Categories
Blog

When AI Becomes Evidence of Bad Governance: What CCOs and Boards Can Learn from Fortis Advisors

The Delaware Court of Chancery has handed compliance leaders and boards a timely lesson: generative AI is not a substitute for judgment, legal discipline, or governance. When leaders use AI to validate a predetermined objective, the technology does not reduce risk. It can become powerful evidence of intent, bad faith, and control failure.

A Cautionary Tale for Corporate Leaders

The recent Delaware Court of Chancery decision in Fortis Advisors, LLC v. Krafton, Inc. should be read by every Chief Compliance Officer (CCO), board member, general counsel, and corporate deal professional. The article describing the decision recounts a dispute in which a buyer, apparently unhappy with a substantial earnout obligation, turned to ChatGPT for advice on how to escape the economic consequences of the deal. According to the court’s account, the buyer then executed an AI-generated strategy designed to renegotiate the arrangement or take control from the seller management team. The court ultimately found that the buyer had wrongfully terminated key employees and improperly seized operational control; as a remedy, it reinstated the seller’s CEO and extended the earnout window to restore a genuine opportunity to achieve the payout.

The Real Compliance Lesson

For compliance professionals, the most important lesson is not that AI is dangerous. The lesson is that leadership can use AI in dangerous ways when governance is absent. That is a far more important point.

Too many organizations still approach AI governance as a technology problem. They focus on model performance, cybersecurity, or procurement review. Those are important issues, but this case reminds us that AI governance begins with human purpose. What question was asked? What objective was embedded in the prompt? What controls existed before action was taken? Who challenged the proposed course of conduct? Who documented the legal and ethical analysis? Those are compliance questions. Those are board questions.

Viewing the Case Through the DOJ ECCP Lens

This is also where the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) provides a useful lens. The ECCP asks whether a company’s program is well designed, adequately resourced, empowered to function effectively, and actually works in practice. Put that framework over this fact pattern, and the governance gaps become painfully clear. Was there a control around the use of generative AI in strategic or legal decision-making? Was there escalation to legal, compliance, or the board when a significant earnout exposure was at stake? Was there any meaningful challenge function, or did leadership use AI as a convenient amplifier for a business objective it had already chosen?

The case suggests the latter. That should concern every board. Generative AI can be useful in brainstorming, summarizing, and scenario testing. But when executives use it to reinforce a desired outcome, particularly one touching contractual obligations, employment decisions, or post-closing governance rights, the tool can become a mechanism for rationalizing misconduct.

When AI Chats Become Discoverable Evidence

Worse, it creates a record. The Court notes that the AI chats were not privileged, were discoverable, and vividly underscored the buyer’s efforts to avoid its legal obligations. That point alone should stop corporate leaders in their tracks.

Many executives still treat AI chats as an informal thinking space, almost like talking to themselves. That is a serious mistake. Prompt histories, outputs, internal forwarding, and downstream use can all become evidence. If employees use public or enterprise AI tools to explore termination strategies, dispute positions, or ways around contractual commitments, they may be creating exactly the documentary record that plaintiffs, regulators, and judges will later find most compelling. In other words, the issue is not simply data leakage. It is discoverability, privilege erosion, and self-generated evidence of intent.

That is why CCOs and boards need to move beyond generic AI-use policies and build governance around high-risk use cases. The question should not be, “Do we allow ChatGPT?” The question should be, “Under what circumstances can generative AI be used in decisions involving legal rights, employee discipline, regulatory exposure, strategic transactions, or board-level matters?” If the answer is unclear, the company has work to do.

The M&A and Earnout Governance Lesson

The dealmaking lesson here is equally important. Earnouts are already fertile ground for post-closing disputes because they sit at the intersection of incentives, control, and timing. Buyers often want flexibility. Sellers want protection from interference. This case illustrates what can happen when a buyer attempts to manipulate operations in a way that affects the achievement of the earnout. The court not only found wrongful interference but also equitably extended the earnout period by 258 days and preserved a further contractual right to extend, thereby materially altering the deal’s economic landscape.

That is a governance lesson hiding inside an M&A lesson. Once a company acquires a business with earnout rights and operational covenants, post-closing conduct is no longer just integration management. It is compliance management. Interference with operational control, pretextual terminations, or actions designed to suppress performance metrics can lead to litigation, destroy value, and trigger judicial remedies that boards did not expect. CCOs should therefore insist that M&A integration playbooks include compliance review of earnout governance, decision rights, escalation protocols, and documentation standards.

Five Lessons for Boards and CCOs

What should boards and compliance officers do now? Here are five lessons.

  1. Govern the objective before you govern the tool. AI is only as sound as the purpose for which it is deployed. If leadership starts with a bad objective, AI can scale the problem. Boards should require management to define prohibited uses of AI in areas such as contract avoidance, pretextual employee actions, retaliation, and legal strategy without oversight by counsel.
  2. Treat high-risk AI prompts and outputs as governed business records. If a prompt relates to litigation, terminations, regulatory response, deal rights, or board matters, it should fall within clear policies on retention, review, and escalation. Employees need to understand that AI interactions may be discoverable and may not be privileged.
  3. Embed legal and compliance into consequential AI use cases. The ECCP emphasizes whether compliance has stature, access, and authority. That principle applies directly here. Strategic uses of AI that touch contractual rights, employment decisions, or fiduciary issues should not proceed without legal and compliance review.
  4. Build AI governance into M&A and post-closing integration. Earnout structures, operational covenants, and seller management rights are precisely the areas where incentives can distort behavior. Boards should ask whether integration teams have controls preventing actions that could be viewed as interference, manipulation, or bad-faith conduct.
  5. Document challenge, not just action. A single final decision does not prove good governance. It is proved by the process surrounding it. Was there dissent? Was there an analysis? Was there an escalation memo? Was there a documented rationale grounded in law, contract, and fiduciary duty? If not, the company may be left with a record that tells the wrong story.

Governance Must Come Before AI

In the end, this case is not really about a video game company. It is about a governance failure dressed in modern technology. Leaders appear to have used AI not to improve judgment, but to reinforce a course of conduct they already wanted to pursue. That is the compliance lesson. AI does not remove the need for fiduciary discipline, legal oversight, or ethical restraint. It makes those requirements more urgent.

For boards and CCOs, the mandate is clear. Governance must come first. Because when AI is used without guardrails, it does not merely create risk. It can become the evidence.


Compliance Lessons from Bela Lugosi’s Dracula

As many of my readers know, I am a huge fan of the Classic Universal Picture Movie Monsters, focusing on the period from 1931 to the mid-1950s. In October, I traditionally use our Halloween-ending month to explore the Classic Universal Movie Monsters, along with other films from the Hammer Studio, those produced by Val Lewton, and those starring Vincent Price. This year, I wanted to go back to basics by looking at the Classic Universal Movie Monsters, starting with Dracula and Frankenstein in 1931, followed by The Invisible Man in 1933, The Mummy in 1936, and ending with The Wolf Man in 1940.

Over the next five weeks, I will examine each of these movies through the lens of compliance and extract compliance lessons from each one. Today, I continue with the Classic Universal Movie Monster, Bela Lugosi’s version of Dracula. If you want to take a deeper dive into this movie in the podcast format, check out the special series on Popcorn and Compliance, hosted by my friends Fiona and Timothy. These podcasts will be posted alongside the blog post each Friday during October.

When Bela Lugosi first spoke the words, “I am Dracula,” in Tod Browning’s 1931 classic, audiences were mesmerized. His piercing stare, deliberate speech, and aristocratic charm redefined horror cinema. But beneath the gothic atmosphere lies something compliance professionals know all too well: the dangers of deception, unchecked power, and the failure to recognize risk until it’s too late.

The Lugosi Dracula is not just a horror film; think of it instead as a parable of compliance. The Count operates as a smooth-talking third party who gains access, conceals his true motives, and ultimately causes destruction when left unmonitored. For the corporate compliance professional, there are striking lessons in risk management, due diligence, and the importance of cultural awareness.

We continue our look at the Classic Universal Monster Movies by reviewing five key compliance lessons from the Lugosi Dracula.

1. Third Parties Are Your Greatest Risk

Dracula does not walk into London as a monster. He enters as an exotic nobleman, charming, well-spoken, and seemingly trustworthy. The people around him take him at face value. Only too late do they discover the truth: he is feeding off their lifeblood. This is the archetype of third-party risk. Business partners, agents, or distributors may present themselves as polished and reputable, but without thorough due diligence, they can bring immense legal and reputational risk.

Compliance takeaway: Treat every third-party relationship as a potential source of risk. Conduct due diligence, monitor relationships, and never rely solely on surface-level reputation. A charming exterior may conceal dangerous intentions.

2. Beware the Power of Influence

One of Lugosi’s most memorable traits is his hypnotic gaze. With it, he bends others to his will: Renfield, Mina, and Lucy each fall victim not by force, but by subtle manipulation. In the compliance world, influence is often exerted by powerful executives, dominant cultures, or high-performing employees. When individuals exercise undue influence, they can pressure others to bend the rules, ignore red flags, or accept unethical behavior as normal.

Compliance takeaway: Compliance officers must watch for undue influence in corporate cultures. Strong tone from the top matters, but so does tone in the middle. Employees must feel empowered to resist pressure, report concerns, and recognize when influence becomes coercion.

3. Risk Hides in the Shadows

Much of the horror in Dracula comes not from what is seen, but from what lurks in the shadows. The Count moves by night, unseen, exploiting darkness to conceal his actions. By the time victims realize what has happened, the damage is already done. This resonates with how misconduct often operates in organizations. Corruption, fraud, and abuse typically occur out of sight, through falsified invoices, shell companies, or hidden payments. By the time regulators or auditors arrive, the harm is already inflicted.

Compliance takeaway: Continuous monitoring and data analytics are the compliance professional’s tools for shining light into the shadows. Proactive detection, through real-time alerts, AI-driven monitoring, and transactional reviews, helps catch misconduct before it metastasizes.

4. Cultural Blindness Increases Vulnerability

One of the early warnings comes from the locals in Transylvania, who beg Jonathan Harker not to go to Dracula’s castle. They know the legends, they understand the risks, and they offer charms for protection. Yet he dismisses them as superstition. This is a classic case of ignoring cultural risk signals. In multinational operations, compliance failures often occur when the headquarters dismisses local knowledge, customs, or warnings. By failing to respect the insights of those closest to the risk, organizations make themselves vulnerable.

Compliance takeaway: Listen to local voices. Local compliance officers, employees, and partners often see risks first. A compliance program that ignores or downplays their input is doomed to fail. Respecting cultural context is essential for effective risk management.

5. Complacency Enables Catastrophe

Finally, one of the key reasons Dracula thrives in London is that no one believes such evil could exist among them. Van Helsing recognizes the threat, but others mock him or rationalize the strange events. Denial and complacency give Dracula the space to flourish. In corporate compliance, complacency is equally dangerous. When companies assume “it can’t happen here,” they let their guard down. When managers dismiss warning signs as anomalies, they enable misconduct to spread. Complacency is the enemy of effective compliance.

Compliance takeaway: Compliance professionals must cultivate vigilance. Risk assessments should be ongoing, investigations must be taken seriously, and whistleblower reports must never be ignored. The moment an organization believes it is immune, it becomes most vulnerable.

Conclusion: Dracula in the Boardroom

Bela Lugosi’s Dracula is remembered for its elegance and terror. But for compliance officers, it offers something more: a reminder that risk often comes disguised as opportunity, that influence can corrupt, that danger thrives in shadows, that cultural insights matter, and that complacency kills.

Just as Van Helsing armed himself with crucifixes, garlic, and sunlight, compliance professionals must arm their organizations with due diligence, monitoring, cultural awareness, and vigilance. The Lugosi Dracula teaches us that evil is not always obvious; rather, it often comes in a tuxedo, with a charming smile and a foreign accent, promising value while draining the lifeblood of those who trust too easily.

The compliance professional’s mission is clear: don’t let Dracula through the door without asking the hard questions, shining the light into dark places, and ensuring that your organization is prepared for what lurks in the night.

Join us next Friday as we jump to 1940 and consider compliance lessons from Lon Chaney Jr.’s The Wolf Man.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Compliance Lessons from The Invisible Man

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week concludes a 5-part series on compliance lessons from Classic Universal Movie Monsters, focusing on Claude Rains’ portrayal of Jack Griffin in The Invisible Man.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.

Categories
#RiskNYC Speaker Series

#Risk New York Speaker Series: Upping Your Game with Tom Fox

Join me and hundreds of other GRC professionals in the city that never sleeps, New York City, on July 9 & 10 for one of the top conferences around, #Risk New York. The current US landscape – shaped by evolving policies, rapid AI advancements, and shifting global dynamics – demands adaptive strategies and cross-functional collaboration.

At #RISK New York you will master the new regulatory reality by getting ahead of US regulatory shifts and their impact; conquer AI and tech risk by safeguarding your organization in an AI-driven world and understanding the implications of major tech investments; navigate financial and crypto volatility by protecting assets and exploring solutions in a dynamic market; strengthen your GRC framework by leveraging governance, risk, and compliance for strategic advantage; and protect digital trust by addressing challenges in cybersecurity, data privacy, and combating misinformation. All while meeting

In this episode of the Risk New York podcast series, Tom Fox introduces the upcoming Risk New York Conference, scheduled for July 9-10 at Fordham Law School. The conference, hosted by GRC World Forums, will focus on various aspects of risk management, including AI, tech risk, financial and crypto risk, and GRC frameworks. Tom discusses his keynote based on his book ‘Upping the Game’ and highlights key speakers and exhibitors, including Robert Clark from Howard University, Bill Coffin and Erica Alburn from Ecosphere, and Michael Rasmussen, known as the father of GRC. The episode emphasizes the significance of the conference and provides information on discounted tickets and other details available in the show notes.

Resources

#Risk Conference Series

#RiskNYC-Tickets and Information


Compliance in a Time Warp: Lessons from Star Trek’s Tomorrow Is Yesterday

Show Summary

In the ever-expanding universe of Star Trek: The Original Series, the episode “Tomorrow Is Yesterday” offers an unexpected bounty of compliance insights. On its surface, the story is a classic time-travel romp: the USS Enterprise is accidentally flung back to 1960s Earth, intercepted by a U.S. Air Force jet, and must find a way to return to the 23rd century without altering the course of history. But below the sci-fi action lies a deeper commentary on responsibility, decision-making, and the unforeseen consequences of even well-intentioned actions, making it a surprising compliance masterclass in disguise.

As compliance professionals, we often deal with risks not just of what is known but of what could happen: the unknown impact of an overlooked third-party relationship, a lack of controls in an emerging market, or a cultural blind spot that results in reputational fallout. In “Tomorrow Is Yesterday,” the crew must tread carefully to avoid disrupting the timeline, and in doing so, they offer lessons on ethics, documentation, information handling, and more. Let’s break it down: each lesson begins with a scene from the episode, followed by a compliance insight that today’s professionals can apply.

Lesson 1: Every Action Has Ripple Effects

Illustrated By: When the Enterprise accidentally ends up in the Earth’s atmosphere in the 1960s, it is detected by U.S. military radar. An Air Force pilot, Captain Christopher, is scrambled to intercept. The crew beams him aboard to save his life when his aircraft is destroyed—but now, they’ve interfered with the timeline.

Compliance Lesson:

This scene serves as a powerful reminder that even minor actions can have significant consequences when not carefully considered. In compliance, well-meaning decisions made under pressure, such as rushing a vendor through onboarding or bypassing standard procedures to hit a deadline, can trigger cascading problems. A missing due diligence step today might become tomorrow’s enforcement action.

The key takeaway is that compliance must always be mindful of unintended consequences. Strong controls and decision-making frameworks help teams slow down just enough to assess risks before acting. Preventing compliance failures often comes down to building in that pause, the moment of reflection before action.

Lesson 2: Do Not Underestimate the Importance of Containment

Illustrated By: Captain Christopher now knows too much. He’s seen a starship, spoken with its crew, and witnessed 23rd-century technology. Spock warns that releasing him could change the course of Earth’s future. The crew must now decide whether to detain him, erase his memory, or seek an alternative solution.

Compliance Lesson:

When sensitive information is accidentally exposed, whether it is confidential business data, personal employee details, or insider information, containment becomes the first and most crucial response step. Like the Enterprise crew managing the fallout of their accidental encounter, compliance professionals must act quickly and decisively to limit exposure.

This lesson is especially critical in the era of data privacy regulations, such as GDPR and CCPA. Companies must have protocols in place to isolate breaches, report them within the required timeframes, and prevent further spread. Your compliance team should conduct tabletop exercises that simulate this kind of scenario, where exposure has already occurred, and now it is about mitigating the damage.

Lesson 3: Documentation and Traceability Are Critical

Illustrated By: As the crew works to reverse their time jump, they must carefully reconstruct a plan to erase all evidence of their presence in the past. They go so far as to recover physical recordings and tamper with computer logs to restore the timeline to its original state.

Compliance Lesson:

This scene underscores the importance of meticulous recordkeeping. While the Enterprise crew is in a rare situation of removing data for the good of the universe, in the corporate world, proper documentation is essential to ensure traceability, accountability, and auditability. Without documentation, there is no proof of process, no evidence of decisions, and no way to defend against accusations or demonstrate compliance.

Whether you are conducting due diligence, implementing a policy, or investigating a report, thorough documentation serves as the foundation of defensible compliance. Ensure that every step is captured, from the decision to engage a third party to the delivery and recording of employee training.

Lesson 4: Ethics Must Guide Decision-Making Under Uncertainty

Illustrated By: The crew faces conflicting outcomes: if they return Captain Christopher to Earth, he may reveal classified knowledge; if they don’t, they alter his family line. Kirk and Spock must weigh ethical considerations against practical risks. Ultimately, they learn that Christopher’s unborn son will become pivotal to Earth’s future space exploration, so they must return him.

Compliance Lesson:

When policies do not offer a clear answer, ethical judgment must guide your decision-making. In many situations, especially those involving gray areas or new technologies, compliance teams are left to interpret principles rather than rules. That’s where a well-structured code of ethics becomes essential.

Training should teach employees not only what the law says but also how to apply ethical reasoning when there is no perfect option. Ethical leadership, modeled by those at the top, also reinforces that it’s not just about staying within bounds but rather about doing the right thing even when the stakes are high.

Lesson 5: Cross-Functional Collaboration Enhances Compliance Outcomes

Illustrated By: To return to their time and restore the timeline, the crew must coordinate multiple systems across engineering, science, navigation, and command. Mr. Scott recalibrates the engines, Spock calculates gravitational trajectories, and Sulu pilots the ship at precisely the right moment.

Compliance Lesson:

Compliance cannot operate in a silo. Like the crew of the Enterprise, compliance teams must work across various departments—such as legal, IT, HR, operations, and more—to execute effective risk mitigation. Whether you’re launching a third-party review process, addressing a whistleblower complaint, or updating privacy policies, your success depends on collaboration.

This involves building trust, facilitating effective communication, and aligning incentives across various functions. Consider forming cross-functional compliance working groups to stay informed about emerging risks and ensure shared ownership of compliance outcomes.

Lesson 6: Time Is of the Essence

Illustrated By: As the Earth’s gravitational pull begins to reassert itself, the Enterprise must execute its time-warp escape with split-second precision. A single delay could strand them in the 20th century or, worse, destroy the ship.

Compliance Lesson:

Timing can be the difference between a manageable issue and a full-blown crisis. Regulatory deadlines, investigation windows, and breach notification requirements all operate on strict timelines. Compliance professionals must be equipped to respond swiftly and decisively, particularly in crises.

Establishing a rapid-response protocol with clearly defined roles and pre-approved escalation paths is critical. Regularly review these protocols through simulated drills and update them based on lessons learned from real-world experiences. Like the crew navigating their return through time, your team must be prepared to act quickly when risk strikes.

Conclusion: Compliance for the Future—Rooted in Responsibility

“Tomorrow Is Yesterday” reminds us that ethical conduct isn’t just about navigating today’s rules but also about understanding the impact of our actions on tomorrow. For the crew of the Enterprise, that meant carefully extracting themselves from history without doing damage. For compliance professionals, it means building systems and cultures that consider not only legal obligations but also ethical consequences, unintended impacts, and the interconnectedness of our global environment.

In an era of accelerating technology, geopolitical shifts, and complex regulatory changes, these lessons are more relevant than ever. Whether it’s responding to a data breach, managing an FCPA risk, or updating your training protocols, ask yourself, “What ripple effects could this create? Are we prepared? Are we acting with integrity?”

To boldly go where no compliance program has gone before, we must learn from the past, act responsibly in the present, and remain ever-mindful of the future. So, let’s not just manage compliance—let’s lead it ethically, collaboratively, and with a focus on the future.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha


Compliance Tip of the Day – Implementing Internal Controls

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

How to implement an internal controls regime in your organization.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.


Compliance Lessons Learned: Building Meaningful Workplace Connections

In today’s business environment, compliance professionals are often praised for their pivotal role in fostering ethical, sustainable, and resilient corporate cultures. A recent HBR article, What Employers Get Wrong About How People Connect at Work, provides a compelling framework that compliance officers can integrate into their strategies to strengthen organizational integrity and trust.

The authors believe that connections in the workplace are commonly thought of as a single dimension that prioritizes interpersonal relationships with co-workers. However, the authors have identified that connections in the workplace are made up of four interrelated and essential elements: employee connections with their colleagues, leader, employer, and role. This more accurate and nuanced view of workplace connections has implications for how organizations can design intentional talent strategies to create workplaces where employees are committed, engaged, and performing. They introduce the CLEAR framework to help facilitate transformative workplace lessons. I have adapted their ideas for the compliance professional.

  • Colleague Connection: Compliance as a Collaborative Endeavor

In compliance, collaboration is non-negotiable. The CLEAR framework emphasizes the importance of trust and mutual support among colleagues, a principle that extends seamlessly into compliance programs. When employees feel connected to their peers, they are more likely to share insights and raise concerns, a cornerstone of effective whistleblowing mechanisms. For compliance professionals, this means building platforms and safe spaces for employees to collaborate. Initiatives like ethics roundtables or cross-departmental compliance champions can foster peer-to-peer connections, encouraging the open exchange of ideas and concerns about compliance issues.

  • Leader Connection: Ethical Leadership in Action

The article identifies leader connection as a key factor, noting that 70% of the variance in team engagement is attributed to managerial quality. For compliance professionals, this underscores the need for leadership at all levels to embody ethical conduct. Leaders who communicate, provide constructive feedback, and model ethical behavior are indispensable in embedding compliance into an organization’s DNA. You should work to train your business leaders to be compliance ambassadors, senior managers and middle managers alike. Equip them with tools to integrate compliance into their everyday leadership practices, from reinforcing training to discussing real-world ethical dilemmas with their teams.

  • Employer Connection: Aligning Compliance with Corporate Values

A strong employer connection, where employees see their work as meaningful and aligned with organizational goals, is critical. Compliance professionals are central in shaping this narrative by linking ethical practices to the company’s mission. When employees view compliance as an enabler of corporate success rather than a hindrance, their engagement deepens. Positioning compliance as a competitive business advantage and using internal communications to highlight how ethical practices contribute to the organization’s reputation, financial health, and long-term success will further align your employees with your overall goal of doing business ethically and in compliance.

  • Role Connection: Engaging Through Purpose

Role connection thrives when employees find satisfaction in their work and see clear pathways for growth. Compliance means integrating ethical considerations into individual roles and responsibilities. Employees who understand how their job contributes to the company’s compliance goals are likelier to take ownership of ethical behavior. Here, your compliance team should work to tailor compliance training to individual roles. Move beyond generic programs to create targeted, role-specific training that shows employees how compliance intersects with their day-to-day responsibilities.

  • CLEAR Connections and the Return-to-Office Debate

The authors critique a narrow focus on colleague connections in return-to-office mandates, warning that neglecting other CLEAR elements can undermine employee engagement. For compliance teams, this presents a nuanced challenge. Remote work can dilute compliance oversight, but rigid in-office policies may harm trust and morale. Your compliance function should therefore adopt flexible compliance monitoring strategies. Use technology to maintain oversight while respecting diverse work arrangements, and ensure employees feel trusted and supported regardless of where they work.

  • The Patchwork Principle: Balancing Connection Needs

The authors propose the “patchwork principle,” urging leaders to adopt a portfolio of policies that reflect employees’ diverse connection preferences. Compliance teams can take inspiration from this approach to design policies that address various needs while ensuring alignment with regulatory requirements. The DOJ has long clarified that your compliance program should be based on your company’s compliance risks. This means you should customize your compliance program. Consider employee demographics, cultural nuances, and risk profiles when designing policies and procedures, ensuring they resonate across the organization.

Final Thoughts: CLEAR Insights for Compliance Success

The CLEAR framework challenges compliance professionals to think beyond policies and procedures, emphasizing the human connections that underpin ethical behavior. By fostering meaningful relationships across these four pillars, compliance leaders can build a culture that adheres to regulations and thrives on trust, engagement, and integrity.

Incorporating these lessons is not simply about compliance but redefining how organizations connect, collaborate, and succeed. By adopting these principles, compliance professionals can lead the way in creating workplaces that are not only compliant but also connected and committed to excellence.

Categories
FCPA Compliance Report

FCPA Compliance Report: Unlocking Financial Gains Through Proactive Compliance: Insights with Nicolas Tollet

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this edition of the FCPA Compliance Report, Tom Fox cross posts the first episode of a new podcast series from Nicolas Tollet, partner at Hughes Hubbard & Reed.

In this episode, Tollet delves into the substantial financial benefits stemming from robust compliance measures. Tollet recounts a company’s journey through two deferred prosecution agreements (DPAs) related to bribery and corruption allegations in Africa and Brazil, detailing how proactive compliance actions saved the company approximately $100 million. He emphasizes the crucial role of an independent monitor and in-depth compliance reviews in identifying and mitigating misconduct. Tollet explores the implementation of compliance policies and training programs, drawing comparisons with high-profile cases like Walmart’s FCPA settlement, to illustrate the long-term financial stability and operational integrity gained through early compliance investment.

Highlights in this Episode:

  • The First Deferred Prosecution Agreement (DPA)
  • The Second DPA and Lava Jato Investigation
  • Compliance as a Competitive Advantage
  • Detecting and Addressing Misconduct
  • Remediation and Strengthening Compliance
  • Financial Benefits of Compliance
  • Comparing with Walmart FCPA Case

Resources:

Nicolas Tollet at Hughes Hubbard & Reed

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For an audio/video version of the Compliance Kids book, Speaking Up is AWESOME, contact Tom Fox.

Categories
Blog

TD Bank: Part 3 – Lessons Learned for Compliance

We continue our exploration of the resolution of the AML/BSA enforcement action involving TD Bank US (the Bank), wholly owned by the TD Bank Group, a publicly traded (NYSE: TD) international banking and financial services corporation headquartered in Toronto, Canada. Today, we explore some key lessons learned for the AML compliance professional. We begin with what Attorney General Merrick Garland noted: “Three money laundering networks took advantage of TD Bank’s failed anti-money laundering system.”

The Three Money-Laundering Schemes

The David Scheme

Da Ying Sze, also known as David, used the Bank for a money laundering and unlicensed money transmitting scheme for which he pled guilty in 2022. David conspired to launder and transmit over $653 million, with more than $470 million laundered through TDBNA. He bribed bank employees with over $57,000 in gift cards to facilitate the scheme. David laundered money by depositing large amounts of cash, sometimes exceeding $1 million in a single day, into accounts opened by other individuals. He also instructed bank employees to send wires and issue official checks. The Bank failed to correctly identify David as the person conducting the transactions in over 500 CTRs, which covered more than $400 million in transaction value, even though David directly deposited large cash sums into accounts he allegedly did not control.

Bank Insiders

Five Bank employees provided material assistance to a second money laundering scheme, which laundered millions of dollars from the United States to Colombia. The five individuals, referred to as “TDBNA Insiders,” held various positions within the bank, including Financial Service Representative, Retail Banker, Assistant Store Manager, and Store Supervisor at TDBNA stores in New Jersey and Florida. These insiders helped the money laundering networks by opening accounts and providing dozens of ATM cards used to launder funds through high-volume ATM withdrawals. They also assisted in maintaining these accounts by issuing new ATM cards and overcoming internal controls and freezes on account activity. Through these actions, approximately $39 million was laundered through the bank. Despite significant internal red flags, TDBNA did not identify the insiders’ involvement in the money laundering scheme until law enforcement arrested Insider-1 in October 2023.

Shell Company Scammers

From March 2021 through March 2023, a money laundering organization known as “MLO-1,” which claimed to be involved in the wholesale diamond, gold, and jewelry business, maintained accounts for at least five shell companies at the Bank. These accounts moved approximately $123 million in illicit funds through the bank. The Bank knew these shell companies were connected, since they shared the same account signatories. Despite these red flags, the Bank did not file a Suspicious Activity Report (SAR) on MLO-1 until law enforcement notified the bank in April 2022. By then, MLO-1’s accounts had been open for over 13 months and had transferred nearly $120 million through TDBNA.

Lessons Learned

This enforcement action is a sobering reminder of compliance’s critical role in preventing and detecting financial crimes like money laundering. With over $470 million laundered in one scheme, $39 million moved through insiders, and $123 million transferred via shell companies, significant compliance failures occurred. Of course, these are only a part of the $18.3 trillion in transactions that the Bank does not monitor due to its conscious compliance failures. These incidents underscore the importance of maintaining robust internal controls, employee oversight, and proper reporting mechanisms.

Failing to Detect Obvious Red Flags

In this case, one of the most glaring issues is the bank’s failure to identify the obvious red flags associated with laundering large sums of money. In the case of David, the Bank failed to file accurate CTRs for over $400 million in transactions. David regularly deposited enormous amounts of cash, over $1 million in a single day, into accounts opened by others, yet the bank failed to link him to these transactions.

The key takeaway for compliance professionals is to ensure that their systems are calibrated to flag suspicious activities, especially when transactions exceed certain thresholds. Large cash deposits, frequent activity involving multiple accounts, and nominee account holders should always trigger enhanced due diligence and review. Automated systems must be updated and combined with human oversight to catch these patterns.

The Role of Corrupt Employees in Facilitating Money Laundering

The involvement of the Bank Insiders in the second laundering scheme is a textbook example of how internal corruption can undermine even the most sophisticated compliance programs. These employees assisted money laundering networks by opening accounts, providing ATM cards, and circumventing internal controls and account freezes. In exchange, they received bribes, showing the vulnerability of staff in critical roles.

This scenario shows why employees must undergo regular anti-bribery and anti-corruption training to reinforce the consequences of accepting bribes and engaging in unethical behavior. In addition, a strong compliance culture should include mechanisms for detecting internal misconduct, such as anonymous reporting systems and independent audits, to identify corrupt employees early. Creating ethical guardrails within your organization, alongside frequent checks and balances, can protect against insider threats.

CTRs and SARs Must be a Priority

A key regulatory requirement under the Bank Secrecy Act (BSA) is the filing of Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs). The Bank’s failure to file accurate CTRs in David’s case and delayed filing of SARs in the Shell Company Scammers scheme underscores how devastating the consequences can be when compliance teams do not take their regulatory obligations seriously. Even after identifying that shell companies were linked to each other by shared account signatories, the Bank failed to act quickly, allowing nearly $120 million to be laundered through their systems.

The timely filing of CTRs and SARs is not just a best practice; it is a regulatory requirement. Compliance officers must ensure that processes for flagging suspicious activity are effective and swift. Training staff to recognize when CTRs and SARs are needed and implementing systems that automatically flag transactions for review will help ensure compliance with reporting obligations.

Third-Party Risk and Shell Companies: Know Your Customer (KYC) Failures

The shell companies used to launder $123 million demonstrate a significant lapse in the bank’s Know Your Customer (KYC) protocols. The Bank knew the shell companies were linked by the same account signatories yet failed to act for over a year. This gap in KYC enforcement allowed significant funds to pass through without appropriate scrutiny or action.

KYC processes should be foundational to every compliance program. Regular reviews and enhanced due diligence are required when dealing with high-risk entities like shell companies. Compliance professionals should prioritize the identification of ultimate beneficial ownership (UBO) and remain vigilant when patterns suggest potential fraud, even if account openings appear legitimate at first glance. Your KYC protocols must also integrate ongoing monitoring, not just one-time checks.
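The calibration points in the two preceding lessons (conductor-level cash aggregation above a threshold, nominee account holders, accounts linked by shared signatories, and ongoing rather than one-time monitoring) can be expressed as simple monitoring rules. The block below is an added Python illustration, not part of the original post and not TD Bank’s or any vendor’s monitoring system. The accounts, signatories and transactions are constructed sample data; the $10,000 figure is the standard BSA currency-transaction aggregation threshold, and the cluster review threshold is an assumed parameter.

```python
"""Toy BSA/AML monitoring rules (added illustration on constructed data).

1. CTR aggregation keyed on the *conductor*, not the account, so cash split
   across nominee accounts still rolls up to the person handing it over.
2. Nominee pattern: a conductor depositing cash into several accounts on
   which they have no signing authority is escalated for enhanced due diligence.
3. Shared-signatory clustering: accounts sharing a signatory are grouped into
   one customer cluster and the cluster's combined outflow is reviewed.
"""
from collections import defaultdict
from dataclasses import dataclass

CTR_THRESHOLD = 10_000  # BSA aggregate currency threshold per conductor per business day


@dataclass(frozen=True)
class Txn:
    date: str
    account: str
    conductor: str  # person physically conducting the transaction
    kind: str       # "cash_in" or "wire_out"
    amount: int


# Constructed sample: who may sign on each account (hypothetical identifiers).
ACCOUNT_SIGNATORIES = {
    "ACC-1": {"owner-A"},
    "ACC-2": {"owner-B"},
    "ACC-3": {"owner-C"},
    "SHELL-1": {"sig-X", "sig-Y"},
    "SHELL-2": {"sig-Y"},
    "SHELL-3": {"sig-X", "sig-Z"},
    "SHELL-4": {"sig-Q"},
}

# Constructed sample transactions: cond-D spreads cash over other people's
# accounts; the SHELL-* accounts each wire out modest amounts.
SAMPLE_TXNS = [
    Txn("2021-06-01", "ACC-1", "cond-D", "cash_in", 6_000),
    Txn("2021-06-01", "ACC-2", "cond-D", "cash_in", 5_500),
    Txn("2021-06-02", "ACC-3", "cond-D", "cash_in", 4_000),
    Txn("2021-06-02", "ACC-3", "owner-C", "cash_in", 3_000),
    Txn("2021-06-03", "SHELL-1", "sig-X", "wire_out", 40_000),
    Txn("2021-06-03", "SHELL-2", "sig-Y", "wire_out", 35_000),
    Txn("2021-06-04", "SHELL-3", "sig-Z", "wire_out", 30_000),
    Txn("2021-06-04", "SHELL-4", "sig-Q", "wire_out", 20_000),
]


def ctr_obligations(txns):
    """(date, conductor) -> daily cash total, for totals above CTR_THRESHOLD."""
    totals = defaultdict(int)
    for t in txns:
        if t.kind == "cash_in":
            totals[(t.date, t.conductor)] += t.amount
    return {k: v for k, v in totals.items() if v > CTR_THRESHOLD}


def nominee_depositors(txns, signatories, min_accounts=2):
    """Conductors depositing cash into >= min_accounts accounts they cannot sign on."""
    seen = defaultdict(set)
    for t in txns:
        if t.kind == "cash_in" and t.conductor not in signatories.get(t.account, set()):
            seen[t.conductor].add(t.account)
    return {c: sorted(a) for c, a in seen.items() if len(a) >= min_accounts}


def signatory_clusters(signatories):
    """Union-find over accounts: accounts sharing any signatory form one cluster."""
    parent = {acct: acct for acct in signatories}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_sig = defaultdict(list)
    for acct, sigs in signatories.items():
        for s in sigs:
            by_sig[s].append(acct)
    for accts in by_sig.values():
        for other in accts[1:]:
            parent[find(other)] = find(accts[0])
    groups = defaultdict(list)
    for acct in signatories:
        groups[find(acct)].append(acct)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def cluster_outflows(txns, signatories, review_threshold):
    """Combined wire_out per signatory cluster, for clusters above review_threshold."""
    clusters = signatory_clusters(signatories)
    acct_to_cluster = {a: i for i, c in enumerate(clusters) for a in c}
    totals = defaultdict(int)
    for t in txns:
        if t.kind == "wire_out" and t.account in acct_to_cluster:
            totals[acct_to_cluster[t.account]] += t.amount
    return {tuple(clusters[i]): v for i, v in totals.items() if v > review_threshold}


if __name__ == "__main__":
    print("CTR obligations:", ctr_obligations(SAMPLE_TXNS))
    print("Nominee depositors:", nominee_depositors(SAMPLE_TXNS, ACCOUNT_SIGNATORIES))
    print("Signatory clusters:", signatory_clusters(ACCOUNT_SIGNATORIES))
    print("Cluster outflows:", cluster_outflows(SAMPLE_TXNS, ACCOUNT_SIGNATORIES, 100_000))
```

Two design points matter here. Aggregating by conductor rather than by account is what lets the first rule see $11,500 of cash on one day even though no single account received more than $6,000, which is the pattern the CTR lesson describes. Likewise, no individual SHELL account wires more than $40,000, but once accounts are joined by shared signatories the cluster moves $105,000, so the review fires at the customer level where the KYC linkage actually lives; a per-account rule would stay silent.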

The Consequences of Ignoring Red Flags

Across all three schemes, the Bank ignored significant internal red flags—large cash sums deposited directly into accounts the depositor did not control, insiders actively assisting in laundering activities, and shell companies linked by shared signatories. Compliance must be more than just a checkbox exercise. Red flags must be taken seriously and escalated quickly to prevent further damage.

Compliance teams must be empowered to act decisively when red flags are raised. This includes having the authority to freeze accounts, file reports, and escalate issues to senior management and regulatory authorities when needed. Additionally, a strong culture of compliance, backed by leadership, should encourage immediate action when suspicious activity is detected.

Monitoring and Auditing: Preventing Future Failures

Finally, this case reveals the importance of ongoing monitoring and regular auditing. In all three schemes, the Bank failed to sufficiently monitor account activities and employees, which allowed the laundering schemes to continue for extended periods. Regular audits and automated transaction monitoring systems are essential to detect and prevent similar issues.

Auditing and monitoring systems should be built into your compliance framework, focusing on high-risk accounts, employees, and geographies. By continuously reviewing and auditing compliance processes, teams can identify gaps early and prevent further exploitation. Technology can be key in monitoring, but human oversight is critical to analyzing more complex behavior patterns.

This enforcement action is a stark reminder of the consequences of weak compliance controls, employee corruption, and failure to act on red flags. For compliance professionals, the lessons from this case are clear: robust internal controls, continuous training, effective KYC procedures, and timely reporting are essential to preventing and detecting money laundering. By learning from these failures, compliance officers can strengthen their programs and ensure their organizations remain vigilant in the fight against financial crime.

I will explore this matter in depth over the next several blog posts. Tomorrow, I will consider the Bank’s culture and flat cost paradigm.

Resources

OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks

Categories
Compliance Into the Weeds

Compliance into the Weeds: Adventures in Squeezing Out Compliance – TD Bank’s Flat Cost Paradigm

The award-winning Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the TD Bank BSA and AML enforcement action, which led to $3 billion in fines and penalties.

Tom and Matt discuss TD Bank’s conscious strategy of not raising the budget, known as the Flat Cost Paradigm or Zero Expense Growth Paradigm, and how this strategy severely restricted the Bank’s compliance and AML functions. This tactic aimed to increase profits by keeping expenditures flat year after year. The impact of this strategy is particularly evident in the global AML team’s expenditures on the U.S. anti-money laundering program, which decreased in 2021 compared to 2018. Despite significantly growing U.S. assets and net income, the bank refrained from increasing its budget for essential programs, a fact highlighted in the Justice Department indictment. The Bank’s strategy serves as a clear warning about the dangers of prioritizing profits over compliance.

Key Highlights:

  • Introduction to the Flat Cost Paradigm
  • Details of the Budget Strategy
  • Impact on Anti-Money Laundering Efforts
  • Financial Growth Amidst Budget Constraints

Resources:

  1. Blogs

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

  2. Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

  3. Enforcement Related Material

OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks