Author: Admin

Categories
FCPA Compliance Report

FCPA Compliance Report: Highlights from SCCE Europe with Gerry Zack

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. This is our 800th edition. In this episode, Tom Fox welcomes back Gerry Zack, who recently attended the SCCE Europe conference in Berlin.

They begin by noting the differences from the U.S. national conference, including a stronger European focus on behavioral ethics, culture, and community networking. Zack highlights extensive conference attention to AI, including the shift toward agentic AI, practical compliance uses such as identifying policy gaps, enhancing third-party due diligence, and automating anomaly follow-up, while cautioning about investigative risks if AI-generated interview strategies are scrutinized in court. They discuss AI-driven fraud threats (deepfakes, fake invoices, and improved phishing) and the growing concerns about shadow AI and the improper use of confidential information. Zack also describes a company’s experience pursuing ISO 37301 and 37001 certifications and notes ongoing work and limited U.S. awareness around the UK Failure to Prevent Fraud Act. He was surprised by the profession’s continued lack of sophistication in risk assessments.

Key highlights:

  • US vs Europe Conference
  • AI Keynote and Practical Takeaways
  • ISO Compliance Certification
  • UK Failure to Prevent Fraud
  • Surprises Risk Assessment Gap

Resources:

Gerry Zack on LinkedIn

RiskTrek

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Returning to Venezuela on Amazon.com

Categories
AI Today in 5

AI Today in 5: March 9, 2026, The Dr. AI is In Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Scaling AI safely will be a key healthcare issue in 2026. (PR Newswire)
  2. What is AI governance? (FinTechGlobal)
  3. The Trump Administration continues to sow AI chaos. (S&PGlobal)
  4. The Trump Administration puts ‘any lawful use’ in AI contracts. (FT)
  5. The era of Dr. AI is here. (Axios)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Daily Compliance News

Daily Compliance News: March 9, 2026, The Death Carve Out for Betting Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • On Wall Street, don’t dress better than the boss. (WSJ)
  • Workplace abuse was physical at Noma. (NYT)
  • The Trump risk for international travel. (FT)
  • Kalshi sued over the failure to pay out on a bet on the death of the Iranian leader. (Reuters)
Categories
Blog

Aly McDevitt Week: Part 1 – Carnival and the Hard Truth About Crisis-Tested Compliance

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

Please note that I will leave her seminal (in my opinion) piece, The Banks Behind the Epstein Enterprise, for a later piece.

In A Tale of Two Storms, it is worth noting at the outset that McDevitt did more than recount a corporate crisis. She captured a company trying to rebuild itself under the eye of a court-appointed monitor just as COVID-19 exploded into a global emergency. As Compliance Week explained, what began as a long-form examination of Carnival’s environmental misconduct and attempted compliance redemption became a far bigger story when one of its ships became an early incubator of the virus outside China.

For the compliance professional, that pivot is the first lesson. A program is not truly tested in the conference room. It is tested when an old crisis collides with a new one.

McDevitt opens at a moment of eerie transition. On February 20, 2020, Carnival was already dealing with a COVID-19 outbreak aboard the Diamond Princess, even as Compliance Week toured the company’s new ethics and compliance function in Miami. That juxtaposition framed the whole case study. Carnival was not simply managing a public health disaster. It was doing so while still carrying the baggage of a long, embarrassing, and very expensive history of environmental misconduct.

That history mattered. Carnival had pleaded guilty in federal court in both 2002 and 2017 to illegal discharges of oily waste and to falsification of records, and the Department of Justice viewed the pattern as evidence of a systemic problem in ethics and culture. This was not a one-off control failure. It was a story of repeated misconduct, insufficient structural reform, and an organization that had not yet fully learned how to turn compliance into culture.

McDevitt shows that the real inflection point came in 2019, after Carnival paid another $20 million for violating the terms of its probation and was ordered to implement corporate structural changes under a tight deadline, with a possible $10 million-per-day late penalty. That is when Carnival hired Peter Anderson as its first chief ethics and compliance officer and began to centralize what had long been fragmented compliance functions.

The importance of that move cannot be overstated. A common problem in large organizations is that compliance is spread across subject-matter silos, each with its own language, priorities, and reporting lines. McDevitt reports that before August 2019, Carnival did not have a centralized ethics and compliance department; environmental, general compliance, and health and safety functions worked independently across its operating companies. That fragmentation is often sold internally as efficiency or business autonomy. In practice, it can become a breeding ground for inconsistent controls, weak escalation, and cultural drift.

Anderson’s mandate was broader than legal remediation. He was brought in to unite the program, strengthen trust, improve information flow, and build a sustainable culture of compliance. McDevitt’s reporting around Anderson is especially valuable because she does not present him as a silver-bullet hero. Rather, she portrays him as an architect trying to build structure, process, and cultural credibility simultaneously.

His four pillars, as reported by McDevitt, were prevention, detection, response, and correction. That framework remains highly useful for any chief compliance officer. It reminds us that compliance is not just about policies or investigations. It is about understanding risk, identifying issues early, responding quickly, and then conducting real root cause analysis so the same failure does not recur. This became critically important once COVID hit.

One of the sharpest observations in McDevitt’s reporting comes from Carnival’s Gerry Ellis, who described the pandemic not as a pure compliance issue but as “compliance with the regulatory aspect of health” in a rapidly shifting battlefield of contradictory requirements across jurisdictions. That is a familiar challenge to modern compliance teams. Whether the issue is sanctions, AI governance, cyber, ESG, or public health, the hardest problems often come when the rules are changing in real time, across borders, with high operational stakes.

The brutal optics of timing also complicated Carnival’s crisis response. McDevitt details how the company faced allegations that it had sufficient warning signs yet continued operating for too long, even as infections spread across multiple vessels. Carnival defended its timing, noting that public health guidance was still evolving and that government advisories had not yet been fully escalated. That explanation may be understandable, but for compliance officers, the point is not merely whether management can defend its judgment after the fact. The point is whether the organization had the governance structure to make fast, documented, risk-based decisions while conditions changed by the hour.

McDevitt’s deeper contribution is to connect the pandemic response to the compliance rebuild already underway. She reports that Carnival’s pre-pandemic investments in a centralized program, better risk assessment, improved training, stronger communications, and closer engagement with the monitor helped the company absorb the shock of COVID more effectively than it otherwise could have. In other words, compliance did not solve the pandemic. But it provided muscle memory. That may be the most important lesson in the entire case study.

The company also understands that the tone at the top must be reinforced through resource allocation. Even amid severe financial pressure, Carnival preserved a larger share of its ethics and compliance team than many other departments, continued environmental investments, and developed a Pause Priorities Plan to sustain compliance momentum during the shutdown. Compliance officers should take note. A company reveals its real priorities not by slogans but by budget, staffing, visibility, and follow-through.

There are other practical insights here as well. McDevitt recounts how Carnival moved from a blame-oriented investigative mindset to “incident analysis” and learning, with Anderson explicitly stating that incidents should be viewed as assets for improvement. She also reports the company’s emphasis on “speak up,” leadership engagement, culture measurements, and the need to make captains and shipboard leaders receptive to challenge from below. That is a direct answer to one of the oldest compliance questions: how do you build trust in high-hierarchy environments where people fear speaking up?

Yet McDevitt does not let Carnival off the hook. The court-appointed monitor remained skeptical, top leadership had to be pushed to engage more deeply, environmental violations persisted, and Judge Patricia Seitz openly questioned whether Carnival was building a robust system that could function without the court’s “training wheels”. That skepticism is healthy. It underscores a hard truth every compliance professional knows: a redesigned program is not the same thing as an effective one. The real test is whether the organization behaves differently over time.

In the end, A Tale of Two Storms is not simply a cruise industry story. Aly McDevitt uses Carnival to show what happens when compliance reform is forced to mature in public, under enforcement pressure, and amid operational chaos. Her reporting demonstrates that while a crisis can expose weakness, it can also accelerate the transition from paper program to operational discipline.

For compliance leaders, that is the heart of the matter. You do not get to choose when your second storm arrives. You only get to choose whether your program is strong enough to meet it.

Join us tomorrow as we move to Aly’s piece on Volkswagen and its journey regarding its corporate soul after its emissions testing scandal. I am a columnist for Compliance Week.

Categories
Sunday Book Review

Sunday Book Review: March 8, 2026, The Top Books on the End of the World Edition

In the Sunday Book Review, Tom Fox considers books that would interest compliance professionals, business executives, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest Tom. In this episode, we look at 4 top books about the end of the world.

  1. Apocalypse by Lizzie Wade
  2. Goliath’s Curse by Luke Kemp
  3. A Brief History of the End of the F*cking World by Tom Phillips
  4. End of the World 2026-The Burning World by Sumit Yadav
Categories
Creativity and Compliance

Creativity and Compliance: Captain Compliance: Humor, Characters, and Creative Training at Premera Blue Cross

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection all require creativity. Join Tom Fox and Ronnie Feldman on the award-winning Creativity and Compliance. Ronnie’s company, Learning and Entertainment, uses the entertainment devices people use to consume information in their everyday, non-work lives and applies them to important topics in compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible.

Tom and Ronnie are back with their first episode for 2026. They visit with Sven Peterson, VP of Compliance, Ethics, and Regulatory Services at Premera Blue Cross, to discuss using creativity and humor to make compliance more approachable and strengthen the speak-up culture in a highly regulated industry. Peterson explains why his team created “Captain Compliance,” a superhero-style character he plays, in both live and animated versions, to deliver ethical guidance through short skits, training sessions, meetings, and employee events; the program also includes an “Ethics League” and a contrasting character, Professor Pitfall. He emphasizes that ethics is a team sport supported by compliance champions across the company, and advises establishing credibility, gaining leadership buy-in, involving others as co-authors, and aligning with company culture. Reported results include strong employee awareness survey feedback and Ethisphere’s Compliance Leader Verification.

Key highlights:

  • Why Creativity Matters
  • Meet Captain Compliance
  • How the Skits Work
  • Approachability and Speak Up
  • Building Community and Champions
  • Handling Skeptics and Buy-In
  • Results and Measuring Impact

 Resources: 

Sven Peterson on LinkedIn

Premera Blue Cross

Captain Compliance

Ronnie

  • Learnings & Entertainments (Website)
  • Compliance Confessions – inspired by “Mean Tweets,” these 90-second commercials address misconceptions and excuses to promote a speak up culture and the E&C team as positive and helpful.
  • E&C Training Jams: a soulful singer banters with ethics & compliance, explaining policies, sharing examples, and debunking excuses. 
  • Tales from the Hotline – Real, speak-up-themed stories about workplace behavior gone wrong.
  • Workplace Tonight Show! – E&C meets SNL Weekend Update, explaining corporate risk topics and why employees should care.
  • 60-Second Communication & Awareness Shorts – A variety of short, customizable, music and multimedia, quick-hitter “commercials” promoting integrity, compliance, speaking up, and the E&C team as helpful advisors and coaches.
  • Custom Live & Digital Programing – Custom creative programming that balances the seriousness of the subject matter with a more engaging delivery. After all, you can’t bore people into learning.

 Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Creativity and Compliance is a multiple podcast award-winning show and was recently honored as one of the Top 35 Podcasts on Creativity by Feedspot.

Categories
AI Today in 5

AI Today in 5: March 6, 2026, The Captain Nemo Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Financial crimes, compliance, and AI. (FundsEurope)
  2. AI is making a difference in finance. (FinTechWeekly)
  3. AI agents as financial intermediaries. (FinTechWeekly)
  4. How AI is changing pharma. (BioSpace)
  5. Floating wind turbines to power AI data centers located at sea. (Electrek)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Daily Compliance News

Daily Compliance News: March 6, 2026, The Does ChatGPT Practice Law Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Wells Fargo is free from the Consent Order. (WSJ)
  • Senator flags White House corruption for betting markets. (Decrypt)
  • OpenAI sued for practicing law. (Reuters)
  • The Trump Administration ordered a refund of illegal tariffs. (WSJ)
Categories
Blog

AI Compliance as a Competitive Advantage: Turning Governance Into ROI

In too many organizations, “AI compliance” is treated like a speed bump. Something to route around, manage after launch, or outsource to a vendor deck and a policy that nobody reads. That mindset is not only outdated but also expensive. In 2026, mature AI governance is becoming a commercial differentiator because customers, regulators, employees, and business partners increasingly ask the same question: Can you prove your system is trustworthy?

The most underappreciated truth is that AI risk is not “an AI team problem.” It is a business-process problem, expressed through data, decisions, third parties, and change control. The Department of Justice Evaluation of Corporate Compliance Programs (ECCP) has never been about perfect paperwork; it has been about whether a program is designed, implemented, resourced, tested, and improved. If you can translate that posture into AI, you can convert “compliance cost” into “credibility capital.”

A cautionary backdrop shows why. The EEOC’s 2023 settlement with iTutorGroup serves as a cautionary tale: automated hiring screening that disadvantages older workers can lead to legal exposure, remediation costs, and reputational damage. The details matter less than the pattern; when algorithmic decisions are not governed, the business eventually pays the bill. The compliance professional should see the pivot clearly; governance is the mechanism that lets you move fast without becoming reckless.

From a build-from-scratch, low-to-medium maturity posture, the win is not sophistication. The win is repeatability. If you build an AI governance framework aligned to NIST AI RMF (govern, map, measure, manage), structured through ISO/IEC 42001’s management-system discipline, and cognizant of EU AI Act risk tiering, you get something the business loves: a predictable path from idea to deployment. Today, I will explore five ways mature AI compliance can become a competitive advantage, each with a practical view of how a compliance-focused GenAI assistant can support business processes.

1) Sales and Customer Trust

Trust is a sales feature now, even when marketing refuses to call it that. Customers increasingly ask about data use, model behavior, security controls, and human oversight, and they are doing it in procurement questionnaires and contract negotiations. A mature governance framework lets you answer quickly, consistently, and with evidence, thereby shortening sales cycles and reducing late-stage deal friction. A compliance GenAI can support this by drafting standardized responses from approved trust artifacts such as policies, model cards, DPIAs, and audit summaries; flagging gaps, and routing exceptions to Legal and Compliance before the business overpromises.

For compliance professionals, this lesson is even more stark, as the ‘customers’ of a corporate compliance program are your employees. Some key KPIs you can track are average time to complete AI security and compliance questionnaires; percentage of deals requiring AI-related contractual concessions; number of customer-facing AI disclosures issued with approved templates; and percentage of AI systems with current model documentation and ownership attestations.

2) Regulatory Credibility

Regulators are not impressed by ambition; controls persuade them. NIST AI RMF provides a common language to demonstrate that you mapped use cases, measured risks, and managed them over time, while ISO/IEC 42001 imposes discipline on accountability, documentation, and continual improvement. The EU AI Act’s risk-based approach adds an organizing principle: classify systems, apply controls proportionate to risk, and prove that you did it. A compliance GenAI can help by maintaining a living inventory, prompting owners to complete quarterly attestations, drafting control narratives aligned with the frameworks, and assembling regulator-ready “evidence packs” that demonstrate governance in operation rather than on paper.

For compliance professionals, this lesson is about your gap analysis. You have not aligned your current internal controls with GenAI, governance, or other controls. You should do so. Some key KPIs you can track are percentage of AI systems risk-tiered and documented; time to produce an evidence pack for a high-impact system; number of material control exceptions and time-to-remediation; and frequency of risk reviews for high-impact systems.

3) Faster Product Approvals and Safer Deployment

Speed comes from clarity, not from cutting corners. When decision rights, review thresholds, and required artifacts are defined up front, product teams stop guessing what Compliance will require at the end. That is the management-system advantage: ISO/IEC 42001 treats AI governance like a repeatable operational process with gates, owners, and records, rather than a series of one-off debates. A compliance GenAI can support the workflow by pre-screening new use-case intake forms, recommending the correct risk tier under EU AI Act concepts, suggesting required testing (bias, privacy, safety), and generating the first draft of a launch checklist that the product team can execute.

For compliance professionals, this lesson is that you must run compliance at the speed of your business operations. Some key KPIs you can track are: cycle time from AI intake to approval; percent of launches that pass on first review; number of post-launch “surprise” issues tied to missing pre-launch controls; and percentage of models with human-in-the-loop controls when required.

4) Talent, Recruiting, and Internal Confidence

Top performers do not want to work in a company that treats AI like a toy and compliance like a nuisance. Mature governance creates psychological safety inside the organization: employees know what is permitted, what is prohibited, and how to raise concerns. It also improves recruiting because candidates, especially in technical roles, ask about responsible AI practices, data governance, and ethical guardrails. A compliance GenAI can support internal confidence by serving as the first-line “policy concierge,” answering questions with approved guidance, directing employees to the correct procedures, and logging common questions so Compliance can improve training and communications.

For compliance professionals, this fits squarely within the DOJ mandate for compliance to lead efforts in institutional justice and fairness. Some key KPIs you can track include training completion and comprehension metrics for AI use; the number of AI-related helpline inquiries and their resolution times; employee survey results on comfort raising AI concerns; and the percentage of AI use cases with documented business-owner accountability.

5) Lower Cost of Incidents and More Resilient Operations

AI incidents are rarely just “bad outputs.” They are process failures: poor data lineage, uncontrolled model changes, vendor opacity, missing logs, weak access controls, or no escalation path when harm appears. NIST AI RMF’s “measure” and “manage” functions emphasize monitoring, drift detection, incident response, and continuous improvement, which is precisely how you reduce the frequency and severity of failures. A compliance GenAI can support incident resilience by guiding teams through an AI incident response playbook, helping triage severity, ensuring evidence is preserved (audit logs, prompts, outputs, approvals), and generating lessons-learned reports that connect root cause to control enhancements.

For compliance professionals, this lesson is even more stark, as the ‘customers’ of a corporate compliance program are your employees. Some key KPIs you can track include the number of AI incidents by severity tier; mean time to detect and mean time to remediate; the percentage of high-impact models with drift-monitoring and alert thresholds; and the percentage of third-party AI providers subject to change-control notification requirements.

What “Mature Governance” Looks Like When You Are Building From Scratch

Do not start with a 60-page policy. Start with a few non-negotiables that scale:

  • Inventory and classification: Create a single inventory of GenAI assistants, ML models, and automated decision systems. Classify them by impact using EU AI Act concepts (high-impact versus low-impact) and your own business context.
  • Accountability and decision rights: Assign an owner for each system and require periodic attestations for the highest-risk categories.
  • Standard artifacts: Use lightweight model documentation, data lineage notes, and disclosure templates. If it is not documented, it does not exist for governance.
  • Human oversight and logging: Define when human-in-the-loop is mandatory and ensure logs capture who approved what, when, and why.
  • Third-party AI controls: Contract for transparency, audit support, change notification, and security requirements. Vendor opacity is not a strategy.

This is where ECCP thinking helps. The question is not whether you have a policy. The question is whether the policy is operationalized, tested, and improved. That is the bridge from compliance to competitive advantage.

If you want AI compliance to be a competitive advantage, treat it like a management system that produces evidence, not like a policy library that produces comfort. When governance becomes repeatable, the business can move faster, regulators become more confident, and customers see the difference. That is not a cost center. That is credibility you can take to the bank.

Categories
AI Today in 5

AI Today in 5: March 5, 2026, The AI ‘s Biggest Test Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Ending compliance bottlenecks with AI. (FinTechGlobal)
  2. AI surge will reshape compliance. (FinTechGlobal)
  3. Compliance first AI. (Cyberscoop)
  4. Trump, AI Data Centers, and the midterms. (CNBC)
  5. Healthcare is AI’s biggest test. (Time)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.