
Compliance Tip of the Day – AI and Recruiting

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Among the numerous applications of AI, its deployment in recruitment is rapidly becoming one of the most significant and controversial topics compliance professionals need to navigate.


AI in Recruitment: Compliance Challenges and Opportunities

Compliance officers increasingly deal with emerging technologies in today’s business environment, and artificial intelligence (AI) is undeniably at the forefront. Among the numerous applications of AI, its deployment in recruitment is rapidly becoming one of the most significant and controversial topics compliance professionals need to navigate. The reason for the spotlight is clear. AI-driven recruitment tools promise substantial efficiency gains, automating tedious processes such as CV screening, initial interviews, and candidate ranking. However, this automation does not come without significant compliance and ethical pitfalls. The implications are vast, involving transparency, fairness, accuracy, and potential biases, each presenting substantial regulatory and reputational risks.

Jonathan Armstrong and I explored the issues surrounding the use of AI in corporate recruiting in a recent episode of Life with GDPR. This blog post is based on our discussion. For more information, I invite you to check out the full episode.

The Compliance Landscape: EU, UK, and US Perspectives

The regulatory perspective surrounding AI in recruitment varies significantly, but a general compliance framework exists through the General Data Protection Regulation (GDPR) in Europe. GDPR lays down foundational principles such as transparency, fairness, accuracy, and accountability, directly impacting how AI systems must operate in talent acquisition. In the United States, state-level regulations addressing automated recruitment systems are also beginning to appear, reflecting a broader global trend toward stronger regulatory scrutiny of these technologies.

Armstrong highlighted that enforcement is becoming more pronounced. Spain, for example, has seen regulatory actions requiring companies benefiting from AI-driven processes to articulate the basis for automated decisions clearly. The UK’s regulator explicitly notes recruitment as an area under active scrutiny, emphasizing the significance compliance professionals must attach to these practices.

Transparency and Fairness: Essential Compliance Considerations

Transparency in AI systems, particularly in recruitment, is more than a regulatory requirement; it is an ethical imperative. Under GDPR, a candidate who is rejected by an automated system is entitled to understand the basis for that decision. Simply stating “the algorithm decided” will not suffice. Organizations must be prepared to provide candidates with clear, intelligible explanations about how decisions were reached, which inherently involves unpacking the often opaque nature of AI processes.

The challenge is compounded by machine learning technologies, where decision pathways evolve dynamically. Unlike rule-based systems, the internal workings of machine learning-driven AI can be complex, making it difficult, even impossible in some instances, for companies to fully understand or explain their decision-making criteria. This opacity can lead to accusations of bias, discrimination, and unfair treatment.

Bias and Discrimination: A Risk Too Real

The specter of bias and discrimination looms large with AI recruitment tools. Systems have been reported to inadvertently penalize candidates for factors unrelated to their competencies or skills, such as internet connection quality during virtual interviews. A candidate with an unreliable connection could be unfairly penalized when the AI system wrongly interprets technical delays as hesitancy or a lack of confidence. This subtle discrimination disproportionately affects individuals from lower socioeconomic backgrounds, exacerbating existing inequalities.

Moreover, disturbing parallels can be drawn from AI decision-making in areas such as bail applications in the US, where biases based on ethnicity or racial profiling have resulted in unjust outcomes. The risk of similar biases entering recruitment processes should not be underestimated, underscoring the need for vigilant compliance oversight.

Proactive Compliance: Essential Steps for Mitigation

Given these concerns, compliance officers cannot afford to adopt a passive stance. The issue of AI in recruitment is far too consequential to be left solely in the hands of HR departments or recruitment agencies. Compliance teams must proactively engage to ensure that all AI applications used in their organizations or by their third-party vendors are compliant, transparent, and fair.

Armstrong proposed the following framework compliance professionals can adopt to manage the risks of using AI in their recruiting process.

  1. Vet AI Providers Rigorously: Not all AI vendors operate equally. Compliance professionals should avoid opaque, “black-box” solutions and favor providers willing and able to demonstrate transparent practices.
  2. Comprehensive Due Diligence: Conduct meticulous due diligence on AI recruitment vendors. This includes verifying their ability to comply with GDPR transparency and fairness principles and their willingness to cooperate fully with subject access requests.
  3. Contractual Protections: Ensure comprehensive contracts with AI recruitment providers that allocate responsibilities clearly and provide sufficient recourse in case of litigation or regulatory action. The provider must be incentivized to maintain stringent compliance standards.
  4. Transparency Obligations: Communicate to candidates how AI systems will process their data. The GDPR demands openness; hence, organizations must disclose the use of AI tools, how decisions are made, and the implications for candidates.
  5. Robust Data Subject Request Procedures: Compliance teams must have effective, responsive mechanisms for handling data subject requests swiftly. Candidates dissatisfied with recruitment decisions frequently resort to GDPR subject access requests, creating significant administrative and compliance burdens.
  6. Regular Auditing and Checks: Establish ongoing monitoring and periodic audits to continually assess AI recruitment tools. This process helps ensure that the systems adhere to compliance principles and remain free from bias or unethical decision-making patterns.
  7. Educate and Engage Internally: Compliance professionals should engage closely with internal stakeholders, educating HR teams and recruiters on the implications of AI and compliance expectations. Internal awareness significantly mitigates the risk of non-compliance and encourages proactive risk management.

Looking Ahead: Staying Vigilant and Informed

The compliance landscape for AI in recruitment is undoubtedly complex, and the stakes are high. As Armstrong emphasizes, regulatory scrutiny is set to intensify, making it imperative for compliance teams to stay ahead of developments. Vigilance, proactive engagement, and informed awareness are key to successfully navigating these challenges.

This field remains ripe for academic and regulatory inquiry. More comprehensive research and analysis into AI’s implications on recruitment fairness, bias, and effectiveness would benefit organizations and compliance practitioners. Compliance professionals should watch developments closely and contribute actively to discussions, research, and policy development in this dynamic area.

AI in recruitment offers immense promise and substantial compliance challenges. Proactively addressing these issues ensures regulatory adherence and upholds corporate ethical standards, which are crucial in maintaining brand integrity and public trust. Compliance officers, thus, play a pivotal role in guiding their organizations through this rapidly evolving technological frontier.


Compliance into the Weeds: Unsexy Keys to Data Analytics for Compliance Programs

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Are you looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this Compliance into the Weeds episode, Tom Fox and Matt Kelly take a deep dive into the critical yet often overlooked aspects of data analytics.

They discuss Matt’s recent blog post on the ‘Unsexy Keys to Data Analytics,’ emphasizing the importance of foundational infrastructure over flashy visualizations. The conversation covers the need for robust data validation, the cooperation between compliance, business units, and IT departments, and the challenges faced by compliance officers in smaller companies. Highlights include real-world examples, the role of data governance, and how to align compliance risk management with corporate objectives amid ever-changing business landscapes.

Key highlights:

  • The Importance of Data Infrastructure
  • Compliance vs. Enterprise Data Analytics
  • Collaboration Across Departments
  • Data Governance and Change Management
  • Aligning Compliance with Corporate Risk Management

Resources:

  • Matt in Radical Compliance
  • Tom
  • Instagram
  • Facebook
  • YouTube
  • Twitter
  • LinkedIn

Compliance into the Weeds was recently honored as one of the Top 25 Regulatory Compliance Podcasts.


The Role of Compliance in Auditing AI

As compliance professionals, our roles evolve constantly, shaped by new technologies and emerging risks. One of the most significant developments in recent years has been the rapid growth of artificial intelligence (AI) and machine learning systems in the corporate environment. The 2024 Evaluation of Corporate Compliance Programs (2024 ECCP), under the Management of Emerging Risks to Ensure Compliance with Applicable Law section, asked several key questions.

  • What is the company’s approach to governance regarding the use of new technologies, such as AI, in its commercial business and compliance program?
  • How is the company curbing any potential adverse or unintended consequences resulting from using technologies, both in its commercial business and its compliance program?
  • How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders?
  • To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
  • Do controls exist to ensure the technology is used only for its intended purposes?
  • What baseline of human decision-making is used to assess AI?
  • How is accountability over the use of AI monitored and enforced?

One key tool for answering many of these questions is auditing. In his recent article in the Harvard Business Review, What Leaders Need to Know About Auditing AI, author Luca Belli outlines crucial insights that business leaders must understand about auditing AI. I have adapted his thoughts for a Chief Compliance Officer and compliance professional.

While audits are becoming a core feature of working with AI, they do not have a predetermined process that follows a straight line; rather, they are a web of different decisions, both from the business and the technical side. Specifically, audits often face four core challenges: 1) they do not follow a straight line, 2) data governance is messy, 3) they require internal trust, and 4) they focus on the past. Leaders can take steps to help audits succeed. Compliance professionals can help instill the right culture and incentives and help design the audit. During the audit, they can shape the process and remove red tape.

AI is no longer confined to back-end analytics. It has stepped confidently into customer-facing roles, making decisions in critical areas such as finance, healthcare, and housing. With such reach and influence, AI poses significant ethical, reputational, and legal risks if left unchecked. Audits of AI systems, therefore, have become a cornerstone of modern compliance frameworks. Policymakers worldwide, including through the EU’s Digital Services Act and New York City’s AI bias law, are mandating external audits of AI systems. Even where not mandated, businesses voluntarily engage in audits to manage risk, mitigate potential crises, and anticipate regulatory developments.

However, auditing of AI is not straightforward. Compliance professionals must understand four fundamental challenges inherent in AI audits.

1. Non-linear Audit Processes

AI audits rarely follow a straight, predictable path. Instead, they often resemble a “random walk,” as auditors must continually adjust their focus based on emerging data and shifting business needs. Consider an audit to detect racial bias in decision-making algorithms where direct data on race is unavailable. Auditors may pivot to proxy measures like zip codes to approximate racial data. This approach, while practical, introduces discrepancies and limitations that must be carefully managed and transparently documented.

2. Complex Data Governance

Effective auditing relies heavily on data governance practices, yet data management often resembles an “old building” layered with historical inefficiencies rather than a clean, structured system. Many organizations struggle to locate and interpret data due to outdated documentation or employee turnover. Compliance teams must actively collaborate with technical teams to ensure data accuracy and completeness. As Belli suggests, robust internal documentation and dedicated data custodians can significantly ease this challenge.

3. Building Internal Trust

Audits can strain internal team dynamics, particularly if audit results lead to perceived criticisms of operational decisions. Compliance professionals must proactively foster a culture of trust, reinforcing that audits are not punitive but integral to operational excellence. As Belli notes, incentives should align accordingly: supporting audits should positively influence personal and professional evaluations, signaling organizational value in transparency and continuous improvement.

4. Historical Focus and Technical Limitations

Most audits evaluate past performance, and evolving AI systems and datasets pose challenges in replicating historical conditions. A user deleting their profile data or changes in system algorithms can complicate audits significantly. Compliance professionals must advocate for real-time monitoring or, at minimum, detailed record-keeping, ensuring auditors have sufficient context to interpret their findings and recommendations accurately.

Given these complexities, how can corporate compliance officers effectively lead their organizations through AI audits? Belli provides several practical steps:

  • Proactive Preparation: Companies should not wait for external mandates to build auditing capabilities. By establishing internal audit teams or clearly defined points of contact within existing teams, organizations can swiftly respond to audit needs while minimizing operational disruption.
  • Cultural Alignment: Corporate culture profoundly impacts audit effectiveness. Compliance professionals must champion transparency and accountability at the highest organizational levels, ensuring that audits are seen as critical to long-term business success rather than as occasional inconveniences.
  • Strategic Audit Design: Choosing between external auditors and internal audit teams requires careful consideration of organizational dynamics. Internal teams offer in-depth institutional knowledge, while external auditors provide objective perspectives without internal friction. Belli suggests that a hybrid model is often ideal, balancing centralized expertise with distributed operational familiarity.
  • Leadership Engagement: Active, informed involvement by senior leadership during audits can clarify organizational priorities and remove operational roadblocks. Leaders should regularly engage with technical teams to understand key decisions, encourage thorough documentation, and ensure audit findings align clearly with broader business objectives.

The author underscores the CCO’s crucial role in navigating the nuanced landscape of AI auditing. As technology’s reach expands, compliance teams must proactively address these emerging complexities, continually adapting their oversight frameworks to meet the dynamic challenges presented by AI systems. By fostering robust internal collaboration, aligning incentives, and strategically preparing audit infrastructure, compliance professionals not only mitigate risks but also enable their organizations to harness AI’s transformative potential responsibly and ethically.


Compliance into the Weeds: The DOJ in Crisis

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Are you looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this Compliance into the Weeds episode, Tom Fox and Matt Kelly review the recent astonishing developments at the Justice Department involving the indictment and subsequent attempted dismissal of charges against New York City Mayor Eric Adams.

Tom and Matt explore the implications for corporate compliance professionals and the broader message this dysfunction sends about ethics and the role of compliance programs under the current administration. They consider the possible repercussions for future corporate enforcement, drawing important parallels between the Justice Department’s actions and the expectations for corporate compliance. They emphasize the necessity of disentangling the ethical dysfunction at the department from the practical guidelines for compliance programs. The episode critically analyzes how political maneuvers affect the justice system and corporate compliance standards.

Key highlights:

  • The Eric Adams Indictment
  • Resignations and Internal Conflict
  • Separating DOJ Integrity from Compliance Guidance
  • Tone at the Top vs. Mood at the Middle
  • Future of Compliance Guidelines

Resources:

  • Matt in Radical Compliance
  • Tom
  • Instagram
  • Facebook
  • YouTube
  • Twitter
  • LinkedIn

Compliance into the Weeds was recently honored as one of the Top 25 Regulatory Compliance Podcasts.


Building a Data-Driven Culture: A Compliance Imperative in the Age of AI

I recently read an article in the Sloan Management Review entitled “Building a Data-Driven Culture: Four Key Elements” by Ganes Kasari, founder and CEO at Tensor Planet. He posits that a data-driven culture is vital to success with AI projects, but shaping one involves many challenges. He suggests that one approach is to learn from organizations that have already made the journey and kept their employees engaged along the way. For compliance professionals, this is a critical issue. Compliance, risk management, and governance efforts may be ineffective if a company’s workforce does not instinctively turn to data when making decisions.

The Department of Justice’s (DOJ) 2024 Update on the Evaluation of Corporate Compliance Programs (2024 ECCP) has made it clear that compliance programs must be data-driven, proactive, and continuously monitored. But if an organization has not built a culture of data-driven decision-making, compliance will always be playing catch-up.

So, how do companies foster a data-driven compliance culture? Kasari says the answer lies in four key areas:

  1. Leadership Intervention
  2. Data Empowerment
  3. Collaboration
  4. Value Realization

Leadership Intervention: Setting the Tone from the Top

For a compliance program to be truly effective, proactive, and data-driven, leadership must take an active role in championing the importance of data in decision-making. Too often, executives fund compliance initiatives but delegate execution entirely to compliance and IT teams. The result? Employees still see compliance as someone else’s job rather than an integral part of business operations.

The DOJ has emphasized that compliance programs must have engaged leadership. That means:

  • Executives must communicate why data and AI are essential for compliance.
  • Leaders must use data themselves, modeling the behavior they expect from their employees.
  • Regular check-ins and accountability measures should ensure compliance is not just an IT issue but an enterprise-wide priority.

Concept in Action: Rewarding Compliance Innovation at DBS Bank

When DBS Bank launched its digital transformation initiative, CEO Piyush Gupta prioritized creating a culture that rewarded data-driven decision-making and innovation. In one case, an employee made a data-driven compliance decision, ultimately leading to a failed experiment. There was regulatory pressure to penalize the employee, but Gupta stepped in and awarded them instead—for trying, learning, and embracing the new compliance culture.

This kind of visible leadership support sends a powerful message: compliance isn’t just about avoiding penalties but also about building a smarter, more resilient organization.

Data Empowerment: Making Compliance Everyone’s Job

For compliance to be truly embedded in company culture, every employee, not just compliance officers, must be able to access, understand, and act on data.

This means focusing on three levels of readiness:

  1. Data Readiness – Ensuring high-quality data is available at the right time to the right people.
  2. Analytical Readiness – Training employees to interpret compliance data and make informed decisions.
  3. Infrastructure Readiness – Investing in AI-driven compliance tools, automation, and real-time risk monitoring systems.

Concept in Action: JPMorgan Chase and the DeepRacer Challenge

JPMorgan Chase wanted to upskill employees in AI and data analytics. Instead of boring compliance training sessions, the company introduced a global challenge using AWS DeepRacer, a competitive coding event where employees programmed autonomous vehicles to race.

Employees learned data analytics, AI programming, and machine learning principles while having fun. The result? Thousands of employees became data-literate, able to apply AI-driven insights to compliance, risk management, and fraud detection.

Collaboration: Breaking Down Compliance Silos

Too often, compliance sits in its bubble, siloed from business operations. However, in an AI-driven world, compliance must be embedded in every department, from finance and HR to product development and supply chain management.

A major barrier to compliance collaboration is language. Compliance teams often use technical jargon, while business teams use operational language. The result? Miscommunication, resistance, and confusion.

To fix this, compliance functions must invest in:

  • Cross-functional compliance training so business leaders understand compliance risks.
  • Compliance “translators”—employees who bridge the gap between compliance and business operations.
  • AI-powered compliance dashboards that translate risk into actionable business insights.

Concept in Action: Gulf Bank’s Data Ambassador Program

Gulf Bank wanted to embed data-driven compliance across its 1,800 employees. Instead of relying solely on compliance officers, the bank created a network of data ambassadors—employees across departments trained to champion compliance best practices.

The results were impressive: employees felt more ownership over compliance decisions, and the company saw a significant reduction in compliance violations.

Value Realization: Measuring and Celebrating Compliance Success

One of the biggest mistakes companies make is treating compliance as a cost center rather than a value driver. Compliance isn’t just about avoiding fines—it’s about driving better business decisions.

To ensure compliance is seen as a competitive advantage, companies must:

  • Define clear KPIs to measure compliance impact.
  • Track and communicate compliance success stories internally and externally.
  • Tie compliance initiatives to tangible business outcomes (e.g., revenue growth, cost savings, enhanced brand reputation).

Concept in Action: AI-Powered Warehouse Compliance at a Logistics Firm

A cold chain logistics company struggled with inefficient warehouse scheduling, leading to regulatory fines and supply chain bottlenecks. The compliance team introduced an AI-driven scheduling system, analyzing weather data, shipment history, and supplier reliability to optimize deliveries.

The results?

  • 16% reduction in turnaround time
  • $1.2 million saved annually in avoided fines
  • Increased customer satisfaction

To celebrate this success, the company shared the story through internal newsletters, town halls, and webinars, ensuring that employees saw compliance as a strategic enabler rather than just a legal requirement.

Compliance in the Age of AI

The DOJ’s 2024 guidance has made it clear that compliance programs must be data-driven, proactive, and continuously monitored. But simply investing in AI tools isn’t enough. Companies must build a truly data-driven culture where compliance is instinctive, embedded, and embraced across all levels of the organization.

The key takeaways?

  1. Leadership must champion compliance—not just fund it.
  2. Compliance must be accessible, understandable, and actionable for all employees.
  3. Cross-functional collaboration is essential to break down compliance silos.
  4. Compliance success must be measured, celebrated, and tied to business impact.

In 2025 and beyond, companies that embed AI-driven compliance into their culture will not only avoid regulatory fines and penalties or even FCPA violations, but they will also gain a competitive edge in an increasingly complex business world.


From Sanctions to AI Disruption: How Compliance Officers Can Navigate the Rapid Pace of Change

The pace of change in today’s global business environment is breathtaking. Events that unfold over a weekend can have massive implications for corporate compliance professionals by Monday morning. When there is a business change, risks constantly change. Over the past week, this was demonstrated with two seemingly unrelated but equally impactful developments:

  • The U.S. is imposing sanctions on Colombia because of its alleged failure to take back migrants, including a 25% tariff on goods imported from the country.
  • The emergence of DeepSeek, a Chinese AI company that has developed a large language model rivaling OpenAI’s ChatGPT—at a fraction of the cost.

For the compliance professional, what do these risks mean for your organization? And what framework can you use to assess and manage them, given that they raise critical compliance concerns spanning sanctions enforcement, export controls, supply chain transparency, and regulatory readiness? In the most recent episode of the FCPA Compliance Report, I explored these issues with Jag Lamba, CEO at Certa.ai. We focused on the Department of Justice (DOJ) framework in its 2024 Update to the Evaluation of Corporate Compliance Programs (2024 Update) to make sense of and respond to these rapid developments.

The DOJ’s framework in the 2024 Update is broken down into three key components:

  1. Is the compliance program well-designed?
  2. Is the compliance program adequately resourced and empowered to function effectively?
  3. Does the compliance program work in practice?

We applied these elements to the recent developments and explored how compliance professionals can prepare for similar shocks in the future.

Is Your Compliance Program Well-Designed to Handle Rapidly Emerging Risks?

The first test of a compliance program is whether it is designed to assess, identify, and mitigate risks promptly. The DOJ has emphasized real-time risk assessment—a shift from static, once-a-year reviews to continuous monitoring.

Take the U.S. sanctions against Colombia. This was not a predictable, drawn-out regulatory action. It happened over a weekend, and by Monday, businesses importing Colombian goods faced a 25% tariff with little time to prepare. Compliance officers had to:

  1. Quickly identify how much of their supply chain relied on Colombian imports.
  2. Determine if alternatives existed to mitigate the cost impact.
  3. Communicate rapidly with leadership to ensure the company could pivot operations where needed.

A traditional, slow-moving risk assessment process would have left companies flat-footed. Instead, an agile risk management system, leveraging real-time data analytics and automated monitoring, can help companies proactively spot emerging risks before they become crises.

The same logic applies to export controls in the tech sector, especially in light of the DeepSeek development. Compliance officers at major AI and semiconductor companies must now be asking:

  1. Who are our customers in Singapore and neighboring markets?
  2. Are our chips being resold or rerouted to sanctioned entities in China?
  3. Do we have automated tools to track and verify shipments to ensure compliance with U.S. export control laws?

It may be too late to prevent regulatory scrutiny if a company relies on manual risk assessments and outdated compliance processes.

Is Your Compliance Program Adequately Resourced and Empowered?

The DOJ has clarified that a compliance program is only as good as the resources allocated to it. Ten years ago, the conversation centered around whether compliance officers had direct access to the board. The conversation then shifted to the quality of your Chief Compliance Officer (CCO) and compliance personnel. Today, the discussion is shifting to whether compliance has the technology, data, and personnel necessary to operate effectively.

Consider the situation with NVIDIA and its skyrocketing sales in Singapore—a market that, while business-friendly, is geographically close to countries facing strict U.S. export controls. Regulators are undoubtedly scrutinizing this data. The question for NVIDIA’s compliance team is:

  1. Do they have the visibility to track where these chips are ending up?
  2. Are they able to monitor sales intermediaries in real time?
  3. Can they preemptively flag anomalies—such as a single country purchasing a huge volume of restricted technology?

Without AI-driven compliance monitoring and data analytics, even the best compliance teams risk being overwhelmed by the sheer volume of transactions and regulatory changes.

Similarly, companies impacted by the Colombian tariffs must ensure their compliance programs have the right supply chain monitoring tools to:

  1. Identify impacted suppliers instantly.
  2. Assess alternative sourcing options without regulatory hurdles.
  3. Develop contingency plans to mitigate financial and operational risks.

This compliance function cannot be effectively run using spreadsheets and email chains. Companies must invest in data automation, AI-driven analytics, and cross-functional collaboration tools to keep pace with such fast-moving regulatory changes.

  • Does Your Compliance Program Work in Practice?

Finally, compliance programs must not exist solely on paper but must demonstrate real-world effectiveness. The DOJ’s 2024 Update expects data-driven evidence to assess whether a compliance program is functional and effective.

This means compliance teams must be able to show:

  1. How many third-party vendors and intermediaries have been vetted and monitored?
  2. How export controls are enforced in practice—not just documented in policy.
  3. How quickly can the company respond to a sudden regulatory change, such as the Colombian sanctions?

One of the best ways to demonstrate effectiveness is through compliance storytelling. A compliance officer should be able to present:

  • A clear narrative, backed by data, showing how the company detected and addressed a regulatory risk before it became a crisis.
  • Case studies of how compliance actions have improved business outcomes, for example, reducing onboarding time for sales intermediaries without compromising compliance integrity.
  • Tangible evidence such as training logs, compliance dashboards, and documented decision-making trails.

A powerful example comes from a Fortune 100 company that secured five years of compliance funding in one go rather than having to renegotiate budgets annually. How? By presenting compliance in business terms:

  • Demonstrating how compliance efficiencies improved sales and reduced onboarding delays.
  • Showing the financial impact of proactive risk management.
  • Using data-driven evidence to justify long-term compliance investments.

This is the future of compliance: a function that prevents regulatory risk and actively contributes to business strategy and growth.

The CCO as a Strategic Risk Navigator

The recent developments with Colombian sanctions and DeepSeek’s AI breakthrough highlight how fast compliance risks can evolve. Sanctions, export controls, and regulatory enforcement actions are no longer slow-moving threats—they can materialize overnight.

The DOJ’s 2024 Update provides a clear roadmap for compliance professionals to navigate these challenges:

  1. Risk assessment must be dynamic and continuous. Compliance programs must be designed to identify risks in real time, not just during annual reviews.
  2. Compliance must be adequately resourced. Companies must invest in technology, data analytics, and automation to keep pace with regulatory changes.
  3. Compliance must demonstrate real-world effectiveness. Compliance programs must be backed by data-driven evidence, compelling narratives, and tangible business impact.

Compliance professionals who embrace data-driven decision-making, automation, and proactive risk management will not only survive but thrive in this era of regulatory volatility. The question is: Is your compliance program ready for the next unexpected headline?

Categories
FCPA Compliance Report

FCPA Compliance Report – Jag Lamba on Navigating Compliance Challenges in a Rapidly Changing World

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast on compliance. In this episode, Tom welcomes Jag Lamba, CEO of Certa.AI, the podcast’s sponsor.

We look at the recent events involving economic and trade sanctions levied on Colombia (now withdrawn) and the announcement of DeepSeek as a cost-effective competitor to ChatGPT in the AI space to discuss how quickly your risks can change. We overlay this discussion through the lens of the DOJ’s 2024 Update on the Evaluation of Corporate Compliance Programs (2024 ECCP). Jag provides insights on how compliance officers can proactively manage risk amidst rapidly changing global landscapes by ensuring their programs are well-designed, adequately resourced, and effective. Key takeaways include the importance of data, controls, and technology in building robust compliance frameworks and using business impact and ROI to secure necessary resources.

Key highlights:

  • Current Events Impacting Compliance
  • 2024 ECCP-Designing a Well-Structured Compliance Program
  • 2024 ECCP-Adequate Resourcing for Compliance Programs
  • 2024 ECCP: Effectiveness of Compliance Programs in Practice
  • Proactive Risk Management Strategies
  • Export Controls and Compliance Challenges

Resources:

Jag Lamba on LinkedIn

Certa.ai

Categories
Blog

How Compliance Can Leverage Agentic AI Systems, Part 2

Agentic AI systems, with their unique ability to operate autonomously, present a game-changing opportunity for corporate compliance functions. In a recent article in Bloomberg entitled “Using AI Agents Requires a Balance of Trust, Privacy, Compliance,” Sabastian Niles, President and Chief Legal Officer of Salesforce, discussed the roles of AI agents. Today, therefore, we enter the world of agentic AI systems. Understanding this new breed of AI is essential for compliance professionals to harness its power responsibly while safeguarding trust, privacy, and compliance.

Unlike traditional chatbots or large language models that are limited to providing static responses, Agentic AI systems can analyze complex data, adapt to new information, and take actions based on predefined parameters. This capability can revolutionize compliance operations by introducing efficiencies, enhancing decision-making, and improving the organization’s ability to anticipate and respond to risks. However, leveraging these systems effectively requires compliance professionals to approach them thoughtfully and strategically. Over this three-part blog series, I will explore what Agentic AI systems are, how they can be used in compliance, and how to use Agentic AI going forward. In Part 2, we look at how compliance can use Agentic AI systems.

Understanding the Potential of Agentic AI in Compliance

Agentic AI is distinguished by its autonomy. These systems do not simply respond to queries; they execute tasks, provide actionable insights, and adapt to changing circumstances with minimal human intervention. For compliance professionals, this shift represents an opportunity to go beyond monitoring and detection. Instead, compliance teams can integrate AI agents into their workflows to proactively manage risks, enhance internal processes, and improve the organization’s overall compliance posture. Here are some specific ways agentic AI systems can be applied within the compliance function.

Automating Routine Tasks. Many compliance activities are repetitive and resource-intensive, leading to inefficiencies and bottlenecks. Agentic AI can streamline these processes by, for example, handling internal inquiries. AI agents can respond to frequently asked compliance questions from employees, such as clarifications on company policies, reporting obligations, or training requirements. This reduces the workload on compliance officers while ensuring consistent and accurate responses.

Agentic AI can assist in managing external counsel and external consultant relationships. For companies working with multiple external legal advisors, Agentic AI can automate the tracking of legal expenses, performance metrics, and case statuses, providing a centralized view of outside counsel activities. Finally, Agentic AI can be a game-changer in monitoring transactions on a real-time and ongoing basis. Agentic AI systems can autonomously review large volumes of financial transactions to identify red flags, such as unusual payment patterns or potential violations of anti-corruption laws.

  • Enhancing Decision-Making

Compliance often involves making decisions based on a wide array of data, from regulatory updates to internal audit findings. Agentic AI can enhance this process by providing real-time insights. It can analyze data across the organization to identify emerging risks, such as changes in geopolitical conditions or new regulatory developments, and provide recommendations on how to address them.

Agentic AI can also help reduce human error. Provided its own data and outputs are checked for bias, Agentic AI can help reduce biases or oversight errors in compliance assessments, making decisions more objective and consistent. It can also model the potential impact of regulatory changes or proposed business initiatives, allowing compliance teams to anticipate challenges and provide informed guidance to leadership.

  • Driving Resilience

The regulatory environment is constantly evolving under the second Trump Administration, and organizations must be able to adapt quickly. Agentic AI can help compliance teams stay ahead by monitoring regulatory changes. It can automatically track and analyze updates to laws and regulations worldwide, highlighting changes relevant to the organization and suggesting actions to ensure compliance.

One of the key areas the Department of Justice communicated back in 2020 and carried forward in the 2024 Update to the Evaluation of Corporate Compliance Programs (2024 Update) was the need to refresh risk assessments as your risks change. Agentic AI moves you a level beyond this with proactive risk assessments. By analyzing internal and external data, AI systems can identify vulnerabilities and recommend preventive measures, reducing the likelihood of compliance failures. It can also assist in your incident response and triage process by investigating the issue, gathering evidence, and suggesting corrective actions, enabling the organization to respond more effectively; any evidence an agent gathers should itself be logged and reviewable so that the investigation record can stand up to later scrutiny.

Managing the Risks of Autonomy

While the autonomy of agentic AI systems offers significant benefits, it also introduces new risks that compliance professionals must address. The first is data quality and bias: poor-quality, incomplete, or unrepresentative data will lead to incorrect or biased outputs from AI systems. Compliance teams must ensure that the data used by these systems is accurate, representative, and regularly updated.

The autonomous nature of Agentic AI means that organizations must establish clear guidelines for oversight and accountability. This includes defining when human intervention is required, logging the actions an agent takes so they can be audited after the fact, and ensuring that AI decisions align with organizational values and regulatory requirements. Finally, there are the dual areas of transparency and accountability. One of the most critical challenges with agentic AI is understanding how the system arrives at its decisions. Compliance teams must advocate for transparency in AI operations and develop mechanisms to explain decisions to regulators, stakeholders, and employees.

Steps for Compliance Teams to Adopt Agentic AI

To maximize the benefits of agentic AI while minimizing its risks, compliance teams should take the following steps:

  1. Assess Current Processes. Begin by identifying compliance activities that are repetitive, time-consuming, or prone to error. These are often the best candidates for automation through agentic AI.
  2. Pilot AI Applications. Before deploying AI across the entire compliance function, start with pilot projects in specific areas, such as policy monitoring or transaction reviews. Use pilots to test the system’s capabilities, identify potential risks, and gather feedback.
  3. Strengthen Data Governance. Agentic AI relies heavily on data, making strong data governance practices essential. This includes implementing controls to ensure data accuracy, granting the agent access only to the data its task requires, managing access to sensitive information, and maintaining compliance with data privacy regulations.
  4. Develop Ethical Guidelines. Work with cross-functional teams to establish ethical guidelines for AI use. These guidelines should cover issues such as transparency, accountability, and acceptable use and should be reviewed regularly to reflect evolving best practices and regulatory standards.
  5. Provide Training and Support. Compliance teams must be equipped to work effectively with AI systems. Offer training to help team members understand how agentic AI works, how it can be used responsibly, and their role in overseeing its operations.
  6. Establish a Feedback Loop. Implement processes for continuously monitoring AI performance and gathering feedback from users. Use this information to refine the system and address any issues that arise.

Down the Road

Agentic AI systems represent a powerful tool for compliance functions, offering the potential to enhance efficiency, improve decision-making, and build resilience. However, these benefits can only be realized if the technology is implemented responsibly. Compliance professionals must balance leveraging AI’s capabilities with maintaining the trust, privacy, and ethical standards critical to the organization’s success.

By taking a proactive approach to understanding and adopting agentic AI, compliance teams can streamline their own operations and position themselves as strategic partners in driving the organization’s broader innovation and risk management efforts. The question is no longer whether compliance teams should embrace agentic AI but how they can do so responsibly and effectively.

Categories
Blog

Top Compliance Leadership Skills for the Wild Wild West that is Coming – Part 1, Fairness

Today, Donald Trump will be inaugurated as the 47th President of the United States. I can only say with complete certainty that the world of compliance will never be the same after today. Trump promises tariffs and sanctions against America’s enemies, competitors, and friends. His views on the Foreign Corrupt Practices Act (FCPA) are well known (‘a horrible law’), and so are his views on bribery.

He may well be the first President to employ the FCPA as a weapon against companies from countries that are not only the US’s enemies and competitors but also our allies. This says nothing about how he will direct the Department of Justice to use the Foreign Extortion Prevention Act (FEPA) against our enemies, competitors, and allies. So get ready for the Wild West of corporate compliance for the next four years.

As compliance professionals face this miasma in 2025, compliance leadership skills will be more critical than ever. With these new, renewed, and mounting regulatory pressures, declining employee engagement, and intensifying demand for ethical corporate governance, the role of compliance leaders has never been more pivotal or challenging.

To navigate the first part of this Wild West, I propose three leadership skills for the Chief Compliance Officer (CCO), compliance professional, or compliance practitioner to focus on. One faces outward, one faces inward, and the third relates to your attitude. They are (1) fairness, (2) curiosity, and (3) a sense of humor. These three skills will enhance your team’s effectiveness and strengthen your organization’s overall compliance posture.

Fairness: The Cornerstone of Compliance Leadership

Fairness is the bedrock of a strong compliance culture. Employees who perceive their leaders as fair are likelier to adhere to policies, report concerns, and contribute to an ethical workplace. With 70% of workers dissatisfied with their pay and disengagement on the rise, fairness is no longer optional; it is essential. You only need to consider the entire controversy around Return to the Office (RTO) at JP Morgan when, as the Wall Street Journal reported, the company disabled its internal chat function because of the plethora of negative comments on the full implementation of RTO. Talk about not wanting to hear what is on your employees’ collective minds.

Fairness extends beyond legal compliance into the realm of interpersonal relationships. For compliance leaders, this means:

1. Relationship Justice – Treating employees with professionalism, dignity, and respect

Relationship justice is the foundation of trust in any organization and a critical component of compliance leadership. It involves treating employees as valued contributors, respecting them, and maintaining professionalism. Leaders who model relationship justice foster an environment where employees feel psychologically safe to raise concerns, share ideas, and report potential misconduct. For compliance professionals, this means actively listening to employee feedback, addressing grievances promptly, and avoiding behaviors that could be perceived as favoritism or bias. Consistently demonstrating respect and dignity reinforces ethical culture and strengthens employee morale and engagement, making them more likely to align with compliance initiatives.

2. Task Justice – Ensuring decisions are transparent and consistent

Task justice focuses on the “how” of leadership—how decisions are made, communicated, and executed. Transparency is key to task justice; employees should understand the rationale behind decisions, especially when they affect their roles, responsibilities, or compensation. Consistency is equally important, as arbitrary or unpredictable decision-making undermines trust and can lead to perceptions of unfairness. Compliance leaders can implement task justice by using structured frameworks for decision-making, such as compliance risk matrices, and by documenting the process for policy updates or disciplinary actions. Clear communication of decisions and opportunities for employees to ask questions or provide feedback ensures that everyone feels included and informed, reducing resentment and fostering collaboration.

3. Distributive Justice – Aligning rewards with individual contributions

Distributive justice ensures that rewards, recognition, and outcomes are proportionate to the effort and contributions of individual employees. This dimension of fairness requires leaders to assess performance objectively and ensure that rewards—whether promotions, bonuses, or simple recognition—are distributed equitably. For compliance professionals, distributive justice can manifest in recognizing team members’ contributions to audits, investigations, or training programs. Leaders should avoid blanket recognition that overlooks individual effort and tailor rewards to highlight specific accomplishments. Employees who feel their contributions are valued and acknowledged are more likely to remain engaged, motivated, and committed to compliance goals. Ultimately, distributive justice reinforces the message that ethical behavior and hard work are consistently rewarded.

The CCO is pivotal in embedding fairness within the compliance program and the broader corporate culture. The DOJ refers to this as Institutional Justice and Fairness in the 2024 Evaluation of Corporate Compliance Programs. Whatever you (or the DOJ) might call it, achieving it requires the CCO to prioritize transparency, consistency, and respect across all compliance and cultural touchpoints.

First, fairness starts with transparent processes in the compliance program. The CCO should establish clear protocols for investigations, audits, and disciplinary actions, ensuring employees understand the steps and criteria used in decision-making. The CCO can reduce bias and promote consistency by leveraging tools such as decision matrices or documented frameworks. Regular communication about compliance updates, policy changes, and enforcement actions reinforces transparency and builds trust.

Second, fairness in corporate culture is achieved through relationship-building and recognition. The CCO should foster open dialogue by creating channels for employees to voice concerns without fear of retaliation. Training programs emphasizing fairness—such as workshops on unconscious bias or ethical leadership—can cultivate a more respectful workplace. The CCO must ensure that ethical behavior and contributions to compliance efforts are consistently acknowledged and rewarded.

Ultimately, by modeling fairness in leadership and weaving it into compliance processes and cultural practices, the CCO sets the standard for ethical behavior, fostering employee trust and long-term organizational integrity.

Join us tomorrow to explore curiosity and the CCO/compliance professional.