Categories
Blog

Declinations Are Not Exits: Using Liberty Mutual to Pressure-Test Your Compliance Program

In August 2025, the Department of Justice announced its first FCPA declination of the year, closing its investigation into Liberty Mutual Insurance Company. The facts, while concise, are significant: between 2017 and 2022, employees of Liberty General Insurance, Liberty Mutual’s Indian subsidiary, funneled approximately $1.47 million in bribes to officials at six state-owned banks in exchange for customer referrals. These illicit payments, concealed as marketing expenses and routed through third-party intermediaries, generated $9.2 million in revenue and $4.7 million in profits.

Despite this misconduct, DOJ declined prosecution, citing Liberty Mutual’s early self-disclosure in March 2024 while its internal investigation was still underway; its full and proactive cooperation, including naming individuals involved; and its timely remediation efforts, which included a full acceptance of responsibility, a systematic root cause analysis, and enhanced compliance controls. Notably, the company agreed to disgorge nearly $4.7 million in profits and adopted strengthened policies on third-party oversight, social media use, and ephemeral messaging apps.

Far from a routine declination, Liberty Mutual’s case is a blueprint for how DOJ expects companies to handle potential FCPA violations in 2025 and beyond. For compliance officers, it provides an opportunity to benchmark their programs against the department’s revised Corporate Enforcement Policy and assess whether their own organizations could withstand the scrutiny that Liberty Mutual faced.

What lessons should the compliance community draw from this “plain Jane” declination that is anything but ordinary? Today, we break it down.

Lesson 1: The Risks and Rewards of Early Self-Disclosure

Liberty Mutual’s decision to self-disclose in March 2024, before its internal investigation was complete, reflects the central tension in DOJ’s revised Corporate Enforcement Policy: disclose early or risk losing credit. Under the old guidance, companies were expected to report “immediately upon becoming aware” of potential misconduct, often before facts were clear. The 2025 revision softened the language slightly, but the expectation remains to step forward as soon as you have a clear understanding of the conduct, even if the picture is incomplete.

For compliance officers, this means preparing leadership and boards for tough judgment calls. Waiting for every fact to crystallize risks forfeiting the benefits of voluntary disclosure. Disclosing too early risks exposing the company to liability before it fully understands the problem. Building governance frameworks that allow rapid escalation, provisional risk assessment, and timely board engagement is no longer optional; it is a survival mechanism.

Lesson 2: “Full and Proactive” Cooperation

The declination letter praised Liberty Mutual for its “full and proactive cooperation.” This is a notable evolution in the DOJ’s vocabulary. We know what “full” means: produce documents, facilitate interviews, and respond to requests quickly. Note how this differs from the prior formulation by former Assistant Attorney General Kenneth Polite when discussing the DOJ’s Corporate Enforcement Policy. He defined cooperation as going “above and beyond the criteria for full cooperation” to provide “extraordinary” assistance in demonstrating immediacy, consistency, degree, and impact of the disclosures and support of the investigation. Polite’s use of the term “extraordinary” went well beyond the framing of “full and proactive cooperation.” An extraordinary commitment is required to demonstrate exceptional dedication to the investigation and actively assist the DOJ in achieving its goals.

Liberty Mutual provided relevant facts about individuals, prepared materials the DOJ hadn’t specifically requested, and worked through foreign data privacy challenges to expedite production. That’s proactive.

For compliance professionals, the message is unmistakable: cooperation credit does not come just from answering questions; it comes from anticipating them. Proactive means preparing translations before DOJ asks, synthesizing investigative findings into clear presentations, and offering additional documentation that regulators might find helpful. Companies that want declinations need to train investigative teams to think two steps ahead.

Lesson 3: Navigating Deconfliction and Investigative Boundaries

The Liberty Mutual matter also reminds us of the delicate dance of deconfliction: the DOJ’s practice of asking companies to delay interviewing certain employees so that prosecutors can conduct their interviews first. But cooperation doesn’t end there. The DOJ may also encourage companies to expand their investigations into new geographies or business units.

The 2025 CEP revisions signaled an intent to keep investigations more focused for companies, which provides leverage to push back on overreach while still demonstrating cooperation.

Compliance officers must strike a balance: honor deconfliction requests that allow prosecutors to proceed without interference, but defend investigative boundaries when asked to wander into areas where no evidence exists. A disciplined scope protects both resources and credibility with regulators.

Lesson 4: Fulsome Acceptance of Responsibility

One of the more striking phrases in the declination letter was DOJ’s recognition of Liberty Mutual’s “fulsome acceptance of responsibility.” This signals a shift from perfunctory acknowledgments of wrongdoing to meaningful ownership.

It is the difference between saying, “Yes, our subsidiary made mistakes,” versus declaring, “We, as the parent company, failed to prevent this misconduct, and we own the failure.” Liberty Mutual didn’t stop at distancing itself from bad actors; it accepted enterprise-level responsibility.

For boards and executives, this is a powerful compliance lesson. DOJ expects companies to shoulder responsibility broadly, not hide behind “rogue employees.” The tone set at the top must reflect ownership, contrition, and commitment to preventing recurrence.

Lesson 5: Root Cause Analysis as Compliance Bedrock

The declination also highlighted Liberty Mutual’s systematic root cause analysis. This is not a new concept in compliance circles, but it is increasingly central to the DOJ’s calculus. Simply removing the wrongdoer isn’t enough. The question is: what systemic weaknesses allowed the misconduct to occur?

Liberty Mutual conducted a thorough RCA that examined its control environment, third-party oversight, and cultural gaps. This analysis guided remediation efforts, including structural reorganization, increased compliance resources, and enhanced third-party monitoring.

For compliance officers, the takeaway is straightforward: build RCA into every investigative playbook. Document how each failure occurred, identify the control breakdowns, and map remediation directly back to those findings. DOJ does not just want to see discipline; it wants to see learning.

Lesson 6: Messaging, Social Media, and the New Compliance Frontier

Finally, the Liberty Mutual declination highlighted an issue that has been simmering beneath the surface: the use of ephemeral messaging and social media in business communications. DOJ specifically noted Liberty Mutual’s remediation in this area, a rarity in declinations.

This signals that DOJ expects compliance programs to account for modern communication risks, not just email and enterprise systems, but WhatsApp, Signal, Teams auto-delete, and even Facebook Messenger or Instagram DMs. These channels are increasingly central to both legitimate business and corrupt schemes.

For compliance officers, the challenge is twofold:

  1. Develop clear policies governing employee use of messaging and social media for business.
  2. Deploy monitoring and recordkeeping mechanisms that ensure compliance with legal and regulatory expectations.

This is the new frontier, and companies that fail to adapt may find themselves unable to demonstrate control credibly.

Declinations as Roadmaps

The Liberty Mutual case may have looked routine at first glance, but it is anything but. For the compliance community, it serves as a roadmap for navigating the DOJ’s revised Corporate Enforcement Policy.

The lessons are clear: prepare for early self-disclosure, embrace proactive cooperation, defend investigative boundaries, accept responsibility broadly, conduct rigorous root cause analysis, and modernize oversight of communication.

Declinations are not just quiet exits; they are public teaching tools. Liberty Mutual’s experience demonstrates how a company can turn a damaging bribery scandal into a compliance success by owning the problem, learning from it, and showing a genuine commitment to reform. For today’s CCO, the real question is: if DOJ knocked on your door tomorrow, could you meet the Liberty Mutual standard?

Categories
Innovation in Compliance

Innovation in Compliance – Cybersecurity Challenges and Solutions: An In-Depth Interview with Robert Meyers

Innovation comes in many areas, and compliance professionals need to be ready for it and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, Tom Fox interviews Robert Meyers, a cybersecurity and privacy expert with over 30 years of experience.

Meyers shares his journey from starting in IT to becoming a prominent figure in cybersecurity, privacy, and M&A security. He recounts the evolution of cybersecurity from the 1980s to the present day, highlighting key lessons learned along the way. He discusses the philosophical divide between U.S. and European attitudes toward data privacy, the importance of a cross-functional approach to cybersecurity and privacy within companies, and how emerging technologies like agentic AI are reshaping the industry. He also shares insights from his new book, ‘Privacy Snippets for the Cybersecurity Professional,’ aimed at helping professionals bridge the gap between cybersecurity and privacy. Additionally, Meyers’s passion for Comic-Con offers a unique perspective on how creativity and community engagement can inform and enrich professional practices.

Key highlights:

  • Robert Meyers’ Professional Background
  • Early Cybersecurity Challenges
  • Evolution of Privacy and Security
  • Roles and Responsibilities in Cybersecurity
  • Agentic AI and Future Challenges
  • Comic-Con and Personal Interests
  • Advice for Aspiring Professionals

Resources:

Privacy Snippets for the Cybersecurity Professional on Amazon

Robert Meyers’ Profile on Amazon

Robert Meyers on LinkedIn


Categories
Corruption, Crime and Compliance

[Replay] Third-Party Risks and Sanctions Compliance

With the beginning of the “New FCPA” era coined by DOJ’s Deputy Attorney General Lisa Monaco, we now need to focus on third-party risk and sanctions enforcement. The law, the practice, and the risks are important and are not simply the same as FCPA legal requirements. As we embark on a new criminal enforcement era surrounding sanctions violations, companies have to address this issue and do it correctly.

In this episode, Michael Volkov takes a comprehensive look at third-party risks from the distribution and supply sides and outlines appropriate strategies to manage these risks.

 

  • Epsilon Electronics serves as a stark reminder of the financial consequences of non-compliance. The company faced an OFAC enforcement action due to a shipment to Iran, resulting in a staggering penalty of over $4 million.
  • Apollo Aviation Group settled with OFAC for $210,600 for leasing aircraft engines that ultimately ended up being placed into aircraft of a prohibited entity, Sudan Airways, violating sanctions regulations.
  • ELF Cosmetics settled with OFAC for $996,000 for importing false eyelash kits containing materials sourced from North Korea, highlighting supply chain due diligence failures.
  • The ELF Cosmetics case underscores the crucial role of supply chain due diligence in preventing sanctions violations. Instead of sticking their heads in the sand, companies must undertake basic supply chain due diligence when sourcing products from regions close to high-risk countries or regions.
  • “Reason to know” is now the key phrase guiding the New FCPA era. OFAC does not need to prove goods ultimately end up in a sanctioned country. When you see red flags, you must resolve them or they could be considered a “reason to know” in OFAC’s eyes.
  • Seven essential elements to boost your compliance program and effectively mitigate third-party sanctions risks include risk assessment, varying levels of due diligence, end-user documentation, monitoring, training, and red flag identification.

 

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Categories
Sunday Book Review

Sunday Book Review: August 31, 2025, The Final Set of Books from the Ethicsverse Library Edition

In the Sunday Book Review, Tom Fox considers books that would interest compliance professionals, business executives, or anyone curious about the subject. It could be books about business, compliance, history, leadership, current events, or any other topic that might interest Tom. Today, we conclude our August exploration of four books from the Ethicsverse Library, all curated by Ethico.

Resources:

The Ethicsverse Library

The Sunday Book Review was recently honored as one of the Top 100 Book Podcasts.

Categories
10 For 10

10 For 10: Top Compliance Stories For the Week Ending August 30, 2025

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly fill of compliance stories with 10 For 10, a podcast produced by the Compliance Podcast Network.

Top stories include:

  • Chinese money launderers are moving billions through the US banking system. (WSJ)
  • Texas reveals an ABC plan for Washington. (Axios)
  • Drax is facing an FCA probe in the UK. (Bloomberg)
  • Microsoft employees occupy the CEO’s office in protest over the Gaza situation. (WSJ)
  • BCG staff outraged by company’s work to deport Gazans. (FT)
  • What a bunch of branding clunkers. (FT)
  • Should you rent a robot for compliance? (NYT)
  • The challenges of responsible AI development. (Forbes)
  • JPMorgan to pay $330 million over its role in the 1MDB scandal. (WSJ)
  • Under Eric Adams, NYC is a ‘City for Sale’. (NYT)

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day, here.


You can purchase a copy of my new book, Upping Your Game, on Amazon.com.

Categories
From the Editor's Desk

Compliance Week’s Reflections from August and Insights into September 2025

In this episode of ‘From The Editor’s Desk’ podcast, hosts Tom Fox and Aaron Nicodemus delve into key compliance issues featured in Compliance Week. They discuss the heightened risks for companies doing business in Mexico due to connections with cartels, recent enforcement actions stemming from these connections, and the Trump administration’s first FCPA bribery case. They also preview an upcoming case study on Lafarge’s operations in Syria and introduce new website features, including CW Connect, designed to foster meaningful conversations among compliance officers. Additionally, they highlight best practices and preview articles planned for National Compliance Officer Day.

Highlights include:

  • Top Compliance Stories in August 2025
  • Risks of Doing Business in Mexico
  • FCPA Enforcement Actions and Investigations
  • Upcoming Case Study on Lafarge
  • Website Redesign and New Features

Resources:

Aaron Nicodemus on LinkedIn

Compliance Week

Categories
Daily Compliance News

Daily Compliance News: August 29, 2025, The A Novel in the FT Business Books of the Year Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, including compliance, ethics, risk management, leadership, or general interest, relevant to the compliance professional.

Top stories include:

  • Chinese money launderers are moving billions through the US banking system. (WSJ)
  • Texas reveals an ABC plan for Washington. (Axios)
  • Drax is facing an investigation by the FCA in the UK. (Bloomberg)
  • Why the novel, Drayton and Mackenzie, is in the FT’s 2025 Business Books of the Year. (FT)

You can donate to flood relief for victims of the Kerr County flooding by going to the Hill Country Flood Relief here.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 58 – The AI Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

Stories this week include:

  • Compliance with the new CRD Regulations is six weeks away. (CDF Labor Law)
  • TikTok to Utilize AI as Content Moderators. (WSJ)
  • Is AI coming for culture? (New Yorker)
  • Is AI psychosis real? (BBC)
  • AI will not replace historians. (WSJ)
  • Google Could Get Broken Up This Week. Here’s What It Would Mean. (NYT)
  • Using AI Agents to Cheat on Training. (Radical Compliance)
  • AI Made Me Dumb & Sad. (Corporate Compliance Insights)
  • Incentives in Compliance and Ethics Programs: What Does ChatGPT Tell Us? (Ideas & Answers)
  • Woman Claims Wind Blew Cocaine Into Her Purse, Police Say. (CBS News)

Resources:

Kristy Grant-Hart on LinkedIn

Prove Your Worth


Categories
AI Today in 5

AI Today in 5: August 29, 2025, The AI Outperforming Humans Episode

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest related to AI.

Top AI stories include:

  • AI is improving efficiency and compliance. (qsrweb)
  • Compliance Checklist for New California Law Regarding AI and ADS. (JacksonLewis)
  • AI adoption in finance. (FinTechGlobal)
  • Free ESG-AI platform announced. (PressWire)
  • Does AI outperform human recruiters? (Bloomberg)

For more information on the use of AI in compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Categories
Blog

UM Cheating Scandal, Part 5: Compliance Lessons Learned

In August 2025, the NCAA released its long-awaited Report on infractions committed by and for the University of Michigan football program. For compliance professionals, this case should be viewed not merely as a college sports story but as a case study in organizational misconduct, leadership failure, and cultural breakdown. Just as an FCPA enforcement action lays bare how companies slip into non-compliance, this NCAA decision reveals how one of the country’s premier football programs allowed systemic misconduct to flourish.

In Part 1, we examined the background facts, the elaborate scouting scheme, recruiting inducements, and failures to cooperate. In Part 2, we discussed the deeper issue of culture, where the football program viewed compliance as an adversary. In Part 3, we analyzed the violations and penalties, focusing on the sanctions imposed on Michigan and its staff. Finally, in Part 4, we considered what happens when an enforcement agency is stripped of its ability to enforce by asking whether the NCAA itself has become a toothless enforcement agency after declining to vacate wins or strip Michigan of its 2023 national championship.

Together, these four posts tell a story that is both uniquely collegiate and universally corporate: a tale of rules violated, compliance sidelined, culture corrupted, penalties imposed, and a regulator under fire. For corporate compliance professionals, the lessons are clear.

The Background: What Happened at Michigan

At the heart of the Michigan case was Connor Stalions, a staffer who orchestrated an elaborate sign-stealing operation. Using a network of interns, acquaintances, and even student-athletes, Stalions purchased tickets, filmed opponents’ sidelines, and created a “Master Chart” of signals. Over the course of three seasons, there were 56 instances of impermissible in-person scouting across 52 games.

The violations went beyond scouting. Coaches and staff provided improper inducements, including meals, gear, and even attempts at social media “blue check” verification. Nearly 100 impermissible text messages were sent to a recruit before the allowable date.

Head coach Jim Harbaugh was charged with head coach responsibility violations, having failed to promote compliance or monitor his staff. To make matters worse, multiple individuals failed to cooperate once the investigation began; devices were destroyed, evidence was deleted, and investigators were misled.

This was Michigan’s second infractions case in as many years, making it a repeat violator.

The Cultural Breakdown

But the facts alone do not explain how this misconduct flourished. The real story was cultural.

Michigan football had a contentious relationship with compliance. Coaches dismissed the compliance staff as “roadblocks” and even “true scum of the earth.” The Chief Compliance Officer, a respected industry leader, testified that she was seen as “a thorn in [Harbaugh’s] side.”

This hostility created an environment of willful blindness. Staff admitted they “went out of their way not to know” what Stalions was doing, so long as results were delivered. Red flags raised by interns or opponents were ignored or brushed aside.

Compliance education was lacking, especially for interns, many of whom played key roles in the scheme but received no targeted training. The compliance office could not even get into the room unless it forced its way in.

Ultimately, the NCAA concluded that “Michigan failed to create a culture of compliance in the football program.” For compliance professionals, this is a cautionary tale: no matter how effective your compliance office is, culture will ultimately prevail if leadership undermines it.

The Penalties: What Was Possible, What Was Imposed

The violations, Level I for the most serious (scouting, head coach responsibility, and failures to cooperate) and Level II for recruiting and monitoring, carried potentially devastating penalties. As a repeat violator, Michigan could have faced multi-year postseason bans, scholarship reductions, and the vacating of wins.

Instead, the NCAA opted for a different approach:

  • For Michigan: Four more years of probation, multi-million-dollar fines, loss of postseason revenue, recruiting restrictions, and public posting of the infractions decision.
  • For Individuals: Career-altering show-cause orders: 10 years for Harbaugh, 8 years for Stalions, 3 years for Robinson, and 2 years for Moore. Negotiated resolutions added show-cause penalties for Clinkscale and Minter.

But the NCAA declined to impose a postseason ban or vacate Michigan’s 2023 national championship. Instead, it substituted financial penalties, citing fairness to current athletes who were not involved in the violations.

The NCAA’s Credibility Crisis

This decision has sparked a broader debate: Is the NCAA now a toothless enforcement agency? By choosing not to vacate wins, not to impose a postseason ban, and not to strip the national championship, the NCAA sent a message: even the most serious Level I–Aggravated violations can be survived without meaningful on-field consequences.

The NCAA justified its choice by citing the need for fairness to current athletes. But the effect was to undercut deterrence. If Michigan can commit widespread violations, win a championship during the scheme, and keep both the wins and the trophy, what message does that send? For compliance professionals, this is equivalent to a regulator declining to debar a repeat corporate offender or refusing to impose a monitor after repeated bribery scandals have occurred. Enforcement without teeth creates cynicism, undermines culture, and emboldens violators.

Five Lessons for Corporate Compliance Professionals

From the four perspectives we have explored — facts, culture, penalties, and the regulator’s credibility — come five key lessons for corporate compliance officers.

1. Culture Will Always Trump Policy

Michigan had a compliance office, policies, and training. Yet the football program treated compliance as the enemy. Harbaugh’s tone at the top set a culture where results mattered more than rules. Compliance professionals must remember that culture is the real driver of behavior. Policies without culture are paper tigers.

2. Repeat Offenders Face Escalating Consequences

Michigan’s repeat violator status magnified its penalties. In the corporate world, companies with prior FCPA or sanctions violations are judged far more harshly when caught again. Building credibility requires not just resolving past cases but sustaining reform over time.

3. Individual Accountability is Here to Stay

The NCAA’s most severe sanctions fell on individuals, Harbaugh and Stalions in particular. This mirrors the DOJ’s emphasis on individual liability. Compliance officers must ensure executives understand that they will personally bear responsibility for compliance failures.

4. Cooperation is Non-Negotiable

The obstruction made this case far worse. Destroying evidence and refusing to cooperate turned a bad situation into a career-ending one for multiple individuals. In corporate enforcement, cooperation credit can significantly reduce penalties; obstruction can magnify them.

5. Regulators Must Enforce Meaningfully — or Risk Irrelevance

The most sobering lesson is about the NCAA itself. By declining to vacate wins or strip championships, the NCAA undermined its own credibility. For compliance officers, this underscores the importance of strong, consistent enforcement. If your regulator is weak, it makes your job harder because the business will treat compliance as optional.

The Broader Meaning

The Michigan case is about more than football. It is about how organizations treat compliance, how regulators enforce rules, and how culture drives outcomes. For compliance professionals, it offers a sobering parable. When leadership undermines compliance, culture tolerates misconduct, violations are repeated, and regulators fail to enforce penalties meaningfully, the result is inevitable: misconduct flourishes, penalties escalate, and credibility erodes.

The job of the compliance professional is to resist that cycle: to build cultures that embrace compliance, to insist on accountability, to promote cooperation, and to hold leadership accountable for setting the tone at the top. And when regulators fail to act, compliance officers must redouble their efforts internally because rules without enforcement may be just suggestions, but culture without compliance is a guaranteed recipe for disaster.