order to make its way to the Supreme Court, the FTC’s appeal will first need to be heard by the Fifth Circuit, a court known for its friendliness to businesses. As a result, it seems more than likely that a Fifth Circuit ruling will not favor the ban. “Most anticipate that the lower court’s ruling will be upheld by the Fifth Circuit but predicting the outcome in the Third and Eleventh circuits, assuming the [Pennsylvania] and [Florida] cases are appealed, is less predictable. This means we still could see the issue presented to the Supreme Court,” said Amanda Sonneborn, a partner in King & Spalding’s global human capital and compliance practice.


Jacob Horowitz is a contributing editor at Compliance Chief 360°

Supreme Court Curtails SEC’s Use of In-House Tribunals for Civil Penalties
https://compliancechief360.com/supreme-court-curtails-secs-use-of-in-house-tribunals-for-civil-penalties/
Wed, 03 Jul 2024 17:10:19 +0000

In a landmark case, the Supreme Court has struck down the Securities and Exchange Commission’s authority to use in-house tribunals when seeking civil penalties against those accused of securities fraud. The Court, in SEC v. Jarkesy, ruled that when the SEC seeks civil penalties from defendants for securities fraud, the Seventh Amendment requires it to bring the action in a court of law where the defendant is entitled to a trial by jury.

The civil penalties the SEC seeks in these cases are monetary fines, and the Court reasoned that such relief is legal rather than equitable in nature: “relief is legal in nature when it is designed to punish or deter the wrongdoer rather than solely to ‘restore the status quo,’ such fines can only be enforced in courts of law.”

The SEC argued that the “public rights” exception to the Seventh Amendment applied, which allows Congress to assign adjudication of a case to an agency without a jury. Whether the exception applied depended on whether the SEC was enforcing “public rights” belonging to the government or seeking remedies similar to those sought by private parties. Ultimately, the Court decided that securities fraud claims did not trigger the exception, so Congress could not delegate their adjudication to the SEC.

Before this ruling, the SEC could initiate enforcement actions before its own administrative law judges, who rendered a final decision on the case at hand. Now, if the SEC seeks civil penalties for fraud, it must do so in federal court. “Now the entire federal government is forced to play by the same litigation rules as everyone else—in real courts before real judges, just as our Founders intended,” S. Michael McColloch, Jarkesy’s attorney, said.

Implications of the Court’s Ruling

Although this decision is a significant one, it is not unexpected. Due to its anticipation of a ruling similar to this one, the SEC, in recent years, has begun to pursue enforcement actions in federal court as opposed to internal forums. “The SEC anticipated this outcome, so I don’t think the ruling marks a seismic shift,” said Allison Kernisky, a securities litigator at Holland & Knight.

Nevertheless, this decision may potentially affect its overall success rate in securities fraud cases. Historically, the SEC has had a much higher success rate in in-house administrative proceedings, winning 90 percent of those cases compared to 69 percent in federal court. This decision is also likely to lead to an increase in the number of contested cases, rather than those settled before a complaint is filed.

As a consequence of this decision, the SEC will have to address its approximately 200 open administrative proceedings and reassess its use of in-house tribunals. That reconsideration may make it hesitant to use such proceedings for any enforcement action that seeks civil penalties; only time will tell.


Jacob Horowitz is a contributing editor at Compliance Chief 360° 

Supreme Court Strikes Down Chevron Doctrine, Weakening Federal Regulation
https://compliancechief360.com/supreme-court-strikes-down-chevron-deference-doctrine/
Tue, 02 Jul 2024 16:11:11 +0000

In a major judicial ruling, the Supreme Court overruled a long-standing doctrine that permitted courts to defer to federal agencies’ interpretations of ambiguous laws. In Loper Bright Enterprises v. Raimondo, the Court invalidated the “Chevron deference” doctrine, effectively shifting the power to interpret complex statutes from federal agencies to federal courts.

In Chief Justice John Roberts’s opinion overruling the 40-year-old precedent, the Court emphasized that courts should be the ones to “decide legal questions by applying their own judgment,” and that “it thus remains the responsibility of the court to decide whether the law means what the agency says.” The ruling means federal agencies such as the Securities and Exchange Commission can no longer expect courts to defer to their reading of ambiguities in a federal law, and it abandons a doctrine that has long been regarded as a cornerstone of administrative law.

Many in the legal industry believe that this ruling will result in a substantial increase in litigation challenging federal regulations. According to Douglas Hallward-Driemeier, head of the appellate and Supreme Court practice at Ropes & Gray, “litigants who were previously deterred from challenging federal government policies because of their poor odds under the Chevron doctrine will now be emboldened by the leveling of the playing field.”

Within his majority opinion, Chief Justice Roberts provided support for his conclusion. “Even when an ambiguity happens to implicate a technical matter, it does not follow that Congress has taken the power to authoritatively interpret the statute from the courts and given it to the agency,” Roberts said. “Courts, after all, do not decide such questions blindly,” but rely on the briefs and facts that the parties provide, including the records and reports of the expert agencies involved.

Although the end of the Chevron doctrine marks a significant transfer of power from agencies to the judicial system, it does not entirely prevent courts from deferring to an agency’s interpretation of an ambiguous law. The Court’s ruling merely states that courts are no longer required to assume that legal ambiguities require them to defer to the agency’s interpretation.

Agencies’ interpretations of laws will continue to receive a level of persuasiveness based on the influence of the agencies’ views. Factors influencing this persuasiveness may include how soon after the statute’s enactment the agency adopted the interpretation and the consistency with which the agency has maintained that interpretation over time.

Implications of the Court’s Abandonment of Chevron

In abandoning the Chevron doctrine, the Court has seemingly ruled in favor of those who are often dissatisfied with agency decisions: businesses and property owners. Meg Tahyar, head of the financial institutions and fintech team at Davis Polk & Wardwell, believes the ruling will put substantial pressure on federal agencies. According to Tahyar, agencies will “feel more pressure to shore up the reasoning they provide for the policy decisions they make. They won’t dare to be as creative and search through old statutes to fit new and novel problems.”

This decision hands a significant amount of power to judges, who are now free to interpret many laws as they see fit. It introduces uncertainty into all types of regulation, including labor, technology, the environment, and health care, an uncertainty that large corporations hope to take advantage of. The real effect of the ruling will likely emerge over years of litigation, as courts, agencies, and Congress navigate its practical consequences.


Jacob Horowitz is a contributing editor at Compliance Chief 360° 

SEC’s Cyber-Rule Enforcement a Prime Worry for Compliance
https://compliancechief360.com/secs-cyber-rule-enforcement-a-prime-worry-for-compliance/
Thu, 28 Mar 2024 21:22:25 +0000

According to a 2024 Cybersecurity Benchmarking Survey, 45 percent of surveyed compliance personnel from asset management, investment adviser, and private market firms have expressed concerns about how the Securities and Exchange Commission (SEC) will enforce its newly adopted cybersecurity rules.

The ACA Group and the National Society of Compliance Professionals released the survey results, which showed the uncertainty surrounding enforcement of the SEC’s cybersecurity rules. The results indicated that 44 percent of respondents are uncertain about how the SEC will enforce the rules, while 36 percent of compliance professionals cited concerns about complying with cyber incident reporting requirements and timeframes.

Mike Pappacena, a partner at ACA Group, said in a statement that “it’s clear that regulatory compliance remains a top concern,” because nearly half of respondents expressed uncertainty about SEC enforcement. Pappacena said the survey results underline the importance of staying ahead of evolving cybersecurity threats.

The online survey covered around 310 investment adviser firms. All firm sizes were represented, and responding firms belonged to varied business types, with most responses coming from asset managers, broker-dealers, and alternative investment advisors.

According to the survey, around 80% of participants are confident in their firms’ ability to combat a cyber breach, and the top cyber threats raising concern are payment fraud and business email compromise.

As a result of the SEC’s adopted rule, public companies are now required to disclose cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The SEC rules now require companies to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.

The SEC additionally requires companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Companies are given a four-day grace period to disclose a cybersecurity incident, counted from the moment the company determines the incident to be material.

The SEC’s Consideration of Additional Cybersecurity Proposals

Cybersecurity has been a top priority for the SEC. The Commission is currently considering other cybersecurity-related proposals, including one that would require brokers, dealers, investment advisers and companies to implement written policies and procedures concerning unauthorized access to or use of customer information, including procedures for notifying customers of such an incident.

The SEC is also proposing to broaden the scope of information covered by making changes to the requirements for safeguarding customer records and information, and for properly disposing of consumer report information.

Although these proposed measures signal a determined effort to enhance protection for investors, many remain worried about exactly how the SEC will enforce the newly adopted rules and proposals.


Jacob Horowitz is a contributing editor at Compliance Chief 360°    

The post SEC’s Cyber-Rule Enforcement a Prime Worry for Compliance appeared first on Compliance Chief 360.

EU Passes World’s First Comprehensive AI Law
https://compliancechief360.com/eu-passes-worlds-first-comprehensive-ai-law/
Fri, 15 Mar 2024 17:34:22 +0000

The European Parliament approved the Artificial Intelligence Act (AIA), a regulation aimed at ensuring safety and compliance with fundamental rights while boosting innovation in the artificial intelligence (AI) field. AIA, which is set to take effect in increments over the next few years, establishes obligations for AI based on its potential risks and level of impact.

AIA is the world’s first set of regulations designed to oversee the field of AI. “We finally have the world’s first binding law on artificial intelligence, to reduce risks, create opportunities, combat discrimination, and bring transparency,” said Brando Benifei, a European Union lawmaker from Italy. “Thanks to Parliament, unacceptable AI practices will be banned in Europe and the rights of workers and citizens will be protected. The AI Office will now be set up to support companies to start complying with the rules before they enter into force. We ensured that human beings and European values are at the very center of AI’s development.”

The new law comes at a point where many countries have introduced new AI rules. Last year, the Biden administration approved an executive order requiring AI companies to notify the government when developing AI models that may pose serious risk to national security, national economic security, or national public health and safety.

AIA Bans Specific Uses of AI

AIA bans certain AI applications that threaten citizens’ rights, including biometric categorization systems based on sensitive information and real-time and remote biometric identification systems, such as facial recognition. The use of AI to classify people based on behavior, socio-economic status or personal characteristics, and to manipulate human behavior or exploit people’s vulnerabilities, will also be forbidden.

However, some exceptions may be allowed for law enforcement purposes. “Real-time” remote biometric identification systems will be allowed in a limited number of serious cases, while “post” remote biometric identification systems, where identification occurs after a significant delay, will be allowed to prosecute serious crimes and only after court approval.

AIA also introduces new transparency rules that mainly affect generative AI. The regulation sets out multiple transparency requirements that this sort of AI will have to satisfy, including compliance with EU copyright law. This entails disclosing when content is generated by AI, implementing measures within the model to prevent the generation of illegal content, and providing summaries of copyrighted data used during the model’s training process. Additionally, artificial or manipulated images, audio or video content (“deepfakes”) must be clearly labelled as such.

AIA is projected to become officially effective by May or June, pending some last procedural steps, including approval from EU member states. Implementation of its provisions will occur gradually, with countries required to prohibit banned AI systems six months after the law’s enactment.


Jacob Horowitz is a contributing editor at Compliance Chief 360°

The post EU Passes World’s First Comprehensive AI Law appeared first on Compliance Chief 360.

FinCEN Addresses Beneficial Ownership Reporting For Small Businesses
https://compliancechief360.com/fincen-addresses-beneficial-ownership-reporting-for-small-businesses/
Thu, 15 Feb 2024 17:29:31 +0000

The head of the U.S. Financial Crimes Enforcement Network (FinCEN) announced during a congressional hearing that the Network isn’t adopting a “gotcha” approach to enforcing compliance with the new regulations on reporting of beneficial ownership information (BOI) by companies.

Since implementing the Anti-Money Laundering Act of 2020, FinCEN’s highest priority has been the successful implementation of the beneficial ownership reporting requirements. These requirements obligate a company to disclose all individuals who formed the company, including any individuals who exercise significant influence or control over the company through another, unaffiliated company.

Companies are required to disclose the name, date of birth, and home address of every beneficial owner, along with submitting identification like a passport or driver’s license. However, FinCEN exempts certain “large” companies from the BOI reporting obligations, defining them as those with over 20 full-time employees in the U.S. and minimum gross receipts or sales of $5 million, among other criteria.

The purpose of this requirement is to filter out shell companies that are used primarily for money laundering. These shell corporations are usually smaller companies with fewer financial resources. Because such companies are not usually current with recent regulations, the reporting requirements have received a significant amount of criticism from Congress. During the congressional hearing, Financial Services Chairman Patrick McHenry referenced a survey conducted by the National Federation of Independent Business, revealing that 90% of small businesses are unaware of their newly imposed reporting obligations.

Andrea Gacki, the head of FinCEN, addressed these criticisms in the recent congressional hearing. “I want to clearly state that FinCEN has no interest in hitting small businesses with excessive fines or penalties. The CTA penalizes willful violations of the law, and we are not seeking to take ‘gotcha’ enforcement actions,” Gacki said. “Looking ahead, we will continue our efforts to promote compliance with the reporting requirements and ensure broad awareness of the safe, secure, and easy-to-use filing system.”

FinCEN’s Outreach Efforts

FinCEN has dedicated much time and effort to outreach to smaller companies in order to notify them of the BOI reporting requirements. “We have held outreach events with a wide range of small business advocacy associations, corporate service providers, third party trade associations, industry trade associations, and good governance organizations,” Gacki said in her congressional hearing statement. “We have also opened channels to directly engage with small businesses and other users actively filing reports.”

FinCEN’s website also includes a direct link to its Contact Center, so users can submit questions about filing or let the agency know of any issues they encounter when submitting their report. The agency is also using a chatbot to give businesses an interactive tool that quickly answers any questions they may have.

Although many small companies are not yet aware of the current BOI reporting requirements, FinCEN is making every effort to notify each company of the rules, so that it can genuinely filter out those formed only for the purpose of money laundering and other financial crimes.

As the head of FinCEN said to the House of Representatives in the recent congressional hearing, “We know that the vast majority of the small businesses that will be impacted by this reporting requirement are law-abiding businesses that want to do the right thing, and we also know that many of them may not be familiar with FinCEN… This is why outreach has been and will continue to be a primary focus of our efforts.”

FinCEN now requires companies to complete their BOI filings by January 1, 2025. Those who violate the requirements will face “civil fines of up to $500 per day that the violation continues, criminal fines of up to $10,000, and up to two years of imprisonment,” according to FinCEN.


Jacob Horowitz is a contributing editor at Compliance Chief 360°

The post FinCEN Addresses Beneficial Ownership Reporting For Small Businesses appeared first on Compliance Chief 360.

France Fines Amazon $35 Million for Excessive Monitoring of Employees
https://compliancechief360.com/france-fines-amazon-35-million-for-excessive-monitoring-of-employees/
Thu, 25 Jan 2024 21:36:21 +0000

The French Data Protection Authority (FDPA) issued a $35 million fine to Amazon for its excessive surveillance of its employees, including the company’s relentless tracking of employee performance and breaks, as well as the implementation of a video monitoring system without informed employee consent.

The Commission Nationale de l’informatique et des Libertés (CNIL) ruled that Amazon’s system of measuring how quickly its employees scanned items and how long they took breaks was unnecessary and intrusive. The trillion-dollar company had implemented a “Stow Machine Gun Indicator” that required an item to be scanned in no less than 1.25 seconds after the previous one, and the company was immediately alerted when an employee was not keeping up with the required pace.

Amazon also employed an “idle time indicator” and a “latency under ten minutes indicator,” which alerted the company when an employee took a break of ten minutes or more and when a scanner was interrupted for up to ten minutes. Because of the pressure this system placed on Amazon’s employees, CNIL declared it excessive, stating that it is “illegal to set up a system measuring work interruptions with such accuracy, potentially requiring employees to justify every break or interruption.”

In its ruling, CNIL examined the three indicators and determined that they led to an excessive monitoring of Amazon’s employees by the company. Specifically, the Commission found that the processing of the Stow Machine Gun Indicator meant that nearly any activity of an employee can be constantly monitored to the nearest second, and errors are common. The use of the other indicators made it possible to constantly monitor any time an employee’s scanner is interrupted even for a small amount of time.

Amazon Charged with Unauthorized Employee Surveillance

CNIL additionally stated that Amazon retained employee surveillance data for 31 days, which it considered an excessive period. Amazon should not be permitted to collect “every detail of the employee’s quality and productivity indicators collected using the scanners over the last month,” the ruling said. The Commission stated that it would be enough to review the surveillance data on a weekly basis.

FDPA also discovered that Amazon engaged in video surveillance of employees without their informed consent. This type of surveillance, without adequate notice, violates the privacy protections contained in the General Data Protection Regulation, the French Authority said.

“We strongly disagree with the CNIL’s conclusions, which are factually incorrect, and we reserve the right to file an appeal,” Amazon said in a statement. “Warehouse management systems are industry standard and are necessary for ensuring the safety, quality and efficiency of operations and to track the storage of inventory and processing of packages on time and in line with customer expectations.”

This is not the first time Amazon has been charged with violating the General Data Protection Regulation. In July 2021, Luxembourg issued the tech and retail giant a record fine of $886 million for violations stemming from its data processing practices.


Jacob Horowitz is a contributing editor at Compliance Chief 360°

The post France Fines Amazon $35 Million for Excessive Monitoring of Employees appeared first on Compliance Chief 360.

TracFone to Pay $23.5M for Violations of FCC Subsidy Program Rules
https://compliancechief360.com/tracfone-to-pay-23-5m-to-settle-fcc-charges-of-violating-subsidy-program-rules/
Thu, 30 Nov 2023 04:36:56 +0000

Verizon subsidiary TracFone Wireless has agreed to a settlement with the Federal Communications Commission to resolve charges that the telecom company violated the rules of a program intended to help low-income consumers purchase Internet access and phone services at a discount. TracFone has agreed to compliance measures and will pay $23.5 million in penalties to settle the charges.

Following its acquisition by Verizon, TracFone self-identified and reported to the FCC and the Universal Service Administrative Co. certain instances in which it may have violated the rules of two programs, Lifeline and the Emergency Broadband Benefit, which lower the cost of communication services for those who qualify.

“Whether attributable to fraud or lax internal controls, or both, we will vigorously pursue allegations of misconduct that harms critical FCC programs designed to help those most in need of communications-related services,” said Loyaan Egal, enforcement bureau chief at the FCC. “This settlement sends a strong message that we are determined to protect the integrity of these programs. I want to thank the Enforcement Bureau’s Investigations and Hearings Division for its outstanding work on this matter.”

Improper Claims

The Enforcement Bureau investigated TracFone’s procedures for determining customer usage, which are critical for ensuring public funds are not subsidizing unused connections. TracFone disclosed that its internal processes resulted in Lifeline claims for customers who had not used the service in the prior 30 days, contrary to the Commission’s rules. Specifically, TracFone’s internal systems: 1) improperly considered a subscriber’s receipt of an inbound text message to constitute qualifying Lifeline usage; and 2) improperly claimed support for a group of customers who were enrolled jointly in both the Lifeline and EBB programs, but did not use one of the services in the prior 30-day period.

TracFone also disclosed that a group of its field enrollment representatives used falsified tax documents to enroll subscribers in TracFone’s Lifeline and EBB services. After working with auditors, TracFone reimbursed the Universal Service Fund a total of $22.6 million for Lifeline from January 2019 through October 2021 and also paid back $17.8 million in EBB funds. TracFone further disclosed 79 field enrollment agents who were paid commission-based compensation tied to the number of customers enrolled, despite the FCC’s rules prohibiting such arrangements.

To resolve these matters, TracFone entered into a Consent Decree with the Enforcement Bureau in which it agreed to a series of terms and conditions for future compliance that take into consideration TracFone’s voluntary disclosures and its cooperation during the investigation. In addition, TracFone has agreed to pay $6.013 million to resolve a 2020 NAL (Notice of Apparent Liability) alleging the company claimed federal Lifeline funding for thousands of Texas customers who apparently were not eligible for the program, as well as enrollments in Florida that resulted from sales agents apparently manipulating customer data to create fake accounts.

TracFone Consent Decree Details

The consent decree’s requirements include the following conditions, among others:

1) Compliance Officer: Within 30 calendar days after the effective date, TracFone must designate a senior corporate manager with the requisite corporate and organizational authority to serve as a Compliance Officer and to discharge the duties set forth in the decree. The person designated as the Compliance Officer shall be responsible for developing, implementing, and administering the compliance plan and ensuring that TracFone complies with the terms and conditions of the consent decree.

2) Operating Procedures: Within 30 calendar days, TracFone shall establish Operating Procedures that all covered employees must follow to help ensure TracFone’s compliance with the Lifeline Rules. TracFone’s Operating Procedures shall include internal procedures and policies specifically designed to ensure that it does not submit claims for reimbursement for subscribers who are ineligible because they lack qualifying usage of Lifeline service, that ineligible subscribers are timely identified and de-enrolled, and that enrollments in Lifeline conform to the customer eligibility determinations.

3) Compliance Manual: Within 60 calendar days, the Compliance Officer shall develop and distribute a Compliance Manual to all Covered Employees. The Compliance Manual shall explain the Lifeline Rules and set forth the Operating Procedures that Covered Employees shall follow to help ensure TracFone’s compliance with the Lifeline Rules. TracFone shall periodically review and revise the Compliance Manual as necessary to ensure that the information set forth therein remains current and accurate.

4) Compliance Training Program: TracFone shall establish and implement a Compliance Training Program on compliance with the Lifeline Rules and the Operating Procedures. As part of the Compliance Training Program, Covered Employees shall be advised of TracFone’s obligation to report any noncompliance with the Lifeline or EBB Rules and shall be instructed on how to disclose noncompliance to the Compliance Officer. Compliance training pursuant to the Compliance Training Program shall be an annual requirement.

5) Reporting Noncompliance: TracFone shall report any material noncompliance with the Lifeline or EBB Rules or with the terms and conditions of this Consent Decree within 30 calendar days of a report made to the Compliance Officer. In complex cases that require additional investigation, TracFone may seek up to an additional 30 calendar days, which shall not be unreasonably denied, to make such a report of material noncompliance.

6) Compliance Reports: TracFone must file compliance reports with the Commission 90 calendar days after the Effective Date, 12 months after the Effective Date, 24 months after the Effective Date, and 36 months after the Effective Date. Each Compliance Report shall include a detailed description of TracFone’s efforts during the relevant period to comply with the terms and conditions of this Consent Decree and the Lifeline Rules.

The Lifeline program provides a monthly discount of up to $9.25 on broadband and phone service for qualifying low-income consumers. Carriers participating in the program receive funds for each eligible Lifeline subscriber and must pass the savings on to those subscribers. The Lifeline program is paid for using Universal Service Fund dollars, and that money comes from fees assessed on the phone bills of American consumers and businesses. The separately funded EBB program helped lower the cost of high-speed internet and connected devices for eligible households in 2021 during the COVID-19 pandemic.


Joseph McCafferty is editor & publisher of Compliance Chief 360°.

The post TracFone to Pay $23.5M for Violations of FCC Subsidy Program Rules appeared first on Compliance Chief 360.
