Day: April 29, 2026

Categories
Compliance Into the Weeds

Compliance into the Weeds: Navigating DOJ’s Evolving Self-Disclosure Strategies

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore the subject more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss a recent Law360 post by Hui Chen on the evolving calculus for self-disclosure.

Hui Chen’s insights into the Department of Justice’s (DOJ) evolving self-disclosure strategies are crucial for companies navigating the complexities of compliance in today’s uncertain regulatory environment. As a former DOJ compliance counsel and a Microsoft compliance officer, Chen emphasizes the challenges posed by a politicized, understaffed DOJ, urging companies to reassess their compliance programs amid shifting enforcement dynamics. Tom and Matt echo Chen’s concerns regarding the DOJ’s current state. Tom, acknowledging Chen’s expertise, highlights the impact of the department’s politicization and understaffing on the effectiveness of compliance efforts, while Matt underscores the importance of proactive self-disclosure despite uncertainties, stressing the potential risks of inaction under the current administration. Both agree that the fractured nature of the DOJ requires a reevaluation of traditional compliance and self-disclosure strategies.

Key highlights:

  • Navigating DOJ Self-Disclosure Strategies with Wei Chen
  • Justice Department’s Impact on Corporate Prosecutions
  • Mitigating Criminal Violations through Self-Disclosure
  • Benefits of Self-Disclosure in Corporate Enforcement

Resources:

Hui Chen on Law360 (sub req’d)

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
Daily Compliance News

Daily Compliance News: April 29, 2026, The Trial of the Century Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • PR exec tried to get rid of documents. (FT)
  • Why did First Brands hire BDO? (FT)
  • Altman v. Musk. Trial of the Century. (FT)
  • Should your Board appoint a Bot? (FT)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
The Hill Country Podcast

The Hill Country Podcast: AJ Rodriguez of Guadalupe Bank on Community Banking, Local Growth, and Interest-Rate Uncertainty

Welcome to the award-winning The Hill Country Podcast. The Texas Hill Country is one of the most beautiful places on earth. In this podcast, Tom’s partners, Gilbert Paiz and Andrew Gay, take the lead in visiting with AJ Rodriguez, now the interim CEO and board member of Guadalupe Bank.

AJ recounts entering banking after a ranch fire led him to college, an internship and examiner role with the U.S. Treasury, and subsequent roles at larger banks before becoming CEO of a South Texas community bank that grew to 31 branches and $2.2B in assets; after retiring in 2012 and moving to Fredericksburg, he helped launch the Backwoods barbecue restaurant and later joined Guadalupe Bank, stepping in as CEO after the prior CEO resigned. They contrast community banks with national banks, emphasizing local decision-making, relationship-based service, community involvement, and support for small businesses, and provide Guadalupe Bank details (about $254–$256M in assets, ~37–38 employees, locations in Kerrville and Fredericksburg, and a San Antonio production office planned to become a branch). They cover recruiting talent via a Schreiner University internship rotation program, regional optimism post-flood and amid steady growth, current products and fraud-prevention investments, and non-advisory commentary on interest rates, inflation, and market volatility.

Resources:

Guadalupe Bank 

Other Hill Country Focused Podcasts:

Hill Country Authors Podcast

Hill Country Artists Podcast

Texas Hill Country Podcast Network

Cover Art

Nancy Huffman

Categories
AI Today in 5

AI Today in 5: April 29, 2026, The (AI) Trial of the Century Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Musk v. Altman-AI Trial of the Century. (WSJ)
  2. A RegTech solution vs. an internal bespoke solution. (FinTech Global)
  3. AI governance in practice. (bankinfo security)
  4. AI in a skilled nursing facility. (McKnights)
  5. US v. states—the battle for AI governance. (Vorys)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Great Women in Compliance

Great Women in Compliance: Risk as a Leadership Discipline: Lessons from Internal Audit

Guest Bio:

Michelle Wagner is Vice President and Head of Internal Audit at DocuSign, where she leads global audit strategy and helps the organization strengthen governance, risk management, and internal controls while supporting a culture of integrity and accountability.

With more than 25 years of experience across consulting and industry,

Michelle has held leadership roles at Deloitte, Costco, and SAP, where she led large audit portfolios, built high-performing teams, and drove governance and risk transformation initiatives across complex global organizations.

Michelle is known for her practical, people-centered approach to risk leadership and for translating complex risk insights into clear, actionable guidance. She is passionate about mentoring emerging leaders and helping organizations move from reactive risk management to proactive, insight-driven decision-making.

Show Notes:

Risk is often framed as technical work, but at its core, it is deeply human.

In this episode of Great Women in Compliance, Dr. Hemma Lomax sits down with Michelle Wagner, Head of Internal Audit at DocuSign, to explore how curiosity, empathy, and partnership help organizations manage risk more effectively and build stronger ethical cultures.

Michelle shares insights from a career spanning consulting and global leadership roles, reflecting on the moments that shaped her leadership philosophy and the lessons she has learned about influencing without authority, building trust, and helping teams see risks as opportunities to improve rather than problems to avoid.

Together, they discuss the evolving role of internal audit, the importance of collaboration across risk functions, and how emerging technologies such as AI can help leaders identify patterns and generate insights while reinforcing the need for human judgment.

This conversation is a reminder that great risk leaders don’t just protect organizations — they help them succeed.

Episode highlights:

  • Why risk management is fundamentally a leadership discipline
  • Lessons from moving from consulting to executive leadership roles
  • What makes an internal audit function truly valuable
  • How audit, compliance, and business teams can partner effectively
  • The role of curiosity and psychological safety in surfacing risks
  • Michelle’s perspective on AI and the future of risk management
  • Leadership lessons from mentoring and building teams
Categories
Blog

John Locke and the Legitimacy of Compliance Governance

We continue our exploration of Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields such as science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this post, we consider René Descartes and what he teaches as the next step beyond Bacon: evidence must be examined rigorously.

If Francis Bacon teaches us that compliance must be grounded in evidence, and René Descartes teaches us that evidence must be examined with rigor, John Locke brings us to the next great question: why should anyone trust the system itself? That question sits at the center of every modern compliance program. Employees are asked to report concerns, managers are expected to model ethical behavior, boards are charged with oversight, and companies routinely tell regulators that their compliance program is real, effective, and embedded in the business. But none of that works if the people inside the organization do not believe the system is fair, credible, and worthy of trust. That is why John Locke matters so much to the modern compliance professional.

Locke is often remembered as a philosopher of liberty, consent, rights, and accountable government. He argued that authority is legitimate only when it is exercised responsibly and for the benefit of those subject to it. Power, in Locke’s world, is not self-justifying. It must be bounded, accountable, and tied to obligations. That idea is highly relevant to corporate compliance. A compliance program is not legitimate simply because senior management approved it, or because the board receives quarterly updates, or because policies have been published on an intranet site. It is legitimate when employees experience it as fair, when reports are taken seriously, when retaliation is not tolerated, when discipline is consistent, and when leadership is seen to be accountable to the same standards as everyone else. That is not abstract philosophy. That is compliance governance.

Why Locke Matters to Compliance

Locke’s central insight is that authority derives its legitimacy from responsible exercise and reciprocal obligation. In a political context, that meant government existed to protect rights and serve the governed, not simply to command obedience. In the corporate context, the analogy is not exact, but the lesson is powerful. Employees will not trust a compliance program merely because it exists. They will trust it only if they believe it operates fairly, protects those who raise concerns, applies standards consistently, and treats power as accountable.

This is where Locke helps compliance professionals understand something many organizations still miss. Trust in a compliance system is not automatic. It has to be earned. An employee deciding whether to call a hotline is making a deeply practical judgment. Will anyone listen? Will the matter be reviewed fairly? Will the reporter be protected from retaliation? Will the senior executive who generated the concern be treated differently from everyone else? If the employee believes the answer to those questions is no, the reporting system has already failed, no matter how polished the company’s policy language may be.

The DOJ’s Compliance Expectations Are About Legitimacy

The Department of Justice does not use the language of social contract theory, but its Evaluation of Corporate Compliance Programs (ECCP) is filled with Locke’s concerns. The ECCP asks whether the program is well-designed, applied in good faith, and works in practice. It asks about tone at the top and tone in the middle. It asks whether reporting mechanisms are trusted, whether investigations are handled properly, whether discipline is applied consistently, and whether there is protection against retaliation. Those are all questions of legitimacy. A compliance program that employees do not trust cannot work in practice.

This point is critical because too many organizations still frame culture as something soft and secondary, a matter of messaging rather than system design. Locke would reject that categorically. In his framework, legitimacy is not a decoration added to authority. It is what makes authority durable and acceptable. In a company, that means culture and governance cannot be separated. Speak-up systems, fair treatment, board attention, transparent escalation, and consistent discipline are not peripheral to compliance. They are core structural elements of it.

Speak-Up Culture Is a Test of Governance

Few areas of compliance reveal Locke’s relevance more clearly than a speak-up culture. Every company says it wants employees to raise concerns. Every company says it prohibits retaliation. But the real issue is whether employees believe those statements are true in lived experience. That belief is shaped more by organizational behavior than by slogans.

If employees see complaints buried, if they watch high performers protected despite repeated concerns, if they hear that reporting a problem is career-limiting, or if they conclude that management is more interested in identifying the reporter than addressing the underlying issue, the company has lost legitimacy. In Lockean terms, authority has ceased to be trustworthy because it is no longer being exercised for the benefit of those subject to it.

This is why non-retaliation is so important. It is not simply an employment-law consideration or a human-resources aspiration. It is a governance imperative. Retaliation tells employees that the system serves power rather than principle. Once that lesson is absorbed, reporting declines, silent resignation grows, and risk moves underground. A company may still claim to have a hotline, but it no longer has a functioning speak-up culture.

Fairness Is Not Soft. It Is a Control.

Locke also helps us understand the role of fairness in a compliance program. In many organizations, fairness is discussed as a value. It should be discussed as a control. Why? Because fairness shapes behavior. When employees believe standards will be applied consistently, they are more likely to follow them, more likely to report deviations, and more likely to trust the company’s response when issues arise. When employees believe discipline is arbitrary, selective, or influenced by rank and revenue generation, the opposite occurs. Cynicism spreads quickly. Policies become performative. Reporting drops. Informal norms replace formal standards.

That is why the ECCP pays so much attention to disciplinary consistency. Regulators understand that a compliance program loses credibility when senior leaders are treated differently from line employees. Locke would have recognized the point immediately. In any system of authority, legitimacy is undermined when rules are used to bind the weak but not the powerful.

Board Oversight and Accountable Authority

Locke’s philosophy is equally useful when thinking about board oversight. He believed that those entrusted with authority must remain accountable for how they exercise it. That is a principle every board member should understand in the context of compliance.

Board oversight is not merely about receiving information. It is about ensuring that authority inside the company is properly bounded, monitored, and answerable. The board does not run day-to-day compliance, but it is responsible for ensuring that management has created a system worthy of trust. That means asking whether reporting channels work, whether investigations are independent, whether non-retaliation protections are real, whether major risks are escalated, and whether compliance has stature and access.

This is particularly important because boards sometimes fall into the trap of treating compliance as a downstream operational matter. Locke would have viewed that as a category mistake. Governance is not something separate from legitimacy. Governance is how legitimacy is maintained.

For the modern board, that means compliance oversight must be substantive. Directors should ask not only for dashboards, but for explanations. How does management know employees trust reporting channels? What evidence supports claims of a strong culture? How is middle management assessed? What happens when senior leaders are implicated? What trends in reporting, substantiation, retaliation, and discipline should concern the board? Those questions move oversight from ceremonial to real.

In that sense, Locke also speaks directly to Caremark-era expectations. Directors have obligations not simply to exist, but to oversee. A board that does not ensure the company has credible systems of information and response is not exercising accountable authority. It is abdicating it.

Culture and the Middle Management Problem

No discussion of compliance legitimacy would be complete without examining middle management. The DOJ, in both the ECCP and the FCPA Resource Guide, 2nd edition, has long emphasized that “tone at the top” is not enough. Tone in the middle matters enormously, because employees experience the company most directly through their immediate supervisors.

This is another place where Locke offers real insight. In any system of authority, legitimacy rises or falls through those who exercise power closest to the governed. If middle managers pressure employees to ignore controls, discourage escalation, roll their eyes at compliance training, or quietly punish bad news, the company’s formal commitments will collapse in practice.

This is why companies must treat middle management behavior as a governance issue. Are managers trained not just on rules, but on their duty to support reporting and ethical decision-making? Are they evaluated on how they build culture? Do promotion and bonus structures reinforce ethical leadership, or only financial performance? Are there consequences when managers create pressure that undermines compliance expectations?

These are not marginal considerations. They are central to whether the compliance program is experienced as legitimate in daily operations. Locke reminds us that people judge institutions less by official declarations than by how authority is exercised.

The Compliance Officer as Steward of Institutional Legitimacy

Locke casts the compliance officer as a steward of institutional legitimacy. That is an important and underappreciated role. The compliance officer helps the company earn trust, not through public relations, but through structure, fairness, and accountability. The compliance officer helps ensure that when people speak up, they are heard; when misconduct occurs, it is handled consistently; when leaders exercise authority, they do so under standards that bind them as well. In this sense, compliance is not just about preventing legal violations. It is about making the institution worthy of confidence.

That is why legitimacy matters so much. A company with high trust in its compliance system detects issues earlier, responds more effectively, learns more quickly, and sustains a stronger ethical culture over time. A company without that trust becomes opaque to itself. Risk goes silent. Problems surface late. Governance becomes reactive. The institution loses one of its most important defenses: its own people’s willingness to tell it the truth.

Five Lessons Learned for the Modern Compliance Professional

First, a compliance program must be legitimate to be effective. Employees must believe the system is fair, credible, and trustworthy.

Second, speak-up culture is a governance test. Reporting mechanisms only work when employees believe concerns will be taken seriously and retaliation will not follow.

Third, fairness is a control. Consistent discipline, equal treatment across levels of seniority, and transparent standards strengthen compliance credibility.

Fourth, boards must exercise accountable oversight. They should test management’s claims about culture, reporting, and non-retaliation with real evidence.

Fifth, middle management is where legitimacy lives or dies. A company must align manager incentives, expectations, and accountability with its compliance values.

Coming Next: Thomas Hobbes and Why Every Compliance Program Needs Order

If John Locke teaches us that compliance governance must be legitimate, Thomas Hobbes will remind us that legitimacy alone is not enough. A company also needs structure, clear rules, assigned authority, escalation pathways, and credible enforcement. In Part 4, I will explore how Hobbes helps explain the roles of policies, procedures, internal controls, and operational discipline in a best-practices compliance program. Trust matters, but so does order.