Categories
Regulatory Ramblings

Regulatory Ramblings: Episode 83 – Hong Kong’s New Protection of Critical Infrastructures (Computer Systems) Ordinance

This episode focuses on Hong Kong’s new Protection of Critical Infrastructures (Computer Systems) Ordinance. Currently in bill form before the territory’s Legislative Council, it is expected to go into effect in January 2026. The discussion first features Wendy Chow, Invest Hong Kong’s Head of Digital Technologies & Data Infrastructure, on how her group is raising awareness of the forthcoming legislation locally.

Following that, the conversation moves to Nicky Au, Ensign InfoSecurity’s General Manager, Greater Bay Area, and Pierre Malgorn, I-TRACING Cybersecurity’s Asia Pacific Director, about what financial institutions and corporations need to do to prepare for the new law.

The Protection of Critical Infrastructures (Computer Systems) Ordinance in Hong Kong seeks to safeguard the computer systems of designated Critical Infrastructures (CIs) by creating a regulatory framework to boost cybersecurity and strengthen defenses against cyber threats. The Ordinance will take effect on January 1, 2026.

Who are Considered Critical Infrastructure Providers?

Organizations that are crucial to delivering essential services for daily life and that operate in the following eight designated sectors will be affected:

Air Transport, Banking and Financial services, Energy, Healthcare services, Information Technology, Land Transport, Maritime, and Telecommunications and Broadcasting services.

Key highlights:

  • The Ordinance requires organizations that manage critical infrastructure in Hong Kong to comply with strict cybersecurity regulations.
  • Failure to meet the Ordinance’s obligations may result in fines ranging from HK$500,000 to HK$5 million. For ongoing offenses, an additional daily fine of HK$50,000 to HK$100,000 may be imposed for each day the offense persists.
  • Penalties target the organization as a whole, not senior management individually. However, individuals may be personally liable for crimes such as providing false information or committing fraud.

Biography:

Wendy Chow is based in Hong Kong and has been with Invest Hong Kong for almost a quarter of a century in various roles. She is currently the Head of Digital Technologies and Data Infrastructure. She specializes in providing bespoke guidance and hands-on facilitation services to help establish and grow mainland Chinese and overseas tech businesses in Hong Kong and regional markets.

An HKU alum, she holds a BA, a master’s in social science in mental health, and an MBA from the University of Hong Kong. She also has an MA degree from the University of Massachusetts Amherst.

Nicky Au is Ensign InfoSecurity’s Hong Kong-based General Manager for the Greater Bay Area. He is a graduate of the City University of Hong Kong, where he earned his bachelor’s degree in business administration with a focus on information systems, and he is also a certified professional, holding CISSP, CISM, CISA, and CISP-CISO certifications.

Pierre Malgorn is the Asia Pacific Director for I-TRACING Cybersecurity. He holds an engineer’s degree in IT technologies from the EPF Engineering School in Cachan, France, and is currently based in Hong Kong.

Discussion:

The spotlight chat begins with Wendy sharing why the Ordinance matters to Hong Kong and what it means for the territory’s digital regulatory landscape. She goes on to explain Invest Hong Kong’s role in raising awareness of the bill and helping the local business community understand and adapt to it. She also shares her thoughts on whether there was sufficient cybersecurity and infrastructure support locally in the city and, if not, what the strategy was to attract more talent and firms to Hong Kong.

Wendy acknowledges that for multinationals operating across Asia, the regulatory landscape can be complex. Yet, the belief is that the new ordinance is necessary and will strengthen Hong Kong’s long-term position as a secure, reliable hub for international business.

Following that, we continue the discussion on the Ordinance with Nicky and Pierre. They share their views on how the law will likely affect their clients and what they are doing to help them prepare for its rollout. While awareness and preparation are key for smooth implementation, the Ordinance’s definition of “critical infrastructure” can seem broad. Nicky and Pierre comment on how they help companies determine whether they are covered by the new law and on the practical first steps they would recommend.

They also comment on how the Ordinance introduces financial penalties, which are helping change the conversation at the board level, with cybersecurity matters now treated as a core business risk. Increasingly, the risk landscape includes emerging threats such as AI-powered attacks. Nicky and Pierre comment on how new technologies are changing the threat landscape for their clients and how they would advise them to build genuine security—going beyond mere box-ticking and compliance.

A sad reality is that in a major cyber incident, the local authorities will get involved. How does one prepare their clients to manage crisis communications while interacting with regulators, law enforcement, and policymakers? Our guests offer some “dos” or “don’ts” for such scenarios.

Regulatory Ramblings podcasts are brought to you by The University of Hong Kong – Reg/Tech Lab, HKU-SCF Fintech Academy, Asia Global Institute, and HKU-edX Professional Certificate in Fintech, with support from the HKU Faculty of Law.

Connect with RR Podcast at:

LinkedIn: https://hk.linkedin.com/company/hkufintech 
Facebook: https://www.facebook.com/hkufintech.fb/
Instagram: https://www.instagram.com/hkufintech/ 
Twitter: https://twitter.com/HKUFinTech 
Threads: https://www.threads.net/@hkufintech
Website: https://www.hkufintech.com/regulatoryramblings 

Connect with the Compliance Podcast Network at:

LinkedIn: https://www.linkedin.com/company/compliance-podcast-network/
Facebook: https://www.facebook.com/compliancepodcastnetwork/
YouTube: https://www.youtube.com/@CompliancePodcastNetwork
Twitter: https://twitter.com/tfoxlaw
Instagram: https://www.instagram.com/voiceofcompliance/
Website: https://compliancepodcastnetwork.net

Categories
From the Editor's Desk

From the Editor’s Desk – Compliance Week’s Insights and Reflections for November and into December 2025

In this episode of ‘The Editor’s Desk’ podcast, hosts Tom Fox and Aaron Nicodemus delve into key compliance issues featured in Compliance Week. Tom and Aaron discuss top stories from Compliance Week in November, look at stories that will appear in December, and provide a preview of upcoming content and events in January and beyond.

They discuss FCPA investigations closed under the Trump administration and the implications for compliance professionals. Aaron highlights stories from Compliance Week, including an FCPA enforcement action involving Millicom Cellular in Guatemala and a detailed look at financial institutions in Latin America involved in money laundering for drug cartels. The hosts also touch on significant interviews and upcoming features, such as compliance wins and fails of the year, an AI and compliance survey, and the upcoming Compliance Week national conference. The episode offers valuable insights into compliance trends and regulatory changes, providing practical advice for compliance officers.

Resources:

Aaron Nicodemus on LinkedIn

Compliance Week

From the Mind of the CCO survey

Categories
Compliance Tip of the Day

Compliance Tip of the Day – M&A-Pre-Acquisition: Final Lessons

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice for navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide you with bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week, we looked at the role of compliance in the pre-acquisition phase of a merger and acquisition. We wrap it all up for you.

For more on this topic, check out The Compliance Handbook: A Guide to Operationalizing your Compliance Program, 6th edition, which LexisNexis recently released. It is available here.

Categories
Compliance and AI

Compliance and AI: Navigating the Challenges and Opportunities of Agentic AI in Compliance

What is the intersection of AI and compliance? What about Machine Learning? Are you using ChatGPT? These questions are just three of the many we will explore in this cutting-edge podcast series, Compliance and AI, hosted by Tom Fox, the award-winning Voice of Compliance. Today, the Everything Compliance gang, led by Dr. Hemma Lomax, is considering how to navigate the challenges and opportunities of agentic AI in compliance.

In this episode, we explore the rapidly evolving landscape of Agentic AI and its implications for compliance professionals. Agentic AI, defined as AI that acts autonomously rather than just responding to prompts, presents both significant opportunities and challenges. The technology can optimize risk management and compliance workflows, but it also introduces complexities around accountability, transparency, and oversight. We discuss recent real-world examples of Agentic AI in use, such as in banks and tax agencies, and highlight potential risks, including autonomous collusion and AI agents making unethical decisions. The episode emphasizes the need for compliance teams to shift from monitoring human activities to overseeing intelligent systems, ensuring the establishment of proper guardrails. We also delve into new roles emerging in this landscape, such as AI ethics coaches and agent supervisors, and the importance of human intervention to verify AI decisions. Join the discussion to understand how to navigate this transformative technology responsibly and effectively.

Key highlights:

  • Defining Agentic AI
  • Implications for Compliance and Ethics
  • Challenges and Risks of Agentic AI
  • Real-Time Compliance and Risk Management
  • Human Oversight and AI Governance

Categories
Daily Compliance News

Daily Compliance News: December 5, 2025, The White Collar Criminal Enterprise Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • The US lost over $29bn to fraud, waste, and abuse in Afghanistan. (USAToday)
  • The FTC orders Boeing to divest an asset as part of the merger. (WSJ)
  • EU considers interim measures against Meta. (Reuters)
  • How far from Earth has executive comp gone? (FT)

The Daily Compliance News has been honored as No. 2 in the Best Regulatory Compliance Podcasts category.

Categories
AI Today in 5

AI Today in 5: December 5, 2025, The AI Doesn’t Know How to Learn Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Ex-CTO of Yahoo says AI doesn’t know how to learn. (YouTube)
  2. CEOs making a business case for AI (and not a bubble). (Fortune)
  3. The EU is looking at Meta and its WhatsApp AI program. (CNBC)
  4. AI for marketing compliance. (FinTechFinanceNews)
  5. AI-generated comms and compliance risks. (Thomson Reuters)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

It’s Always About the Data: Lessons in Data from the AI Today In Five

Today I want to shift gears from the serious business of SFO guidance to the serious business of measuring impact. Whether we are talking about avoiding a Deferred Prosecution Agreement (DPA) or dominating the Apple Podcast charts, the core lesson is the same: if you cannot measure it, you cannot manage it. And if you are not measuring its effectiveness, you are wasting your time.

I have reviewed the ranking data for my AI Today Podcast, from Podgagement, and while some might see this as simple content success, I see a powerful case study in operational excellence that every compliance professional needs to internalize. This data provides the clearest metrics on global impact and sustained quality, the very things we should be striving for in our ethics and compliance programs.

The Global Audit of Excellence

When the SFO or the DOJ comes knocking, they are not looking at the size of your policy binder; they are looking at impact and coverage. The AI Today Podcast provides a clear metric for this: global dominance.

The data shows that this podcast has reached #1 in the Technology category across multiple critical global markets. Think about that. Achieving the top rank in a major competitive market means winning the global audit of content quality. It proves the program is not just adequate; it is best-in-class. A truly effective compliance program should aim for the same status: it must be globally recognized, universally applicable across jurisdictions, and resilient enough to rank at the top against any competitor. If your program only works in one country, you have a regional policy, not a global compliance culture. 

Consistency is Compliance

In compliance, a single “win” is meaningless. You do not get credit for a good policy written five years ago if your training is out of date and your due diligence system is circumvented. Excellence requires sustained, consistent effort. The AI Today Podcast data beautifully illustrates this principle of sustained effectiveness. Beyond the top spot, the network consistently achieves high rankings across a broad geographical and cultural spectrum:

  • Portugal at #2
  • Indonesia at #3
  • Hong Kong at #10
  • Canada at #12

This is not simply a flash in the pan. This is evidence that the procedures behind the content, research, production, consistent release schedule, and listener engagement are working day in and day out. Furthermore, the “All chart rankings” table shows the podcast hitting the #1 rank across multiple specific dates in 2023 and 2025. This momentum is the metric we should pursue in compliance: proof that our controls are embedded, actively monitored, and working effectively over time.

If you are seeing consistent, high scores on internal compliance metrics, if your training completion rates are always high, and if your internal investigations are identifying and addressing risk proactively, that is your #1 ranking.

The Power of the Niche

All of the observed top rankings are categorized under Technology. This specialization is not a limitation; it is a strategic advantage that leads to market dominance. The podcast knows its audience and serves it flawlessly. In compliance, this directly translates into risk assessment and proportionality. We must focus our limited resources on the specific risks we face, whether that is bribery in third-party channels, fraud under the new ECCTA, or sanctions risk in volatile markets. A program that tries to be everything to everyone ends up being nothing to anyone. A sharp, well-defined risk focus is what allows you to reach the top of your organizational niche and prove your effectiveness.

The Challenge: Measure Your Impact, Not Just Your Effort

The success of the “AI Today Podcast” is a stark reminder to every compliance professional: Stop counting the number of policies you’ve written or the hours you’ve spent in meetings. That is effort. Start focusing on the metrics of impact.

  • What are your global #1 rankings in compliance?
  • Is it the rate of substantiated misconduct reports?
  • Is it the demonstrable improvement in employee perception of ethical culture?
  • Is it a perfect pass on a third-party audit?

If your compliance program is not producing measurable, consistent, globally relevant results, you do not have an effective program; rather, you have a “paper exercise.” The SFO and the DOJ have told you they care about effectiveness; the podcast charts show you what effectiveness looks like in the real world.

Take this lesson, audit your metrics, and ensure your program is not just running but dominating the corporate integrity chart. You should settle for nothing less than a #1 rank.