Everything Compliance - Shout Outs and Rants

Everything Compliance: Shout Outs and Rants: Betting Risks, AI Hallucinations, and Community Highlights

Welcome to a revamped Everything Compliance Shout Outs and Rants. We have a new host, Adam Turteltaub, and a new panelist, Rebecca Walker, who joins returning regulars Matt Kelly, Jonathan Armstrong and Karen Moore for this iteration of Everything Compliance Shout Outs and Rants.

  • Adam raises concerns about betting markets
  • Matt rants about the KPMG fiasco and shouts out to the NY Knicks
  • Rebecca shouts out to two recent conferences
  • Jonathan shouts out to the Marks & Spencer youth program
  • Karen celebrates graduation life milestones

Everything Compliance Shout Outs and Rants is a production of the Compliance Podcast Network.

Daily Compliance News

Daily Compliance News: June 23, 2026, The Do You Want to Go All in on Iran Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Workday to face AI bias claims in hiring. (Reuters)
  • Big Oil is not interested in Gulf property development. (NYT)
  • Want to go full high-risk? Iran is about to be open for business. (WSJ)
  • More corruption trouble in Spain. (Bloomberg)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot: What Sherlock Holmes Teaches About Risk, Ethics and Investigations, on Amazon.com.

Trekking Through Compliance

Trekking Through Compliance: Episode 23 – Investigative Lessons from A Taste of Armageddon for Compliance Professionals

The episode “A Taste of Armageddon” offers a gripping narrative about two planets waging a computerized war in which casualties are “virtual” only until the people the computer declares dead are required to report for actual destruction. Beyond its science fiction thrills, the episode offers a rich canvas for compliance investigators to glean insights into corporate investigations, risk management, and ethical decision-making. Today, we explore five investigative lessons drawn from “A Taste of Armageddon” that every compliance professional can apply in today’s complex corporate environment.

Lesson 1: Don’t Accept the Surface Narrative—Dig Deeper

Illustrated By: Captain Kirk and the Enterprise crew arrive at the planet Eminiar VII and are briefed on a bizarre ongoing “war” with the neighboring planet, Vendikar. They are told the conflict is conducted entirely through computer simulations, with casualties occurring only as a result of computer-generated attack orders. The officials claim that this system prevents physical destruction and loss of infrastructure.

Compliance Lesson: Compliance must have robust evidence-gathering protocols, including document reviews, interviews, digital forensics, and whistleblower input, that go beyond the polished explanations offered by senior management or external parties.

Lesson 2: Recognize When Systems Are Manipulated to Conceal Real Harm

Illustrated By: As Kirk digs deeper, he discovers that the “war” computer directs citizens of Eminiar VII to “self-destruct” (die) to simulate casualties, a brutal reality masked by the sanitized computer war facade. The computerized system is essentially a tool to hide the true human cost of conflict under the guise of civility.

Compliance Lesson: Investigators must be vigilant in identifying situations where systems, reports, or data are manipulated to conceal wrongdoing or minimize apparent risk.

Lesson 3: Challenge Institutionalized Norms When They Violate Ethics

Illustrated By: The people of Eminiar VII believe their system is rational and ethical because it avoids the destruction of infrastructure and reduces collateral damage. Yet the human toll is real and horrific. Kirk challenges this “civilized” war system, calling out the moral bankruptcy of a process that sanctions systematic killing under bureaucratic rules.

Compliance Lesson: Investigators should be empowered to raise red flags about practices that may be “business as usual” internally but are fundamentally unethical or illegal.

Lesson 4: Collaborate Across Teams to Confront Complex Issues

Illustrated By: To expose the truth and disrupt the false war, Kirk and his crew collaborate with disillusioned Eminian officials and civilians. This cooperation allows them to understand the deeper reality and develop strategies to end the deceptive conflict.

Compliance Lesson: Investigative collaboration fosters comprehensive fact-finding, more accurate risk assessments, and the development of effective remediation strategies.

Lesson 5: Be Prepared to Disrupt Business as Usual for the Sake of Ethics

Illustrated By: Kirk’s ultimate act is to disable Eminiar VII’s computer war system, forcing the planet’s leaders to face the harsh realities of war without the illusion of sanitized casualty reports. This disrupts their entire way of life, but it is necessary to restore true peace and ethical accountability.

Compliance Lesson: Compliance leaders must be prepared to recommend and implement significant changes, even if they are disruptive, to address systemic issues.

Final ComplianceLog Reflections

Star Trek’s “A Taste of Armageddon” is a compelling allegory about the dangers of complacency, obfuscation, and ethical compromise. For corporate compliance professionals, the episode provides a blueprint for rigorous, courageous, and collaborative investigations that delve beyond polished narratives to uncover uncomfortable truths.

In a business universe full of hidden risks and “virtual wars,” compliance investigations serve as a beacon guiding companies toward ethical and sustainable success. Like the crew of the Enterprise, compliance professionals must be prepared to boldly go where few dare to look and make a tangible difference in their organizations.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Timothy is an AI-generated voice.

AI Today in 5

AI Today in 5: June 23, 2026, The AI Eats the Economy Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Your AI-based AML platform must be built for global scale. (FinTechGlobal)
  2. Chevron inks power deal with Microsoft AI. (FT)
  3. AI defensibility. (FT)
  4. Is China closing the AI gap? (NYT)
  5. Nadella says don’t let AI ‘eat the economy’. (WSJ)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot: What Sherlock Holmes Teaches About Risk, Ethics and Investigations, on Amazon.com.

Innovation in Compliance

Innovation in Compliance: Cybersecurity Workforce Design: Reducing Burnout, Clarifying Accountability, and Aligning Incentives with Dan Duffy

Innovation comes in many areas, and compliance professionals need not only to be ready for it but to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with Dan Duffy, the Cyber Practice lead at Consulting Solutions and a longtime cybersecurity and executive search professional.

They chat about the paradox of rising security spend alongside increasing burnout and turnover. Duffy argues that organizations cannot hire their way out of broken structures: undefined workflows, missing playbooks, shadow IT, fragmented accountability, and excessive alert volumes cause teams to drown, which makes burnout a business risk rather than an HR metric. He emphasizes auditing workforce design, mapping workflow needs, and securing executive and board-level support, including proper CISO reporting lines and authority. They discuss the emerging demand for an AI compliance officer, the need for clear ownership of and accountability for AI governance, and the misaligned incentives that arise when security is treated as a late-stage tax rather than a design principle. Duffy advocates maturity-focused programs, incident-informed leadership, and stronger entry-level pipelines.

Key Highlights

  • The Cyber Talent Crisis
  • Burnout as Business Risk
  • AI Governance Accountability
  • Building for Long Term Success
  • Future Workforce Pipeline
  • Advice for New Entrants
  • Rethinking Workforce Strategy

Resources

Connect with Dan Duffy on LinkedIn

Consulting Solutions

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts

Blog

The Bosch Delineation: Part 3 - Bosch and the ECCP: When Compliance Expertise and Resources Fail

As most readers know, sometimes when I get going on a multipart blog series, I either get carried away or simply cannot stop. Maybe sometimes it is both. This week is beginning to appear to be one of those times. Today I recorded an episode of Compliance into the Weeds with my co-host Matt Kelly, and we discussed some very interesting points from the enforcement action, so I decided to keep going. (The episode will post Wednesday, June 24.)

Over the past couple of blog posts, I have reviewed the DOJ Declination through the lens of the National Security Division. Today I want to look at the BIS enforcement action and mine it for a different set of lessons learned.

The BIS enforcement action is a useful case study for compliance professionals because it is not simply a story about a company with no compliance program. Bosch had export compliance processes, including U.S. export compliance processes. The failure was more subtle and more important: the compliance function did not have sufficient expertise and staffing to interpret a major regulatory change, translate that change into operational requirements, challenge incomplete business responses, and revisit its advice when contrary facts emerged. BIS charged Bosch with 109 violations involving approximately $72.4 million in exports to Huawei without the required authorization.

That is precisely the kind of failure the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) is designed to test. Under ECCP Section II, prosecutors ask whether the compliance program is “adequately resourced and empowered to function effectively.” Section II.B, “Autonomy and Resources,” directs prosecutors to examine whether compliance personnel have sufficient qualifications, seniority and stature; sufficient resources, including staff to audit, document and analyze; and sufficient autonomy from management, including access to the board or audit committee.

As laid out in the BIS enforcement action, Bosch failed on the expertise requirement. The enforcement action stated:

Bosch’s U.S. export compliance team did not have sufficient expertise or resources at the time to adequately address the August 2020 changes to the EAR, namely, the FOP Rule that expanded the restrictions for Huawei. Bosch’s failure to have an effective U.S. export controls compliance program in place for BST and ETAS at this time contributed directly to the violations at issue in these charges.

Bosch also failed on the resources requirement. Here the enforcement action stated:

During most of the relevant time period, Bosch’s export controls compliance team in the United States primarily consisted of two employees. These employees were responsible for advising Bosch’s central trade compliance function based in Germany and Bosch’s non-U.S. businesses regarding compliance with U.S. export controls regulations. Only one of these employees was tasked primarily with advising on compliance with U.S. export controls. The second employee provided part time assistance with U.S. export controls compliance while also focusing on compliance with U.S. customs and tariffs. The U.S. trade compliance team included other employees primarily focused on U.S. customs and tariffs, who could occasionally assist with minor discrete export controls questions.

  1. Did compliance personnel have the right experience and qualifications?

The ECCP asks whether compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities. That question sits at the center of the Bosch enforcement action.

During much of the relevant period, Bosch’s U.S. export controls compliance team primarily consisted of two employees. Only one was tasked primarily with advising on U.S. export controls; the second provided part-time export controls assistance while also focusing on customs and tariffs. Other U.S. trade compliance personnel were primarily customs and tariffs employees who could occasionally assist with minor export controls questions.

That staffing model proved inadequate for the risk. BIS found that Bosch’s U.S. export compliance team did not have sufficient expertise or resources to address the August 2020 changes to the EAR, and that this failure contributed directly to the violations. Communications between U.S. and German trade compliance personnel showed confusion about the Foreign Direct Product Rule (FDPR). That confusion produced erroneous guidance: a Germany-based trade compliance employee advised BST (a Bosch German entity) management that if products contained less than 25% U.S. content and the U.S. content was not classified under certain ECCNs, there was no impact and no license requirement. BIS explained that this advice improperly confused and conflated the De Minimis Rule with the FDPR, which are separate tests: the de minimis analysis looks at the share of controlled U.S.-origin content incorporated in a foreign-made item, while the FDPR can reach a foreign-made item regardless of its U.S. content when it is the direct product of certain U.S.-origin technology, software or production equipment.

For compliance professionals, the lesson is direct. Experience and qualifications cannot be evaluated generically. “Trade compliance experience” is not the same as deep expertise in a specific high-risk, fast-changing legal regime. A compliance team may be experienced enough for ordinary classification, screening and documentation work, but underqualified for a complex regulatory change affecting a major restricted customer, foreign production, production equipment, software, suppliers and end-user certifications.

The same issue appeared in Bosch’s German subsidiaries, collectively named ETAS in the enforcement action. Bosch trade compliance personnel reviewed automotive software sales to Huawei but incorrectly concluded that the FDPR applied only to physical goods, not software. BIS said Bosch personnel repeatedly advised ETAS that the restrictions did not apply to CycurHSM software.

The broader point is that qualifications must match the company’s risk profile. For a global technology company operating across complex supply chains, compliance expertise must be technical, current and operationally fluent.

  2. Did the level of experience and qualifications change over time?

The ECCP also asks whether the level of experience and qualifications in compliance and control roles changed over time. Bosch is a warning about static capability in a dynamic risk environment.

After the original August 2020 advice, Bosch received repeated warnings that should have triggered a reassessment. Company Four warned BST that the equipment used in its factories included U.S. export-controlled equipment and that products Company Four worked on for Huawei could be prohibited under the EAR. BST did not analyze whether that warning conflicted with Bosch’s internal understanding.

A Bosch trade compliance professional in the United States also sent a September 4, 2020 request for information to Bosch businesses, including BST. The request sought detailed information about production lines, production equipment, and U.S.-origin software and technology used in production. BST did not answer the specific questions. The BST Executive responded that the products had already been “clarified” as not impacted and cited a “dire allocation situation.” BIS found that had BST answered the questions, Bosch’s U.S. trade compliance personnel likely would have identified that the sensors were within the FDPR’s product scope.

The failure was not merely the first wrong answer. It was the absence of a mechanism to upgrade expertise, revisit assumptions and escalate conflicting information. A mature compliance program treats major legal change as a trigger for surge resources, specialist review and documented reassessment. It also treats repeated inconsistent data points as evidence that the original advice may no longer be reliable.

  3. How did the company invest in training and development?

The ECCP asks how the company invests in further training and development of compliance and control personnel. Bosch shows that training cannot be limited to compliance staff alone.

Between 2021 and 2024, BST employees signed multiple compliance certifications for contract semiconductor manufacturers. Those certifications stated that items produced by the manufacturers were subject to the EAR and required BST to certify that it would not provide such items to an entity with a footnote 1 designation on the Entity List. The relevant employees later explained that they signed because they did not understand that Huawei was a covered entity.

That is a gatekeeper training failure. Procurement, logistics, production, contract management and customer-response personnel were all part of the control environment. They received supplier certifications, customer requests, internal guidance and external warnings. Yet the process did not ensure they understood what those documents meant or when they had to escalate.

The lesson is practical: high-risk certifications should not be treated as administrative paperwork. They are control documents. Employees who sign them need tailored, role-based training. They should understand restricted-party designations, escalation triggers, the consequences of inaccurate certifications, and the limits of relying on old guidance.

Compliance personnel also need continuing education. Where regulations are complex and fast-moving, development should include outside specialist support, second-level review of high-risk advice, lessons learned from enforcement actions, and technical briefings with engineering and supply-chain personnel. The regulations obviously changed in August 2020, but it does not appear that Bosch’s trade compliance professionals received training on that change.

  4. Who reviewed the performance of the compliance function?

The ECCP’s final question asks who reviews the performance of the compliance function and what the review process is. Bosch illustrates why that review must go beyond activity metrics.

BIS found that Bosch’s internal controls were insufficient to ensure that compliance advice was broadly distributed, independently reviewed, or reassessed to confirm that it was correct or updated for new facts. Bosch also implemented internal blocks on Huawei orders, but German trade compliance personnel repeatedly released those orders on the strength of the erroneous August 2020 advice.

A meaningful review process would have asked different questions: Were high-risk legal interpretations independently validated? Were assumptions documented? Were unanswered business information requests escalated? Were supplier warnings reconciled against prior advice? Were order-block releases reviewed for quality, not just processed for speed? Were compliance personnel empowered to say, “No complete data, no release”?

Performance review of compliance should include legal quality, escalation discipline, documentation, red-flag closure, audit findings, and whether the function has sufficient staff to do the work expected of it. It should also include board or audit committee visibility when resource constraints affect the company’s ability to manage material compliance risks.

Lessons learned for compliance professionals

The Bosch order offers several broader lessons.

  1. Compliance resources must be risk-based. A global company cannot judge staffing by historical headcount or budget inertia. Staffing must be measured against regulatory complexity, geographic scope, business volume, customer risk and the operational burden of collecting facts.
  2. Specialist expertise matters. A general compliance function may identify issues, but complex regulatory regimes require personnel or advisors with deep subject-matter knowledge.
  3. Business pressure is a control risk. The “dire allocation situation” response mattered because it showed how operational urgency can displace compliance fact-gathering. A strong program makes responses to compliance information requests mandatory, and treats a non-answer as an escalation trigger rather than a closed question.
  4. Advice must have a lifecycle. High-risk compliance advice should identify its assumptions, the facts reviewed, the legal basis, an owner, the date issued and reassessment triggers. It should not become permanent operating authority unless it is periodically reviewed.
  5. Gatekeepers must be trained as gatekeepers. Employees who sign certifications, release orders, onboard suppliers, or respond to customers are part of the compliance control system.

The Bosch case is a reminder that a compliance program can have policies, procedures and blocks and still fail. The ECCP asks whether compliance is adequately resourced and empowered. Bosch shows why that question matters. The issue is not whether compliance was present. The issue is whether compliance had the expertise, staff, authority and review mechanisms necessary to function effectively when the business needed it most.